Virtualised USB Fuzzing using QEMU and Scapy

Transcription

1 Virtualised USB using QEMU and Scapy Breaking USB for Fun and Profit Tobias Mueller School of Computing Dublin City University / 28

2 1 Motivation USB Trivia USB Architecture 2 Obtaining valid USB communication QEMU Virtual USB Device 3 Stack Stress Test USB Fingerprinting Driver Flaws 2 / 28

3 About me Motivation USB Trivia USB Architecture About me Tobi(as) Mueller Mail 974C F452 FDA0 99D8 CB7E 54F7 DC03 BAA3 D349 2A2A Talk 40 mins Ask immediately Demos 3 / 28

4 About me Motivation USB Trivia USB Architecture Motivation What s the problem? USB supported by every major OS USB widely deployed USB drivers in kernel space Not easy to assess security Development board? Inject messages into kernel? 4 / 28

5 Digital Voting Pen Yes, it uses USB. hehe

6 In-Flight entertainment Based on Linux or VxWorks

7

8 About me Motivation USB Trivia USB Architecture USB <1990: Serial and Parallel ports IO and IRQs >1990: USB *yay* cheap to build hotplug auto config However <5 metres device device 8 / 28

9 About me Motivation USB Trivia USB Architecture Architecture Host initiated communication polling Yes, even with keyboards or mice packet-based SETUP IN OUT 9 / 28

10 Application Application Application Userspace Kernelspace Device Driver Device Driver Subsystem USB Stack Subsystem Electrical Layer

11 Device Descriptor Configuration Configuration Interface Interface Interface Endpoint Endpoint Endpoint Endpoint

12 Device Descriptor QemuUSB pipe direction D>H (device to h[...] pid IN devaddr 0 devep 0 length 18 USBIn Descriptor length 18 type Device DeviceDescriptor bcdusb 0x0200 bdeviceclass Base Class bdevicesubclass 0 bdeviceprotocol 0 bmaxpacketsize 64 idvendor 0x1307 idproduct 0x0163 bcddevice 256 imanufacturer 1 iproduct 2 iserialnumber 3 bnumconfigurations1 44 3e

13 Recent USB issues About me Motivation USB Trivia USB Architecture The Playstation 3 Hack Configuration Descriptor overflow... m( 13 / 28

14 Recent USB issues (cont.) About me Motivation USB Trivia USB Architecture Solaris FAIL Configuration Descriptor overflow by Andy Davies (CVE ) 14 / 28

15 About me Motivation USB Trivia USB Architecture Physical Access? Often argued that it s not in the OS s threat model except, it is... Not necessarily needed due to: USB/IP Wireless USB 15 / 28

16 Obtaining valid USB communication QEMU Virtual USB Device Dumb coined in late 80 s feed program with random(?) data received a lot of attention 2004 Smart Modify existing valid structured data Checksums Cover more code Patent encumbered? Scapy Awesome (!) framework sniff, manipulate, craft, send (Ethernet) packets models packets in Python 16 / 28

17 Obtaining valid USB communication QEMU Virtual USB Device Obtaining Valid USB communication Read specs :-( mount none -t debugfs /sys/kernel/debug mount none -t usbmon see Documentation/usb/usbmon.txt :-( Using QEMU: Implement filter to pipe out communication (originally done by Moritz Jodeit) 17 / 28

18 Obtaining valid USB communication QEMU Virtual USB Device Host Virtual Machine (QEMU) Filter USB Device 18 / 28

19 Obtaining valid USB communication QEMU Virtual USB Device Small demo 19 / 28

20 Obtaining valid USB communication QEMU Virtual USB Device QEMU Full virtualisation (not Xen, OpenVZ, UML, etc... ) Free (as in speech) Virtualisation (not VMWare) Existing Virtual USB Drivers (not VirtualBox as of end 2010) 20 / 28

21 Obtaining valid USB communication QEMU Virtual USB Device Virtual USB Device Take simple existing MSD or Serial driver Write out / Read in USB packets Implement desired behaviour externally cat and echo Or enhancing Scapy to read/write from pipes Automaton class 21 / 28

22 Obtaining valid USB communication QEMU Virtual USB Device Host Virtual Machine (QEMU) Virtual USB Software Device 22 / 28

23 Obtaining valid USB communication QEMU Virtual USB Device Small demo 23 / 28

24 USB Stack stress testing How many devices can you handle? def r u n s i m p l e t e s t ( qemu, timeout =4, d e l e t e=f a l s e ) : qemu. usb add ( mouse ) time. s l e e p ( timeout ) cmd = l i s t ( dmesg ) + [ space ] \ + [ minus ] + [ c ] + [ enter ] qemu. s e n d k e y s (cmd) u s b d e v i c e s = qemu. u s b i n f o ( ) i f d e l e t e : f o r d e v i c e i n u s b d e v i c e s [ usbdevices ] : qemu. u s b d e l ( %d.%d % ( d e v i c e [ busnr ], d e v i c e [ devaddr ] ) ) p r i n t qemu. c p u i n f o ( )

25 Stack Stress Test USB Fingerprinting Driver Flaws USB Fingerprinting Targeted attacks OS Packet Sequence Retries Windows SETUP, IN, OUT 3 Linux SETUP (9x), RESET 4+2 OpenBSD 4.7 SETUP, IN, OUT 7 FreeBSD 8.0 SETUP, IN, OUT 6 Tabelle: USB Stack Fingerprints of various operating systems 25 / 28

26 Stack Stress Test USB Fingerprinting Driver Flaws Driver Flaws Demo: Who s got Linux? 26 / 28

27 Future Work What s next? USB-3? (SuperSpeed, Device Initiated Communication) Making it work with GadgetFS Make that work on N900 Get more fingerprints Exploit more drivers Run shellcode USB Firewall 27 / 28

28 Q&A Questions? Muchas Gracias! Preguntas?! 28 / 28