Osmocom presentation at KNF 2017

2017/osmocom-knf2017/osmocom-overview.tex

@@ -0,0 +1,631 @@
+% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $
+
+\documentclass{beamer}
+
+\usepackage{url}
+\makeatletter
+\def\url@leostyle{%
+  \@ifundefined{selectfont}{\def\UrlFont{\sf}}{\def\UrlFont{\tiny\ttfamily}}}
+\makeatother
+%% Now actually use the newly defined style.
+\urlstyle{leo}
+
+
+% This file is a solution template for:
+
+% - Talk at a conference/colloquium.
+% - Talk length is about 20min.
+% - Style is ornate.
+
+
+
+% Copyright 2004 by Till Tantau <tantau@users.sourceforge.net>.
+%
+% In principle, this file can be redistributed and/or modified under
+% the terms of the GNU Public License, version 2.
+%
+% However, this file is supposed to be a template to be modified
+% for your own needs. For this reason, if you use this file as a
+% template and not specifically distribute it as part of a another
+% package/program, I grant the extra permission to freely copy and
+% modify this file as you see fit and even to delete this copyright
+% notice. 
+
+
+\mode<presentation>
+{
+  \usetheme{Warsaw}
+  % or ...
+
+  \setbeamercovered{transparent}
+  % or whatever (possibly just delete it)
+}
+
+
+\usepackage[english]{babel}
+% or whatever
+
+%\usepackage[latin1]{inputenc}
+% or whatever
+
+\usepackage{times}
+\usepackage[T1]{fontenc}
+% Or whatever. Note that the encoding and the font should match. If T1
+% does not look nice, try deleting the line with the fontenc.
+
+
+\title{osmocom.org - FOSS for mobile comms}
+
+\subtitle
+{community based Free / Open Source Software for communications}
+
+\author{Harald Welte <laforge@gnumonks.org>}
+
+\institute
+{gnumonks.org\\hmw-consulting.de\\sysmocom GmbH}
+% - Use the \inst command only if there are several affiliations.
+% - Keep it simple, no one is interested in your street address.
+
+\date[] % (optional, should be abbreviation of conference name)
+{June 16, 2014, DORS/CLUC, Zagreb}
+% - Either use conference name or its abbreviation.
+% - Not really informative to the audience, more for people (including
+%   yourself) who are reading the slides online
+
+\subject{Communications}
+% This is only inserted into the PDF information catalog. Can be left
+% out. 
+
+
+
+% If you have a file called "university-logo-filename.xxx", where xxx
+% is a graphic format that can be processed by latex or pdflatex,
+% resp., then you can add a logo as follows:
+
+% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
+% \logo{\pgfuseimage{university-logo}}
+
+
+
+% Delete this, if you do not want the table of contents to pop up at
+% the beginning of each subsection:
+%\AtBeginSubsection[]
+%{
+%  \begin{frame}<beamer>{Outline}
+%    \tableofcontents[currentsection,currentsubsection]
+%  \end{frame}
+%}
+
+
+% If you wish to uncover everything in a step-wise fashion, uncomment
+% the following command: 
+
+%\beamerdefaultoverlayspecification{<+->}
+
+
+\begin{document}
+
+\begin{frame}
+  \titlepage
+\end{frame}
+
+\begin{frame}{Outline}
+  \tableofcontents[hideallsubsections]
+  % You might wish to add the option [pausesections]
+\end{frame}
+
+
+% Structuring a talk is a difficult task and the following structure
+% may not be suitable. Here are some rules that apply for this
+% solution: 
+
+% - Exactly two or three sections (other than the summary).
+% - At *most* three subsections per section.
+% - Talk about 30s to 2min per frame. So there should be between about
+%   15 and 30 frames, all told.
+
+% - A conference audience is likely to know very little of what you
+%   are going to talk about. So *simplify*!
+% - In a 20min talk, getting the main ideas across is hard
+%   enough. Leave out details, even if it means being less precise than
+%   you think necessary.
+% - If you omit details that are vital to the proof/implementation,
+%   just say so once. Everybody will be happy with that.
