% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $
\documentclass{beamer}
\usepackage{url}
\makeatletter
% URL style "leo" for the url package (activated by \urlstyle{leo} below).
% Under NFSS (\selectfont defined) URLs are set in \tiny\ttfamily; when
% \selectfont is undefined the old-style \sf switch is used instead --
% presumably because \sffamily is not available without NFSS, so keep \sf here.
\def\url@leostyle{%
\@ifundefined{selectfont}{\def\UrlFont{\sf}}{\def\UrlFont{\tiny\ttfamily}}}
\makeatother
%% Now actually use the newly defined style.
\urlstyle{leo}
% This file is a solution template for:
|
|
|
|
% - Talk at a conference/colloquium.
|
|
% - Talk length is about 20min.
|
|
% - Style is ornate.
|
|
|
|
|
|
|
|
% Copyright 2004 by Till Tantau <tantau@users.sourceforge.net>.
|
|
%
|
|
% In principle, this file can be redistributed and/or modified under
|
|
% the terms of the GNU Public License, version 2.
|
|
%
|
|
% However, this file is supposed to be a template to be modified
|
|
% for your own needs. For this reason, if you use this file as a
|
|
% template and not specifically distribute it as part of a another
|
|
% package/program, I grant the extra permission to freely copy and
|
|
% modify this file as you see fit and even to delete this copyright
|
|
% notice.
|
|
|
|
|
|
\mode<presentation>
|
|
{
|
|
\usetheme{Warsaw}
|
|
% or ...
|
|
|
|
\setbeamercovered{transparent}
|
|
% or whatever (possibly just delete it)
|
|
}
|
|
|
|
|
|
\usepackage[english]{babel}
|
|
% or whatever
|
|
|
|
\usepackage[latin1]{inputenc}
|
|
% or whatever
|
|
|
|
% NOTE(review): `times' is obsolete (l2tabu); newtx/mathptmx are the usual
% replacements, but changing the font family alters slide layout -- leave as is
% unless the deck is being reworked.
\usepackage{times}
\usepackage[T1]{fontenc}
% NOTE(review): `subfigure' is deprecated in favour of `subcaption'. The
% \include'd sections are not visible here, so check them for \subfigure usage
% before switching packages.
\usepackage{subfigure}
% hyperref is loaded last among these packages, as it should be.
\usepackage{hyperref}
|
|
% Or whatever. Note that the encoding and the font should match. If T1
|
|
% does not look nice, try deleting the line with the fontenc.
|
|
|
|
|
|
\title{Free Software for GSM cellular telephony}
|
|
|
|
\subtitle
|
|
{OpenBSC, OsmoSGSN, OpenGGSN, OsmocomBB}
|
|
|
|
\author{Harald Welte}
|
|
|
|
\institute
|
|
{gnumonks.org\\gpl-violations.org\\osmocom.org\\airprobe.org\\hmw-consulting.de}
|
|
% - Use the \inst command only if there are several affiliations.
|
|
% - Keep it simple, no one is interested in your street address.
|
|
|
|
\date[ENSA 2011] % (optional, should be abbreviation of conference name)
|
|
{ENSA, May 2011, Tetouan/Morocco}
|
|
% - Either use conference name or its abbreviation.
|
|
% - Not really informative to the audience, more for people (including
|
|
% yourself) who are reading the slides online
|
|
|
|
\subject{GSM Security}
|
|
% This is only inserted into the PDF information catalog. Can be left
|
|
% out.
