1 files changed, 451 insertions, 0 deletions
diff --git a/2010/openbsc-elce2010/openbsc.tex b/2010/openbsc-elce2010/openbsc.tex
new file mode 100644
index 0000000..b387895
--- /dev/null
+++ b/2010/openbsc-elce2010/openbsc.tex
@@ -0,0 +1,451 @@
+% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $
+
+\documentclass{beamer}
+
+\usepackage{url}
+\makeatletter
+\def\url@leostyle{%
+  \@ifundefined{selectfont}{\def\UrlFont{\sf}}{\def\UrlFont{\tiny\ttfamily}}}
+\makeatother
+%% Now actually use the newly defined style.
+\urlstyle{leo}
+
+
+% This file is a solution template for:
+
+% - Talk at a conference/colloquium.
+% - Talk length is about 20min.
+% - Style is ornate.
+
+
+
+% Copyright 2004 by Till Tantau <tantau@users.sourceforge.net>.
+%
+% In principle, this file can be redistributed and/or modified under
+% the terms of the GNU Public License, version 2.
+%
+% However, this file is supposed to be a template to be modified
+% for your own needs. For this reason, if you use this file as a
+% template and not specifically distribute it as part of a another
+% package/program, I grant the extra permission to freely copy and
+% modify this file as you see fit and even to delete this copyright
+% notice. 
+
+
+\mode<presentation>
+{
+  \usetheme{Warsaw}
+  % or ...
+
+  \setbeamercovered{transparent}
+  % or whatever (possibly just delete it)
+}
+
+
+\usepackage[english]{babel}
+% or whatever
+
+\usepackage[latin1]{inputenc}
+% or whatever
+
+\usepackage{times}
+\usepackage[T1]{fontenc}
+\usepackage{subfigure}
+\usepackage{hyperref}
+% Or whatever. Note that the encoding and the font should match. If T1
+% does not look nice, try deleting the line with the fontenc.
+
+
+\title{Free Software GSM protocol stacks}
+
+\subtitle
+{OpenBSC, OsmoSGSN, OpenGGSN, OsmocomBB}
+
+\author{Harald Welte}
+
+\institute
+{gnumonks.org\\gpl-violations.org\\OpenBSC\\airprobe.org\\hmw-consulting.de}
+% - Use the \inst command only if there are several affiliations.
+% - Keep it simple, no one is interested in your street address.
+
+\date[ELCE 2010] % (optional, should be abbreviation of conference name)
+{ELCE 2010, October 2010, Cambridge/UK}
+% - Either use conference name or its abbreviation.
+% - Not really informative to the audience, more for people (including
+%   yourself) who are reading the slides online
+
+\subject{GSM Security}
+% This is only inserted into the PDF information catalog. Can be left
+% out. 
+
+
+
+% If you have a file called "university-logo-filename.xxx", where xxx
+% is a graphic format that can be processed by latex or pdflatex,
+% resp., then you can add a logo as follows:
+
+% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
+% \logo{\pgfuseimage{university-logo}}
+
+
+
+% Delete this, if you do not want the table of contents to pop up at
+% the beginning of each subsection:
+%\AtBeginSubsection[]
+%{
+%  \begin{frame}<beamer>{Outline}
+%    \tableofcontents[currentsection,currentsubsection]
+%  \end{frame}
+%}
+
+
+% If you wish to uncover everything in a step-wise fashion, uncomment
+% the following command: 
+
+%\beamerdefaultoverlayspecification{<+->}
+
+
+\begin{document}
+
+\begin{frame}
+  \titlepage
+\end{frame}
+
+\begin{frame}{Outline}
+  \tableofcontents
+  % You might wish to add the option [pausesections]
+\end{frame}
+
+
+% Structuring a talk is a difficult task and the following structure
+% may not be suitable. Here are some rules that apply for this
+% solution: 
+
+% - Exactly two or three sections (other than the summary).
+% - At *most* three subsections per section.
+% - Talk about 30s to 2min per frame. So there should be between about
+%   15 and 30 frames, all told.