+
+\begin{frame}{About the speaker}
+\begin{itemize}
+	\item Using + toying with Linux since 1994
+	\item Kernel / bootloader / driver / firmware development since 1999
+	\item IT security expert, focus on network protocol security
+	\item Former core developer of Linux packet filter netfilter/iptables
+	\item Board-level Electrical Engineering
+	\item Always looking for interesting protocols (RFID, DECT, GSM)
+	\item OpenEXZ, OpenPCD, Openmoko, OpenBSC, OsmocomBB, OsmoSGSN
+\end{itemize}
+\end{frame}
+
+
+\section{Researching communications systems}
+
+\subsection{The Rolle of FOSS}
+
+\begin{frame}{What this talk is about}
+\begin{itemize}
+	\item Implementing GSM/GPRS/3G network elements as FOSS
+	\item Applied Protocol Archaeology
+	\item Doing all of that on top of Linux (in userspace)
+	\item From two nerds with a BTS off e-bay to a community project, several companies and real-world deployments around the globe
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{Research in TCP/IP/Ethernet}
+Assume you want to do some research in the TCP/IP/Ethernet
+communications area,
+\begin{itemize}
+	\item you use off-the-shelf hardware (x86, Ethernet card)
+	\item you start with the Linux / *BSD stack
+	\item you add the instrumentation you need
+	\item you make your proposed modifications
+	\item you do some testing
+	\item you write your paper and publish the results
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Research in (mobile) communications}
+Assume it is 2008 (before Osmocom) and you want to do some research in mobile comms
+\begin{itemize}
+	\item there is no FOSS implementation of any of the protocols or
+		functional entities
+	\item almost no university has a test lab with the required
+		equipment.  And if they do, it is black boxes that you
+		cannot modify according to your research requirements
+	\item you turn away at that point, or you cannot work on really
+		exciting stuff
+	\item only chance is to partner with commercial company, who
+		puts you under NDAs and who wants to profit from your
+		research
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Running small (mobile) networks}
+Assume it is 2008 (before Osmocom) and you want to run a small cellular network for research,
+education, testing. You
+\begin{itemize}
+	\item go to Ericsson/Huawei/ZTE/Nokia/Alcatel/...
+	\item spend lots of time convincing them that you’re an eligible customer
+	\item spend a six-digit figure for even the most basic full network
+	\item end up with black boxes that you can neither study or improve
+	\begin{itemize}
+		\item WTF?
+		\item I used FOSS protocol stacks for the Internet since 1994 and hacked on them since 1999. I knew a better world.
+	\end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{GSM/3G vs. Internet}
+\begin{itemize}
+	\item Observation
+	\begin{itemize}
+		\item Both GSM/3G and TCP/IP protocol specs are publicly available
+		\item The Internet protocol stack (Ethernet/Wifi/TCP/IP) receives lots of scrutiny
+		\item GSM networks are as widely deployed as the Internet
+		\item Yet, GSM/3G protocols receive no such scrutiny!
+	\end{itemize}
+	\item There are reasons for that:
+	\begin{itemize}
+		\item GSM industry is extremely closed (and closed-minded)
+		\item Only about 4 closed-source protocol stack implementations
+		\item GSM chipset makers never release any hardware documentation
+	\end{itemize}
+\end{itemize}
+\end{frame}
+
+\begin{frame}{GSM is more than phone calls}
+Listening to phone calls is boring...
+\begin{itemize}
+	\item Machine-to-Machine (M2M) communication
+	\begin{itemize}
+		\item BMW can unlock/open your car via GSM
+		\item Alarm systems often report via GSM
+		\item Smart Metering (Utility companies)
+		\item GSM-R / European Train Control System
+		\item Vending machines report that their cash box is full
+		\item Control if wind-mills supply power into the grid
+		\item Transaction numbers for electronic banking
+	\end{itemize}
+\end{itemize}
+\end{frame}
+
+\section{The Osmocom project}
+
+\begin{frame}{Enter Osmocom}
+In 2008, two crazy Germans (Dieter Spaar + yours truly) started to write FOSS for GSM.
