Abstract: The research presented in this paper provides the
reader with a set of algorithms and techniques that enable the user
to remotely determine what chipset and device driver an 802.11
device is using. The technique outlined is entirely passive, and
given the number of features being considered for inclusion in the
802.11 standard, it seems quite likely that its precision will
increase as the standard marches forward.
The implications of this are far-ranging. On one hand, the
techniques can be used to implement innovative new features in
Wireless Intrusion Detection Systems (WIDS). On the other, they can
be used to target link layer device driver attacks with much higher
precision.
LIST OF FIGURES
Figure 4.1. SimpleCompare duration-value only analysis
Figure 4.2. SimpleCompare (packet_type, duration) analysis
Figure 4.3. MediumCompare duration-value only analysis
Figure 4.4. MediumCompare (packet_type, duration) analysis
Figure 4.5. ComplexCompare duration-value only analysis
Figure 4.6. ComplexCompare (packet_type, duration) analysis
Figure 4.7. BayesCompare duration value only analysis
Figure 4.8. BayesCompare (packet_type, duration) analysis
Figure 4.9. BayesCompare-Modified duration value only analysis
Figure 4.10. BayesCompare-Modified (packet_type, duration) analysis
LIST OF TABLES
4.1 Summary of databases created
4.2 Implementation-Id: 1 (Atheros, ar5211.sys), database: Lexie
4.3 Implementation-Id: 9 (Prism-2.5, smc2532w.sys), database: Lexie
4.4 Implementation-Id: 1 (Atheros, ar5211.sys), database: Lexie
4.5 Implementation-Id: 1 (Atheros, ar5211.sys), database: Lexie
5.1 Ordered list generated from a matching metric.
5.2 SimpleCompare, duration values only
5.3 SimpleCompare, (packet_type, duration) pairs only
5.4 SimpleCompare combined.
5.5 MediumCompare, (packet_type, duration) pairs only
5.6 ComplexCompare, (packet_type, duration) pairs only
5.7 Results summary
A.1 SimpleCompare, duration values only
A.2 SimpleCompare, (packet_type, duration) pairs only
A.3 SimpleCompare combined.
A.4 MediumCompare, duration values only
A.5 MediumCompare, (packet_type, duration) pairs only
A.6 MediumCompare combined.
A.7 ComplexCompare, duration values only
A.8 ComplexCompare, (packet_type, duration) pairs only
A.9 ComplexCompare combined.
A.10 BayesCompare, duration values only
A.11 BayesCompare, (packet_type, duration) pairs only
A.12 BayesCompare combined.
A.13 BayesCompare-modified, duration values only
A.14 BayesCompare-modified, (packet_type, duration) pairs only
A.15 BayesCompare-modified combined.
A.16 Results summary
C.1 Sample output from duration-print-matcher
C.2 Output from: ./duration-print-grader -P ./print-db/lexie/
D Exhaustive 802.11 implementation data
Acknowledgements: I would like to thank Dr. Volpano for his
technical as well as editorial expertise. Without his help, this
work would be significantly more difficult on the reader. I would
also like to thank Joshua Wright and Mike Kershaw for their
technical input and contributions to those of us interested in
802.11 research in general. This material is based upon work
supported by the National Science Foundation under Grant No.
DUE0414102. Any opinions, findings, and conclusions or
recommendations expressed in this material are those of the author
and do not necessarily reflect the views of the National Science
Foundation.
This paper is a subset of the thesis research done while attending
the Naval Postgraduate School. The entire thesis is available at
http://www.802.11mercenary.net/~johnycsh/publications.