外文翻譯----在sms蜂窩網(wǎng)絡(luò)上進(jìn)行開放式功能的開發(fā)

1、<p><b>　　畢業(yè)設(shè)計(jì)（論文）</b></p><p><b>　　譯文及原稿</b></p><p>　譯文題目：在SMS蜂窩網(wǎng)絡(luò)上進(jìn)行開放式功能的開發(fā)</p><p>　原稿出處：William Enck、Patrick Traynor、Patrick McDaniel and Tho-</p&g

2、t;<p>　mas La Porta;Systems and Internet Infrastructure Security La-</p><p>　boratory Department of Computer Science and Engineering;</p><p>　The Pennsylvania State University University

3、Park,PA 16802</p><p>　　在SMS蜂窩網(wǎng)絡(luò)上進(jìn)行開放式功能的開發(fā)</p><p>　　1.SMS/CELLULAR網(wǎng)絡(luò)概述 本節(jié)簡潔介紹基于GSM網(wǎng)絡(luò)系統(tǒng)的SMS短信從發(fā)送到接收的過程概況，包括基于CDMA等移動網(wǎng)絡(luò)，但原理基本一樣。 1.1發(fā)送短信 發(fā)送短信有兩種方法 -- 通過其他移動設(shè)備或通過一系列外部短消息設(shè)備（ESMEs）實(shí)現(xiàn)。 ESMEs

4、包括許多不同的設(shè)備和接口，從電子郵件和網(wǎng)頁到基于消息的服務(wù)供應(yīng)商門戶網(wǎng)站，語音郵件服務(wù)，傳呼系統(tǒng)和應(yīng)用軟件。無論這些系統(tǒng)是通過Internet還是通過特定的專用信道連接移動電話網(wǎng)絡(luò)，短信首先被傳到眾所周知的能夠處理短信息流量的短消息服務(wù)中心（SMSC）服務(wù)器。因此，支持短消息功能的服務(wù)提供商網(wǎng)路中至少包含一個(gè)短消息服務(wù)中心。由于這項(xiàng)服務(wù)日益普及，因此，服務(wù)提供商提供支持多種不同的短消息服務(wù)中心的服務(wù)變得普遍起來，以此來增加容量。

5、 在接收短信時(shí)，要對傳入數(shù)據(jù)包的內(nèi)容檢錯(cuò)，必要時(shí)，轉(zhuǎn)換成短信的格式并復(fù)制。這樣的話，來自互聯(lián)網(wǎng)的信息將無法區(qū)分哪些是從移動電話發(fā)來的。隨后，消息被放入一個(gè)短消息服務(wù)中心隊(duì)列進(jìn)行轉(zhuǎn)發(fā)。 1.2路由短信 SMSC是用來確定如何將短信路由到目的移動設(shè)備的。 SMSC查詢</p><p>　　當(dāng)短信從短消息服務(wù)中心傳來時(shí)，短消息服務(wù)中心提取具體的目標(biāo)設(shè)備信息。然后，短消息服務(wù)中心查詢訪問位置寄存器數(shù)據(jù)庫，訪問

6、位置寄存器數(shù)據(jù)庫包含目的設(shè)備歸屬位置寄存器的一個(gè)關(guān)于目的設(shè)備信息的本地副本。然后，移動交換中心通過移動設(shè)備所在基站的空中接口轉(zhuǎn)發(fā)這條短信。圖1.1是移動通信網(wǎng)絡(luò)圖，圖1.2是短信的消息流程圖。</p><p>　　圖 1.1 移動通信網(wǎng)絡(luò)</p><p>　　圖1.2 短消息流程網(wǎng)絡(luò)</p><p>　　1.3無線傳輸 空中接口分為兩部分 - 控制信道（C

7、CH）和尋呼信道（TCH）。 控制信道又細(xì)分為兩種-公用控制信道和專用控制信道。公用控制信道是包含尋呼信道（PCH）和隨機(jī)接入信道（RACH）組成的邏輯信道，用于基站進(jìn)行語音信號和SMS數(shù)據(jù)的傳輸機(jī)制。因此，所有連接網(wǎng)絡(luò)的移動設(shè)備周期性地檢測公用控制信道上的語音和SMS信號。 基站在尋呼信道上發(fā)送包含與終端移動用戶相關(guān)的臨時(shí)移動用戶識別碼（TMSI）信息。為了防止竊聽者試圖確定接收手機(jī)的身份，因此，網(wǎng)絡(luò)中使用臨時(shí)移動用戶識別碼