+
+% - A conference audience is likely to know very little of what you
+%   are going to talk about. So *simplify*!
+% - In a 20min talk, getting the main ideas across is hard
+%   enough. Leave out details, even if it means being less precise than
+%   you think necessary.
+% - If you omit details that are vital to the proof/implementation,
+%   just say so once. Everybody will be happy with that.
+
+\begin{frame}{About the speaker}
+\begin{itemize}
+	\item Using + playing with Linux since 1994
+	\item Kernel / bootloader / driver / firmware development since 1999
+	\item IT security expert, focus on network protocol security
+	\item Core developer of Linux packet filter netfilter/iptables 
+	\item Board-level Electrical Engineering
+	\item Always looking for interesting protocols (RFID, DECT, GSM)
+\end{itemize}
+\end{frame}
+
+\section{GSM/3G security}
+
+\begin{frame}{GSM/3G protocol security}
+\begin{itemize}
+	\item Observation
+	\begin{itemize}
+		\item Both GSM/3G and TCP/IP protocol specs are publicly available
+		\item The Internet protocol stack (Ethernet/Wifi/TCP/IP) receives lots of scrutiny
+		\item GSM networks are as widely deployed as the Internet
+		\item Yet, GSM/3G protocols receive no such scrutiny!
+	\end{itemize}
+	\item There are reasons for that:
+	\begin{itemize}
+		\item GSM industry is extremely closed (and closed-minded)
+		\item Only about 4 closed-source protocol stack implementations
+		\item GSM chipset makers never release any hardware documentation
+	\end{itemize}
+\end{itemize}
+\end{frame}
+
+\subsection{The closed GSM industry}
+
+\begin{frame}{The closed GSM industry}{Handset manufacturing side}
+\begin{itemize}
+	\item Only very few companies build GSM/3.5G baseband chips today
+	\begin{itemize}
+		\item Those companies buy the operating system kernel and the protocol stack from third parties
+	\end{itemize}
+	\item Only very few handset makers are large enough to become a customer
+	\begin{itemize}
+		\item Even they only get limited access to hardware documentation
+		\item Even they never really get access to the firmware source
+	\end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The closed GSM industry}{Network manufacturing side}
+\begin{itemize}
+	\item Only very few companies build GSM network equipment
+	\begin{itemize}
+		\item Basically only Ericsson, Nokia-Siemens, Alcatel-Lucent and Huawei
+		\item Exception: Small equipment manufacturers for picocell / nanocell / femtocells / measurement devices and law enforcement equipment
+	\end{itemize}
+	\item Only operators buy equipment from them
+	\item Since the quantities are low, the prices are extremely high
+	\begin{itemize}
+		\item e.g. for a BTS, easily 10-40k EUR
+	\end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The closed GSM industry}{Operator side}
+\begin{itemize}
+	\item Operators are mainly banks today
+	\item Typical operator outsources
+	\begin{itemize}
+		\item Network planning / deployment / servicing
+		\item Even Billing!
+	\end{itemize}
+	\item Operator just knows the closed equipment as shipped by manufacturer
+	\item Very few people at an operator have knowledge of the protocol beyond what's needed for operations and maintenance
+\end{itemize}
+\end{frame}
+
+\begin{frame}{GSM is more than phone calls}
+Listening to phone calls is boring...
