# From IP ID to Device ID and KASLR Bypass (Extended Version)

**Authors:** Amit Klein, Benny Pinkas

arXiv: 1906.10478 · 2019-10-29

## TL;DR

This paper analyzes IP ID generation across Windows, Linux, and Android, revealing how it enables device identification and kernel address leaks, and presents techniques to extract device-specific keys for fingerprinting.

## Contribution

It provides a detailed reverse-engineering and cryptanalysis of IP ID generation algorithms, demonstrating practical device fingerprinting and KASLR bypass techniques.

## Key findings

- IP ID can uniquely identify devices across network changes
- Linux and Android leak kernel addresses via IP ID
- Practical key extraction enables device fingerprinting

## Abstract

IP headers include a 16-bit ID field. Our work examines the generation of this field in Windows (versions 8 and higher), Linux and Android, and shows that the IP ID field enables remote servers to assign a unique ID to each device and thus be able to identify subsequent transmissions sent from that device. This identification works across all browsers and over network changes. In modern Linux and Android versions, this field leaks a kernel address, thus we also break KASLR.   Our work includes reverse-engineering of the Windows IP ID generation code, and a cryptanalysis of this code and of the Linux kernel IP ID generation code. It provides practical techniques to partially extract the key used by each of these algorithms, overcoming different implementation issues, and observing that this key can identify individual devices. We deployed a demo (for Windows) showing that key extraction and machine fingerprinting works in the wild, and tested it from networks around the world.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1906.10478/full.md

## Figures

2 figures with captions in the complete paper: https://tomesphere.com/paper/1906.10478/full.md

## References

62 references — full list in the complete paper: https://tomesphere.com/paper/1906.10478/full.md

---
Source: https://tomesphere.com/paper/1906.10478