8、，而不會使用目的移動手機(jī)的電話號碼傳送信息。當(dāng)移動設(shè)備檢測到自己的臨時(shí)移動用戶識別碼時(shí)，它試圖通過隨機(jī)接入信道連接基站，并通知網(wǎng)絡(luò)自己的設(shè)備能被呼叫和接收數(shù)據(jù)。當(dāng)基站接收到響應(yīng)信號時(shí)，就通知目的設(shè)備檢測具體的獨(dú)立專用控制信道（SDCCH）信號。使用獨(dú)立專用控制信道，基站能簡化對目的設(shè)備的認(rèn)證（通過在移動交換中心的用戶信息），啟用加密，提供一個(gè)新的TMSI，然后傳送短信本身。為了減少開銷，如果短消息服務(wù)中心包含多個(gè)SMS消息，則一次SDC

9、CH會話中發(fā)送不只一條短信[5]。如果不是文本信息，而是進(jìn)</p><p>　　空中接口交付的最后階段見圖1.3。 </p><p>　　圖1.3 簡化的SMS空中接口2.SMS/CELLULAR網(wǎng)絡(luò)脆弱性分析 在日常的社交活動和簡單的商業(yè)性質(zhì)的交流中，SMS系統(tǒng)的大多數(shù)合理使用功能常常被定性為是不重要的。這些通信的顯著特點(diǎn)是，它們通?？梢酝ㄟ^其他一些途徑實(shí)現(xiàn)，盡管潛在的合適信

10、道很少。然而，在 2001年9月11日發(fā)生的恐怖襲擊期間，文字消息被證明是更實(shí)用。隨著成百上千的人想聯(lián)絡(luò)他們的朋友和家人，電信公司意識到了這大大阻礙移動語音服務(wù)的使用。例如，威瑞森無線公司，報(bào)告語音通話流量已經(jīng)高出一般水平一倍以上; 辛格勒無線公司數(shù)據(jù)顯示接入華盛頓地區(qū)的語音通話流量已高出了10倍以上[44]。雖然這些網(wǎng)絡(luò)設(shè)計(jì)能處理高于原有理論的容量，但如此大量的通話需求遠(yuǎn)遠(yuǎn)超過它的極限值，影響語音通信能力。由于業(yè)務(wù)信道漸漸達(dá)到飽和，基

11、于語音電話服務(wù)就變得毫無價(jià)值，然而，即使在最擁擠的地區(qū)，短信仍然能被成功接收，因?yàn)槎绦攀褂每刂菩诺?，它并不擁塞，因此，短信傳送仍然有效?盡管不能實(shí)現(xiàn)語音通話，但有需要的大多數(shù)的個(gè)體用戶可以通過文字信息功能實(shí)現(xiàn)通信。因此，現(xiàn)在看來，短信作為一種可靠的通訊方法，這是其他通信方式無法實(shí)現(xiàn)的特點(diǎn)。</p><p>　　由于隨機(jī)接入信道是一個(gè)使用時(shí)隙ALOHA協(xié)議的共享信道，某一基站上大量的呼叫響應(yīng)很慢。

12、 由于短信的不斷擴(kuò)散，我們分析互聯(lián)網(wǎng)的起源，蜂窩網(wǎng)絡(luò)的短信攻擊、語音和其他服務(wù)的影響。我們首先通過對現(xiàn)有標(biāo)準(zhǔn)的文件和灰盒測試的廣泛研究，了解這些系統(tǒng)的特性。從這些數(shù)據(jù)，我們論述了一系列的攻擊和移動電話網(wǎng)絡(luò)的脆弱性。最后，通過這次的灰盒測試，我們評估網(wǎng)絡(luò)抵御這些攻擊的能力。 在討論任何有關(guān)移動網(wǎng)絡(luò)攻擊的具體情況時(shí)，必需要從對手的角度來審視這些系統(tǒng)。在本節(jié)中，通過確定這些網(wǎng)絡(luò)的瓶頸，我們提出了簡單的方法來發(fā)現(xiàn)網(wǎng)絡(luò)中最脆弱的部分。然

