a stepping stone into your kernel moritz jodeit martin
play

A Stepping Stone into your Kernel Moritz - PowerPoint PPT Presentation

Jan 05, 2023 •284 likes •615 views

2009 A Stepping Stone into your Kernel Moritz Jodeit, Martin Johns Agenda USB intro Motivation Attack surface Vulnerability identification Hardware-aided approach

  1. 2009 ���������� ������� A Stepping Stone into your Kernel Moritz Jodeit, Martin Johns

  2. Agenda • USB intro • Motivation • Attack surface • Vulnerability identification – Hardware-aided approach – Emulated environment • Crash analysis • Some findings • Conclusion 2

  3. Who am I? • Moritz Jodeit <moritz@jodeit.org> – Bug hunter / security researcher – Penetration tester at n.runs AG – Living in Hamburg, Germany 3

  4. USB intro 4

  5. USB concepts • Host / device • Enumeration • Descriptors • USB lingo – Endpoints – Pipes – Interfaces – Configurations 5

  6. USB overview 6

  7. Motivation • Social engineering attacks • Gain access to locked workstations – USB device enumeration starts even while workstation is locked! • Digital voting pen • Wireless USB (CWUSB) • Unprotected USB ports… 7

  8. Motivation 8

  9. Attacks • Data leakage • AutoRun malware – U3 flash drives • Malicious USB mouse/keyboard • Bugs in USB stacks and device drivers 9

  10. Attack surface 10

  11. Vulnerability identification • Hardware fuzzer • Hardware-aided software fuzzer • Emulated environments • USB over IP 11

  12. Hardware fuzzer • Direct connection to target – No middle layer which could influence results – Embedded devices can be fuzzed • Disadvantages – Fuzzing target might stop responding • Fuzzing EP0 on Windows XP (SP2) – Inflexible during development 12

  13. Hardware-aided software solution • Linux-USB Gadget API Framework – Peripheral controller drivers – Gadget drivers • Ethernet • Mass storage • Serial • MIDI • GadgetFS • Peripheral controller – Netchip NET2280 – PCI evaluation board 13

  14. Hardware-aided software solution 14

  15. Hardware-aided software solution • Linux-USB Gadget API Framework – Disadvantages • Encountered various dead locks on fuzzing host • Main focus doesn‘t seem to be fuzzing ;-) • Still bad target control – Can be used to build the final exploit • No firmware writing required 15

  16. Emulated environments • Good target monitoring capabilities • Virtual machine snapshots – Quickly recover non-responding target – Easy way to reproduce crashes • Use of high level languages • (Interesting) side effects… 16

  17. …bugs in virtualisation software 17

  18. USB over IP • Use of USB over IP bridge • Easy access to raw USB packets – Existing fuzzers / fuzzing frameworks can be used – USB hardware sniffer • All bridges we know of require software on the host :( • Currently planing our own USB-IP-USB bridge – Work in progress 18

  19. Fuzzing • Generation-based fuzzing – Time consuming • New device firmware • New Linux gadget driver – Good code coverage • Mutation-based fuzzing – Good for first quick results – USB man-in-the-middle fuzzing 19

  20. Fuzzing in emulated environments • First approach – Implemented as a patch to Qemu – Complete fuzzing logic implemented in python – Easy development of custom fuzzers 20

  21. Fuzzing in emulated environments 21

  22. Fuzzing in emulated environments • Disadvantages of first approach – Restricted to Qemu – Maintaining patches is no fun • We can do better… 22

  23. Universal man-in-the-middle fuzzer • Based on USB device file system • All USB communication passes through usbfs (/proc/bus/usb) • Syscall interception (ptrace) – Fuzz data before it is passed to the virtualisation software • Universal solution (Qemu, Vmware, …) – No modifications needed 23

  24. Universal man-in-the-middle fuzzer • Automic device attachment/detachment – Qemu • usb_add host:0123:4567 • usb_del host:0123:4567 – Vmware • No VIX API available (AFAIK) • Re-attachment can be triggered by starting/stopping the VM 24