+\begin{itemize}
+	\item Machine-to-Machine (M2M) communication
+	\begin{itemize}
+		\item BMW can unlock/open your car via GSM
+		\item Alarm systems often report via GSM
+		\item Smart Metering (Utility companies)
+		\item GSM-R / European Train Control System
+		\item Vending machines report that their cash box is full
+		\item Control if wind-mills supply power into the grid
+		\item Transaction numbers for electronic banking
+	\end{itemize}
+\end{itemize}
+\end{frame}
+
+\subsection{Security implications}
+
+\begin{frame}{The closed GSM industry}{Security implications}
+The security implications of the closed GSM industry are:
+\begin{itemize}
+	\item Almost no people who have detailed technical knowledge outside the protocol stack or GSM network equipment manufacturers
+	\item No independent research on protocol-level security
+	\begin{itemize}
+		\item If there's security research at all, then only theoretical (like the A5/2 and A5/1 cryptanalysis)
+		\item Or on application level (e.g. mobile malware)
+	\end{itemize}
+	\item No open source protocol implementations
+	\begin{itemize}
+		\item which are key for making more people learn about the protocols
+		\item which enable quick prototyping/testing by modifying existing code
+	\end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The closed GSM industry}{My self-proclaimed mission}
+Mission: Bring TCP/IP/Internet security knowledge to GSM
+\begin{itemize}
+	\item Create tools to enable independent/public IT Security community to examine GSM
+	\item Try to close the estimated 10 year gap between the state of security technology on the Internet vs. GSM networks
+	\begin{itemize}
+		\item Industry thinks in terms of {\em walled garden} and {\em phones behaving like specified}
+		\item No proper incident response strategies!
+		\item No packet filters, firewalls, intrusion detection on GSM protocol level
+		\item General public assumes GSM networks are safer than Internet
+	\end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{The closed GSM industry}{Areas of interest for Security research}
+\begin{itemize}
+	\item Specification problems
+	\begin{itemize}
+		\item Encryption optional, weak and only on the Um interface
+		\item Lack of mutual authentication
+		\item Silent calls for pin-pointing a phone
+		\item RRLP and SUPL to obtain GPS coordinates of phone
+	\end{itemize}
+	\item Implementation problems
+	\begin{itemize}
+		\item TMSI information leak on network change
+		\item TLV parsers that have never seen invalid packets
+		\item Obscure options in spec lead to rarely-tested/used code paths
+	\end{itemize}
+	\item Operation problems
+	\begin{itemize}
+		\item VLR overflow leading to paging-by-IMSI
+		\item TMSI re-allocation too infrequent
+		\item Networks/Cells without frequency hopping
+	\end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Security analysis of GSM}{How would you get started?}
+If you were to start with GSM protocol level security analysis, where and
+how would you start?
+\begin{itemize}
+	\item On the network side?
+	\begin{itemize}
+		\item Difficult since equipment is not easily available and normally extremely expensive
+		\item However, network is very modular and has many standardized/documented interfaces
+		\item Thus, if BTS equipment is available, much easier/faster progress
+	\end{itemize}
+	\item Result: Started project OpenBSC in 10/2008
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Security analysis of GSM}{How would you get started?}
+If you were to start with GSM protocol level security analysis, where and
+how would you start?
+\begin{itemize}
+	\item On the handset side?
+	\begin{itemize}
+		\item Difficult since GSM firmware and protocol stacks are closed and proprietary
+		\item Even if you want to write your own protocol stack, the layer 1 hardware and signal processing is closed and undocumented, too
+		\item Publicly known attempts (12/2009)
+		\begin{itemize}
+			\item The TSM30 project as part of the THC GSM project
+			\item mados, an alternative OS for Nokia DTC3 phones
+		\end{itemize}
+		\item none of those projects have been successful
+		\item Result: Started project OsmocomBB in 01/2010
+	\end{itemize}
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{Security analysis of GSM}{The bootstrapping process}
+\begin{itemize}
+	\item Start to read GSM specs (> 1000 PDF documents)
+	\item Gradually grow knowledge about the protocols
+	\item Obtain actual GSM network equipment (BTS)
+	\item Try to get actual protocol traces as examples
+	\item Start a complete protocol stack implementation from scratch
+	\item Finally, go and play with GSM protocol security
+\end{itemize}
+\end{frame}
+
+\subsection{The GSM network}
+
+\begin{frame}{The GSM network}
+  \begin{figure}[h]
+  \centering
+  \includegraphics[width=100mm]{gsm_network.png}
+  \end{figure}
+\end{frame}
+
+\begin{frame}{GSM network components}
+  \begin{itemize}
+    \item The BSS (Base Station Subsystem)
+    \begin{itemize}
+      \item MS (Mobile Station): Your phone
+      \item BTS (Base Transceiver Station): The {\em cell tower}
+      \item BSC (Base Station Controller): Controlling up to hundreds of BTS
+    \end{itemize}
+    \item The NSS (Network Sub System)
+    \begin{itemize}
+      \item MSC (Mobile Switching Center): The central switch
+      \item HLR (Home Location Register): Database of subscribers
+      \item AUC (Authentication Center): Database of authentication keys
+      \item VLR (Visitor Location Register): For roaming users
+      \item EIR (Equipment Identity Register): To block stolen phones
+    \end{itemize}
+  \end{itemize}
+\end{frame}
+
+\begin{frame}{GSM network interfaces}
+  \begin{itemize}
+    \item Um: Interface between MS and BTS
+    \begin{itemize}
+	\item the only interface that is specified over radio
+    \end{itemize}
+    \item A-bis: Interface between BTS and BSC
+    \item A: Interface between BSC and MSC
+    \item B: Interface between MSC and other MSC
+  \end{itemize}
+  GSM networks are a prime example of an asymmetric distributed network,
+  very different from the end-to-end transparent IP network.
