2019-04-15 07:42:42 +00:00
<!DOCTYPE html>
2021-04-10 12:03:10 +00:00
< html class = "theme-next muse use-motion" lang = "zh-Hans" >
2019-04-15 07:42:42 +00:00
< head > < meta name = "generator" content = "Hexo 3.8.0" >
< meta charset = "UTF-8" >
< meta http-equiv = "X-UA-Compatible" content = "IE=edge" >
< meta name = "viewport" content = "width=device-width, initial-scale=1, maximum-scale=1" >
< meta name = "theme-color" content = "#222" >
2021-04-10 19:19:48 +00:00
< script src = "/lib/pace/pace.min.js?v=1.0.2" > < / script >
< link href = "/lib/pace/pace-theme-center-atom.min.css?v=1.0.2" rel = "stylesheet" >
2019-04-15 07:42:42 +00:00
< meta http-equiv = "Cache-Control" content = "no-transform" >
< meta http-equiv = "Cache-Control" content = "no-siteapp" >
< link href = "/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel = "stylesheet" type = "text/css" >
< link href = "/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel = "stylesheet" type = "text/css" >
< link href = "/css/main.css?v=5.1.4" rel = "stylesheet" type = "text/css" >
< link rel = "apple-touch-icon" sizes = "180x180" href = "/images/hackerrank.png?v=5.1.4" >
< link rel = "icon" type = "image/png" sizes = "32x32" href = "/images/hackerrank.png?v=5.1.4" >
< link rel = "icon" type = "image/png" sizes = "16x16" href = "/images/hackerrank.png?v=5.1.4" >
< link rel = "mask-icon" href = "/images/logo.svg?v=5.1.4" color = "#222" >
< meta name = "keywords" content = "侧信道攻击,wifi," >
2021-04-11 06:53:08 +00:00
< link rel = "alternate" href = "/atom.xml" title = "混元霹雳手" type = "application/atom+xml" >
2019-04-15 07:42:42 +00:00
2021-04-10 13:53:56 +00:00
< meta name = "description" content = "什么是信息?什么是加密?什么是侧信道?" >
2019-04-15 07:42:42 +00:00
< meta name = "keywords" content = "侧信道攻击,wifi" >
< meta property = "og:type" content = "article" >
< meta property = "og:title" content = "wifi半双工侧信道攻击学习笔记" >
< meta property = "og:url" content = "https://cool-y.github.io/2019/01/16/wifi半双工侧信道攻击学习笔记/index.html" >
< meta property = "og:site_name" content = "混元霹雳手" >
2021-04-10 13:53:56 +00:00
< meta property = "og:description" content = "什么是信息?什么是加密?什么是侧信道?" >
2019-04-15 07:42:42 +00:00
< meta property = "og:locale" content = "zh-Hans" >
2020-10-21 10:25:01 +00:00
< meta property = "og:image" content = "https://raw.githubusercontent.com/Cool-Y/tcp_exploit/master/pic/1.PNG" >
< meta property = "og:image" content = "https://github.com/Cool-Y/tcp_exploit/blob/master/pic/2-Man_in_the_middle_attack.svg.png?raw=true" >
< meta property = "og:image" content = "https://github.com/Cool-Y/tcp_exploit/blob/master/pic/3-Connection_TCP.png?raw=true" >
< meta property = "og:image" content = "https://github.com/Cool-Y/tcp_exploit/blob/master/pic/5-%E6%94%BB%E5%87%BB%E6%A8%A1%E5%9E%8B.PNG?raw=true" >
< meta property = "og:image" content = "https://github.com/Cool-Y/tcp_exploit/blob/master/pic/4-netstat%E8%8E%B7%E5%8F%96%E4%BF%A1%E6%81%AF.jpg?raw=true" >
< meta property = "og:image" content = "https://github.com/Cool-Y/tcp_exploit/blob/master/pic/6-GRL-R.PNG?raw=true" >
< meta property = "og:image" content = "https://github.com/Cool-Y/tcp_exploit/blob/master/pic/7-GRL-L.PNG?raw=true" >
< meta property = "og:image" content = "https://github.com/Cool-Y/tcp_exploit/blob/master/pic/8-%E6%94%B6%E5%8C%85%E5%8E%9F%E7%90%86.jpg?raw=true" >
< meta property = "og:image" content = "https://github.com/Cool-Y/tcp_exploit/blob/master/pic/8-Trigger.PNG?raw=true" >
< meta property = "og:image" content = "https://github.com/Cool-Y/tcp_exploit/blob/master/pic/8-noTrigger.PNG?raw=true" >
< meta property = "og:image" content = "https://github.com/Cool-Y/tcp_exploit/blob/master/pic/9-%E5%BA%8F%E5%88%97%E5%8F%B7%E6%8E%A8%E6%96%AD.PNG?raw=true" >
< meta property = "og:image" content = "https://github.com/Cool-Y/tcp_exploit/blob/master/pic/9-http%E6%B3%A8%E5%85%A5.PNG?raw=true" >
2021-04-10 13:53:56 +00:00
< meta property = "og:updated_time" content = "2021-04-10T13:51:18.277Z" >
2019-04-15 07:42:42 +00:00
< meta name = "twitter:card" content = "summary" >
< meta name = "twitter:title" content = "wifi半双工侧信道攻击学习笔记" >
2021-04-10 13:53:56 +00:00
< meta name = "twitter:description" content = "什么是信息?什么是加密?什么是侧信道?" >
2020-10-21 10:25:01 +00:00
< meta name = "twitter:image" content = "https://raw.githubusercontent.com/Cool-Y/tcp_exploit/master/pic/1.PNG" >
2019-04-15 07:42:42 +00:00
< script type = "text/javascript" id = "hexo.configurations" >
var NexT = window.NexT || {};
var CONFIG = {
root: '/',
2021-04-10 12:03:10 +00:00
scheme: 'Muse',
2019-04-15 07:42:42 +00:00
version: '5.1.4',
2021-04-10 20:13:11 +00:00
sidebar: {"position":"left","display":"always","offset":12,"b2t":false,"scrollpercent":true,"onmobile":true},
2019-04-15 07:42:42 +00:00
fancybox: true,
tabs: true,
motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
duoshuo: {
userId: '0',
author: '博主'
},
algolia: {
applicationID: '',
apiKey: '',
indexName: '',
hits: {"per_page":10},
labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
}
};
< / script >