  25. Universal man-in-the-middle fuzzer 25

  26. Crash analysis • Reproducing a triggered crash – Re-apply the same modifications • Based on packet number received from host • Works best for crashes in enum phase • Doesn‘t really work for crashes after hundreds of packets beeing exchanged… – Replaying the whole communication • Works with easy protocols (e.g. HID) • Breaks with mass storage devices 26

  27. Evaluation 27

  28. Apple iPod Shuffle • Connected to Windows XP (SP2) • Double-free of kernel pool memory in usbstor.sys • Kernel pool memory corruption in disk.sys – While reading the partition table • Crash in iTunes iPodService.exe – NULL pointer deref 28

  29. Microsoft LifeCam VX-1000 • Kernel oops on Ubuntu 9.04 – NULL pointer deref in SN9C102 driver • NULL pointer deref on Windows Vista (SP2) – Inside vx1000.sys driver 29

  30. Various mass storage devices • NULL pointer deref on Windows Vista (SP2) – Inside the usbhub.sys driver • Function pointer set to NULL – call 0x00000000 – Not reproduceable using current approach :( 30

  31. Conclusion • Fuzzing in emulated environment seems like the right approach • Reproduction of crashes can be hard sometimes • Potential for more vulns to be discovered – More intelligent fuzzing – 3rd party drivers? 31

  32. Questions? • Fuzzer will be published when ready… – Drop me a line, if you want to be notified (moritz@jodeit.org) 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Moritz Jodeit moritz.jodeit@nruns.com Twitter: @moritzj Agenda Attack Surface Firmware

Moritz Jodeit moritz.jodeit@nruns.com Twitter: @moritzj Agenda Attack Surface Firmware

Moritz Jodeit moritz.jodeit@nruns.com Twitter: @moritzj Agenda Attack Surface Firmware Analysis Device Rooting System Architecture Vulndev Environment Remote H.323 Exploit Post Exploitation Who am I? From Hamburg,

1.13k views • 80 slides
A kernel in a library Genodes custom kernel approach Martin Stein &lt;

A kernel in a library Genodes custom kernel approach Martin Stein &lt;

A kernel in a library Genodes custom kernel approach Martin Stein &lt; martin.stein@genode-labs.com &gt; Outline 1. Motivation 2. Overview 3. Scheduling 4. Capabilities 5. Communication A kernel in a library Genodes custom kernel

798 views • 45 slides
TRUNCATED PATH ALGEBRAS, A GEOMETRIC AND HOMOLOGICAL STEPPING STONE Birge Huisgen-Zimmermann

TRUNCATED PATH ALGEBRAS, A GEOMETRIC AND HOMOLOGICAL STEPPING STONE Birge Huisgen-Zimmermann

TRUNCATED PATH ALGEBRAS, A GEOMETRIC AND HOMOLOGICAL STEPPING STONE Birge Huisgen-Zimmermann University of California at Santa Barbara Collaborators on the geometric results: Babson, Bleher, Chinburg, Goodearl, Shipman, Thomas Collaborators

677 views • 18 slides
Imitation as a Stepping Stone to Innovation Amy Jocelyn Glass Texas A&amp;M University Shift

Imitation as a Stepping Stone to Innovation Amy Jocelyn Glass Texas A&amp;M University Shift

Imitation as a Stepping Stone to Innovation Amy Jocelyn Glass Texas A&amp;M University Shift from Imitation to Innovation Countries such as Korea, China, and Taiwan shifting from imitation to innovation. Product cycle literature

323 views • 18 slides
Science drivers for ERIS as a stepping stone for E-ELTs G. B ONO Setting the scene E-ELT in a

Science drivers for ERIS as a stepping stone for E-ELTs G. B ONO Setting the scene E-ELT in a

Science drivers for ERIS as a stepping stone for E-ELTs G. B ONO Setting the scene E-ELT in a nutshell First light instruments ERIS Paving the way for E-ELT Future Perspectives First Generation E-ELT Instruments First Light E-ELT -- CAM

554 views • 24 slides
An over-the-air reconfiguration API for cognitive radio testbeds Moritz Fischer, Martin Braun, Jens

An over-the-air reconfiguration API for cognitive radio testbeds Moritz Fischer, Martin Braun, Jens

Wireless Innovation Forum European Conference 2011 An over-the-air reconfiguration API for cognitive radio testbeds Moritz Fischer, Martin Braun, Jens P. Elsner, Friedrich K. Jondral Communications Engineering Lab Prof. Dr.rer.nat. Friedrich K.

