1、 毕业设计(论文)译文及原稿译文题目:在SMS蜂窝网络上进行开放式功能的开发原稿题目:Exploiting Open Functionality in SMS-Capable Cellular Networks原稿出处:William Enck、Patrick Traynor、Patrick McDaniel and Tho-mas La Porta;Systems and Internet Infrastructure Security La-boratory Department of Computer Science and Engineering;The Pennsylvania St
2、ate University University Park,PA 16802 外文翻译在SMS蜂窝网络上进行开放式功能的开发1.SMS/CELLULAR网络概述 本节简洁介绍基于GSM网络系统的SMS短信从发送到接收的过程概况,包括基于CDMA等移动网络,但原理基本一样。 1.1发送短信 发送短信有两种方法 - 通过其他移动设备或通过一系列外部短消息设备(ESMEs)实现。 ESMEs包括许多不同的设备和接口,从电子邮件和网页到基于消息的服务供应商门户网站,语音邮件服务,传呼系统和应用软件。无论这些系统是通过Internet还是通过特定的专用信道连接移动电话网络,短信首先被传到众所周知的能够
3、处理短信息流量的短消息服务中心(SMSC)服务器。因此,支持短消息功能的服务提供商网路中至少包含一个短消息服务中心。由于这项服务日益普及,因此,服务提供商提供支持多种不同的短消息服务中心的服务变得普遍起来,以此来增加容量。 在接收短信时,要对传入数据包的内容检错,必要时,转换成短信的格式并复制。这样的话,来自互联网的信息将无法区分哪些是从移动电话发来的。随后,消息被放入一个短消息服务中心队列进行转发。 1.2路由短信 SMSC是用来确定如何将短信路由到目的移动设备的。 SMSC查询归属位置寄存器(HLR)数据库,该数据库作为用户数据的永久储存库,其中包括用户信息(如呼叫等待和信息内容),计费数
4、据,有效的目标用户和他们的当前位置信息。通过与其他网络元素的相互联系,HLR检测目标设备的路由信息。如果短消息中心收到当前用户无效的应答消息,它存储的消息下次交付。否则,响应将包含移动交换中心(MSC)目前提供服务的地址。移动交换中心除了呼叫路由外,还有移动设备的认证,本地基站的管理,网路切换和充当连接公众交换电话网络的网关等功能。当短信从短消息服务中心传来时,短消息服务中心提取具体的目标设备信息。然后,短消息服务中心查询访问位置寄存器数据库,访问位置寄存器数据库包含目的设备归属位置寄存器的一个关于目的设备信息的本地副本。然后,移动交换中心通过移动设备所在基站的空中接口转发这条短信。图1.1是
5、移动通信网络图,图1.2是短信的消息流程图。图 1.1 移动通信网络图1.2 短消息流程网络1.3无线传输 空中接口分为两部分 - 控制信道(CCH)和寻呼信道(TCH)。 控制信道又细分为两种-公用控制信道和专用控制信道。公用控制信道是包含寻呼信道(PCH)和随机接入信道(RACH)组成的逻辑信道,用于基站进行语音信号和SMS数据的传输机制。因此,所有连接网络的移动设备周期性地检测公用控制信道上的语音和SMS信号。 基站在寻呼信道上发送包含与终端移动用户相关的临时移动用户识别码(TMSI)信息。为了防止窃听者试图确定接收手机的身份,因此,网络中使用临时移动用户识别码,而不会使用目的移动手机的
6、电话号码传送信息。当移动设备检测到自己的临时移动用户识别码时,它试图通过随机接入信道连接基站,并通知网络自己的设备能被呼叫和接收数据。当基站接收到响应信号时,就通知目的设备检测具体的独立专用控制信道(SDCCH)信号。使用独立专用控制信道,基站能简化对目的设备的认证(通过在移动交换中心的用户信息),启用加密,提供一个新的TMSI,然后传送短信本身。为了减少开销,如果短消息服务中心包含多个SMS消息,则一次SDCCH会话中发送不只一条短信5。如果不是文本信息,而是进行呼叫接续,则上述所有的信道以同样的方式传输信号,来建立业务信道的连接。 空中接口交付的最后阶段见图1.3。 图1.3 简化的SMS
7、空中接口2.SMS/CELLULAR网络脆弱性分析 在日常的社交活动和简单的商业性质的交流中,SMS系统的大多数合理使用功能常常被定性为是不重要的。这些通信的显着特点是,它们通常可以通过其他一些途径实现,尽管潜在的合适信道很少。然而,在 2001年9月11日发生的恐怖袭击期间,文字消息被证明是更实用。随着成百上千的人想联络他们的朋友和家人,电信公司意识到了这大大阻碍移动语音服务的使用。例如,威瑞森无线公司,报告语音通话流量已经高出一般水平一倍以上; 辛格勒无线公司数据显示接入华盛顿地区的语音通话流量已高出了10倍以上44。虽然这些网络设计能处理高于原有理论的容量,但如此大量的通话需求远远超过它
8、的极限值,影响语音通信能力。由于业务信道渐渐达到饱和,基于语音电话服务就变得毫无价值,然而,即使在最拥挤的地区,短信仍然能被成功接收,因为短信使用控制信道,它并不拥塞,因此,短信传送仍然有效。 尽管不能实现语音通话,但有需要的大多数的个体用户可以通过文字信息功能实现通信。因此,现在看来,短信作为一种可靠的通讯方法,这是其他通信方式无法实现的特点。 由于随机接入信道是一个使用时隙ALOHA协议的共享信道,某一基站上大量的呼叫响应很慢。 由于短信的不断扩散,我们分析互联网的起源,蜂窝网络的短信攻击、语音和其他服务的影响。我们首先通过对现有标准的文件和灰盒测试的广泛研究,了解这些系统的特性。从这些数
9、据,我们论述了一系列的攻击和移动电话网络的脆弱性。最后,通过这次的灰盒测试,我们评估网络抵御这些攻击的能力。 在讨论任何有关移动网络攻击的具体情况时,必需要从对手的角度来审视这些系统。在本节中,通过确定这些网络的瓶颈,我们提出了简单的方法来发现网络中最脆弱的部分。然后,探讨建立有效的终端系统来处理这些瓶颈。 2.1确定蜂窝网络的瓶颈 短信传送至移动网络和移动用户接收短信之间存在着固有的成本失衡。这种不平衡是DOS攻击的根源。 要认识这些瓶颈,需要对整个系统有彻底的了解。蜂窝网络标准文件,该文件虽然提供系统建立的框架,但缺乏具体实施的细节。为了弥补这个差距,我们进行灰盒测试7,14。 我们通过系
10、统的传输协议、传输速率和接口特性来度量系统的特征。所有测试都是用我们自己的手机完成。 我们绝不会把有害的数据包加入系统或违反任何服务协议。2.1.1传输协议 网络的传输协议规定了信息在系统中的传输方式。通过对这个信息流的研究来推测系统接收信息的响应度。整个系统的响应是多个排队点总和得到的。该标准文件包括两个节点-短消息服务中心和目标设备。 短消息服务中心是短信服务的核心,所有的信息必须通过他们。由于实际条件的限制,每个SMSC的只有队列的每个用户的邮件数量有限。短消息服务中心是根据存储和转发机制进行信息路由,每条信息都会被保存,除非目标设备成功接收该短信或超时无效。通过缓冲区容量和短信删除策略
11、确定哪些信息到达接受者。 SMSC的缓冲区和驱逐政策进行了评价,同时慢慢注入目标设备是断电的消息。最著名的三大服务提供商为:ATT公司(现在是Cingular公司的一部分),Verizon和斯普林特公司。对于每一个供应商,每60秒可以连续处理缓存中大约400条信息。当设备重新连接网络时,包含缓冲区大小和序列短信删除策略的序列号会变化。我们发现,ATT的短消息服务中心的缓冲区能存放400条短信.这看起来似乎很大,400条含160字节的信息量大小也只有62.5KB。而对Verizon公司的短消息服务中心测试的结果不一样。当设备开启时,下载的第一条消息不是序列号为1的那条,而是序列号为301的那条。
12、这表明,Verizon公司的短消息服务中心缓存区只能存储100条信息和采用先进先出的规则执行,一个FIFO迁出的政策缓冲能力。斯普林特公司的短消息服务中心是与AT&T公司和Verizon公司的都不同。它的设备重新连接网络时,只能容纳从序列号从1开始的30条短信。因此, 斯普林特公司的短消息服务中心只能存储30条短信,也遵循先入先出的规则。当终端设备的短信缓存区是满的,网络中的短信被保留在短消息服务中心的缓存中。在这种情况下,与全球移动通信系统的标准一样,移动手机会从归属位置寄存器返回一个基站缓存溢出标志。由于归属位置寄存器不可能确定每一个手机的收件箱容量,因此,我们选择了不同时期不同价格的手机