< link rel = "canonical" href = "https://cool-y.github.io/2019/01/16/wifi半双工侧信道攻击学习笔记/" >
< title > wifi半双工侧信道攻击学习笔记 | 混元霹雳手< / title >
< / head >
< body itemscope itemtype = "http://schema.org/WebPage" lang = "zh-Hans" >
< div class = "container sidebar-position-left page-post-detail" >
< div class = "headband" > < / div >
< header id = "header" class = "header" itemscope itemtype = "http://schema.org/WPHeader" >
< div class = "header-inner" > < div class = "site-brand-wrapper" >
< div class = "site-meta " >
< div class = "custom-logo-site-title" >
< a href = "/" class = "brand" rel = "start" >
< span class = "logo-line-before" > < i > < / i > < / span >
< span class = "site-title" > 混元霹雳手< / span >
< span class = "logo-line-after" > < i > < / i > < / span >
< / a >
< / div >
2021-04-10 20:10:04 +00:00
< p class = "site-subtitle" > Battle⚔️ < / p >
2019-04-15 07:42:42 +00:00
< / div >
< div class = "site-nav-toggle" >
< button >
< span class = "btn-bar" > < / span >
< span class = "btn-bar" > < / span >
< span class = "btn-bar" > < / span >
< / button >
< / div >
< / div >
< nav class = "site-nav" >
< ul id = "menu" class = "menu" >
< li class = "menu-item menu-item-home" >
< a href = "/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-home" > < / i > < br >
首页
< / a >
< / li >
< li class = "menu-item menu-item-about" >
< a href = "/about/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-user" > < / i > < br >
关于
< / a >
< / li >
< li class = "menu-item menu-item-tags" >
< a href = "/tags/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-tags" > < / i > < br >
标签
< / a >
< / li >
< li class = "menu-item menu-item-categories" >
< a href = "/categories/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-th" > < / i > < br >
分类
< / a >
< / li >
< li class = "menu-item menu-item-archives" >
< a href = "/archives/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-archive" > < / i > < br >
归档
< / a >
< / li >
< li class = "menu-item menu-item-bookmarks" >
< a href = "/bookmarks/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-map" > < / i > < br >
书签
< / a >
< / li >
2019-08-08 12:42:56 +00:00
2021-04-11 06:53:08 +00:00
< li class = "menu-item menu-item-album" >
< a href = "/album/" rel = "section" >
2019-08-08 12:42:56 +00:00
2019-08-08 12:52:19 +00:00
< i class = "menu-item-icon fa fa-fw fa-heartbeat" > < / i > < br >
2019-08-08 12:42:56 +00:00
2021-04-11 06:53:08 +00:00
相簿
2019-08-08 12:42:56 +00:00
< / a >
< / li >
2019-04-15 07:42:42 +00:00
< / ul >
< / nav >
< / div >
< / header >
< main id = "main" class = "main" >
< div class = "main-inner" >
< div class = "content-wrap" >
< div id = "content" class = "content" >
< div id = "posts" class = "posts-expand" >
< article class = "post post-type-normal" itemscope itemtype = "http://schema.org/Article" >
< div class = "post-block" >
< link itemprop = "mainEntityOfPage" href = "https://cool-y.github.io/2019/01/16/wifi半双工侧信道攻击学习笔记/" >
< span hidden itemprop = "author" itemscope itemtype = "http://schema.org/Person" >
< meta itemprop = "name" content = "Cool-Y" >
< meta itemprop = "description" content >
< meta itemprop = "image" content = "/images/avatar.png" >
< / span >
< span hidden itemprop = "publisher" itemscope itemtype = "http://schema.org/Organization" >
< meta itemprop = "name" content = "混元霹雳手" >
< / span >
< header class = "post-header" >
< h1 class = "post-title" itemprop = "name headline" > wifi半双工侧信道攻击学习笔记< / h1 >
< div class = "post-meta" >
< span class = "post-time" >
< span class = "post-meta-item-icon" >
< i class = "fa fa-calendar-o" > < / i >
< / span >
< span class = "post-meta-item-text" > 发表于< / span >
< time title = "创建于" itemprop = "dateCreated datePublished" datetime = "2019-01-16T15:35:27+08:00" >
2019-01-16
< / time >
< / span >
< span class = "post-category" >
< span class = "post-meta-divider" > |< / span >
< span class = "post-meta-item-icon" >
< i class = "fa fa-folder-o" > < / i >
< / span >
< span class = "post-meta-item-text" > 分类于< / span >
< span itemprop = "about" itemscope itemtype = "http://schema.org/Thing" >
< a href = "/categories/顶会论文/" itemprop = "url" rel = "index" >
< span itemprop = "name" > 顶会论文< / span >
< / a >
< / span >
< / span >
< span id = "/2019/01/16/wifi半双工侧信道攻击学习笔记/" class = "leancloud_visitors" data-flag-title = "wifi半双工侧信道攻击学习笔记" >
< span class = "post-meta-divider" > |< / span >
< span class = "post-meta-item-icon" >
< i class = "fa fa-eye" > < / i >
< / span >
< span class = "post-meta-item-text" > 阅读次数: < / span >
< span class = "leancloud-visitors-count" > < / span >
< / span >
< div class = "post-wordcount" >
< span class = "post-meta-item-icon" >
< i class = "fa fa-file-word-o" > < / i >
< / span >
< span title = "字数统计" >
3.7k 字
< / span >
< span class = "post-meta-divider" > |< / span >
< span class = "post-meta-item-icon" >
< i class = "fa fa-clock-o" > < / i >
< / span >
< span title = "阅读时长" >
13 分钟
< / span >
< / div >
2021-04-10 13:53:56 +00:00
< div class = "post-description" >
什么是信息?什么是加密?什么是侧信道?