324 views • 16 slides
Euroleader Stepping into our houses means stepping into our history, our culture and our art.

Euroleader Stepping into our houses means stepping into our history, our culture and our art.

1 Keszthely, April 26 th 28 th , 2007 Euroleader Stepping into our houses means stepping into our history, our culture and our art. Not only into the peace of the surrounding nature; enjoy both and be our welcomed guests - Leonardo

588 views • 37 slides
Stepping Up Six Questions Framework Nastassia Walsh, Program Manager, National Association of

Stepping Up Six Questions Framework Nastassia Walsh, Program Manager, National Association of

Stepping Up Six Questions Framework Nastassia Walsh, Program Manager, National Association of Counties October 2017 Stepping Up Launched May 2015 2 Counties are Stepping Up! Iowa is Stepping Up! Lyon Osceola Dickinson Emmet Winnebago

445 views • 18 slides
Stepping On Program and the Aboriginal Population Supporting Local Partnerships Carly Barnes

Stepping On Program and the Aboriginal Population Supporting Local Partnerships Carly Barnes

Stepping On Program and the Aboriginal Population Supporting Local Partnerships Carly Barnes Stepping On Coordinator, MLHD What is Stepping On? Evidence and group based multifactorial falls prevention program Community dwelling

272 views • 13 slides
1 Stepping Up actions -November 15, 2016: Board of Supervisors adopts resolution to join

1 Stepping Up actions -November 15, 2016: Board of Supervisors adopts resolution to join

1 Stepping Up actions -November 15, 2016: Board of Supervisors adopts resolution to join Stepping Up -January 2017: Stepping Up California Summit -May 2, 2017: Board of Supervisors directs CAO to work with Sheriff and DA to develop an

634 views • 9 slides
Rumprun for Rump Kernels: Instant Unikernels for POSIX applications Martin Lucina, @matolucina 1

Rumprun for Rump Kernels: Instant Unikernels for POSIX applications Martin Lucina, @matolucina 1

Rumprun for Rump Kernels: Instant Unikernels for POSIX applications Martin Lucina, @matolucina 1 / 8 So many Kernels, what are they? Monolithic kernel, Microkernel: standard stuff. Rump kernel: an existing monolithic kernel componentized into

215 views • 8 slides
1 2 Where in the World is Stepping Up? American Psychiatric Association (San Diego, Calif.) 3

1 2 Where in the World is Stepping Up? American Psychiatric Association (San Diego, Calif.) 3

1 2 Where in the World is Stepping Up? American Psychiatric Association (San Diego, Calif.) 3 Upcoming Stepping Up TA Resources 4 Grants Available 5 Michael Schaefer, Ph.D., ABPP Assistant Commissioner -

323 views • 18 slides
Performance Engineering for Algorithmic Building Blocks in the GHOST Library Georg Hager, Moritz

Performance Engineering for Algorithmic Building Blocks in the GHOST Library Georg Hager, Moritz

Performance Engineering for Algorithmic Building Blocks in the GHOST Library Georg Hager, Moritz Kreutzer, Faisal Shahzad, Gerhard Wellein, Martin Galgon, Lukas Krmer, Bruno Lang, Jonas Thies, Melven Rhrig-Zllner, Achim Basermann, Andreas

358 views • 18 slides
STONE PAPER COMPANY Presentation MINERAL RESIN The Raw Materials An Eco-Innovation Stone

STONE PAPER COMPANY Presentation MINERAL RESIN The Raw Materials An Eco-Innovation Stone

STONE PAPER COMPANY Presentation MINERAL RESIN The Raw Materials An Eco-Innovation Stone Paper Sustainable No Water Pollution Minimized CO 2 Photo Degradable Production Easy to Recycle What is Stone Paper? Stone Paper is an unique

899 views • 24 slides
fpga manager &amp; device tree overlays moritz fischer moritz.fischer@ettus.com

fpga manager &amp; device tree overlays moritz fischer moritz.fischer@ettus.com

fpga manager &amp; device tree overlays moritz fischer moritz.fischer@ettus.com mfischer embedded sdr wtf?! what does that even mean embedded sdr? come see other talks tomorrow @ sdr track so why care about fpgas? performance