+\begin{itemize}
+	\item to boldly go where no FOSS hacker has gone before
+	\item where protocol stacks are deep
+	\item and acronyms are plentiful
+	\item we went from {\tt bs11-abis} to {\tt bsc\_hack} to OpenBSC to OsmoNITB + OsmoBSC
+	\item many other projects were created
+	\item finally leading to the {\em Osmocom} umbrella project
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Siemens BS-11 via ebay}
+\begin{figure}[h]
+\centering
+\includegraphics[width=50mm]{BS11_BTS.jpg}
+\end{figure}
+\end{frame}
+
+
+\begin{frame}{Simplifying the GSM Network}
+\begin{figure}[h]
+\centering
+\includegraphics[width=99mm]{gsm-digraph-box.png}
+\end{figure}
+\begin{figure}[h]
+\centering
+\includegraphics[width=60mm]{gsm-digraph-nitb.png}
+\end{figure}
+\end{frame}
+
+\begin{frame}{Osmocom / osmocom.org}
+\begin{itemize}
+	\item Osmocom == Open Soruce Mobile Communications
+	\item Classic collaborative, community-driven FOSS project
+	\item Gathers creative people who want to explore this
+		industry-dominated closed mobile communications world
+	\item communication via mailing lists, IRC
+	\item soure code in git, information in trac/wiki
+	\item http://osmocom.org/
+\end{itemize}
+\end{frame}
+
+\subsection{Osmocom sub-projects}
+
+\begin{frame}{OpenBSC}
+\begin{itemize}
+	\item first Osmocom project
+	\item Implements GSM A-bis interface towards BTS
+	\item Primarily supports sysmoBTS and ip.access nanoBTS
+	\item Limited support for some Siemens, Ericsson and Nokia BTS models
+	\item can implement only BSC function (osmo-bsc) or a fully
+		autonomous self-contained GSM network (osmo-nitb) that
+		requires no external MSC/VLR/AUC/HLR/EIR
+	\item deployed in (at least) > 300 installations world-wide, commercial and research
+\end{itemize}
+\end{frame}
+
+\begin{frame}{First OpenBSC test installation (HAR 2009)}
+\begin{figure}[h]
+\centering
+\includegraphics[width=60mm]{bts_tree_full.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{Osmocom Cellular Network use cases}
+\begin{itemize}
+	\item can be used either as pure BSC (A-over-IP)
+	\begin{itemize}
+		\item suitable for operators with existing core (MSC/VLR/HLR/AUC)
+		\item easy integration into existing infrastructure
+	\end{itemize}
+	\item or together with OsmoMSC, OsmoHLR to form a Network In The Box
+	\begin{itemize}
+		\item suitable for private / autonomous small networks (PBX style)
+		\item no dependency on any other external component
+		\item connect to the outside via ISDN or VoIP (using
+			linux call router, osmo-sip-connector)
+		\item off-shore drilling rigs, underground mining, alternative to PMR
+	\end{itemize}
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{OsmoPCU / OsmoSGSN / OsmoGGSN}
+\begin{itemize}
+	\item extends the Osmocom based network from GSM to GPRS/EDGE by
+		implementing the classic PCU, SGSN and GGSN functional
+		entities
+	\item OsmoGGSN based on pre-existing OpenGGSN code that was abandoned by original
+		author
+	\item Works only with BTSs that provides Gb interface, like
+		sysmoBTS or nanoBTS
+	\item Suitable for research only, not production ready
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmoSGSN / OsmoGGSN use cases}
+\begin{itemize}
+	\item Testing of M2M devices using your own BTS+SGSN+GGSN
+	\item Mobile malware research (analyze cellular data traffic of
+		apps)
+	\item Any type of GPRS related research
+	\item Teaching, training on mobile data protocols/interfaces
+		(RLC, MAC, LLC, SNDCP, BSSGP, NS, GTP, etc.)
+	\item 3G / 3.5G support since 2016 by means of IuPS interface
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmoBTS}
+\begin{itemize}
+	\item OpenBSC/OsmoNITB takes care of BTS and higher elements
+	\item OsmoBTS implements a BTS with A-bis/IP back-haul to OpenBSC
+	\item Developed primarily for sysmoBTS hardware
+	\item Ported to various other hardware, even by some BTS vendors!
