GreyFan：一种Wi-Fi隐蔽信道攻击框架

doi:10.11959/j.issn.1000-0801.2019179

电信科学 ›› 2019, Vol. 35 ›› Issue (9): 85-97.doi: 10.11959/j.issn.1000-0801.2019179

GreyFan：一种Wi-Fi隐蔽信道攻击框架

马栋捷^1,²,金成强^1,²,陈园^1,²,陈铁明^1,^2,³

¹ 浙江工业大学计算机科学与技术学院，浙江杭州 310023
² 浙江省网络空间安全创新研究中心，浙江杭州 310023
³ 之江实验室工业互联网研究中心，浙江杭州 311100

修回日期:2019-07-03 出版日期:2019-09-20 发布日期:2019-09-30
作者简介:马栋捷（1994- ），男，浙江工业大学计算机科学与技术学院硕士生，主要研究方向为信息安全。|金成强（1995- ），男，浙江工业大学计算机科学与技术学院硕士生，主要研究方向为信息安全。|陈园（1994- ），女，浙江工业大学计算机科学与技术学院硕士生，主要研究方向为物联网安全。|陈铁明（1978- ），男，博士，浙江工业大学计算机科学与技术学院教授，主要研究方向为网络空间安全与大数据智能分析。
基金资助:
国家自然科学基金资助项目(61202282);国家自然科学基金资助项目(61772026);国家自然科学基金与浙江省政府联合项目(U1509214)

GreyFan:a network attack framework using Wi-Fi covert channel

Dongjie MA^1,²,Chengqiang JIN^1,²,·uan CHEN^1,²,Tieming CHEN^1,^2,³

¹ College of Computer Science and Technology,Zhejiang University of Technology,Hangzhou 310023,China
² Zhejiang Innovation Center of Cyberspace Security,Hangzhou 310023,China
³ Research Center of Industrial Internet,Zhejiang Lab,Hangzhou 311100,China

Revised:2019-07-03 Online:2019-09-20 Published:2019-09-30
Supported by:
The National Natural Science Foundation of China(61202282);The National Natural Science Foundation of China(61772026);The Joint Project of National Natural Science Foundation and Zhejiang Provincial Government(U1509214)

摘要/Abstract

摘要：

针对现实网络中诸如侧信道攻击、HID 攻击等传统的物理攻击，物理隔离被认为是一种较为彻底的抵御网络攻击的安全防护手段。2018 年，业界首次提出了一种物理隔离环境下的 Wi-Fi 隐蔽信道方法——Ghost Tunnel，即在Wi-Fi尚未连接的状态下，无线AP可成功将数据传给发起连接请求的计算机。提出了一种基于Ghost Tunnel方法的攻击框架—— GreyFan，利用该攻击框架攻击者可以对未连接Wi-Fi的用户实施无感知攻击，如文件隐蔽传输、任意代码执行等，并分析了相应的防御技术。

关键词: HID攻击, 网络隔离, 隐蔽信道, GreyFan攻击

Abstract:

For traditional physical attacks such as side channel attacks and HID attacks in real networks,physical isolation is considered to be a relatively complete security protection against network attacks.In 2018,a Wi-Fi hidden channel method in the physical isolation environment——Ghost Tunnel was firstly proposed,that is,in the state that Wi-Fi didn’t connected,the wireless AP could successfully transmit data to the computer that initiates the connection request.An attack framework based on the Ghost Tunnel method——GreyFan was proposed.This attack framework enabled attackers to implement non-aware attacks on users who didn’t connected to Wi-Fi,such as file concealed transmission and arbitrary code execution,etc.The corresponding defense technology was also analyzed.

Key words: HID attack, network isolation, covert channel, GreyFan attack

中图分类号:

TP309

马栋捷,金成强,陈园,陈铁明. GreyFan：一种Wi-Fi隐蔽信道攻击框架[J]. 电信科学, 2019, 35(9): 85-97.

Dongjie MA,Chengqiang JIN,·uan CHEN,Tieming CHEN. GreyFan:a network attack framework using Wi-Fi covert channel[J]. Telecommunications Science, 2019, 35(9): 85-97.