< / div >
2019-04-15 07:42:42 +00:00
< / div >
< / header >
< div class = "post-body" itemprop = "articleBody" >
< h1 id = "TCP侧信道分析及利用的学习报告" > < a href = "#TCP侧信道分析及利用的学习报告" class = "headerlink" title = "TCP侧信道分析及利用的学习报告" > < / a > TCP侧信道分析及利用的学习报告< / h1 > < p > < strong > < em > 论文来源:< / em > < / strong > USENIX SECURITY 2018: < br > < strong > < em > 下载:< / em > < / strong > < br > < a href = "https://www.usenix.org/conference/usenixsecurity18/presentation/chen-weiteng" target = "_blank" rel = "noopener" > 原文pdf< / a > < br > < a href = "https://res.cloudinary.com/dozyfkbg3/raw/upload/v1553316881/ARE/wifi.pptx" target = "_blank" rel = "noopener" > 中文slides< / a > < / p >
< h2 id = "背景知识" > < a href = "#背景知识" class = "headerlink" title = "背景知识" > < / a > 背景知识< / h2 > < h3 id = "测信道" > < a href = "#测信道" class = "headerlink" title = "测信道" > < / a > 测信道< / h3 > < p > < strong > 香农信息论< / strong > < / p >
2020-10-21 10:25:01 +00:00
< p > < img src = "https://raw.githubusercontent.com/Cool-Y/tcp_exploit/master/pic/1.PNG" alt = "信息熵" > < / p >
2019-04-15 07:42:42 +00:00
< p > < strong > 什么是信息?< / strong > 用来减少随机不确定的东西< / p >
< p > < strong > 什么是加密?< / strong > 类似于加噪声,增加随机不确定性< / p >
< blockquote >
< p > “从密码分析者来看,一个保密系统几乎就是一个通信系统。待传的消息是统计事件,加密所用的密钥按概率选出,加密结果为密报,这是分析者可以利用的,类似于受扰信号。”< / p >
< / blockquote >
< p > < strong > 侧信道随之出现< / strong > 越过加密算法增加的随机不定性,从其他的渠道获取数据标签,确定信息内容。< / p >
< ol >
< li > 早期:采集加密电子设备在运行过程中的时间消耗、功率消耗或者电磁辐射消耗等边缘信息的差异性< / li >
< li > 而随着研究的深入, < / li >
< li > 并在Web应用交互信息传递越来越频繁时, < / li >
< / ol >
< p > < strong > 侧信道攻击的流程< / strong > 第一个就是侧信道泄露的截取,第二个是信息的恢复。< / p >
< hr >
< h3 id = "网络攻击" > < a href = "#网络攻击" class = "headerlink" title = "网络攻击" > < / a > 网络攻击< / h3 > < ol >
< li > 中间人攻击< blockquote >
< p > “指攻击者与通讯的两端分别创建独立的联系,并交换其所收到的数据,使通讯的两端认为他们正在通过一个私密的连接与对方直接对话,但事实上整个会话都被攻击者完全控制。”< / p >
< / blockquote >
< / li >
< / ol >
2020-10-21 10:25:01 +00:00
< p > < img src = "https://github.com/Cool-Y/tcp_exploit/blob/master/pic/2-Man_in_the_middle_attack.svg.png?raw=true" alt > < / p >
2019-04-15 07:42:42 +00:00
< ul >
< li > 公共wifi、路由器劫持< / li >
< li > 一般使用加密来防御< / li >
< li > 加密的代价:维护密钥证书、影响功能(运营商无法做缓存)< / li >
< / ul >
< ol start = "2" >
< li > 非中间人攻击/偏离路径攻击/off-path attack< blockquote >
< p > 通信线路之外,攻击者看不到双方的消息,没办法截获和发送通信包。智能伪造成一方给另一方发消息。< / p >
< / blockquote >
< / li >
< / ol >
< ul >
< li > 攻击成功需要:消息合法+最先到达< / li >
< li > 防御措施: < br > 双方在通信前交换一个随机数,这个随机数在每次的通信中都要被附带,而中间人看不见这个随机数,因此伪造的消息被认为不合法。< / li >
< li > 攻击者如何得到这个随机数:侧信道< / li >
< / ul >
< hr >
2020-10-21 10:25:01 +00:00
< h3 id = "TCP三次握手" > < a href = "#TCP三次握手" class = "headerlink" title = "TCP三次握手" > < / a > TCP三次握手< / h3 > < p > < img src = "https://github.com/Cool-Y/tcp_exploit/blob/master/pic/3-Connection_TCP.png?raw=true" alt > < / p >
2019-04-15 07:42:42 +00:00
< blockquote >
< ol >
< li > 客户端通过向服务器端发送一个SYN来创建一个主动打开, < em > 随机数A< / em > 。< / li >
< li > 服务器端应当为一个合法的SYN回送一个SYN/ACK。ACK的确认码应为A+1, < em > 随机产生的序号B< / em > 。< / li >
< li > 最后, , , , < / li >
< / ol >
< / blockquote >
< p > 通过三次握手,确定对方不是非中间人< / p >
< p > < strong > < em > TCP序列号的问题< / em > < / strong > < / p >
< table >
< thead >
< tr >
< th style = "text-align:center" > 1985< / th >
< th style = "text-align:center" > 1995< / th >
< th style = "text-align:center" > 2001< / th >
< th style = "text-align:center" > 2004< / th >
< th style = "text-align:center" > 2007< / th >
< th style = "text-align:center" > 2012< / th >
< th style = "text-align:center" > 2012< / th >
< th style = "text-align:center" > 2016< / th >
< / tr >
< / thead >
< tbody >
< tr >
< td style = "text-align:center" > Morris< / td >
< td style = "text-align:center" > Mitnik< / td >
< td style = "text-align:center" > Zalewsky< / td >
< td style = "text-align:center" > Waston< / td >
< td style = "text-align:center" > kLM< / td >
< td style = "text-align:center" > Herzberg< / td >
< td style = "text-align:center" > 作者< / td >
< td style = "text-align:center" > 作者< / td >
< / tr >