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[width=99mm]{osmobts-hardware.png}
+\end{figure}
+
+\end{frame}
+
+\begin{frame}{Osmocom 3G}
+\begin{itemize}
+	\item Osmo{BTS,PCU,BSC,MSC,HLR,SGSN,GGSN} developed for 2G/2.5G/2.75G
+	\item in 2015/2016, we added 3G/3.5G support
+	\item OsmoMSC got IuCS interface
+	\item OsmoSGSN got IuPS interface
+	\item OsmoHLR got support for 3G mutual authentication
+	\item OsmoHNBGW for talking Iuh to femtocells
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Osmocom Cellular Network in 2017}
+\begin{figure}[h]
+\centering
+\includegraphics[width=110mm]{osmocom-cellnet-topology.png}
+\end{figure}
+\end{frame}
+
+\begin{frame}{OsmocomBB}
+\begin{itemize}
+	\item Full baseband processor firmware implementation of a mobile phone (MS)
+	\item We re-use existing phone hardware and re-wrote the L1, L2,
+		L3 and higher level logic
+	\item Higher layers reuse code from OpenBSC wherever possible
+	\item Used in a number of universities and other research contexts
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[width=50mm]{c123_pcb.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{OsmocomBB use cases}
+\begin{itemize}
+	\item Applied security research on Infrastructure
+	\begin{itemize}
+		\item Fuzzing / exploiting of protocol parsers on network side
+		\item RACH denial of service
+		\item Check if networks use random padding
+		\item Detect IMSI catchers or other fals base stations
+		\item Assess GSM network (operator) security level
+	\end{itemize}
+	\item Study + learn how a GSM stack / phone work
+	\item Protocol tracing of your own transactions with the network
+\end{itemize}
+\end{frame}
+
+
+\begin{frame}{OsmocomTETRA}
+\begin{itemize}
+	\item SDR implementation of a TETRA radio-modem (PHY/MAC)
+	\item Rx is fully implemented, Tx only partial
+	\item Can be used for air interface interception
+	\item Accompanied by wireshark dissectors for the TETRA protocol
+		stack
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomTETRA use cases}
+\begin{itemize}
+	\item Analysis/assessment of TETRA network security
+	\item Learn how TETRA works on teh lowest levels (L1, MAC, L3)
+	\item Protocol analysis / sniffing / intercepting unencrypted networks
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomGMR}
+\begin{itemize}
+	\item ETSI GMR (Geo Mobile Radio) is "GSM for satellites"
+	\item GMR-1 used by Thuraya satellite network
+	\item OsmocomGMR implements SDR based radiomodem + PHY/MAC (Rx)
+	\item Partial wireshark dissectors for the protocol stack
+	\item Reverse engineered implementation of GMR-A5 crypto
+	\item Speech codec is proprietary, still needs reverse engineering
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomGMR use cases}
+\begin{itemize}
+	\item Analysis/assessment of GMR/Thuraya security (there is none)
+	\item Learn and understnad how satellite telephony L1 and protocol work
+	\item Actual interception of SMS + data
+	\item Voice still difficult due to proprietary undocumented codec
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomDECT}
+\begin{itemize}
+	\item ETSI DECT (Digital European Cordless Telephony) is used in
+		millions of cordless phones
+	\item deDECTed.org project started with open source protocol
+		analyzers and demonstrated many vulnerabilities
+	\item OsmocomDECT is an implementation of the DECT hardware
+		drivers and protocols for the Linux kernel
+	\item Integrates with Asterisk
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmocomOP25}
+\begin{itemize}
+	\item APCO25 is Professional PMR system used in the US
+	\item Can be compared to TETRA in Europe
+	\item OsmocomOP25 is again SDR receiver + protocol analyzer
+	\item Use cases like OsmocomTETRA
+\end{itemize}
+\end{frame}
+
+\begin{frame}{OsmoSDR}
+\begin{itemize}
+	\item small, low-power / low-cost USB SDR hardware
+	\item higher bandwidth than FunCubeDonglePro
+	\item much lower cost than USRP
+	\item Open Hardware
+	\item Developer units available
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[width=70mm]{osmosdr.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{rtl-sdr}
+\begin{itemize}
+	\item re-purpose a USD 20 DVB-T USB dongle based on Realtek chipset
+	\item deactivate/bypass DVB-T demodulator / MPEG decoder
+	\item pass baseband samples via high-speed USB into PC
+	\item no open hardware,  but Free Software
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[width=70mm]{ezcap_top.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{OsmocomSIMTRACE}
+\begin{itemize}
+	\item Hardware protocol tracer for SIM - phone interface
+	\item Wireshark protocol dissector for SIM-ME protocol (TS 11.11)
+	\item Can be used for SIM Application development / analysis
+	\item Also capable of SIM card emulation and man-in-the-middle attacks
+\end{itemize}
+\begin{figure}[h]
+\centering
+\includegraphics[width=60mm]{simtrace_and_phone.jpg}
+\end{figure}
+\end{frame}
+
+\begin{frame}{osmo\_ss7, osmo\_map, signerl}
+\begin{itemize}
+	\item Erlang-language SS7 implementation (MTP3, SCCP, TCAP, MAP)
+	\item SIGTRAN variants (M2PA, M2UA, M3UA and SUA)
+	\item Enables us to interface with GSM/UMTS inter-operator core network
+	\item Already used in production in some really nasty
+		special-purpose protocol translators (think of NAT for
+		SS7)
+\end{itemize}
+\end{frame}
+
+\begin{frame}{osmo\_ss7, osmo\_map, signerl use cases}
+\begin{itemize}
+	\item Implement GSM/3G core network elements (HLR, SCF, etc.)