图/表 14

图1

图2

图3

图4

图5

表1

图6

图7

图8

图9

图10

图11

图12

图13

参考文献 13

[1]	DAKHANE D M , DESHMUKH P R . Active warden for TCP sequence number base covert channel[C]// International Conference on Pervasive Computing,Jan 8-10,2015,Pune,India. Piscataway:IEEE Press, 2015: 1-5.
[2]	ZANDER S , ARMITAGE G , BRANCH P . Covert channels and countermeasures in computer network protocols[J]. IEEE Communications Surveys ＆ Tutorials, 2007,9(3): 44-57.
[3]	王娟, 郭永冲, 王强 ,等. 基于BHO的网络隐蔽通道研究[J]. 计算机工程, 2009,35(5): 159-161,164.
	WANG J , GUO · C , WANG Q ,et al. Research of network covert channel based on BHO[J]. Computer Engineering, 2009,35(5): 159-161,164.
[4]	AHMADZADEH S A , AGNEW G . Turbo covert channel:an iterative framework for covert communication over data networks[C]// IEEE INFOCOM,April 14-19,2013,Turin,Italy. Piscataway:IEEE Press, 2013: 2031-2039.
[5]	姬国珍, 谭全福 . 基于数据包时间间隔的隐蔽通道实现及检测方法研究[J]. 通信技术, 2018,51(1): 189-194.
	JI G Z , TAN Q F . Covert channel implementation based on between-packet time intervals and detection method[J]. Communications Technology, 2018,51(1): 189-194.
[6]	李卫, 嵩天 . 适用于NAT环境的隐蔽通道构建方法[J]. 计算机工程与应用, 2018,54(17): 103-109.
	LI W , SONG T . Covert channel applying to NAT environment[J]. Computer Engineering and Applications, 2018,54(17): 103-109.
[7]	朱越凡, 马迪, 王伟 ,等. 一种 NTP 协议隐蔽通道[J]. 计算机系统应用, 2017,26(5): 119-125.
	ZHU · F , MA D , WANG W ,et al. Covert channel based on NTP protocol[J]. Computer Systems ＆ Applications, 2017,26(5): 119-125.
[8]	TAN · A , XU X , LIANG C ,et al. An end-to-end covert channel via packet dropout for mobile networks[J]. International Journal of Distributed Sensor Networks, 2018,14(5).
[9]	·ANG Z , HUANG Q , ZHANG Q ,et al. NICScatter:backscatter as a covert channel in mobile devices[Z]. 2017.
[10]	SCHULZ M , LINK J . Shadow Wi-Fi:teaching smartphones to transmit raw signals and to extract channel state information to implement practical covert channels over Wi-Fi[C]// The 16th Annual International Conference on Mobile Systems,Applications,and Services Table of Contents,June 10-15,2018,San Francisco,California,USA.[S.l.:s.n]. 2018: 256-268.
[11]	WU K , WEI Z S , TEACHER W Z . A study on the application of intrusion detection technology to WLAN[C]// IEEE International Conference on Communication Software and Networks,May 27-29,2011,Xi’an,China. Piscataway:IEEE Press, 2011: 344-346.
[12]	谭彦, 厉萍, 卢洪涛 ,等. Wi-Fi 无线钓鱼攻击分析及应对技术研究[J]. 电信科学, 2013,29(Z2): 143-146,151.
	TAN · , LI P , LU H T ,et al. Wi-Fi wireless phishing attack analysis and coping technology research[J]. Telecommunications Science, 2013,29(Z2): 143-146,151.
[13]	高波, 潘毅明, 黄国瑾 . 基于城域组网的运营级WLAN组网技术[J]. 电信科学, 2015,31(10): 199-203.
	GAO B , PAN · M , HUANG G J . Technology of WLAN in operation level based on metropolitan area network[J]. Telecommunications Science, 2015,31(10): 199-203.

字节数/byte	含义	用途
1	特殊字段	标识该帧用于传输文件
2	文件名长度	标识文件名的长度，用 16 进制表示
8	散列值	用于可靠传输
2	文件总长度	标识文件的总分片数，用16进制表示
2	当前分片序号	标识当前分片所属的位置，用16进制表示
0 ～ 240	文件名	标识文件的保存名称，可带具体路径
0 ～ 240－文件名长度	文件的具体内容	发送具体的文件信息

GreyFan：一种Wi-Fi隐蔽信道攻击框架

GreyFan:a network attack framework using Wi-Fi covert channel

在线阅读

PDF下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 14

参考文献 13

相关文章 1

Metrics

推荐阅读 0