|
|
|
|
|
|
|
|
% If you have a file called "university-logo-filename.xxx", where xxx
|
|
% is a graphic format that can be processed by latex or pdflatex,
|
|
% resp., then you can add a logo as follows:
|
|
|
|
% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
|
|
% \logo{\pgfuseimage{university-logo}}
|
|
|
|
|
|
|
|
% Delete this, if you do not want the table of contents to pop up at
|
|
% the beginning of each subsection:
|
|
%\AtBeginSubsection[]
|
|
%{
|
|
% \begin{frame}<beamer>{Outline}
|
|
% \tableofcontents[currentsection,currentsubsection]
|
|
% \end{frame}
|
|
%}
|
|
|
|
|
|
% If you wish to uncover everything in a step-wise fashion, uncomment
|
|
% the following command:
|
|
|
|
%\beamerdefaultoverlayspecification{<+->}
|
|
|
|
|
|
\begin{document}
|
|
|
|
\begin{frame}
|
|
\titlepage
|
|
\end{frame}
|
|
|
|
\begin{frame}{Outline}
|
|
\tableofcontents[hideallsubsections]
|
|
% You might wish to add the option [pausesections]
|
|
\end{frame}
|
|
|
|
|
|
% Structuring a talk is a difficult task and the following structure
|
|
% may not be suitable. Here are some rules that apply for this
|
|
% solution:
|
|
|
|
% - Exactly two or three sections (other than the summary).
|
|
% - At *most* three subsections per section.
|
|
% - Talk about 30s to 2min per frame. So there should be between about
|
|
% 15 and 30 frames, all told.
|
|
|
|
% - A conference audience is likely to know very little of what you
|
|
% are going to talk about. So *simplify*!
|
|
% - In a 20min talk, getting the main ideas across is hard
|
|
% enough. Leave out details, even if it means being less precise than
|
|
% you think necessary.
|
|
% - If you omit details that are vital to the proof/implementation,
|
|
% just say so once. Everybody will be happy with that.
|
|
|
|
\begin{frame}{About the speaker}
|
|
\begin{itemize}
|
|
\item Using + playing with GNU/Linux since 1994
|
|
\item Kernel / bootloader / driver / firmware development since 1999
|
|
\item IT security expert, focus on network protocol security
|
|
\item Core developer of Linux packet filter netfilter/iptables
|
|
\item Trained as Electrical Engineer
|
|
\item Always looking for interesting protocols (RFID, DECT, GSM)
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{Success of Free Software}{depending on area of computing}
|
|
\begin{itemize}
|
|
\item Free Software has proven to be successful in many areas of
|
|
computing
|
|
\begin{itemize}
|
|
\item Operating Systems (GNU/Linux)
|
|
\item Internet Servers (Apache, Sendmail, Exim, Cyrus, \dots)
|
|
\item Desktop Computers (gnome, KDE, Firefox, LibreOffice, \dots)
|
|
\item Mobile Devices
|
|
\item Embedded network devices (Router, Firewall, NAT, WiFi-AP)
|
|
\end{itemize}
|
|
\item There are more areas of computing that people tend to forget. Examples in the communications area:
|
|
\begin{itemize}
|
|
\item Cellular telephony networks (GSM, 3G, LTE)
|
|
\item Professional Mobile Radio (TETRA, TETRAPOL)
|
|
\item Cordless telephones (DECT)
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\include{part-security_research}
|
|
|
|
\begin{frame}{Security analysis of GSM}{The bootstrapping process}
|
|
\begin{itemize}
|
|
\item Start to read GSM specs (> 1000 PDF documents!)
|
|
\item Gradually grow knowledge about the protocols
|
|
\item Obtain actual GSM network equipment (BTS)
|
|
\item Try to get actual protocol traces as examples
|
|
\item Start a complete protocol stack implementation from scratch
|
|
\item Finally, go and play with GSM protocol security
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\subsection{The GSM network}
|
|
|
|
\begin{frame}{The GSM network}
|
|
\begin{figure}[h]
|
|
\centering
|
|
\includegraphics[width=100mm]{gsm_network.png}
|
|
\end{figure}
|
|
\end{frame}
|
|
|
|
\begin{frame}{GSM network components}
|
|
\begin{itemize}
|
|
\item The BSS (Base Station Subsystem)
|
|
\begin{itemize}
|
|
\item MS (Mobile Station): Your phone
|
|
\item BTS (Base Transceiver Station): The \emph{cell tower}
|
|
\item BSC (Base Station Controller): Controlling up to hundreds of BTS
|
|
\end{itemize}
|
|
\item The NSS (Network Sub System)
|
|
\begin{itemize}
|
|
\item MSC (Mobile Switching Center): The central switch
|
|
\item HLR (Home Location Register): Database of subscribers
|
|
\item AUC (Authentication Center): Database of authentication keys
|
|
\item VLR (Visitor Location Register): For roaming users
|
|
\item EIR (Equipment Identity Register): To block stolen phones
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{GSM network interfaces}
|
|
\begin{itemize}
|
|
\item Um: Interface between MS and BTS
|
|
\begin{itemize}
|
|
\item the only interface that is specified over radio
|
|
\end{itemize}
|
|
\item A-bis: Interface between BTS and BSC
|
|
\item A: Interface between BSC and MSC
|
|
\item B: Interface between MSC and other MSC
|
|
\end{itemize}
|
|
GSM networks are a prime example of an asymmetric distributed network, very different from the end-to-end transparent IP network.
