On Wednesday 14 April 2010 23:48:22 Harald Welte wrote:
Hi!
Collin Mulliner, Tobias Engel and myself have been meeting yesterday to discuss a generic application interface for OpenBSC.
very nice.
They are both doing security analysis and want to achieve a clean way how an external application can get access to a more or less transparent communication channel to the phone.
The purpose of this is to be able to send intentionally malformed packets to the mobile phone GSM stack at various different levels within the stack.
Let me answer to your question from the bottom. If our only goal is to send malformed packets to the MS I think this interface is way too low level and for now all requirements can be handled by basic GSM08.08 messages.
- Ability to establish a SDCCH or TCH channel by paging the phone As of now, the 'silent call' feature from the VTY already does this.
GSM08.08 Paging Request which will be answered with a GSM08.08 Complete Layer3 Information (a new connection)
- Ability to send arbitrary layer3 protocol messages to the phone Adding this is relatively easy (use rsl_sendmsg on the lchan from the silent call)
GSM08.08 DTAP
- Ability to receive responses from the phone, as well as error conditions such as 'readio link failure'. We don't have a solution for this yet, and we also have no clean way to identify what might be a response from the phone to the external app, and what might be a message from the phone to the normal network code in OpenBSC
GSM08.08 DTAP and GSM08.08 Cleanup Request (Error Cause Radio Link Failure)
So what I've been thinking of as a solution to the problem:
- store a bypass_flags bitmask related to the subscriber structure, where we indicate values such as BYPASS_RR, BYPASS_MM, BYPASS_CC, BYPASS_SAPI3.
That sounds easy so far. We could easily extend it to MSG type in the future.