From 035b3a0430a4b4350b603ded8e8e7a88365dc4c1 Mon Sep 17 00:00:00 2001 From: Jiao Xianjun Date: Tue, 22 Jun 2021 09:36:24 +0200 Subject: [PATCH] Update csi_fuzzer.md --- doc/app_notes/csi_fuzzer.md | 54 ++++++++++++++++++++++++++++++++----- 1 file changed, 48 insertions(+), 6 deletions(-) diff --git a/doc/app_notes/csi_fuzzer.md b/doc/app_notes/csi_fuzzer.md index a4c921c..af60100 100644 --- a/doc/app_notes/csi_fuzzer.md +++ b/doc/app_notes/csi_fuzzer.md @@ -7,7 +7,9 @@ SPDX-License-Identifier: AGPL-3.0-or-later [Openwifi CSI fuzzer for authorized sensing and covert channels](https://arxiv.org/pdf/2105.07428.pdf) (accepted by ACM WiSec 2021) CSI (Channel State Information) of WiFi systems is available in some WiFi chips and can be used for sensing the environment (keystrokes, people, object) passively and secretly. - + +## Concept + How could a CSI fuzzer stop unauthorized sensing? ![](./csi-fuzzer-system-before-vs-now.png) 
@@ -16,15 +18,55 @@ CSI fuzzer implementation principle. ![](./csi-fuzzer-principle.png) +## Demo instructions + +Thanks to the full-duplex capability and CSI extraction feature of openwifi, you can monitor the artificial channel response via [side channel](./csi.md) by Tx-Rx over the air coupling without affecting the normal operation/traffic of openwifi. Before the self-monitoring, the auto-mute during Tx needs to be disabled. + +The full demo steps are: + +``` +ssh root@192.168.10.122 +(password: openwifi) + +cd openwifi + +./fosdem-11ag.sh +(setup openwifi AP) + +./sdrctl dev sdr0 set reg xpu 1 1 +(Disable auto-muting to listen self-TX) + +insmod side_ch.ko num_eq_init=0 + +./side_ch_ctl wh1h2001 +./side_ch_ctl wh6hffffffff +(Let's only monitor self-beacon-TX CSI over-the-air loopback) + +./side_ch_ctl g1 +``` +Go to openwifi/user_space/side_ch_ctl_src, and run `python3 side_info_display.py 0`. You should see the over-the-air loopback CSI when CSI fuzzer is not enabled. Then stop the python3 side_info_display.py script to ease the next step. + +Start another ssh session to the openwifi board: +``` +ssh root@192.168.10.122 +(password: openwifi) + +cd openwifi + +./csi_fuzzer_scan.sh 1 +(CSI fuzzer applies possible artificial CSI by scanning all values) +(csi_fuzzer.sh is called. Please read both scripts to understand these commands) +``` + +Go to openwifi/user_space/side_ch_ctl_src, and run `python3 side_info_display.py 0`. Now you should see that CSI keeps changing like in this [video](https://youtu.be/aOPYwT77Qdw). + +# Further explanation on parameters + CSI fuzzer in openwifi system architecture and related commands. ![](./csi-fuzzer-implementation.png) -Thanks to the full-duplex capability and CSI extraction feature of openwifi, you can monitor the artificial channel response via [side channel](./csi.md) by Tx-Rx over the air coupling without affecting the normal operation/traffic of openwifi. 
Before the self-monitoring, the auto-mute during Tx needs to be disabled: - -``` -./sdrctl dev sdr0 set reg xpu 1 1 -``` +# Example fuzzed CSI CSI self-monitoring before fuzzing.
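Review bot: In the first hunk (@@ -7,7 +7,9 @@), the new "## Concept" heading is level 2, while "# Further explanation on parameters" and "# Example fuzzed CSI", added later in this same patch, are level 1, so the rendered outline nests Concept and Demo instructions under the page title but puts the later sections beside it. Pick one level for all four section headings. The hunk also removes a blank line and adds one back just before the heading, which looks like whitespace-only churn that could be dropped from the patch.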
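Review bot: In the second hunk (@@ -16,15 +18,55 @@), the demo steps disable auto-muting with `./sdrctl dev sdr0 set reg xpu 1 1` but never give the step that restores it, so a reader who follows the demo is left with a board that keeps listening to its own Tx; please add the restoring command at the end of the procedure. The fenced blocks mix commands with parenthesised annotations such as `(password: openwifi)` and `(setup openwifi AP)`, so they cannot be pasted into a shell as they stand; turning the annotations into `#` comments or moving them into the surrounding prose would fix that. Both ssh steps log in as root with a password printed in the doc, so a sentence telling readers to change it on any board reachable outside a lab network would be worth adding. It is also unclear whether `python3 side_info_display.py 0` runs on the board or on the host computer; say which. Finally, "Start another ssh session to the openwifi board:" has no blank line before its opening fence and the first closing fence has none before "Go to openwifi/user_space/side_ch_ctl_src", which some Markdown renderers handle badly.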