% $Header: /cvsroot/latex-beamer/latex-beamer/solutions/conference-talks/conference-ornate-20min.en.tex,v 1.7 2007/01/28 20:48:23 tantau Exp $
|
|
|
|
\documentclass{beamer}
|
|
|
|
\usepackage{url}
|
|
\makeatletter
% Custom url style "leo": if \selectfont is undefined (no NFSS), fall back
% to sans-serif; otherwise typeset URLs in a tiny monospace font so that
% long links fit on a slide.  The url package documents \def\url@<name>style
% as the way to register a new style, hence \def rather than \newcommand.
\def\url@leostyle{%
\@ifundefined{selectfont}{\def\UrlFont{\sf}}{\def\UrlFont{\tiny\ttfamily}}}
\makeatother
|
|
%% Now actually use the newly defined style.
|
|
\urlstyle{leo}
|
|
|
|
|
|
% This file is a solution template for:
|
|
|
|
% - Talk at a conference/colloquium.
|
|
% - Talk length is about 20min.
|
|
% - Style is ornate.
|
|
|
|
|
|
|
|
% Copyright 2004 by Till Tantau <tantau@users.sourceforge.net>.
|
|
%
|
|
% In principle, this file can be redistributed and/or modified under
|
|
% the terms of the GNU Public License, version 2.
|
|
%
|
|
% However, this file is supposed to be a template to be modified
|
|
% for your own needs. For this reason, if you use this file as a
|
|
% template and not specifically distribute it as part of a another
|
|
% package/program, I grant the extra permission to freely copy and
|
|
% modify this file as you see fit and even to delete this copyright
|
|
% notice.
|
|
|
|
|
|
\mode<presentation>
|
|
{
|
|
\usetheme{Warsaw}
|
|
% or ...
|
|
|
|
\setbeamercovered{transparent}
|
|
% or whatever (possibly just delete it)
|
|
}
|
|
|
|
|
|
\usepackage[english]{babel}
|
|
% or whatever
|
|
|
|
\usepackage[latin1]{inputenc}
|
|
% or whatever
|
|
|
|
\usepackage{times}
|
|
\usepackage[T1]{fontenc}
|
|
% Or whatever. Note that the encoding and the font should match. If T1
|
|
% does not look nice, try deleting the line with the fontenc.
|
|
|
|
|
|
\title{osmocom.org - FOSS for mobile comms}
|
|
|
|
\subtitle
|
|
{community based Free / Open Source Software for communications}
|
|
|
|
\author{Harald Welte <laforge@gnumonks.org>}
|
|
|
|
\institute
|
|
{gnumonks.org\\hmw-consulting.de\\sysmocom GmbH}
|
|
% - Use the \inst command only if there are several affiliations.
|
|
% - Keep it simple, no one is interested in your street address.
|
|
|
|
\date[] % (optional, should be abbreviation of conference name)
|
|
{August 3, 2013 / COSCUP / Taipei}
|
|
% - Either use conference name or its abbreviation.
|
|
% - Not really informative to the audience, more for people (including
|
|
% yourself) who are reading the slides online
|
|
|
|
\subject{Communications}
|
|
% This is only inserted into the PDF information catalog. Can be left
|
|
% out.
|
|
|
|
|
|
|
|
% If you have a file called "university-logo-filename.xxx", where xxx
|
|
% is a graphic format that can be processed by latex or pdflatex,
|
|
% resp., then you can add a logo as follows:
|
|
|
|
% \pgfdeclareimage[height=0.5cm]{university-logo}{university-logo-filename}
|
|
% \logo{\pgfuseimage{university-logo}}
|
|
|
|
|
|
|
|
% Delete this, if you do not want the table of contents to pop up at
|
|
% the beginning of each subsection:
|
|
%\AtBeginSubsection[]
|
|
%{
|
|
% \begin{frame}<beamer>{Outline}
|
|
% \tableofcontents[currentsection,currentsubsection]
|
|
% \end{frame}
|
|
%}
|
|
|
|
|
|
% If you wish to uncover everything in a step-wise fashion, uncomment
|
|
% the following command:
|
|
|
|
%\beamerdefaultoverlayspecification{<+->}
|
|
|
|
|
|
\begin{document}
|
|
|
|
\begin{frame}
|
|
\titlepage
|
|
\end{frame}
|
|
|
|
\begin{frame}{Outline}
|
|
\tableofcontents[hideallsubsections]
|
|
% You might wish to add the option [pausesections]
|
|
\end{frame}
|
|
|
|
|
|
% Structuring a talk is a difficult task and the following structure
|
|
% may not be suitable. Here are some rules that apply for this
|
|
% solution:
|
|
|
|
% - Exactly two or three sections (other than the summary).