< tr >
< td style = "text-align:center" > 初始序列可预测< / td >
< td style = "text-align:center" > 真实利用< / td >
< td style = "text-align:center" > 漏洞仍在< / td >
< td style = "text-align:center" > BGP DoS< / td >
< td style = "text-align:center" > Windows攻击< / td >
< td style = "text-align:center" > Puppet-assisted< / td >
< td style = "text-align:center" > Malware-assisted< / td >
< td style = "text-align:center" > off-path attack< / td >
< / tr >
< / tbody >
< / table >
< ol >
< li > 90年代时发现并不随机: < / li >
< li > 2007年在windows场景下用IDID侧信道猜出序列号: , < / li >
< / ol >
< hr >
2020-10-21 10:25:01 +00:00
< h2 id = "Malware-assisted" > < a href = "#Malware-assisted" class = "headerlink" title = "Malware-assisted" > < / a > Malware-assisted< / h2 > < p > < strong > 攻击模型:< / strong > < br > 给受害者安装一个无特权的应用程序( ) , , < br > < img src = "https://github.com/Cool-Y/tcp_exploit/blob/master/pic/5-%E6%94%BB%E5%87%BB%E6%A8%A1%E5%9E%8B.PNG?raw=true" alt > < / p >
2019-04-15 07:42:42 +00:00
< p > < strong > 如何劫持TCP< / strong > < / p >
< ol >
2020-10-21 10:25:01 +00:00
< li > < p > 需要的信息: , , < br > 使用netstat命令获取: < br > < img src = "https://github.com/Cool-Y/tcp_exploit/blob/master/pic/4-netstat%E8%8E%B7%E5%8F%96%E4%BF%A1%E6%81%AF.jpg?raw=true" alt > < / p >
2019-04-15 07:42:42 +00:00
< / li >
< li > < p > 任务: , < / p >
< / li >
< li > 如何验证序列号正确:通过某种侧信道,这个恶意软件在后台可以提供反馈。< / li >
< / ol >
< h3 id = "变种一:防火墙" > < a href = "#变种一:防火墙" class = "headerlink" title = "变种一:防火墙" > < / a > 变种一:防火墙< / h3 > < p > < strong > 攻击过程:< / strong > TCP三次握手之后产生A和B, , , , , < / p >
< p > < strong > 具体侧信道方案:< / strong > CPU资源使用率( ) > TCP计数器( ) > 低噪音计数器:包被丢掉时,一个相应的错误计数器。< / p >
< p > < strong > 解决方法:< / strong > 关闭防火墙检查序列号的功能< / p >
< h3 id = "变种二:无防火墙" > < a href = "#变种二:无防火墙" class = "headerlink" title = "变种二:无防火墙" > < / a > 变种二:无防火墙< / h3 > < p > 具体侧信道方案: , < br > 影响范围: < / p >
< hr >
< h2 id = "Pure-off-path-无恶意软件协助" > < a href = "#Pure-off-path-无恶意软件协助" class = "headerlink" title = "Pure off-path:无恶意软件协助" > < / a > Pure off-path:无恶意软件协助< / h2 > < blockquote >
< p > 不植入恶意软件, : , < / p >
< / blockquote >
< h3 id = "Global-Rate-Limit" > < a href = "#Global-Rate-Limit" class = "headerlink" title = "Global Rate Limit" > < / a > Global Rate Limit< / h3 > < blockquote >
< p > USENIX 2016 : Off-Path TCP Exploits: Global Rate Limit Considered Dangerous< / p >
< / blockquote >
< p > < strong > 侧信道:< / strong > 所有的侧信道, , < strong > < em > 服务器上< / em > < / strong > 的共享资源,< strong > < em > 限速器< / em > < / strong > ( ) ( ) < / p >
< p > < strong > 如何利用共享限速器:< / strong > < br > 先判断是否建立了连接。然后伪造TCP包, , , , , ( ) ; , < / p >
2020-10-21 10:25:01 +00:00
< p > < img src = "https://github.com/Cool-Y/tcp_exploit/blob/master/pic/6-GRL-R.PNG?raw=true" alt > < / p >
< p > < img src = "https://github.com/Cool-Y/tcp_exploit/blob/master/pic/7-GRL-L.PNG?raw=true" alt > < / p >
2019-04-15 07:42:42 +00:00
< p > < strong > 评估:< / strong > 是否建立了连接:< 10s ; Seq: ; < 10s< / p >
< p > < strong > 解决方案:< / strong > 1. 加噪音, ; < / p >
< hr >
< h3 id = "Unfixable-WiFi-timing" > < a href = "#Unfixable-WiFi-timing" class = "headerlink" title = "Unfixable WiFi timing" > < / a > Unfixable WiFi timing< / h3 > < blockquote >
< p > USENIX 2018 : Off-Path TCP Exploit: How Wireless Routers< br > Can Jeopardize Your Secrets< br > 之前的漏洞无论是计数器还是限速器都属于软件,很好更正,但这篇文章的漏洞利用无法修复。< / p >
< / blockquote >
2020-10-21 10:25:01 +00:00
< p > < strong > TCP收包的原理: < / strong > 通常TCP收包要看这个包是否匹配了当前的某一个连接。如果连接匹配上了, ; , , ; , , , < br > < img src = "https://github.com/Cool-Y/tcp_exploit/blob/master/pic/8-%E6%94%B6%E5%8C%85%E5%8E%9F%E7%90%86.jpg?raw=true" alt > < / p >
2019-04-15 07:42:42 +00:00
< p > < strong > 侧信道:< / strong > 攻击者伪装成服务器给客户端发包,正确的序列号会有< strong > < em > 回复< / em > < / strong > ,错误则没有。但回复时发送给服务器的,有没有回复攻击者并不知道。那么如何去判断有没有回复,利用无线网络的 < strong > < em > 半双工< / em > < / strong > 传输。< br > 让有回包和没有回包的时间差异放大。< / p >
2020-10-21 10:25:01 +00:00
