This page contains an overview of selected open source tools that I helped create. These range from deployed defenses to research platforms and various vulnerability testing tools.
Standardized & Deployed Defenses
- Operating channel validation: implementation of operating channel validation that has meanwhile beep adopted by Linux's Hostap. See this Linux commit for additional kernel support to handle certain edge cases.
- Beacon protection: Linux's implementation of our beacon protection defense. See the HostAp commit and its parent commits for the user-space implementation and see patchwork for the Linux kernel part.
- Radiotap TX flags:
update to the Radiotap specification to have more control over injected
Wi-Fi frames, making it easier to perform experiments. Implemented by Wireshark, Scapy, and Linux (see kernel patches below).
- Contributed to the hash-to-curve RFC to better project weak passwords.
Research Platforms and Tools
- ModWiFi: This framework can be use to perform low-layer Wi-Fi experiments using cheap hardware. The framework modifies firmware and kernel drivers to accomplish this. In our paper we used this to demonstrate unfair channel usage, continuous jamming, reactive jamming, and implemented a multi-channel machine-in-the-middle attack. It it based on cheap commodity USB WiFi dongles. This tool has been used in more than a dozen research papers.
- Timeless timing attacks: This is a Python script that can be used to test whether HTTP/2 servers are vulnerable to timeless timing attacks.
- Symbolic execution of crypto protocols: Experimental KLEE patches to symbolically execute several implementation of WPA2's 4-way handshake.
- M-test: implementation in R of the statistical M-test of Fuchs and Kenett to detect outliers.
- FlowFox: FlowFox is a modified Firefox browser that we extended using information flow techniques to prevent sensitive information from leaking.
- Passive scanning: patches to Android and wpa_supplicant to passively scan for Wi-Fi networks in order to improve privacy.
- Fuzzing WPA2's handshake: this implements a model-based fuzzing technique to detect logical implementation flaws in the 4-way handshake of WPA2. This code has also been used by other papers.
- KRACK Attacks: this script can test test whether clients reinstall the pairwise or group key, and can test whether an AP reinstalls the pairwise key. I also created a script to perform the all-zero key attack against Android and Linux.
- Dragonblood: several tools to test for vulnerabilities in WPA3 and EAP-pwd. Dragonslayer performs invalid curve attacks against EAP-pwd, Dragondrain performs a denial-of-service attack against WPA3, Dragontime is an experimental tool to perform timing attacks against WPA3, and Dragonforce is an experimental tool to perform brute-force attacks based on the information leaked from timing or cache attacks against WPA3.
- WPA2 Handshake Bugs: this repository contains several proof-of-concepts of vulnerabilities in implementations of WPA2's 4-way handshake. These were discovered through model-based fuzzing of implementations.
- WPA-TKIP Side-Channels: proof-of-concept code of the sleep-based side-channel attack against Linux's WPA-TKIP implementation.
- WPA-TKIP DoS: this tool abuses TKIP MIC failures to launch a Denial-of-Service attack against clients using TKIP. For this to work, at least one client must be using TKIP! The code is available as a patch on top of aircrack-ng. Note that mdk3 contains an independent implementation of this attack.
- Predicting WPA2 Group Key: this script exploits weak random number generators in MediaTek (and simulated Broadcom) implementations. The brute-force search is sped up using GPU code.
- ApBleed: experimental code to test heartbleed against enterprise Wi-Fi networks.
Selected Linux Kernel Patches
Improved frame injection:
- ath9k_htc: adhere to the DONT_REORDER transmit flag
- mac80211: assure that certain drivers adhere to DONT_REORDER flag
- mac80211: don't overwrite QoS TID of injected frames
- mac80211: adhere to Tx control flag that prevents frame reordering
- mac80211: add radiotap flag to assure frames are not reordered
- mac80211: parse radiotap header when selecting Tx queue
- mac80211: remove unused flags argument in transmit functions
- mac80211: use same flag everywhere to avoid sequence number overwrite
- mac80211: do not overwrite the sequence number if requested
- mac80211: add radiotap flag to prevent sequence number overwrite
- mac80211: never drop injected frames even if normally not allowed
Other Open Source Contributions
- AWUS036ACH driver: prevent sequence number from being overwritten and add a parameter to control retransmission behavior.
- Aircrack-ng: created patch to properly address CVE-2010-1159.
Halo: Combat Evolved
Previously I reverse engineered Halo 1 PC and made tools for it. This was my introduction to reverse engineering and security, and as a tribute I'll list some the tools that I made:
- Gandanur: This tool extends the Halo server with voting abilities, player and admin management functions, remote control tools, and other features that the game lacked. It's programmed in assembly and C++. There was an active collaboration with HaloRank and HaloAntiCheat where they relied on Gandanur.
- Two other tools I made, the Sightjacker and Version Changer, also tended to be popular. The Sightjacker can be used to catch cheaters while the Version Changer allows you to play on all versions of Halo 1.