13、后，探討建立有效的終端系統(tǒng)來處理這些瓶頸。</p><p>　　2.1確定蜂窩網(wǎng)絡(luò)的瓶頸 短信傳送至移動網(wǎng)絡(luò)和移動用戶接收短信之間存在著固有的成本失衡。這種不平衡是DOS攻擊的根源。 要認(rèn)識這些瓶頸，需要對整個(gè)系統(tǒng)有徹底的了解。蜂窩網(wǎng)絡(luò)標(biāo)準(zhǔn)文件，該文件雖然提供系統(tǒng)建立的框架，但缺乏具體實(shí)施的細(xì)節(jié)。為了彌補(bǔ)這個(gè)差距，我們進(jìn)行灰盒測試[7，14]。 我們通過系統(tǒng)的傳輸協(xié)議、傳輸速率和接口特

14、性來度量系統(tǒng)的特征。所有測試都是用我們自己的手機(jī)完成。 我們絕不會把有害的數(shù)據(jù)包加入系統(tǒng)或違反任何服務(wù)協(xié)議。</p><p>　　2.1.1傳輸協(xié)議 網(wǎng)絡(luò)的傳輸協(xié)議規(guī)定了信息在系統(tǒng)中的傳輸方式。通過對這個(gè)信息流的研究來推測系統(tǒng)接收信息的響應(yīng)度。整個(gè)系統(tǒng)的響應(yīng)是多個(gè)排隊(duì)點(diǎn)總和得到的。該標(biāo)準(zhǔn)文件包括兩個(gè)節(jié)點(diǎn)-短消息服務(wù)中心和目標(biāo)設(shè)備。</p><p>　　短消息服務(wù)中心是短

15、信服務(wù)的核心，所有的信息必須通過他們。由于實(shí)際條件的限制，每個(gè)SMSC的只有隊(duì)列的每個(gè)用戶的郵件數(shù)量有限。短消息服務(wù)中心是根據(jù)存儲和轉(zhuǎn)發(fā)機(jī)制進(jìn)行信息路由，每條信息都會被保存，除非目標(biāo)設(shè)備成功接收該短信或超時(shí)無效。通過緩沖區(qū)容量和短信刪除策略確定哪些信息到達(dá)接受者。 SMSC的緩沖區(qū)和驅(qū)逐政策進(jìn)行了評價(jià)，同時(shí)慢慢注入目標(biāo)設(shè)備是斷電的消息。最著名的三大服務(wù)提供商為：AT＆T公司（現(xiàn)在是Cingular公司的一部分），Verizon

16、和斯普林特公司。對于每一個(gè)供應(yīng)商，每60秒可以連續(xù)處理緩存中大約400條信息。當(dāng)設(shè)備重新連接網(wǎng)絡(luò)時(shí)，包含緩沖區(qū)大小和序列短信刪除策略的序列號會變化。</p><p>　　我們發(fā)現(xiàn)，AT＆T的短消息服務(wù)中心的緩沖區(qū)能存放400條短信.這看起來似乎很大，400條含160字節(jié)的信息量大小也只有62.5KB。而對Verizon公司的短消息服務(wù)中心測試的結(jié)果不一樣。當(dāng)設(shè)備開啟時(shí)，下載的第一條消息不是序列號為1的那條，而是序

17、列號為301的那條。這表明，Verizon公司的短消息服務(wù)中心緩存區(qū)只能存儲100條信息和采用先進(jìn)先出的規(guī)則執(zhí)行，一個(gè)FIFO遷出的政策緩沖能力。斯普林特公司的短消息服務(wù)中心是與AT&T公司和Verizon公司的都不同。它的設(shè)備重新連接網(wǎng)絡(luò)時(shí),只能容納從序列號從1開始的30條短信。因此, 斯普林特公司的短消息服務(wù)中心只能存儲30條短信，也遵循先入先出的規(guī)則。</p><p>　　當(dāng)終端設(shè)備的短信緩存區(qū)是滿