13、进行测试:美国电话电报公司的Nokia 3560手机、弗莱森电讯的稍新一点的LG 4400手机和斯普林特公司最近发布的高端Treo 650手机,包含1GB的可移动的记忆棒。移动设备的能力可以通过缓慢地发送信息到目标用户,使目标用户的整个收件箱出现警告指示来观察。表2.1所示是不同移动设备缓冲能力的结果值。表2.1 SMS移动设备容量 发送规则实验结果指明手机短信服务系统是如何对大量涌入的文本信息作出反应。我们确信大多数短消息服务中心和移动设备的缓冲容量有限。倘若发生拒绝服务攻击,大量短信涌入造成短信的丢失。因此,拒绝服务攻击要成功,必须有分布式的大量用户。Exploiting Open Fun
14、ctionality in SMS-Capable Cellular Networks1SMS/CELLULAR NETWORK OVERVIEWThis section offers a simplied view of an SMS message traversing a GSM-based system from submission to delivery. These procedures are similar in other cellular networks including CDMA.1.1 Submitting a MessageThere are two metho
15、ds of sending a text message to a mobile device - via another mobile device or through a variety of External Short Messaging Entities (ESMEs). ESMEs include a large number of diverse devices and interfaces ranging from email and web-based messaging portals at service provider websites to voicemail s
16、ervices, paging systems and software applications. Whether these systems connect to the mobile phone network via the Internet or specic dedicated channels, messages are rst delivered to a server that handles SMS trafc known as the Short Messaging Service Center (SMSC). A service provider supporting
17、text messaging must have at least one SMSC in their network. Due to the rising popularity of this service, however, it is becoming increasingly common for service providers to support multiple SMSCs in order to increase capacity.Upon receiving a message, the contents of incoming packets are examined
18、 and, if necessary, converted and copied into SMS message format. At this point in the system, messages from the Internet become indistinguishable from those that originated from mobile phones. Messages are then placed into an SMSC queue for forwarding.1.2 Routing a MessageThe SMSC needs to determin
19、e how to route messages to their targeted mobile devices. The SMSC queries a Home Location Register (HLR) database, which serves as the permanent repository of user data and includes subscriber information (e.g. call waiting and text messaging), billing data, availability of the targeted user and th
20、eir current location. Through interaction with other network elements, the HLR determines the routing information for the destination device. If the SMSC receives a reply stating that the current user is unavailable, it stores the text message for later delivery. Otherwise, the response will contain
21、 the address of the Mobile Switching Center (MSC) currently providing service. In addition to call routing, MSCs are responsible for facilitating mobile device authentication, location management for attached base stations (BS), performing handoffs and acting as gateways to the Public Switched Telep
22、hone Network (PSTN).When a text message arrives from the SMSC, the MSC fetches information specic to the target device. The MSC queries a database known as the Visitor Location Register, which returns a local copy of the targeted devices information when it is away from its HLR.The MSC then forwards
23、 the text message on to the appropriate base station for transmission over the air interface. A diagram of a mobile phone network is depicted in Figure 1.1, followed by a simplied SMS message ow in Figure 1.2.Figure 1.1 SMS NetworkFigure 1.2 Simplified examples of an SMS Network and message flow1.3
24、Wireless DeliveryThe air interface is divided into two parts - the Control Channels (CCH) and Trafc Channels (TCH). The CCH is further divided into two types of channels - the Common CCH and Dedicated CCHs. The Common CCH, which consists of logical channels including the Paging Channel (PCH) and Ran
