source: README.md @ 21

Last change on this file since 21 was 21, checked in by tim, 9 years ago

grammar fix; links

File size: 4.2 KB
Line 
1# Nanown
2
3A tool for identifying, evaluating, and exploiting timing
4vulnerabilities remotely.  This is part of the output from a research
5effort [discussed at BlackHat 2015](https://www.blackhat.com/us-15/briefings.html#web-timing-attacks-made-practical).
6This project is still highly experimental and not particularly easy to
7use at this point.
8
9
10# Prerequisites
11
12Linux and Python 3.4+ are required.  Yes, really, your Python needs to
13be that new.  You will also need to install the following modules for
14this version of Python:
15```
16requests
17numpy
18netifaces
19matplotlib
20```
21On Debian unstable, you can get these by running:
22```
23apt-get install python3-requests python3-numpy python3-netifaces python3-matplotlib
24```
25If you can't get the appropriate packages from your distro, resort to `pip3`.
26
27In addition, you'll need to have a C compiler and the development
28package for libpcap installed.  Under Debian this is probably sufficient:
29```
30apt-get install libpcap-dev gcc
31```
32
33
34# Installation
35
36Hah! Funny.
37
38Currently there's no installation script...
39
40To attempt to use this code, clone the repository and build the
41`nanown-listen` tool with:
42```
43cd nanown/trunk/src && ./compile.sh
44```
45
46That will drop the `nanown-listen` binary under nanown/trunk/bin.  You
47must then put this directory in your `$PATH` in order to perform any
48data collection.
49
50To run any of the other scripts, change to the nanown/trunk directory
51and run them directly from there.  E.g.:
52```
53bin/train ...args...
54bin/graph ...args...
55```
56
57
58# Usage
59
60Our goal for a usage workflow is this:
61
621. Based on example HTTP requests, and test cases supplied by the user,
63   a script generator creates a new script.  This new script serves
64   as the sample collection script, customized for your web
65   application.
66
672. After collecting samples using the script from step 1, you run a
68   mostly automated script to train and test various classifiers on your
69   samples.  This will then tell you how many samples you need to
70   reliably detect the timing difference.
71
723. Given the output from step 3 and inputs to step 1, a second script
73   generator creates an attack script for you as a starting point.  You
74   customize this and run your attacks.
75
76Sounds great, yeah?  Well steps 1 and 3 aren't quite implemented yet. =\
77
78If you are really dying to use this code right now, just make a copy of
79the `trunk/bin/sampler` script and hack on it until it sends HTTP requests
80that your targeted web application expects.  Be sure to define the test
81cases appropriately.  Then run it to collect at least
8250,000 samples for each of the train, test and train_null data sets
83(150,000 samples total).  NOTE: Your sampler script must be run as `root`
84so it can tweak local networking settings and sniff packets.
85
86Next you can move on to step 2, where you simply run the train script
87against the database created by your sampler script:
88```
89bin/train mysamples.db
90```
91This will run for a while.  If you cancel out and re-run it, it will
92pick up where it left off.  Pay special attention to the final results
93it prints out.  This will tell you how many samples are needed to
94distinguish between the test cases.  Do a little math on your own to
95decide how feasible your overall attack will be.
96
97Finally, we come to step 3.  If you choose to carry out an attack, you
98will need to implement your own attack script that collects batches of
99samples, distinguishes between them using the best classifier available
100(from step 2) and then repeats as needed.  Consider starting with the
101sample script at `test/blackhat-demo/jregistrate-attack`.
102
103Any questions?  See the source, watch our [BlackHat presentation](https://www.youtube.com/watch?v=k-Pv3sf3G2A), read
104our [research paper](https://www.blackhat.com/docs/us-15/materials/us-15-Morgan-Web-Timing-Attacks-Made-Practical-wp.pdf),
105or [post an issue](https://github.com/ecbftw/nanown/issues) on GitHub.
106
107
108# License
109
110Unless otherwise indicated in the source code, this software is licensed
111under the GNU GPL version 3.  See the LICENSE file for details.
112
113
114# Contributing
115
116We certainly welcome and encourage code contributions, no matter how
117small. Currently, this GitHub repository is a mirror of an SVN
118repository. Please don't submit pull requests.  Instead, just contact us
119through the issue tracker and send us a patch if needed.  We may switch
120to git later.
Note: See TracBrowser for help on using the repository browser.