18、的，網(wǎng)絡(luò)中的短信被保留在短消息服務(wù)中心的緩存中。在這種情況下，與全球移動通信系統(tǒng)的標(biāo)準(zhǔn)一樣，移動手機(jī)會從歸屬位置寄存器返回一個(gè)基站緩存溢出標(biāo)志。由于歸屬位置寄存器不可能確定每一個(gè)手機(jī)的收件箱容量，因此，我們選擇了不同時(shí)期不同價(jià)格的手機(jī)進(jìn)行測試：美國電話電報(bào)公司的Nokia 3560手機(jī)、弗萊森電訊的稍新一點(diǎn)的LG 4400手機(jī)和斯普林特公司最近發(fā)布的高端Treo 650手機(jī)，包含1GB的可移動的記憶棒。移動設(shè)備的能力可以通過緩慢地發(fā)送信

19、息到目標(biāo)用戶，使目標(biāo)用戶的整個(gè)收件箱出現(xiàn)警告指示來觀察。表2.1所示是不同移動設(shè)備緩沖能力的結(jié)果值。</p><p>　　表2.1 SMS移動設(shè)備容量</p><p>　　發(fā)送規(guī)則實(shí)驗(yàn)結(jié)果指明手機(jī)短信服務(wù)系統(tǒng)是如何對大量涌入的文本信息作出反應(yīng)。我們確信大多數(shù)短消息服務(wù)中心和移動設(shè)備的緩沖容量有限。倘若發(fā)生拒絕服務(wù)攻擊，大量短信涌入造成短信的丟失。因此，拒絕服務(wù)攻擊要成功，必須有分布式的大量

20、用戶。</p><p>　　Exploiting Open Functionality in SMS-Capable Cellular Networks</p><p>　　1．SMS/CELLULAR NETWORK OVERVIEW</p><p>　　This section offers a simpli?ed view of an SMS message

21、traversing a GSM-based system from submission to delivery. These procedures are similar in other cellular networks including CDMA.</p><p>　　1.1 Submitting a Message</p><p>　　There are two meth

22、ods of sending a text message to a mobile device - via another mobile device or through a variety of External Short Messaging Entities (ESMEs). ESMEs include a large number of diverse devices and interfaces ranging from

23、 email and web-based messaging portals at service provider websites to voicemail services, paging systems and software applications. Whether these systems connect to the mobile phone network via the Internet or speci?c d

24、edicated channels, messages are ?rst deliv</p><p>　　Upon receiving a message, the contents of incoming packets are examined and, if necessary, converted and copied into SMS message format. At this point in t

25、he system, messages from the Internet become indistinguishable from those that originated from mobile phones. Messages are then placed into an SMSC queue for forwarding.</p><p>　　1.2 Routing a Message<

26、/p><p>　　The SMSC needs to determine how to route messages to their targeted mobile devices. The SMSC queries a Home Location Register (HLR) database, which serves as the permanent repository of user data and i

27、ncludes subscriber information (e.g. call waiting and text messaging), billing data, availability of the targeted user and their current location. Through interaction with other network elements, the HLR determines the

28、routing information for the destination device. If the SMSC receives a reply st</p><p>　　When a text message arrives from the SMSC, the MSC fetches information speci?c to the target device. The MSC queries a

29、 database known as the Visitor Location Register, which returns a local copy of the targeted device’s information when it is away from its HLR.The MSC then forwards the text message on to the appropriate base station for

30、 transmission over the air interface. A diagram of a mobile phone network is depicted in Figure 1.1, followed by a simpli?ed SMS message ?ow in Figure 1.2.</p><p>　　Figure 1.1 SMS Network</p><p>

31、;　　Figure 1.2 Simplified examples of an SMS Network and message flow</p><p>　　1.3 Wireless Delivery</p><p>　　The air interface is divided into two parts - the Control Channels (CCH) and Traf?c

32、 Channels (TCH). The CCH is further divided into two types of channels - the Common CCH and Dedicated CCHs. The Common CCH, which consists of logical channels including the Paging Channel (PCH) and Random Access Channel(

33、RACH), is the mechanism used by the base station to initiate the delivery of voice and SMS data. Accordingly, all connected mobile devices are constantly listening to the Common CCH for voice and S</p><p>　　

34、The base station sends a message on the PCH containing the Temporary Mobile Subscriber ID (TMSI) associated with the end destination. The network uses the TMSI instead of the targeted device’s phone number in order to th

