WiFi and the Beast
kernel-tlv
WIFI AND THE BEAST
INTRO TO 80211 IN THE LINUX KERNEL
OURI LIPNER
SECURITY RESEARCHER
EQUUS TECHNOLOGIES
WHY ARE WE HERE AND WHAT IS THIS MADNESS?
A SHORT INTRO TO WIFI
• FULLMAC - SOFTMAC
• FRAME TYPES
• FRAME PROTOCOL TRANSLATION (DOT11 – ETH)
• MONITOR MODE
• SCAN – AUTH – ASSOC
• AP – STA (AND OTHERS)
CONNECTION ESTABLISHMENT
WPA2
BASIC WIFI FRAME
DATA FRAMES TRANSLATION
static int __ieee80211_data_to_8023(struct sk_buff *skb, struct ethhdr *ehdr, const u8 *addr, enum nl80211_iftype iftype)
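The DOT11 to ETH translation named on this slide, as an added userspace example (not the kernel's code and not from the talk): it picks DA/SA from the ToDS/FromDS bits, strips the RFC 1042 LLC/SNAP header and bounds-checks every length. The function name `dot11_data_to_8023`, the buffers and the sample frame are constructed for illustration; HT Control, A-MSDU and bridge-tunnel encapsulation are deliberately not handled.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static const uint8_t rfc1042[6] = {0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00};
/* Constructed sample: QoS data frame, ToDS=1 (STA to AP), IPv4 EtherType. */
static const uint8_t sample[] = {
    0x88, 0x01, 0x00, 0x00,                   /* frame control, duration */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x01,       /* addr1 = BSSID */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x02,       /* addr2 = SA */
    0x02, 0x00, 0x00, 0x00, 0x00, 0x03,       /* addr3 = DA */
    0x00, 0x00, 0x00, 0x00,                   /* seq ctrl, QoS ctrl */
    0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00, /* LLC/SNAP */
    0x01, 0x02, 0x03, 0x04 };                 /* payload */
static uint8_t out[64];

/* Returns the Ethernet frame length written to eth, or -1 if rejected. */
int dot11_data_to_8023(const uint8_t *f, size_t len, uint8_t *eth, size_t cap)
{
    /* Reject frames that are short, not type "data", or a null subtype. */
    if (len < 24 || (f[0] & 0x4c) != 0x08) return -1;
    int tods = f[1] & 0x01, fromds = f[1] & 0x02;
    size_t hdr = 24;
    if (tods && fromds) hdr += 6;             /* addr4 (4-address / WDS) */
    if (f[0] & 0x80) hdr += 2;                /* QoS control field */
    if (len < hdr) return -1;                 /* re-check before reading addr4 */
    const uint8_t *da = tods ? f + 16 : f + 4;              /* addr3 : addr1 */
    const uint8_t *sa = fromds ? (tods ? f + 24 : f + 16) : f + 10;
    const uint8_t *pl = f + hdr;
    size_t plen = len - hdr;
    uint8_t type[2];
    if (plen >= 8 && memcmp(pl, rfc1042, 6) == 0) {
        type[0] = pl[6]; type[1] = pl[7];     /* EtherType from SNAP */
        pl += 8; plen -= 8;
    } else {
        if (plen > 1500) return -1;           /* cannot be an 802.3 length */
        type[0] = (uint8_t)(plen >> 8); type[1] = (uint8_t)plen;
    }
    if (cap < 14 + plen) return -1;           /* never overrun the output */
    memcpy(eth, da, 6); memcpy(eth + 6, sa, 6); memcpy(eth + 12, type, 2);
    memcpy(eth + 14, pl, plen);
    return (int)(14 + plen);
}

int main(void)
{
    printf("%d %d\n", dot11_data_to_8023(sample, sizeof sample, out, sizeof out),
           dot11_data_to_8023(sample, 25, out, sizeof out));
    return 0;
}
```

The second call passes a length that covers the 3-address header but not the QoS control field, which is why the header length is re-checked after the optional fields are counted.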
A SHORT INTRO TO WIFI - RECAP
• FULLMAC - SOFTMAC
• FRAME TYPES
• FRAME PROTOCOL TRANSLATION (DOT11 – ETH)
• MONITOR MODE
• SCAN – AUTH – ASSOC
• AP – STA (AND OTHERS)
TASKS OF A WIFI DRIVER
• STATE MACHINE – MLME (PER STA)
• INTERFACE STATE CHANGE / PEER STATE CHANGE
• PACKET ADMITTANCE
• VIF
• SCAN
• CHANNEL SELECTION
• CRYPTO CONFIGURATION + VALIDATION
• AUTHENTICATION
• RATE CONTROL
• REGDOMAIN
• POWERSAVE
• …
• MADWIFI (NET80211 + ATH) : > 56K LOC
DRIVER EXAMPLE - MADWIFI
• CONNECTION STAGES
• MANAGEMENT FRAMES
• DATA FRAMES
MADWIFI CONNECTION ESTABLISHMENT
• IWCONFIG WLAN<X> MODE MANAGED
• IWCONFIG WLAN<X> ESSID “MYNET”
• IEEE80211_IOCTL_SIWESSID() – IOCTL HANDLER, STARTS INTERFACE
• IEEE80211_NEWSTATE() – STATEFUL SWITCH CASE
• IEEE80211_CHECK_SCAN() – FIND ESSID IN SCAN CACHE OR INIT SCAN
• IEEE80211_STA_JOIN() – ALLOCATE NODE FOR AP
• IEEE80211_NEWSTATE() AGAIN
• …
• FULLY SELF-SUFFICIENT
MADWIFI MANAGEMENT FRAME RX
• IEEE80211_INPUT() – SWITCH CASE FOR INTERFACE MODE, MAINLY
• CHECK IF STAGE IS LOGICAL, FRAME SIZE, CRYPTO
• IEEE80211_RECV_MGMT() – PARSE AND HANDLE FRAME IN KERNEL
MADWIFI DATA FRAME RX
• IEEE80211_INPUT(), AGAIN SWITCH CASE ON IFACE STATE AND PACKET
• CHECK CRYPTO, REASSEMBLE, CHECK CRYPTO SIGNATURE
• A LOT OF DIFFERENT PACKET TYPES AND IFACE STATES (WDS, ETC.)
• CONVERT WIFI FRAME TO ETHERNET
• ACCEPT_DATA_FRAME() – VERIFY 802.1X PORT STATUS
• IEEE80211_DELIVER_DATA() – NETIF_RX()
MAC80211
• IDEA: LET’S HAVE ONE MAC IMPLEMENTATION FOR ALL WIFI DRIVERS
• ALSO: LET’S PUSH AS MUCH AS POSSIBLE TO USER MODE
NEW ARCHITECTURE
• MAC80211
• CFG80211
• NL80211
• IWEXT STILL IN USE
• ATH5K ~ 31K LOC (VS. >56K IN MADWIFI)
ATH5K – MAC80211 DRIVER
MAC80211 RX PATH (MGMT, AP)
ATH5K_RECEIVE_FRAME() – HW FLAGS, NO LOGIC
IEEE80211_RX_NAPI() - MAC80211, SANITY
IEEE80211_RX_HANDLERS() – SANITY CHECKS AS WELL
IEEE80211_RX_H_USERSPACE_MGMT() – SEND IT TO USER MODE
USER MODE HELPER
• HOSTAPD / WPA_SUPPLICANT
• RECEIVES AND SENDS MANAGEMENT FRAMES USING NETLINK (MOSTLY)
• CONTROLS CONNECTION ESTABLISHMENT, ETC.
• ALSO PROVIDES HIGH LEVEL PROTOCOLS – WPA2, WPS, P2P-GO
TINKERING WITH A DRIVER
• IS DEVICE FULLMAC / SOFTMAC?
• IS DRIVER BASED ON MAC80211?
• FIRMWARE AND EEPROM – HAVEN’T TOUCHED HERE.
EXAMPLE
HTTPS://DEV.OPENWRT.ORG/BROWSER/TRUNK/PACKAGE/KERNEL/MAC80211/PATCHES
EXAMPLE2
THANK YOU FOR LISTENING