From IP ID to Device ID and KASLR Bypass
IPv4 headers include a 16-bit ID field. Our work examines the generation of this field in Windows, Linux and Android, and shows that the IP ID field enables remote servers to assign a unique ID to each device and thus be able to identify subsequent transmissions sent from that device. This identification works across all browsers and over network changes, including VPNs and browser privacy modes. In modern Linux and Android versions, this field leaks a kernel address, thus we also break KASLR, which is a major part of the kernel security defenses.
Our work includes reverse-engineering of the Windows IP ID generation code, and a cryptanalysis of this code and of the Linux kernel IP ID generation code. It provides practical techniques to partially extract the key used by each of these algorithms. We deployed a demo (for Windows) showing that key extraction and machine fingerprinting works in the wild, and tested it from networks around the world.
We disclosed our findings to Microsoft and Linux, and they subsequently deployed patches to mitigate our attacks.
Bio: Amit is currently a post-doc researcher in the Hebrew University. He did his PhD studies at Bar Ilan University. Previously he was the CTO of Trusteer (now an IBM company), and the chief scientist of Cyota (acquired by RSA Security). His research is in the intersection between network protocols and operating system security. His research won the first prize in the CSAW Israel applied research competitions in 2019 and 2020. Aside from academic conferences, his research was frequently presented at top industrial cyber security conferences.
The Network Time Protocol (NTP) synchronizes time across computer systems over the Internet, and so constitutes a crucial part of the Internet infrastructure. Unfortunately, NTP is highly vulnerable to “time shifting attacks”, which has severe implications for time-sensitive applications, as well as many security mechanisms. I will discuss our recent proposals for securing NTP, which draw ideas from distributed computing theory to achieve good synchronization even in the presence of powerful man-in-the-middle attackers. I will also discuss some lessons we have learned from this endeavor, which we believe apply to securing the Internet in general.