35、wart eavesdroppers attempting to determine the identity of the receiving phone. When a device hears its TMSI, it attempts to contact the base station over the RACH and alerts the network of its availability to receive in

36、coming call or text data. When the response arrives, the bas</p><p>　　An illustration of this ?nal stage of delivery over the air interface is shown in Figure 1.3.</p><p>　　Figure 1.3 Simplified

37、 SMS air interface communication</p><p>　　2．SMS/CELLULAR NETWORK VULNERABILITY ANALYSIS</p><p>　　The majority of legitimate uses for SMS can often be characterized as nonessential, ranging from

38、social interactions to low priority business-related exchanges. The salient feature of these communications is that they can typically be accomplished through a number of other, albeit potentially less convenient channel

39、s. During the terrorist attacks of September 11, 2001, however, the nature of text messaging proved to be far more utilitarian. With millions of people attempting to contact friends a</p><p>　　Text messaging

40、 allowed the lines of communication to remain open for many individuals in need in spite of their inability to complete voice calls. Accordingly, SMS messaging is now viewed by many as a reliable method of communication

41、when all other means appear unavailable.</p><p>　　A high number of call initiations at a given base station slows this response as the RACH is a shared access channel running the Slotted Aloha protocol</p

42、><p>　　Due to this proliferation of text messaging, we analyze Internet-originated, SMS attacks and their effects on voice and other services in cellular networks. We ?rst characterize these systems through an

43、extensive study of the available standards documentation and gray-box testing. From this data, we discuss a number of attacks and the susceptibility of mobile phone networks to each.Lastly, from gray-box testing,we asses

44、s the resilience of these networks to these attacks.</p><p>　　Before discussing the speci?cs of any attack on cellular networks, it is necessary to examine these systems from an adversary’s perspective. In t

45、his section, we present simple methods of discovering the most fragile portions of these networks by determining system bottlenecks. We then investigate the creation of effective targeting systems designed to exploit the

46、se choke points.</p><p>　　2.1 Determining Bottlenecks in Cellular Networks</p><p>　　There is an inherent cost imbalance between injecting SMS messages into the phone network and delivering mes

47、sages to a mobile user. Such imbalances are the root of DoS attacks.</p><p>　　Recognizing these bottlenecks requires a thorough understanding of the system. The cellular network standards documentation prov

48、ides the framework from which the system is built, but it lacks implementation speci?c details. In an effort to bridge this gap, we performed gray-box testing [7, 14].</p><p>　　We characterize these systems

49、by delivery disciplines, delivery rates, and interfaces. All tests were performed using our own phones.</p><p>　　At no time did we inject a damaging volume of packets into the system or violate any service a

50、greement.</p><p>　　Delivery Discipline</p><p>　　The delivery discipline of a network dictates the way messages move through the system. By studying this ?ow, we determine system response to an

51、in?ux of text messages. The overall system response is a composite of multiple queuing points. The standards documentation indicates two points of interest - the SMSC and the target device.</p><p>　　SMSCs ar

52、e the locus of SMS message ?ow; all messages pass through them. Due to practical limitations, each SMSC only queues a ?nite number of messages per user. As SMSCs route messages according to a store and forward mechanism

53、, each message is held until either the target device successfully receives it or it is dropped due to age. The buffer capacity and eviction policy therefore determine which messages reach the recipient.</p><p

54、>　　The SMSC buffer and eviction policy were evaluated by slowly injecting messages while the target device was powered off. Three of the most prominent service providers were evaluated: AT&T(now part of Cingular)

55、, Verizon, and Sprint. For each provider, 400 messages were serially injected at a rate of approximately one per 60 seconds. When the device was reconnected to the network, the range of the attached sequence numbers indi

56、cated both buffer size and queue eviction policy.</p><p>　　We found that AT&T’s SMSC buffered the entire 400 messages.While seemingly large, 400 160-byte messages is only 62.5KB.Tests of Verizon’s SMSC y

57、ielded different results. When the device was turned on, the ?rst message downloaded was not sequence number one; instead the ?rst 300 messages were missing. This demonstrates that Verizon’s SMSC has a buffer capacity

