On Wednesday 14 April 2010 23:48:22 Harald Welte wrote:
Hi!
Collin Mulliner, Tobias Engel and myself have been meeting yesterday to
discuss a generic application interface for OpenBSC.
very nice.
They are both doing security analysis and want to achieve a clean way
how an external application can get access to a more or less transparent
communication channel to the phone.
The purpose of this is to be able to send intentionally malformed
packets to the mobile phone GSM stack at various different levels within
the stack.
Let me answer to your question from the bottom. If our only goal is to send
malformed packets to the MS I think this interface is way too low level and
for now all requirements can be handled by basic GSM08.08 messages.
1) Ability to establish a SDCCH or TCH channel by
paging the phone
As of now, the 'silent call' feature from the VTY already does this.
GSM08.08 Paging Request which will be answered with a GSM08.08 Complete Layer3
Information (a new connection)
2) Ability to send arbitrary layer3 protocol messages to the phone
Adding this is relatively easy (use rsl_sendmsg on the lchan from the
silent call)
GSM08.08 DTAP
3) Ability to receive responses from the phone, as well as error
conditions such as 'readio link failure'. We don't have a solution
for this yet, and we also have no clean way to identify what might
be a response from the phone to the external app, and what might
be a message from the phone to the normal network code in OpenBSC
GSM08.08 DTAP and GSM08.08 Cleanup Request (Error Cause Radio Link Failure)
So what I've been thinking of as a solution to the
problem:
* store a bypass_flags bitmask related to the subscriber structure,
where we indicate values such as BYPASS_RR, BYPASS_MM, BYPASS_CC,
BYPASS_SAPI3.
That sounds easy so far. We could easily extend it to MSG type in the future.