|
|
% - At *most* three subsections per section.
|
|
% - Talk about 30s to 2min per frame. So there should be between about
|
|
% 15 and 30 frames, all told.
|
|
|
|
% - A conference audience is likely to know very little of what you
|
|
% are going to talk about. So *simplify*!
|
|
% - In a 20min talk, getting the main ideas across is hard
|
|
% enough. Leave out details, even if it means being less precise than
|
|
% you think necessary.
|
|
% - If you omit details that are vital to the proof/implementation,
|
|
% just say so once. Everybody will be happy with that.
|
|
|
|
\begin{frame}{About the speaker}
|
|
\begin{itemize}
|
|
\item Using + toying with Linux since 1994
|
|
\item Kernel / bootloader / driver / firmware development since 1999
|
|
\item IT security expert, focus on network protocol security
|
|
\item Former core developer of Linux packet filter netfilter/iptables
|
|
\item Board-level Electrical Engineering
|
|
\item Always looking for interesting protocols (RFID, DECT, GSM)
|
|
\item OpenEZX, OpenPCD, Openmoko, OpenBSC, OsmocomBB, OsmoSGSN
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\section{Researching communications systems}
|
|
|
|
\subsection{The Role of FOSS}
|
|
|
|
\begin{frame}{Research in TCP/IP/Ethernet}
|
|
Assume you want to do some research in the TCP/IP/Ethernet
|
|
communications area,
|
|
\begin{itemize}
|
|
\item you use off-the-shelf hardware (x86, Ethernet card)
|
|
\item you start with the Linux / *BSD stack
|
|
\item you add the instrumentation you need
|
|
\item you make your proposed modifications
|
|
\item you do some testing
|
|
\item you write your paper and publish the results
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{Research in (mobile) communications}
|
|
Assume it is before 2009 (before Osmocom) and you want to do some research in mobile comms
|
|
\begin{itemize}
|
|
\item there is no FOSS implementation of any of the protocols or
|
|
functional entities
|
|
\item almost no university has a test lab with the required
|
|
equipment. And if they do, these are black boxes that you
|
|
cannot modify according to your research requirements
|
|
\item you turn away at that point, or you cannot work on really
|
|
exciting stuff
|
|
\item the only chance is to partner with a commercial company, which
|
|
puts you under NDAs and who wants to profit from your
|
|
research
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{GSM/3G vs. Internet}
|
|
\begin{itemize}
|
|
\item Observation
|
|
\begin{itemize}
|
|
\item Both GSM/3G and TCP/IP protocol specs are publicly available
|
|
\item The Internet protocol stack (Ethernet/Wifi/TCP/IP) receives lots of scrutiny
|
|
\item GSM networks are as widely deployed as the Internet
|
|
\item Yet, GSM/3G protocols receive no such scrutiny!
|
|
\end{itemize}
|
|
\item There are reasons for that:
|
|
\begin{itemize}
|
|
\item GSM industry is extremely closed (and closed-minded)
|
|
\item Only about 4 closed-source protocol stack implementations
|
|
\item GSM chipset makers never release any hardware documentation
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{GSM is more than phone calls}
|
|
Listening to phone calls is boring\dots
|
|
\begin{itemize}
|
|
\item Machine-to-Machine (M2M) communication
|
|
\begin{itemize}
|
|
\item BMW can unlock/open your car via GSM
|
|
\item Alarm systems often report via GSM
|
|
\item Smart Metering (Utility companies)
|
|
\item GSM-R / European Train Control System
|
|
\item Vending machines report that their cash box is full
|
|
\item Control if wind-mills supply power into the grid
|
|
\item Transaction numbers for electronic banking
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\section{The Osmocom project}
|
|
|
|
\begin{frame}{Osmocom / osmocom.org}
|
|
\begin{itemize}
|
|
\item Osmocom == Open Source Mobile Communications
|
|
\item Classic collaborative, community-driven FOSS project
|
|
\item Gathers creative people who want to explore this
|
|
industry-dominated closed mobile communications world
|
|
\item communication via mailing lists, IRC
|
|
\item source code in git, information in trac/wiki
|
|
\item \url{http://osmocom.org/}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\subsection{Osmocom sub-projects}
|
|
|
|