< p > < strong > 判断流程:< / strong > 客户端和路由器之间wifi通信。攻击者依次发送三个数据包, , , , , < br > < img src = "https://github.com/Cool-Y/tcp_exploit/blob/master/pic/8-Trigger.PNG?raw=true" alt > < / p >
< p > < img src = "https://github.com/Cool-Y/tcp_exploit/blob/master/pic/8-noTrigger.PNG?raw=true" alt > < / p >
2019-04-15 07:42:42 +00:00
< p > < strong > 评估:< / strong > 在本地环境下, , < / p >
< p > < strong > 攻击应用:< / strong > < br > < strong > 1. 攻击模型:< / strong > 受害者访问了我们的钓鱼网站, ( ) , ( ) , < / p >
< blockquote >
< p > 与理想情况的不同: ; < / p >
< / blockquote >
< pre > < code > Attacker -------wire----------|
Router ---------wireless-------Victim (client)
Server -------wire----------|
< / code > < / pre > < p > < strong > 2. 攻击目标:< / strong > 推断出客户端和服务器是否建立了连接; ; ( ) , , , < / p >
< p > < strong > 3. 攻击过程:< / strong > 假设傀儡已经建立了连接, ( ) , , , , , , , < / p >
< p > < strong > 4. 细节:< / strong > < / p >
< ul >
< li > < strong > 连接(四元组)推断:< / strong > 每一轮使用30个重复包测试一个端口, , < strong > < em > web缓存投毒< / em > < / strong > ,还需要傀儡初始化连接来协助,根据系统不同,有不同的端口选择算法可以优化:< strong > < em > windows& macOS< / em > < / strong > 使用全局和顺序端口分配策略为其TCP连接选择短暂的端口号, , < strong > < em > NAT< / em > < / strong > 端口保留,不需要关心外部端口被转换成不可预知的内部端口。< strong > < em > 来自同一域名的多个IP地址< / em > < / strong > ,这意味着攻击者需要付出更大的代价来推断端口号。< / li >
2020-10-21 10:25:01 +00:00
< li > < strong > 序列号推断:< / strong > 通过利用时序侧信道来判断是否存在相应的响应,从而将窗口序列号与窗外序列号区分开来。一旦我们得到一个 < strong > < em > 窗口内序列号< / em > < / strong > ,通过进行二分搜索进一步将序列号空间缩小到单个值 < strong > < em > RCV.NXT< / em > < / strong > 。如果还要使用傀儡建立的连接发起web缓存投毒, : < strong > < em > 增大接收窗口的大小< / em > < / strong > , , , < br > < img src = "https://github.com/Cool-Y/tcp_exploit/blob/master/pic/9-%E5%BA%8F%E5%88%97%E5%8F%B7%E6%8E%A8%E6%96%AD.PNG?raw=true" alt > < / li >
2019-04-15 07:42:42 +00:00
< li > < p > < strong > TCP劫持: < / strong > 通过劫持傀儡初始化的连接, , < strong > < em > windows< / em > < / strong > : , < br > 因此, , < strong > < em > ( ) < / em > < / strong > , , , , , , < / p >
2019-07-16 09:15:34 +00:00
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > websocket.send(|wnd|*i)< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
2020-10-21 10:25:01 +00:00
< p > 因此, , , , < br > < img src = "https://github.com/Cool-Y/tcp_exploit/blob/master/pic/9-http%E6%B3%A8%E5%85%A5.PNG?raw=true" alt > < br > < strong > < em > ( ) < / em > < / strong > , , , ( ) , < br > 此外, , , ( ) , , , , < / p >
2019-04-15 07:42:42 +00:00
< / li >
< / ul >
< hr >
< h2 id = "Discussion" > < a href = "#Discussion" class = "headerlink" title = "Discussion" > < / a > Discussion< / h2 > < p > 时序侧信道来自无线网络的半双工性质。由于无线协议中固有的冲突和回退, , , < br > 虽然作者只讨论威胁模型, , ( , ) , ( ) < br > 此外, , , , , , , < / p >
< / div >
< div >
< div style = "padding: 10px 0; margin: 20px auto; width: 90%; text-align: center;" >
< div > 您的支持将鼓励我继续创作!< / div >
< button id = "rewardButton" disable = "enable" onclick = "var qr = document.getElementById('QR'); if (qr.style.display === 'none') {qr.style.display='block';} else {qr.style.display='none'}" >
< span > 打赏< / span >
< / button >
< div id = "QR" style = "display: none;" >
< div id = "wechat" style = "display: inline-block" >
< img id = "wechat_qr" src = "/images/Wechatpay.png" alt = "Cool-Y 微信支付" >
< p > 微信支付< / p >
< / div >
< div id = "alipay" style = "display: inline-block" >
< img id = "alipay_qr" src = "/images/Alipay.png" alt = "Cool-Y 支付宝" >
< p > 支付宝< / p >
< / div >
< / div >
< / div >
< / div >
2021-04-10 12:03:10 +00:00
< div >
< ul class = "post-copyright" >
< li class = "post-copyright-author" >
< strong > 本文作者:< / strong >
Cool-Y
< / li >
< li class = "post-copyright-link" >
< strong > 本文链接:< / strong >
< a href = "https://cool-y.github.io/2019/01/16/wifi半双工侧信道攻击学习笔记/" title = "wifi半双工侧信道攻击学习笔记" > https://cool-y.github.io/2019/01/16/wifi半双工侧信道攻击学习笔记/< / a >
< / li >
< li class = "post-copyright-license" >
< strong > 版权声明: < / strong >
本博客所有文章除特别声明外,均采用 < a href = "https://creativecommons.org/licenses/by-nc-sa/3.0/" rel = "external nofollow" target = "_blank" > CC BY-NC-SA 3.0< / a > 许可协议。转载请注明出处!
