# Readme for reproducibility submission of the ACM WiSec'25 paper "Fragile Frames: Wi-Fi's Fraught Fight Against FragAttacks"

## A) Source code info

- Repository: https://github.com/vanhoefm/fragattacks-survey-public
- Virtual Machine: lubuntu-20.04.5-fragileframes.ova
- List of Programming Languages: Python
- Compiler Info: Python 3.8.10
- Packages/Libraries Needed: scapy 2.6.1

## B) Datasets info

- Repository: N/A
- Data generators: N/A

The data that our survey generated is sensitive information: it is a list of Wi-Fi networks and the attacks they are vulnerable to. We decided not to include this data in our artifacts, and instead created a virtual Wi-Fi environment to reproduce and test our survey tool. In this virtual environment, all the surveyed vulnerabilities can be reproduced. Additionally, we reproduce the A-MSDU vulnerability in mesh networks and verify that our defense stops the attack.

## C) Hardware Info

To reproduce the results, no special hardware is needed. We created a virtual Wi-Fi setup, based on the mac80211_hwsim driver, to enable reproduction of our survey tool in a virtual Wi-Fi environment.

## D) Experimentation Info

The username of the VM is "demo" without a password. Just press enter when asked for a password.

This artifact reproduces the two main parts of the paper: (1) the survey tool to test networks for a subset of the FragAttacks; and (2) a bypass against a FragAttack defense in mesh networks and a new kernel patch to prevent this bypass. If there are any unexpected issues, please do not hesitate to contact Mathy Vanhoef.

## 1. Wi-Fi Network Survey Tool

We created patched Linux kernel modules to create a Wi-Fi network that is vulnerable to the 5 surveyed FragAttack CVEs. Note that we did not test for CVE-2020-26145 in our survey (see Section 3.2) and hence we also do not simulate it here.

All combined, this means our virtual setup can reproduce Plaintext Full frame injection (CVE-2020-26140), Fragmented Plaintext frame injection (CVE-2020-26143), EAPOL Forward (CVE-2020-26139), Fake EAPOL (CVE-2020-26144), and Spoofing A-MSDUs (CVE-2020-24588). If you are interested in how these vulnerabilities are reproduced, you can navigate to the directory `~/backports-6.1.110-1` in a terminal and execute `git diff c0518`.

You can reproduce the detection of the above 5 vulnerabilities by opening a terminal, navigating to `~/fragattacks-survey-public`, and then executing the following five scripts:

1. In the first terminal, execute `./start_hwsim.sh`. This creates a virtual Wi-Fi setup.
2. In the second terminal, execute `./start_ap.sh`. This starts the vulnerable access point.
3. In the third terminal, execute `./start_client.sh`. This starts a client that connects to the access point.
4. In the fourth terminal, execute `sudo ./gentraffic.py`. This simulates legitimate network traffic.
5. In the fifth terminal, execute the following:

   ```
   sudo su
   source venv/bin/activate
   python3 main.py
   ```

The tool should now output in green each of the following lines at least once:

```
PLAINTEXT BROADCAST PACKET CAPTURED: Plain. full (CVE-2020-26140)
PLAINTEXT BROADCAST PACKET CAPTURED: Plain. frag. (CVE-2020-26143)
FORWARDED PACKET CAPTURED: EAPOL forward (CVE-2020-26139)
BROADCAST PACKET CAPTURED: Fake EAPOL (CVE-2020-26144)
ENTERPRISE: Spoof. A-MSDU (CVE-2020-24588)
```

When one of these lines is printed, it means the network was detected as affected by this vulnerability. Due to sensitivity to frame transmission timing, you might have to execute `python3 main.py` several times before all vulnerabilities are rediscovered (at most 10 times in our tests).

Note: optionally, you can also provide an argument to `./start_hwsim.sh [plain-full, plain-frag, eapol-forward, spoof-amsdu, fake-eapol]` to only simulate a single vulnerability in each run.

## 2. FragAttacks Defense Bypass in Mesh Networks

You can reproduce the mesh attack by navigating to `~/fragattacks-survey-public` and then executing the following three scripts (close all other scripts first):

1. In the first terminal, execute `./start_hwsim.sh mesh-attack`. This creates a virtual Wi-Fi setup with the existing A-MSDU defenses enabled.
2. In the second terminal, execute `./start_mesh1.sh`. This starts the victim mesh client.
3. In the third terminal, execute the following:

   ```
   cd ~/fragattacks-survey-public/hostap-mesh-poc/research
   sudo su
   source venv/bin/activate
   ./client.py wlan1 wlan2
   ```

The following output will be shown if the attack succeeded:

```
...
wlan2: Control interface command 'GET tk'
wlan2: Control interface command 'GET tk'
CTRL_IFACE GET 'tk'
CTRL-DEBUG: ctrl_sock-sendto: sock=13 sndbuf=212992 outq=0 send_len=32
>>> Got key 1af69c3678d775cfb6f5faf78ff9e0b2
RTM_NEWLINK: ifi_index=4 ifname=wlan1 operstate=6 linkmode=1 ifi_family=0 ifi_flags=0x11043 ([UP][RUNNING][LOWER_UP])
>>> Sending simulated attacker IPv4 single MSDU marked but marked as A-MSDU...
Plaintext: >>>>>>>>>>>>>
Encrypted: >>>>
RTM_NEWLINK: ifi_index=9 ifname=monwlan2 operstate=0 linkmode=0 ifi_family=0 ifi_flags=0x11043 ([UP][RUNNING][LOWER_UP])
.
Sent 1 packets.
RTM_NEWLINK: ifi_index=9 ifname=monwlan2 operstate=0 linkmode=0 ifi_family=0 ifi_flags=0x11043 ([UP][RUNNING][LOWER_UP])
>>> ATTACK WORKED! Received injected packet , , , ] |>>>
```

You can now re-do this experiment with our drivers that include our new mesh defense. First stop all scripts (you might have to press CTRL+C twice to stop the mesh client), then again navigate to `~/fragattacks-survey-public` and execute:

1. In the first terminal, execute `./start_hwsim.sh mesh-defense`. This creates a virtual Wi-Fi setup.
2. In the second terminal, execute `./start_mesh1.sh`. This restarts the victim mesh client, now with our novel mesh defense.
3. In the third terminal, execute the following:

   ```
   cd ~/fragattacks-survey-public/hostap-mesh-poc/research
   sudo su
   source venv/bin/activate
   ./client.py wlan1 wlan2
   ```

The attack should now fail, i.e., the following output will eventually be shown:

```
>> Couldn't detect injected packet. Client looks secure.
```
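Because the survey tool in Section 1 is timing-sensitive and may need up to ten runs before every vulnerability is reported, and because the mesh experiment in Section 2 is judged by a single sentinel line, it helps to have a small helper that folds several runs' output together and reports which of the five simulated CVEs are still missing, and that turns the mesh client's output into a verdict. The following is an added example written for this readme; it is not part of the artifact or of `main.py`. It assumes the detection lines have exactly the shape quoted above (a `CAPTURED:` or `ENTERPRISE:` prefix followed by the CVE in parentheses), that "output in green" means ANSI colour escapes that must be stripped, and the sample runs it embeds are constructed, not real tool output.

```python
"""Aggregate FragAttacks survey-tool output across runs (added example).

Assumptions (not guaranteed by the artifact): detection lines look like
"<...> CAPTURED: <name> (CVE-YYYY-NNNN)" or "ENTERPRISE: <name> (CVE-...)",
possibly wrapped in ANSI colour codes; the mesh client prints either
"ATTACK WORKED" or "Couldn't detect injected packet".
"""
import re

# The five CVEs the virtual setup simulates, with the names main.py prints.
SURVEYED_CVES = {
    "CVE-2020-26140": "Plain. full",
    "CVE-2020-26143": "Plain. frag.",
    "CVE-2020-26139": "EAPOL forward",
    "CVE-2020-26144": "Fake EAPOL",
    "CVE-2020-24588": "Spoof. A-MSDU",
}

_ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")          # colour escapes (assumed)
_DETECTION_RE = re.compile(r"(?:CAPTURED|ENTERPRISE):.*\((CVE-\d{4}-\d+)\)\s*$")


def detected_cves(lines):
    """Return the set of surveyed CVEs reported as detected in one run."""
    found = set()
    for raw in lines:
        line = _ANSI_RE.sub("", raw).strip()
        match = _DETECTION_RE.search(line)
        if match and match.group(1) in SURVEYED_CVES:
            found.add(match.group(1))
    return found


def aggregate_runs(runs, max_runs=10):
    """Fold the output of several runs together.

    Stops early once all five CVEs were seen or max_runs were consumed.
    Returns (detected, missing, runs_used).
    """
    detected = set()
    used = 0
    for run in runs:
        if used >= max_runs or detected == set(SURVEYED_CVES):
            break
        detected |= detected_cves(run)
        used += 1
    missing = set(SURVEYED_CVES) - detected
    return detected, missing, used


def mesh_verdict(lines):
    """Classify the mesh client's output: 'vulnerable', 'secure', or None."""
    for raw in lines:
        line = _ANSI_RE.sub("", raw)
        if "ATTACK WORKED" in line:
            return "vulnerable"
        if "Couldn't detect injected packet" in line:
            return "secure"
    return None  # neither sentinel seen yet; keep the client running


# Constructed sample output (not captured from the artifact): run 1 misses
# three CVEs because of frame timing, run 2 reports the rest.
RUN_1 = [
    "[*] starting capture on wlan2",
    "\x1b[32mPLAINTEXT BROADCAST PACKET CAPTURED: Plain. full (CVE-2020-26140)\x1b[0m",
    "\x1b[32mFORWARDED PACKET CAPTURED: EAPOL forward (CVE-2020-26139)\x1b[0m",
]
RUN_2 = [
    "PLAINTEXT BROADCAST PACKET CAPTURED: Plain. frag. (CVE-2020-26143)",
    "BROADCAST PACKET CAPTURED: Fake EAPOL (CVE-2020-26144)",
    "ENTERPRISE: Spoof. A-MSDU (CVE-2020-24588)",
    "PLAINTEXT BROADCAST PACKET CAPTURED: Plain. full (CVE-2020-26140)",
]
MESH_ATTACK = ["Sent 1 packets.", ">>> ATTACK WORKED! Received injected packet"]
MESH_DEFENSE = [">> Couldn't detect injected packet. Client looks secure."]


if __name__ == "__main__":
    detected, missing, used = aggregate_runs([RUN_1, RUN_2])
    print("runs used:", used)
    for cve in sorted(SURVEYED_CVES):
        status = "detected" if cve in detected else "MISSING"
        print("%s  %-14s %s" % (cve, SURVEYED_CVES[cve], status))
    print("mesh-attack run:", mesh_verdict(MESH_ATTACK))
    print("mesh-defense run:", mesh_verdict(MESH_DEFENSE))
```

In practice you would pipe each `python3 main.py` run into a file and pass the files' lines as the `runs` argument; the `missing` set tells you whether another run is still needed or whether a CVE is genuinely not reproduced in your environment.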