58、of 100 messages and a FIFO eviction policy. Sprint’s SMSC proved different than both AT&T and Verizon. Upon reconnecting the device to </p><p>　　Messages also remain in the SMSC buffer when the target d

59、evice’s message buffer is full.This occurs, as noted in the GSM standards [5], when the mobile phone returns a Mobile-Station-Memory-Capacity-Exceeded-Flag to the HLR. Because it is impossible to determine the inbox capa

60、city of every phone, we chose to test three representative devices of varying age and expense:the Nokia 3560 (AT&T), the slightly newer LG 4400 (Verizon), and the recently released high-end Treo 650 (Sprint) containi

61、ng a 1G</p><p>　　Table 2.1 Mobile Device SMS Capacity</p><p>　　The delivery discipline experimentation results indicate how the SMS system will react to an in?ux of text messages. We con?rmed th

62、at ?nite buffer capacities exist in most SMSCs and mobile devices.In the event of a DoS attack, messages exceeding these saturation levels will be lost. Therefore, a successful DoS attack must be distributed over a numbe

63、r of subscribers.</p><p>　　2.1.2 Delivery Rate</p><p>　　The speed at which a collection of nodes can process and forward a message is the delivery rate.In particular, bottlenecks are discovered

64、by comparing injection rates with delivery rates. Additionally, due to variations in injection size for different interfaces,the injection size per message is estimated.</p><p>　　Determining the maximum inje

65、ction rate for a cellular network is an extremely dif?cult task.The exact number of SMSCs in a network is not publicly known or discoverable. Given the sheer number of entrances into these networks, including but not li

66、mited to website interfaces, email, instant messaging, and dedicated connections running the Short Messaging Peer Protocol (SMPP), we conservatively estimate that it is currently possible to submit between several hundre

67、d and several thousand messages </p><p>　　A brief sampling of available interfaces is provided in Table 2.These interfaces can be grouped into three main categories: instant messaging, information services,

68、and bulk SMS. Instant messaging provides the same functionality as text messaging, but connects new networks of users to cellular networks. With 24 hour news,customers are frequently ?ooded with “on the go” updates of h

69、eadlines, sports, and stocks from information service providers such as CNN and MSNBC. Lastly, through bulk SMS pro</p><p>　　While injection rates for instant messaging and the information services are unkno

70、wn, the bulk SMS providers offer plans with rates as high as 30-35 messages per second, per SMPP connection. Furthermore, by using multiple SMPP connections, START Corp. (www.startcorp.com) offers rates “an order of mag

71、nitude” greater. Combining all of these conduits provides an adversary with the ability to inject an immense number of messages.</p><p>　　When message delivery time exceeds that of message submission, a syst

72、em is subject to DoS attacks. We therefore compare the time it takes for serially injected messages to be submitted and then delivered to the targeted mobile device. This was accomplished via a PERL script designed to se

73、rially inject messages approximately once per second into each provider’s web interface. From this, we recorded an average send time of 0.71 seconds.</p><p>　　Measurement of incoming messages was more dif?cu

74、lt due to a lack low-level access to the device operating system. Via informal observation, we recorded interarrival times of 7-8 seconds for both Verizon and AT&T. Interarrival times for Sprint were undetermined due

75、 to sporadic message downloads occurring anywhere between a few seconds and few minutes apart. The experiments clearly demonstrate an imbalance between the time to submit and the time to receive.</p><p>　　W

76、hile SMS messages have a maximum size of 160 bytes, each submission requires additional overhead. Using tcpdump, we observed both raw IP and user data traf?c. Not considering TCP/IP data overhead, Sprint, AT&T, and

77、Verizon all required under 700 bytes to send a 160 byte SMS message. This included the HTTP POST and browser headers. </p><p>　　Due to the ACKs required for downloading the web page (8.5KB for Sprint, 13.6K

78、B for AT&T, 36.4KB for Verizon), the actual data upload size was signi?cantly higher. While the overhead is relative to retransmissions and window size, we recorded upload sizes of 1300 bytes (Sprint), 1100 bytes (A

79、T&T), and 1600 bytes (Verizon). In an effort to reduce the overhead induced by TCP traf?c,we observed the traf?c resulting from email submission. Even with TCP/IP traf?c overhead, less than 900 bytes was re</p>