TL;DR
This paper reveals a weakness in the Linux kernel's prandom PRNG, enabling cross-layer attacks that can predict network protocol values, facilitate DNS cache poisoning, and track devices across networks.
Contribution
It demonstrates a novel cross-layer attack exploiting the weak PRNG in Linux, enabling remote DNS cache poisoning and device tracking.
Findings
Efficient DNS cache poisoning attack with 3000-6000x speedup.
Ability to track and identify Linux and Android devices.
Demonstration of cross-layer inference of PRNG states across network protocols.
Abstract
We analyze the prandom pseudo random number generator (PRNG) in use in the Linux kernel (which is the kernel of the Linux operating system, as well as of Android) and demonstrate that this PRNG is weak. The prandom PRNG is in use by many "consumers" in the Linux kernel. We focused on three consumers at the network level -- the UDP source port generation algorithm, the IPv6 flow label generation algorithm and the IPv4 ID generation algorithm. The flawed prandom PRNG is shared by all these consumers, which enables us to mount "cross layer attacks" against the Linux kernel. In these attacks, we infer the internal state of the prandom PRNG from one OSI layer, and use it to either predict the values of the PRNG employed by the other OSI layer, or to correlate it to an internal state of the PRNG inferred from the other protocol. Using this approach we can mount a very efficient DNS cache…
