Components

FISSURE is a tool suite and RF framework consisting of dedicated Python components networked together for the purpose of RF device assessment and vulnerability analysis.

Overview

FISSURE stemmed from the need to quickly identify and react to unknown devices or devices operating in unidentified modes in a congested RF environment. Over the years it has grown into an in-house laboratory tool used by AIS for nearly all things RF.

Communications

The major components for FISSURE are written in Python/PyQt and communicate over an IP network to a central hub using ZeroMQ. Each component has a direct connection to the hub but can also have an unlimited number of one-to-many connections to broadcast status messages to other components. Any number of custom components can be added to the framework as long as the inputs/outputs are clearly defined in YAML and adhere to a simple message schema that allows for input sanitization and error handling.

Library

Library utilities for browsing; searching; uploading images; adding/removing modulation types, packet types, signals of interest, statistics, demodulation flow graphs, and attacks.

File Structure

FISSURE
├── Archive
│   ├── Datasets
│   └── Playlists
├── Attack Recordings
├── Crafted Packets
│   ├── Defaults
│   └── Scapy
├── Custom_Blocks
│   └── maint-3.x
│       ├── gr-a...
│       ├── ...
│       └── gr-z...
├── Dissectors
├── docs
│   ├── Gallery
│   ├── Help
│   ├── Icons
│   ├── Lessons
│   └── RTD
├── Flow Graph Library
│   ├── Archive Flow Graphs
│   ├── Fuzzing Flow Graphs
│   ├── Inspection Flow Graphs
│   ├── IQ Flow Graphs
│   ├── PD Flow Graphs
│   ├── Single-Stage Flow Graphs
│   ├── Sniffer Flow Graphs
│   ├── Standalone Flow Graphs
│   └── TSI Flow Graphs
├── Installer
├── IQ Recordings
├── Logs
│   └── Session Logs
├── Multi-Stage Attack Files
├── Protocol Discovery Data
├── Tools
├── UI
│   └── Style_Sheets
└── YAML
    ├── Library Backups
    └── User Configs
Archive/

Default location for downloading IQ files from the online signal archive.

Archive/Datasets/

Default location for storing generated IQ datasets and .csv files from the Archive Datasets tab.

Archive/Playlists/

Default location for storing signal playlists for the Archive Replay tab.

Attack Recordings/

Default location for storing any recordings produced from attacks.

Crafted Packets/

Default location for storing packet data from the Packet Crafter tab.

Crafted Packets/Defaults/

Location for default packet types listed in the Packet Crafter. Used to send data to UDP ports in the Sniffer tab. Not used to populate the Packet Crafter as defaults for packet types are acquired from the FISSURE library.

Crafted Packets/Scapy/

Location for temporarily storing loaded Scapy data used by the Scapy Injector in the Packet Crafter.

Custom_Blocks/

Contains GNU Radio out-of-tree (OOT) modules used by FISSURE. These include git submodules of specific compatible branches from online repositories. Any updates to these branches will be reflected in the contents of this folder. A few OOT modules are not git submodules and reside locally.

Custom_Blocks/maint-3.x/

Subfolder named after the major version of GNU Radio supported by the current branch.

Dissectors/

Default location for saving and editing Lua dissectors created by the Protocol Discovery Dissectors tab. Dissector files in this folder get copied to the Wireshark plugins folder during the FISSURE install and after clicking the Update Wireshark button in the Dissectors tab.

docs/

Contains static files used by FISSURE for display and documentation.

docs/Gallery/

Location of images of note that can be assigned to a protocol found in the FISSURE library. The image file must begin with the same name as the protocol to be displayed in the Library Gallery tab.

docs/Help/

Location of FISSURE help pages written in Markdown and HTML. Contents will eventually be folded into this Read the Docs project.

docs/Icons/

Location of icons used by the FISSURE GUI widgets and README.

docs/Lessons/

Location of FISSURE lesson pages written in Markdown and HTML. Contents will eventually be folded into this Read the Docs project.

docs/RTD/

Contains the HTML and PDF versions of this Read the Docs project. The Python3_maint-3.10 branch of FISSURE contains the files needed to populate and build the project.

Flow Graph Library/

Contains the flow graphs and Python scripts that are called by the main FISSURE components.

Flow Graph Library/Archive Flow Graphs/

Location of flow graphs used by the Archive tab for IQ file replay and building datasets from altered IQ files.

Flow Graph Library/Fuzzing Flow Graphs/

Location of special Attack flow graphs containing Fuzzer blocks that periodically change message contents during transmission.

Flow Graph Library/Inspection Flow Graphs/

Location of inspection flow graphs used by the IQ Data tab for analyzing signal data sourced from streaming SDRs and file captures (“File” folder).

Flow Graph Library/IQ Flow Graphs/

Location of flow graphs used by the IQ Data tab for recording and playback of signals. Contains two types of playback flow graphs: single playback and repeating playback.

Flow Graph Library/PD Flow Graphs/

Location of flow graphs used by the Protocol Discovery tab for signal analysis and demodulation.