< / li >
< / ul >
< / div >
2019-04-15 07:42:42 +00:00
< footer class = "post-footer" >
< div class = "post-tags" >
< a href = "/tags/侧信道攻击/" rel = "tag" > # 侧信道攻击< / a >
< a href = "/tags/wifi/" rel = "tag" > # wifi< / a >
< / div >
2021-04-10 19:19:48 +00:00
< div class = "post-widgets" >
< div id = "needsharebutton-postbottom" >
< span class = "btn" >
< i class = "fa fa-share-alt" aria-hidden = "true" > < / i >
< / span >
< / div >
< / div >
2019-04-15 07:42:42 +00:00
< div class = "post-nav" >
< div class = "post-nav-next post-nav-item" >
2019-07-01 09:29:47 +00:00
< a href = "/2018/12/25/TCPDUMP拒绝服务攻击漏洞/" rel = "next" title = "TCPDUMP拒绝服务攻击漏洞" >
< i class = "fa fa-chevron-left" > < / i > TCPDUMP拒绝服务攻击漏洞
2019-04-15 07:42:42 +00:00
< / a >
< / div >
< span class = "post-nav-divider" > < / span >
< div class = "post-nav-prev post-nav-item" >
< a href = "/2019/02/22/qq数据库的加密解密/" rel = "prev" title = "QQ数据库的加密与解密" >
QQ数据库的加密与解密 < i class = "fa fa-chevron-right" > < / i >
< / a >
< / div >
< / div >
< / footer >
< / div >
< / article >
< div class = "post-spread" >
< / div >
< / div >
< / div >
2021-04-10 12:37:40 +00:00
< div class = "comments" id = "comments" >
< div id = "gitalk-container" > < / div >
< / div >
2019-04-15 07:42:42 +00:00
< / div >
< div class = "sidebar-toggle" >
< div class = "sidebar-toggle-line-wrap" >
< span class = "sidebar-toggle-line sidebar-toggle-line-first" > < / span >
< span class = "sidebar-toggle-line sidebar-toggle-line-middle" > < / span >
< span class = "sidebar-toggle-line sidebar-toggle-line-last" > < / span >
< / div >
< / div >
< aside id = "sidebar" class = "sidebar" >
2021-04-10 20:13:11 +00:00
< div id = "sidebar-dimmer" > < / div >
2019-04-15 07:42:42 +00:00
< div class = "sidebar-inner" >
< ul class = "sidebar-nav motion-element" >
< li class = "sidebar-nav-toc sidebar-nav-active" data-target = "post-toc-wrap" >
文章目录
< / li >
< li class = "sidebar-nav-overview" data-target = "site-overview-wrap" >
站点概览
< / li >
< / ul >
< section class = "site-overview-wrap sidebar-panel" >
< div class = "site-overview" >
< div class = "site-author motion-element" itemprop = "author" itemscope itemtype = "http://schema.org/Person" >
< img class = "site-author-image" itemprop = "image" src = "/images/avatar.png" alt = "Cool-Y" >
< p class = "site-author-name" itemprop = "name" > Cool-Y< / p >
2021-04-10 20:10:04 +00:00
< p class = "site-description motion-element" itemprop = "description" > Juice is temporary but Sauce is forever< / p >
2019-04-15 07:42:42 +00:00
< / div >
< nav class = "site-state motion-element" >
< div class = "site-state-item site-state-posts" >
< a href = "/archives/" >
2021-05-20 11:39:04 +00:00
< span class = "site-state-item-count" > 31< / span >
2019-04-15 07:42:42 +00:00
< span class = "site-state-item-name" > 日志< / span >
< / a >
< / div >
< div class = "site-state-item site-state-categories" >
< a href = "/categories/index.html" >
2019-10-15 11:24:26 +00:00
< span class = "site-state-item-count" > 7< / span >
2019-04-15 07:42:42 +00:00
< span class = "site-state-item-name" > 分类< / span >
< / a >
< / div >
< div class = "site-state-item site-state-tags" >
< a href = "/tags/index.html" >
2021-04-10 10:53:27 +00:00
< span class = "site-state-item-count" > 55< / span >
2019-04-15 07:42:42 +00:00
< span class = "site-state-item-name" > 标签< / span >
< / a >
< / div >
< / nav >
2021-04-11 06:53:08 +00:00
< div class = "feed-link motion-element" >
< a href = "/atom.xml" rel = "alternate" >
< i class = "fa fa-rss" > < / i >
RSS
< / a >
< / div >
2019-04-15 07:42:42 +00:00
< div class = "links-of-author motion-element" >
< span class = "links-of-author-item" >
< a href = "https://github.com/Cool-Y" target = "_blank" title = "GitHub" >
< i class = "fa fa-fw fa-github" > < / i > GitHub< / a >
< / span >
< span class = "links-of-author-item" >
< a href = "mailto:cool.yim@whu.edu.cn" target = "_blank" title = "E-Mail" >
< i class = "fa fa-fw fa-envelope" > < / i > E-Mail< / a >
< / span >
< span class = "links-of-author-item" >
< a href = "https://www.instagram.com/yan__han/" target = "_blank" title = "Instagram" >
< i class = "fa fa-fw fa-instagram" > < / i > Instagram< / a >
< / span >
< / div >
2019-10-01 12:45:37 +00:00
< div id = "music163player" >
2021-04-10 12:03:10 +00:00
< iframe frameborder = "no" border = "0" marginwidth = "0" marginheight = "0" width = "330" height = "110" src = "//music.163.com/outchain/player?type=4&id=334277093&auto=1&height=90" > < / iframe >
2019-10-01 12:45:37 +00:00
< / div >
2019-04-15 07:42:42 +00:00
< / div >
< / section >
<!-- noindex -->
< section class = "post-toc-wrap motion-element sidebar-panel sidebar-panel-active" >
< div class = "post-toc" >
2019-07-01 11:52:45 +00:00