\begin{frame}{OpenBSC}
|
|
\begin{itemize}
|
|
\item first Osmocom project
|
|
\item Implements GSM A-bis interface towards BTS
|
|
\item Primarily supports sysmoBTS and ip.access nanoBTS
|
|
\item Limited support for some Siemens, Ericsson and Nokia BTS models
|
|
\item can implement only BSC function (osmo-bsc) or a fully
|
|
autonomous self-contained GSM network (osmo-nitb) that
|
|
requires no external MSC/VLR/AUC/HLR/EIR
|
|
\item deployed in more than 200 installations world-wide, commercial and
|
|
research
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{First OpenBSC test installation (HAR 2009)}
|
|
\begin{figure}[h]
|
|
\centering
|
|
\includegraphics[width=60mm]{bts_tree_full.jpg}
|
|
\end{figure}
|
|
\end{frame}
|
|
|
|
\begin{frame}{OpenBSC use cases}
|
|
\begin{itemize}
|
|
\item can be used either as pure BSC (A-over-IP)
|
|
\begin{itemize}
|
|
\item suitable for operators with existing core (MSC/VLR/HLR/AUC)
|
|
\item easy integration into existing infrastructure
|
|
\end{itemize}
|
|
\item or as NITB (network in the box)
|
|
\begin{itemize}
|
|
\item suitable for private / autonomous small networks (PBX style)
|
|
\item no dependency on any other external component
|
|
\item connect to the outside via ISDN or VoIP (using
|
|
linux call router)
|
|
\item off-shore drilling rigs, underground mining, alternative to PMR
|
|
\end{itemize}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{OsmoSGSN / OpenGGSN}
|
|
\begin{itemize}
|
|
\item extends the OpenBSC based network from GSM to GPRS/EDGE by
|
|
implementing the classic SGSN and GGSN functional
|
|
entities
|
|
\item OpenGGSN existed already, but was abandoned by original
|
|
author
|
|
\item Works only with BTSs that provide a Gb interface, like
|
|
sysmoBTS or nanoBTS
|
|
\item Suitable for research only, not production ready
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{OsmoSGSN / OpenGGSN use cases}
|
|
\begin{itemize}
|
|
\item Testing of M2M devices using your own BTS+SGSN+GGSN
|
|
\item Mobile malware research (analyze cellular data traffic of
|
|
apps)
|
|
\item Any type of GPRS related research
|
|
\item Teaching, training on mobile data protocols/interfaces
|
|
(RLC, MAC, LLC, SNDCP, BSSGP, NS, GTP, etc.)
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{OsmocomBB}
|
|
\begin{itemize}
|
|
\item Full baseband processor firmware implementation of a mobile phone (MS)
|
|
\item We re-use existing phone hardware and re-wrote the L1, L2,
|
|
L3 and higher level logic
|
|
\item Higher layers reuse code from OpenBSC wherever possible
|
|
\item Used in a number of universities and other research contexts
|
|
\end{itemize}
|
|
\begin{figure}[h]
|
|
\centering
|
|
\includegraphics[width=50mm]{c123_pcb.jpg}
|
|
\end{figure}
|
|
\end{frame}
|
|
|
|
\begin{frame}{OsmocomBB use cases}
|
|
\begin{itemize}
|
|
\item Applied security research on Infrastructure
|
|
\begin{itemize}
|
|
\item Fuzzing / exploitation of protocol parsers on the network side
|
|
\item RACH denial of service
|
|
\item Check whether networks use randomized padding (fixed filler bytes give an attacker known plaintext)
|
|
\item Detect IMSI catchers or other false base stations
|
|
\item Assess GSM network (operator) security level
|
|
\end{itemize}
|
|
\item Study + learn how a GSM stack / phone works
|
|
\item Protocol tracing of your own transactions with the network
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{OsmoBTS}
|
|
\begin{itemize}
|
|
\item OpenBSC/OsmoNITB takes care of BTS and higher elements
|
|
\item OsmoBTS implements a BTS with A-bis/IP back-haul to OpenBSC
|
|
\item Developed primarily for sysmoBTS hardware
|
|
\item Support for other hardware is ongoing in the community
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{OsmocomTETRA}
|
|
\begin{itemize}
|
|
\item SDR implementation of a TETRA radio-modem (PHY/MAC)
|
|
\item Rx is fully implemented, Tx only partial
|
|
\item Can be used for air interface interception (of unencrypted traffic)
|
|
\item Accompanied by wireshark dissectors for the TETRA protocol
|
|
stack
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{OsmocomTETRA use cases}
|
|
\begin{itemize}
|
|
\item Analysis/assessment of TETRA network security
|
|
\item Learn how TETRA works on the lowest levels (L1, MAC, L3)