Flow Graph Library/Single-Stage Flow Graphs/

Location of flow graphs and Python scripts for the single-stage attacks listed in the Attack tab tree widget. Support files for the single-stage attacks are stored in the “Attack Files” folder.

Flow Graph Library/Sniffer Flow Graphs/

Location of flow graphs that tap into a running Protocol Discovery demodulation flow graph to pass data to a UDP port for Wireshark viewing.

Flow Graph Library/Standalone Flow Graphs/

Location of flow graphs that are accessed from the Standalone menu. These flow graphs are copies and can be modified without impacting FISSURE or the out-of-tree modules.

Flow Graph Library/TSI Flow Graphs/

Location of flow graphs used by the TSI component for slow scanning detection and fixed frequency detection.

Installer/

Location of the primary FISSURE installation script and its support files. It is called by the “install” bash script after checking for prerequisities.

IQ Recordings/

Default location for storing IQ files captured with the IQ Data tab recorder. Contains example files for testing purposes.

Logs/

Default location for event logs saved by FISSURE.

Logs/Session Logs/

Default location for session logs saved by the user.

Multi-Stage Attack Files/

Default location for storing multi-stage attack playlists from the Attack Multi-Stage tab.

Protocol Discovery Data/

Default location for storing data during the process of protocol discovery.

Tools/

Additional scripts, patches, configuration files, reference material, or standalone programs used to support FISSURE and the installer. These files are generally not modified during the install or while operating FISSURE. Installed third-party tools are located elsewhere in the “~/Installed_by_FISSURE” directory.

UI/

Default location for PyQt .ui files.

UI/Style_Sheets/

Default location for FISSURE style sheets which control UI appearance and color schemes.

YAML/

Location of the FISSURE library, logging configuration, and component messaging definitions and input sanitization.

YAML/Library Backups/

Location for storing backups and temporary copies of the FISSURE library before performing library operations.

YAML/User Configs/

Location of default settings for FISSURE including hardware configurations, component networking, and default options.

Supported Protocols

Tools, Scripts, FISSURE Library Data

  • 802.11

  • ACARS

  • Bluetooth

  • Clapper Plus (433 MHz)

  • DECT

  • DSRC

  • FM Radio

  • Garage Door (Stanley)

  • GSM

  • J2497

  • LTE

  • Mode S (ADS-B)

  • Morse Code

  • Radiosonde

  • RDS

  • SimpliciTI

  • TPMS

  • X10

  • Z-Wave

FISSURE Packet Crafter

  • 802.11

  • DECT

  • DSRC

  • Mode S (ADS-B)

  • RDS

  • SimpliciTI

  • TPMS

  • X10

  • Z-Wave

Dashboard

Concepts

The User Dashboard is the means for the operator to configure FISSURE and communicate with and view information from the other components. It offers several other features that do not require their own dedicated component including:

  • A packet crafter for protocols found the FISSURE library. It includes Scapy integration for transmitting different types of 802.11 packets while in monitor mode.

  • Library utilities for browsing; searching; uploading images; adding/removing modulation types, packet types, signals of interest, statistics, demodulation flow graphs, and attacks.

  • Menu items for launching standalone GNU Radio flow graphs.

  • Third-party and online tools as menu items organized by protocol or application.

  • Lessons and tutorials for interacting with various RF protocols.

  • Help pages for operation and development, protocol reference material, calculators, and hardware instructions.

  • Buttons for: assigning RF-enabled hardware to individual components (USRP B205mini, B210, X300 series; HackRF; bladeRF; LimeSDR; 802.11x Adapters; RTL2832U; Open Sniffer); probing the hardware for diagnostics; and acquiring IP address, daughterboard, and serial number information.

Communication

Modification

Target Signal Identification

The Target Signal Identification (TSI) component runs four subcomponents: a detector, a signal conditioner, a feature extractor, and a classifier.

The Detector subcomponent allows the operator to configure scan parameters for multiple search bands with the goal of reporting the power, frequency, and time of observed signals.

The Signal Conditioner subcomponent will be responsible for isolating and conditioning signals from a stream of raw I/Q data for more detailed analysis.

The Feature Extractor subcomponent will accept the conditioned signals and extract a predetermined list of signal characteristics dependent on the AI/ML method chosen for classification.

The Signal Classifier subcomponent will interpret the feature sets and make specific conclusions such as the confidence levels for protocol and emitter classification.

Protocol Discovery

The Protocol Discovery component is responsible for identifying and reversing RF protocols to help extract meaningful data from unknown signals. It is designed to: accept signal of interest information, iterate flow graphs to perform recursive demodulation techniques, deduce protocol methods, assign confidence levels, analyze a bitstream, calculate CRC polynomials, and create custom Wireshark dissectors.

Flow Graph/Script Executor

The Flow Graph/Script Executor component runs flow graphs or Python scripts to perform single-stage attacks, multi-stage attacks, fuzzing attacks, IQ recording and playback, live signal inspection/analysis, and transmit playlists of signal data constructed with files downloaded from an online archive.

HIPRFISR

The Central Hub receives commands from the User Dashboard to distribute to other components, manages automation and editing of the main library - which contains RF protocol information, script and flow graph mappings, and observation data.