|
|
\end{frame}
|
|
|
|
|
|
\subsection{The GSM protocols}
|
|
|
|
\begin{frame}{GSM network protocols}{On the Um interface}
|
|
\begin{itemize}
|
|
\item Layer 1: Radio Layer, TS 04.04
|
|
\item Layer 2: LAPDm, TS 04.06
|
|
\item Layer 3: Radio Resource, Mobility Management, Call Control: TS 04.08
|
|
\item Layer 4+: for USSD, SMS, LCS, \dots
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{GSM network protocols}{On the A-bis interface}
|
|
\begin{itemize}
|
|
\item Layer 1: Typically E1 line, TS 08.54
|
|
\item Layer 2: A variant of ISDN LAPD with fixed TEIs, TS 08.56
|
|
\item Layer 3: OML (Organization and Maintenance Layer, TS 12.21)
|
|
\item Layer 3: RSL (Radio Signalling Link, TS 08.58)
|
|
\item Layer 4+: transparent messages that are sent to the MS via Um
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\include{section-openbsc}
|
|
|
|
\include{section-osmocombb}
|
|
|
|
\include{section-openbts}
|
|
\include{section-airprobe}
|
|
\include{section-wireshark}
|
|
|
|
%\section{Summary}
|
|
%\subsection{What we've learned}
|
|
|
|
\begin{frame}{Summary}{What we've learned}
|
|
\begin{itemize}
|
|
\item The GSM industry is making security analysis very difficult
|
|
\item It is well-known that the security level of the GSM stacks is very low
|
|
\item We now have multiple solutions for sending arbitrary protocol data
|
|
\begin{itemize}
|
|
\item From a rogue network to phones (OpenBSC, OpenBTS)
|
|
\item From a FOSS controlled phone to the network (OsmocomBB)
|
|
\item From an A-bis proxy to the network or the phones
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\subsection{Where we go from here}
|
|
|
|
\begin{frame}{TODO}{Where we go from here}
|
|
\begin{itemize}
|
|
\item The tools for fuzzing mobile phone protocol stacks are available
|
|
\item It is up to the security community to make use of those tools (!)
|
|
\item Don't you, too, think that TCP/IP security is boring?
|
|
\item Join the GSM protocol security research projects
|
|
\item Boldly go where no (free) man has gone before
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{Current Areas of Work / Future plans}
|
|
\begin{itemize}
|
|
\item UMTS (3G) support for NodeB and femtocells
|
|
\item SS7 / MAP integration (Erlang and C)
|
|
\item Playing with SIM Toolkit from the operator side
|
|
\item Playing with MMS
|
|
\item More exploration of RRLP + SUPL
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
%\subsection{Further Reading}
|
|
|
|
\begin{frame}{Further Reading}
|
|
\begin{itemize}
|
|
\item \url{http://laforge.gnumonks.org/papers/gsm_phone-anatomy-latest.pdf}
|
|
\item \url{http://bb.osmocom.org/}
|
|
\item \url{http://openbsc.osmocom.org/}
|
|
\item \url{http://openbts.sourceforge.net/}
|
|
\item \url{http://airprobe.org/}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\end{document}