25、dom Access Channel(RACH), is the mechanism used by the base station to initiate the delivery of voice and SMS data. Accordingly, all connected mobile devices are constantly listening to the Common CCH for voice and SMS signaling.The base station sends a message on the PCH containing the Temporary Mo
26、bile Subscriber ID (TMSI) associated with the end destination. The network uses the TMSI instead of the targeted devices phone number in order to thwart eavesdroppers attempting to determine the identity of the receiving phone. When a device hears its TMSI, it attempts to contact the base station ov
27、er the RACH and alerts the network of its availability to receive incoming call or text data. When the response arrives, the base station instructs the targeted device to listen to a specic Standalone Dedicated Control Channel (SDCCH). Using the SDCCH, the base station is able to facilitate authenti
28、cation of the destination device (via the subscriber information at the MSC), enable encryption, deliver a fresh TMSI and then deliver the SMS message itself. In order to reduce overhead, if multiple SMS messages exist on the SMSC, more than one message may be transmitted over an SDCCH session 5. If
29、 a voice call had been waiting at the base station instead of a text message,all of the above channels would have been used in the same manner to establish a connection on a trafc channel.An illustration of this nal stage of delivery over the air interface is shown in Figure 1.3.Figure 1.3 Simplifie
30、d SMS air interface communication2SMS/CELLULAR NETWORK VULNERABILITY ANALYSISThe majority of legitimate uses for SMS can often be characterized as nonessential, ranging from social interactions to low priority business-related exchanges. The salient feature of these communications is that they can t
31、ypically be accomplished through a number of other, albeit potentially less convenient channels. During the terrorist attacks of September 11, 2001, however, the nature of text messaging proved to be far more utilitarian. With millions of people attempting to contact friends and family, telecommunic
32、ations companies witnessed tremendous spikes in cellular voice service usage. Verizon Wireless, for example, reported voice trafc rate increases of up to 100% above typical levels; Cingular Wireless recorded an increase of up to 1000% on calls destined for the Washington D.C. area 44. While these ne
33、tworks are engineered to handle elevated amounts of trafc, the sheer number of calls was far greater than capacity for voice communications in the affected areas. However, with voice-based phone services being almost entirely unavailable due to TCH saturation, SMS messages were still successfully re
34、ceived in even the most congested regions because the control channels responsible for their delivery remained available.Text messaging allowed the lines of communication to remain open for many individuals in need in spite of their inability to complete voice calls. Accordingly, SMS messaging is no
35、w viewed by many as a reliable method of communication when all other means appear unavailable.A high number of call initiations at a given base station slows this response as the RACH is a shared access channel running the Slotted Aloha protocolDue to this proliferation of text messaging, we analyz
36、e Internet-originated, SMS attacks and their effects on voice and other services in cellular networks. We rst characterize these systems through an extensive study of the available standards documentation and gray-box testing. From this data, we discuss a number of attacks and the susceptibility of