< div class = "post-toc-content" > < ol class = "nav" > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "#TCP侧信道分析及利用的学习报告" > < span class = "nav-text" > TCP侧信道分析及利用的学习报告< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#背景知识" > < span class = "nav-text" > 背景知识< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-3" > < a class = "nav-link" href = "#测信道" > < span class = "nav-text" > 测信道< / span > < / a > < / li > < li class = "nav-item nav-level-3" > < a class = "nav-link" href = "#网络攻击" > < span class = "nav-text" > 网络攻击< / span > < / a > < / li > < li class = "nav-item nav-level-3" > < a class = "nav-link" href = "#TCP三次握手" > < span class = "nav-text" > TCP三次握手< / span > < / a > < / li > < / ol > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#Malware-assisted" > < span class = "nav-text" > Malware-assisted< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-3" > < a class = "nav-link" href = "#变种一:防火墙" > < span class = "nav-text" > 变种一:防火墙< / span > < / a > < / li > < li class = "nav-item nav-level-3" > < a class = "nav-link" href = "#变种二:无防火墙" > < span class = "nav-text" > 变种二:无防火墙< / span > < / a > < / li > < / ol > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#Pure-off-path-无恶意软件协助" > < span class = "nav-text" > Pure off-path:无恶意软件协助< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-3" > < a class = "nav-link" href = "#Global-Rate-Limit" > < span class = "nav-text" > Global Rate Limit< / span > < / a > < / li > < li class = "nav-item nav-level-3" > < a class = "nav-link" href = "#Unfixable-WiFi-timing" > < span class = "nav-text" > Unfixable WiFi timing< / span > < / a > < / li > < / ol > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#Discussion" > < span class = "nav-text" > Discussion< / span > < / a > < / li > < / ol > < / li > < / ol > < / div >
2019-04-15 07:42:42 +00:00
< / div >
< / section >
<!-- /noindex -->
< / div >
< / aside >
< / div >
< / main >
< footer id = "footer" class = "footer" >
< div class = "footer-inner" >
2021-01-08 04:26:24 +00:00
< div class = "copyright" > © 2019 — < span itemprop = "copyrightYear" > 2021< / span >
2019-04-15 07:42:42 +00:00
< span class = "with-love" >
< i class = "fa fa-user" > < / i >
< / span >
< span class = "author" itemprop = "copyrightHolder" > Cool-Y< / span >
< span class = "post-meta-divider" > |< / span >
< span class = "post-meta-item-icon" >
< i class = "fa fa-area-chart" > < / i >
< / span >
2021-05-20 11:39:04 +00:00
< span title = "Site words total count" > 105.1k< / span >
2019-04-15 07:42:42 +00:00
< / div >
< div class = "powered-by" > 由 < a class = "theme-link" target = "_blank" href = "https://hexo.io" > Hexo< / a > 强力驱动< / div >
< div class = "busuanzi-count" >
< script async src = "//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js" > < / script >
< span class = "site-uv" >
< i class = "fa fa-user" > < / i >
< span class = "busuanzi-value" id = "busuanzi_value_site_uv" > < / span >
< / span >
< span class = "site-pv" >
< i class = "fa fa-eye" > < / i >
< span class = "busuanzi-value" id = "busuanzi_value_site_pv" > < / span >
< / span >
< / div >
< / div >
< / footer >
< div class = "back-to-top" >
< i class = "fa fa-arrow-up" > < / i >
2021-04-10 19:19:48 +00:00
< span id = "scrollpercent" > < span > 0< / span > %< / span >
2019-04-15 07:42:42 +00:00
< / div >
2021-04-10 19:19:48 +00:00
< div id = "needsharebutton-float" >
< span class = "btn" >
< i class = "fa fa-share-alt" aria-hidden = "true" > < / i >
< / span >
< / div >
2019-04-15 07:42:42 +00:00
< / div >
< script type = "text/javascript" >
if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
window.Promise = null;
}
< / script >
< script type = "text/javascript" src = "/lib/jquery/index.js?v=2.1.3" > < / script >
< script type = "text/javascript" src = "/lib/fastclick/lib/fastclick.min.js?v=1.0.6" > < / script >
< script type = "text/javascript" src = "/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7" > < / script >
< script type = "text/javascript" src = "/lib/velocity/velocity.min.js?v=1.2.1" > < / script >
< script type = "text/javascript" src = "/lib/velocity/velocity.ui.min.js?v=1.2.1" > < / script >
< script type = "text/javascript" src = "/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5" > < / script >
< script type = "text/javascript" src = "/js/src/utils.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/motion.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/scrollspy.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/post-details.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/bootstrap.js?v=5.1.4" > < / script >
2021-04-10 12:37:40 +00:00
2021-04-10 12:40:26 +00:00
<!-- LOCAL: You can save these files to your site and update links -->