|
|
\item Protocol analysis / sniffing / intercepting unencrypted networks
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{OsmocomGMR}
|
|
\begin{itemize}
|
|
\item ETSI GMR (GEO-Mobile Radio) is ``GSM for satellites''
|
|
\item GMR-1 used by Thuraya satellite network
|
|
\item OsmocomGMR implements SDR based radiomodem + PHY/MAC (Rx)
|
|
\item Partial wireshark dissectors for the protocol stack
|
|
\item Reverse engineered implementation of GMR-A5 crypto
|
|
\item Speech codec is proprietary, still needs reverse engineering
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{OsmocomGMR use cases}
|
|
\begin{itemize}
|
|
\item Analysis/assessment of GMR/Thuraya security (in practice there is hardly any: the GMR-A5 air interface cipher has been reverse engineered)
|
|
\item Learn and understand how satellite telephony L1 and protocols work
|
|
\item Actual interception of SMS + data
|
|
\item Voice still difficult due to proprietary undocumented codec
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{OsmocomDECT}
|
|
\begin{itemize}
|
|
\item ETSI DECT (Digital Enhanced Cordless Telecommunications) is used in
|
|
millions of cordless phones
|
|
\item deDECTed.org project started with open source protocol
|
|
analyzers and demonstrated many vulnerabilities
|
|
\item OsmocomDECT is an implementation of the DECT hardware
|
|
drivers and protocols for the Linux kernel
|
|
\item Integrates with Asterisk
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{OsmocomOP25}
|
|
\begin{itemize}
|
|
\item APCO P25 (Project 25) is a professional PMR system used in the US
|
|
\item Can be compared to TETRA in Europe
|
|
\item OsmocomOP25 is again SDR receiver + protocol analyzer
|
|
\item Use cases like OsmocomTETRA
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{OsmoSDR}
|
|
\begin{itemize}
|
|
\item small, low-power / low-cost USB SDR hardware
|
|
\item higher bandwidth than FunCubeDonglePro
|
|
\item much lower cost than USRP
|
|
\item Open Hardware
|
|
\item Developer units available
|
|
\end{itemize}
|
|
\begin{figure}[h]
|
|
\centering
|
|
\includegraphics[width=70mm]{osmosdr.jpg}
|
|
\end{figure}
|
|
\end{frame}
|
|
|
|
\begin{frame}{rtl-sdr}
|
|
\begin{itemize}
|
|
\item re-purpose a USD~20 DVB-T USB dongle based on a Realtek chipset
|
|
\item deactivate/bypass DVB-T demodulator / MPEG decoder
|
|
\item pass baseband samples via high-speed USB into PC
|
|
\item no open hardware, but Free Software
|
|
\end{itemize}
|
|
\begin{figure}[h]
|
|
\centering
|
|
\includegraphics[width=70mm]{ezcap_top.jpg}
|
|
\end{figure}
|
|
\end{frame}
|
|
|
|
\begin{frame}{OsmocomSIMTRACE}
|
|
\begin{itemize}
|
|
\item Hardware protocol tracer for SIM - phone interface
|
|
\item Wireshark protocol dissector for SIM-ME protocol (TS 11.11)
|
|
\item Can be used for SIM Application development / analysis
|
|
\item Also capable of SIM card emulation and man-in-the-middle attacks on the SIM--phone interface
|
|
\end{itemize}
|
|
\begin{figure}[h]
|
|
\centering
|
|
\includegraphics[width=60mm]{simtrace_and_phone.jpg}
|
|
\end{figure}
|
|
\end{frame}
|
|
|
|
\begin{frame}{Osmo-E1-Xcvr}
|
|
\begin{itemize}
|
|
\item Open hardware project for interfacing E1 lines with
|
|
microcontrollers
|
|
\item So far no software/firmware yet, stay tuned!
|
|
\end{itemize}
|
|
\begin{figure}[h]
|
|
\centering
|
|
\includegraphics[width=60mm]{osmo-e1-xcvr.jpg}
|
|
\end{figure}
|
|
\end{frame}
|
|
|
|
\begin{frame}{osmo\_ss7, osmo\_map, signerl}
|
|
\begin{itemize}
|
|
\item Erlang-language SS7 implementation (MTP3, SCCP, TCAP, MAP)
|
|
\item SIGTRAN variants (M2PA, M2UA, M3UA and SUA)
|
|
\item Enables us to interface with GSM/UMTS inter-operator core network
|
|
\item Already used in production in some really nasty
|
|
special-purpose protocol translators (think of NAT for
|
|
SS7)
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{osmo\_ss7, osmo\_map, signerl use cases}
|
|
\begin{itemize}
|
|
\item Implement GSM/3G core network elements (HLR, SCF, etc.)
|
|
\item Applications that interact with GSM/3G core network
|
|
elements
|
|
\item Mostly useful for small MVNOs or other operators who have
|
|
requirements that cannot be fulfilled with off-the-shelf
|
|
proprietary equipment.