+	\item Applications that interact with GSM/3G core network
+		elements
+	\item Mostly useful for small MVNOs or other operators who have
+		requirements that cannot be fulfilled with off-the-shelf
+		proprietary equipment.
+\end{itemize}
+\end{frame}
+
+\begin{frame}{More Osmocom projects}
+\begin{itemize}
+	\item Have a look at http://git.osmcoom.org/
+	\item ~ 100 public git repositories / projects at this point
+	\item way too many to cover here in this talk
+	\item Often RTFS, no manual/docs
+\end{itemize}
+\end{frame}
+
+\section{Non-osmocom projects}
+
+\begin{frame}{The OpenBTS Um - SIP bridge}
+\begin{itemize}
+	\item OpenBTS is a SDR implementation of GSM Um radio interface
+	\item directly bridges to SIP/RTP, no A-bis/BSC/A/MSC
+	\item suitable for research on air interface, but very different
+		from traditional GSM networks
+	\item work is being done to make it interoperable with OpenBSC
+\end{itemize}
+\end{frame}
+
+\begin{frame}{airprobe.org}
+\begin{itemize}
+	\item SDR implementation of Um sniffer
+	\item suitable for receiving GSM Um downlink and uplink
+	\item predates all of the other projects
+	\item more or less abandoned at this point
+\end{itemize}
+\end{frame}
+
+\begin{frame}{xgoldmon}
+\begin{itemize}
+	\item extract all GSM/GPRS and even 3G protocol messages from
+		your Samsung Galaxy 2, Galaxy 3, Note 2, Nexus phone via USB
+	\item feed them into your PC running xgoldmon
+	\item forward them from xgoldmon via GSMTAP into wireshark
+	\item https://github.com/2b-as/xgoldmon
+\end{itemize}
+\end{frame}
+
+\begin{frame}{sysmocom GmbH}{systems for mobile communications}
+\begin{itemize}
+	\item small company, started by two Osmocom developers in Berlin
+	\item provides commercial R\&d and support for professional
+		users of Osmocom software
+	\item develops + sells products like sysmoBTS (inexpensive,
+		small-form-factor, OpenBSC compatible BTS)
+	\item runs a small webshop for Osmocom related hardware items
+		like SIMtrace
+\end{itemize}
+\end{frame}
+
+
+\subsection{Future projects}
+
+\begin{frame}{Where do we go from here?}
+\begin{itemize}
+	\item Now that we have GSM, GPRS, EGPRS, UMTS: LTE, of course
+	\item Re-using femtocells in creative ways
+	\item Proprietary PMR systems
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Call for contributions}
+\begin{itemize}
+	\item Don't you agree that classic Internet/TCP/IP is boring and
+		has been researched to death?
+	\item There are many more communications systems out there
+	\item Never trust the industry, they only care about selling
+		their stuff
+	\item Lets democratize access to those communication systems
+	\item Become a contributor or developer today!
+	\item Join our mailing lists, use/improve our code
+	\item for OsmocomBB you only need a EUR 20 phone to start
+\end{itemize}
+\end{frame}
+
+\begin{frame}{Thanks}
+I'd like to thank the many Osmocom developers and contributors, especially
+\begin{itemize}
+	\item Dieter Spaar
+	\item Holger Freyther
+	\item Andreas Eversberg
+	\item Sylvain Munaut
+	\item Neels Hofmeyr
+\end{itemize}
+Also, thanks to CEPT for permitting the GSM specs to be written in English (not French, the official Language of the international postal system)
+\end{frame}
+
+
+\begin{frame}{Thanks}
+Thanks for your attention.  I hope we have time for Q\&A.
+
+EOF.
+\end{frame}
+
+
+\end{document}