< link rel = "stylesheet" href = "https://unpkg.com/gitalk/dist/gitalk.css" >
< script src = "https://unpkg.com/gitalk/dist/gitalk.min.js" > < / script >
<!-- END LOCAL -->
< script type = "text/javascript" >
function renderGitalk(){
var gitalk = new Gitalk({
owner: 'Cool-Y',
repo: 'gitment-comments',
clientID: '180955a2c3ae3d966d9a',
clientSecret: '1c5db4da72df5e6fc318d12afe5f4406f7c54343',
admin: 'Cool-Y',
2021-04-10 12:47:46 +00:00
id: decodeURI(location.pathname),
2021-04-10 12:40:26 +00:00
distractionFreeMode: 'true'
});
gitalk.render('gitalk-container');
}
renderGitalk();
< / script >
2019-04-15 07:42:42 +00:00
< script src = "https://cdn1.lncld.net/static/js/av-core-mini-0.6.4.js" > < / script >
2021-05-21 07:35:38 +00:00
< script > AV . initialize ( "CnxMogaLcXQrm9Q03lF8XH7j-gzGzoHsz" , "EHqNuJ6AYvuHnY6bN6w2SMXl" ) ; < / script >
2019-04-15 07:42:42 +00:00
< script >
function showTime(Counter) {
var query = new AV.Query(Counter);
var entries = [];
var $visitors = $(".leancloud_visitors");
$visitors.each(function () {
entries.push( $(this).attr("id").trim() );
});
query.containedIn('url', entries);
query.find()
.done(function (results) {
var COUNT_CONTAINER_REF = '.leancloud-visitors-count';
if (results.length === 0) {
$visitors.find(COUNT_CONTAINER_REF).text(0);
return;
}
for (var i = 0; i < results.length ; i + + ) {
var item = results[i];
var url = item.get('url');
var time = item.get('time');
var element = document.getElementById(url);
$(element).find(COUNT_CONTAINER_REF).text(time);
}
for(var i = 0; i < entries.length ; i + + ) {
var url = entries[i];
var element = document.getElementById(url);
var countSpan = $(element).find(COUNT_CONTAINER_REF);
if( countSpan.text() == '') {
countSpan.text(0);
}
}
})
.fail(function (object, error) {
console.log("Error: " + error.code + " " + error.message);
});
}
function addCount(Counter) {
var $visitors = $(".leancloud_visitors");
var url = $visitors.attr('id').trim();
var title = $visitors.attr('data-flag-title').trim();
var query = new AV.Query(Counter);
query.equalTo("url", url);
query.find({
success: function(results) {
if (results.length > 0) {
var counter = results[0];
counter.fetchWhenSave(true);
counter.increment("time");
counter.save(null, {
success: function(counter) {
var $element = $(document.getElementById(url));
$element.find('.leancloud-visitors-count').text(counter.get('time'));
},
error: function(counter, error) {
console.log('Failed to save Visitor num, with error message: ' + error.message);
}
});
} else {
var newcounter = new Counter();
/* Set ACL */
var acl = new AV.ACL();
acl.setPublicReadAccess(true);
acl.setPublicWriteAccess(true);
newcounter.setACL(acl);
/* End Set ACL */
newcounter.set("title", title);
newcounter.set("url", url);
newcounter.set("time", 1);
newcounter.save(null, {
success: function(newcounter) {
var $element = $(document.getElementById(url));
$element.find('.leancloud-visitors-count').text(newcounter.get('time'));
},
error: function(newcounter, error) {
console.log('Failed to create');
}
});
}
},
error: function(error) {
console.log('Error:' + error.code + " " + error.message);
}
});
}
$(function() {
var Counter = AV.Object.extend("Counter");
if ($('.leancloud_visitors').length == 1) {
addCount(Counter);
} else if ($('.post-title-link').length > 1) {
showTime(Counter);
}
});
< / script >
< script >
(function(){
var bp = document.createElement('script');
var curProtocol = window.location.protocol.split(':')[0];
if (curProtocol === 'https') {
bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';
}
else {
bp.src = 'http://push.zhanzhang.baidu.com/push.js';
}
var s = document.getElementsByTagName("script")[0];
s.parentNode.insertBefore(bp, s);
})();
< / script >
2021-04-10 19:19:48 +00:00
< link rel = "stylesheet" href = "/lib/needsharebutton/needsharebutton.css" >
2019-04-15 07:42:42 +00:00
2021-04-10 19:19:48 +00:00
< script src = "/lib/needsharebutton/needsharebutton.js" > < / script >
< script >
pbOptions = {};
pbOptions.iconStyle = "box";
pbOptions.boxForm = "horizontal";
pbOptions.position = "bottomCenter";
pbOptions.networks = "Weibo,Wechat,Douban,QQZone,Twitter,Facebook";
new needShareButton('#needsharebutton-postbottom', pbOptions);
flOptions = {};
flOptions.iconStyle = "box";
flOptions.boxForm = "horizontal";
flOptions.position = "middleRight";
flOptions.networks = "Weibo,Wechat,Douban,QQZone,Twitter,Facebook";
new needShareButton('#needsharebutton-float', flOptions);
< / script >
2019-04-15 07:42:42 +00:00
2021-04-10 19:19:48 +00:00
< script type = "text/javascript" src = "/js/src/js.cookie.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/scroll-cookie.js?v=5.1.4" > < / script >
2019-04-15 07:42:42 +00:00
< / body >
< / html >
