The IEEE 802.11 family of standards, better known as WiFi, is a widely
deployed protocol used by billions of users. Previous works on WiFi formal
verification have mostly focused on the four-way handshake and other security
aspects. However, recent works have uncovered severe vulnerabilities in
functional aspects of WiFi, which can cause information leakage for billions of
devices. No existing formal analysis method can reason about the functional
aspects of the WiFi protocol. In this paper, we take the first steps in
addressing this gap and present an extensive formal analysis of the functional
aspects of the WiFi protocol, more specifically, the fragmentation and the
power-save-mode process. To achieve this, we design a novel segment-based
formal verification process and introduce a practical threat model (i.e., MAC
spoofing) in Tamarin to reason about the various capabilities of the attacker.
With this approach, we verify 68 properties extracted from the WiFi protocol
specification, find 3 vulnerabilities through the verification, verify 3 known
attacks, and discover 2 new issues. These vulnerabilities and issues affect 14
commercial devices out of 17 tested cases, showing the prevalence and impact of
the issues. We also show that the proposed countermeasures are indeed
sufficient to address the issues. We hope our results and analysis will
help vendors adopt the countermeasures and motivate further research into the
verification of the functional aspects of the WiFi protocol.