37、mobile phone networks to each.Lastly, from gray-box testing,we assess the resilience of these networks to these attacks.Before discussing the specics of any attack on cellular networks, it is necessary to examine these systems from an adversarys perspective. In this section, we present simple method
38、s of discovering the most fragile portions of these networks by determining system bottlenecks. We then investigate the creation of effective targeting systems designed to exploit these choke points.2.1 Determining Bottlenecks in Cellular NetworksThere is an inherent cost imbalance between injecting
39、 SMS messages into the phone network and delivering messages to a mobile user. Such imbalances are the root of DoS attacks.Recognizing these bottlenecks requires a thorough understanding of the system. The cellular network standards documentation provides the framework from which the system is built
40、, but it lacks implementation specic details. In an effort to bridge this gap, we performed gray-box testing 7, 14.We characterize these systems by delivery disciplines, delivery rates, and interfaces. All tests were performed using our own phones.At no time did we inject a damaging volume of packet
41、s into the system or violate any service agreement.2.1.1 Delivery DisciplineThe delivery discipline of a network dictates the way messages move through the system. By studying this ow, we determine system response to an inux of text messages. The overall system response is a composite of multiple qu
42、euing points. The standards documentation indicates two points of interest - the SMSC and the target device.SMSCs are the locus of SMS message ow; all messages pass through them. Due to practical limitations, each SMSC only queues a nite number of messages per user. As SMSCs route messages according
43、 to a store and forward mechanism, each message is held until either the target device successfully receives it or it is dropped due to age. The buffer capacity and eviction policy therefore determine which messages reach the recipient.The SMSC buffer and eviction policy were evaluated by slowly inj
44、ecting messages while the target device was powered off. Three of the most prominent service providers were evaluated: AT&T(now part of Cingular), Verizon, and Sprint. For each provider, 400 messages were serially injected at a rate of approximately one per 60 seconds. When the device was reconnecte
45、d to the network, the range of the attached sequence numbers indicated both buffer size and queue eviction policy.We found that AT&Ts SMSC buffered the entire 400 messages.While seemingly large, 400 160-byte messages is only 62.5KB.Tests of Verizons SMSC yielded different results. When the device wa
46、s turned on, the rst message downloaded was not sequence number one; instead the rst 300 messages were missing. This demonstrates that Verizons SMSC has a buffer capacity of 100 messages and a FIFO eviction policy. Sprints SMSC proved different than both AT&T and Verizon. Upon reconnecting the devic
47、e to the network, we found only 30 messages starting with message number one. Therefore, Sprints SMSC has a message capacity of 30 messages and a LIFO eviction policy.Messages also remain in the SMSC buffer when the target devices message buffer is full.This occurs, as noted in the GSM standards 5,
48、when the mobile phone returns a Mobile-Station-Memory-Capacity-Exceeded-Flag to the HLR. Because it is impossible to determine the inbox capacity of every phone, we chose to test three representative devices of varying age and expense:the Nokia 3560 (AT&T), the slightly newer LG 4400 (Verizon), and the recently released high-end Treo 650 (Sprint) containing a 1GB removable mem
浙ICP备2021020529号-1 | 浙B2-20240490 