+\end{frame}
+
+
+\subsection{The GSM protocols}
+
+\begin{frame}{GSM network protocols}{On the Um interface}
+  \begin{itemize}
+    \item Layer 1: Radio Layer, TS 04.04
+    \item Layer 2: LAPDm, TS 04.06
+    \item Layer 3: Radio Resource, Mobility Management, Call Control: TS 04.08
+    \item Layer 4+: for USSD, SMS, LCS, ...
+  \end{itemize}
+\end{frame}
+
+\begin{frame}{GSM network protocols}{On the A-bis interface}
+  \begin{itemize}
+    \item Layer 1: Typically E1 line, TS 08.54
+    \item Layer 2: A variant of ISDN LAPD with fixed TEI's, TS 08.56
+    \item Layer 3: OML (Organization and Maintenance Layer, TS 12.21)
+    \item Layer 3: RSL (Radio Signalling Link, TS 08.58)
+    \item Layer 4+: transparent messages that are sent to the MS via Um
+  \end{itemize}
+\end{frame}
+
+\include{section-openbsc}
+
+\include{section-osmocombb}
+
+\section{Summary}
+
+\subsection{What we've learned}
+
+\begin{frame}{Summary}{What we've learned}
+\begin{itemize}
+	\item The GSM industry is making security analysis very difficult
+	\item It is well-known that the security level of the GSM stacks is very low
+	\item We now have multiple solutions for sending arbitrary protocol data
+	\begin{itemize}
+		\item From a rogue network to phones (OpenBSC, OpenBTS)
+		\item Frem a FOSS controlled phone to the network (OsmocomBB)
+		\item From an A-bis proxy to the network or the phones
+	\end{itemize}
+\end{itemize}
+\end{frame}
+
+\subsection{Where we go from here}
+
+\begin{frame}{TODO}{Where we go from here}
+\begin{itemize}
+	\item The tools for fuzzing mobile phone protocol stacks are available
+	\item It is up to the security community to make use of those tools (!)
+	\item Don't you too think that TCP/IP security is boring?
+	\item Join the GSM protocol security research projects
+	\item Boldly go where no man has gone before
+\end{itemize}
+\end{frame}
+
+\subsection{Where we go from here}
+
+\begin{frame}{Current Areas of Work / Future plans}
+\begin{itemize}
+	\item UMTS(3G) support for NodeB and femtocells
+	\item SS7 / MAP integration
+	\item Playing with SIM Toolkit from the operator side
+	\item Playing with MMS
+	\item More exploration of RRLP + SUPL
+\end{itemize}
+\end{frame}
+
+\subsection{Further Reading}
+
+\begin{frame}{Further Reading}
+\begin{itemize}
+	\item \url{http://laforge.gnumonks.org/papers/gsm_phone-anatomy-latest.pdf}
+	\item \url{http://bb.osmocom.org/}
+	\item \url{http://openbsc.gnumonks.org/}
+	\item \url{http://openbts.sourceforge.net/}
+	\item \url{http://airprobe.org/}
+\end{itemize}
+\end{frame}
+
+\end{document}