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{More Osmocom projects}
|
|
\begin{itemize}
|
|
\item Have a look at \url{http://git.osmocom.org/}
|
|
\item 79 public git repositories / projects at this point
|
|
\item way too many to cover here in this talk
|
|
\item Often RTFS, no manual/docs
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\section{Non-osmocom projects}
|
|
|
|
\begin{frame}{The OpenBTS Um - SIP bridge}
|
|
\begin{itemize}
|
|
\item OpenBTS is a SDR implementation of GSM Um radio interface
|
|
\item directly bridges to SIP/RTP, no A-bis/BSC/A/MSC
|
|
\item suitable for research on air interface, but very different
|
|
from traditional GSM networks
|
|
\item work is being done to make it interoperable with OpenBSC
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{airprobe.org}
|
|
\begin{itemize}
|
|
\item SDR implementation of Um sniffer
|
|
\item suitable for receiving GSM Um downlink and uplink
|
|
\item predates all of the other projects
|
|
\item more or less abandoned at this point
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{UmTRX}
|
|
\begin{itemize}
|
|
\item SDR hardware, specifically for GSM Um air interface
|
|
\item can be used with OpenBTS and soon: OsmoTRX / OsmoBTS
|
|
\item Open Hardware Design
|
|
\item \url{http://code.google.com/p/umtrx/}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{xgoldmon}
|
|
\begin{itemize}
|
|
\item extract all GSM/GPRS and even 3G protocol messages from
|
|
your Samsung Galaxy 2, Galaxy 3, Note 2, Nexus phone via USB
|
|
\item feed them into your PC running xgoldmon
|
|
\item forward them from xgoldmon via GSMTAP into wireshark
|
|
\item \url{https://github.com/2b-as/xgoldmon}
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{sysmocom GmbH}{systems for mobile communications}
|
|
\begin{itemize}
|
|
\item small company, started by two Osmocom developers in Berlin
|
|
\item provides commercial R\&D and support for professional
|
|
users of Osmocom software
|
|
\item develops + sells products like sysmoBTS (inexpensive,
|
|
small-form-factor, OpenBSC compatible BTS)
|
|
\item runs a small webshop for Osmocom related hardware items
|
|
like SIMtrace
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\subsection{Future projects}
|
|
|
|
\begin{frame}{Where do we go from here?}
|
|
\begin{itemize}
|
|
\item Dieter Spaar has been working with 3G NodeBs (Ericsson,
|
|
Nokia) to be able to run our own RNC
|
|
\item Research into intercepting microwave back-haul links
|
|
\item Research into GPS simulation / transmission / faking
|
|
\item Port of OsmocomBB to other baseband chips
|
|
\item Low-level control from Free Software on a 3G/3.5G phone
|
|
\item Re-using femtocells in creative ways
|
|
\item Proprietary PMR systems
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{Call for contributions}
|
|
\begin{itemize}
|
|
\item Don't you agree that classic Internet/TCP/IP is boring and
|
|
has been researched to death?
|
|
\item There are many more communications systems out there
|
|
\item Never trust the industry, they only care about selling
|
|
their stuff
|
|
\item Let's democratize access to those communication systems
|
|
\item Become a contributor or developer today!
|
|
\item Join our mailing lists, use/improve our code
|
|
\item for OsmocomBB you only need a EUR~20 phone to get started
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
\begin{frame}{Thanks}
|
|
I'd like to thank the many Osmocom developers and contributors,
|
|
especially
|
|
\begin{itemize}
|
|
\item Dieter Spaar
|
|
\item Holger Freyther
|
|
\item Andreas Eversberg
|
|
\item Sylvain Munaut
|
|
\item On-Waves e.h.f
|
|
\end{itemize}
|
|
\end{frame}
|
|
|
|
|
|
\begin{frame}{Thanks}
|
|
Thanks for your attention. I hope we have time for Q\&A.
|
|
\end{frame}
|
|
|
|
|
|
\end{document}
|