835 views • 46 slides
October 17, 2019 6:30 PM Luck Stone produces crushed stone and gravel used as the foundation

October 17, 2019 6:30 PM Luck Stone produces crushed stone and gravel used as the foundation

October 17, 2019 6:30 PM Luck Stone produces crushed stone and gravel used as the foundation for roads, bridges, and buildings in the Southeast. Proposed New Quarry and Processing Plant: Highway 9, Chester SC 550 tons per hour Stone

377 views • 12 slides
Some Results on Integrable Algorithms X ING -B IAO H U ICMSEC, AMSS, Chinese Academy of Sciences

Some Results on Integrable Algorithms X ING -B IAO H U ICMSEC, AMSS, Chinese Academy of Sciences

CIRM, Luminy Sept. 28Oct.2, 2009 Some Results on Integrable Algorithms X ING -B IAO H U ICMSEC, AMSS, Chinese Academy of Sciences P.O.Box 2719, China, 100080 hxb@lsec.cc.ac.cn This is joint work with Yi HE, Hon-Wah TAM and Satoshi

797 views • 33 slides
Economics of Small Scale LNG Shipping: Application for Indonesia and SEA Eduardo Perez

Economics of Small Scale LNG Shipping: Application for Indonesia and SEA Eduardo Perez

Economics of Small Scale LNG Shipping: Application for Indonesia and SEA Eduardo Perez www.SMALL-LNG.com small-lng.com When and where to use Small LNG carriers Islands Seasonal consumption Isolated places / expensive pipelines

576 views • 20 slides
The Positive Grassmannian (from a mathematicians perspective) Lauren K. Williams, UC Berkeley

The Positive Grassmannian (from a mathematicians perspective) Lauren K. Williams, UC Berkeley

The Positive Grassmannian (from a mathematicians perspective) Lauren K. Williams, UC Berkeley Lauren K. Williams (UC Berkeley) The Positive Grassmannians March 2014 1 / 40 Plan of the talk The totally non-negative Grassmannian (also called

1.87k views • 123 slides
Latin and Greek Elements in English Lessons 10-21: How Words Change with this lesson, we

Latin and Greek Elements in English Lessons 10-21: How Words Change with this lesson, we

Latin and Greek Elements in English Lessons 10-21: How Words Change with this lesson, we begin an overview of how words change form, function and meaning Lesson 10: how letters inside words change to facilitate pronunciation, e.g.

628 views • 16 slides
Lecture 7 - Lecture 7 - April 22, 2019 April 22, 2019 1 Administrative: Project Proposal Due

Lecture 7 - Lecture 7 - April 22, 2019 April 22, 2019 1 Administrative: Project Proposal Due

Fei-Fei Li &amp; Justin Johnson &amp; Serena Yeung Fei-Fei Li &amp; Justin Johnson &amp; Serena Yeung Lecture 7 - Lecture 7 - April 22, 2019 April 22, 2019 1 Administrative: Project Proposal Due tomorrow, 4/24 on GradeScope 1 person per

1.69k views • 80 slides
Saturation of General Clause Sets Corollary 3.36: Let N be a set of general clauses saturated

Saturation of General Clause Sets Corollary 3.36: Let N be a set of general clauses saturated

Saturation of General Clause Sets Corollary 3.36: Let N be a set of general clauses saturated under Sup sel , i. e., sel ( N ) N . Then there exists a selection function sel such Sup that sel | N = sel | N and G ( N ) is also

363 views • 23 slides
Nonlinear Control Lecture # 38 Tracking &amp; Regulation Nonlinear Control Lecture # 38 Tracking

Nonlinear Control Lecture # 38 Tracking &amp; Regulation Nonlinear Control Lecture # 38 Tracking

Nonlinear Control Lecture # 38 Tracking &amp; Regulation Nonlinear Control Lecture # 38 Tracking &amp; Regulation Output Feedback Tracking: = f 0 ( , ) e i = e i +1 , 1 i 1 a ( , ) + b ( , ) u + (

410 views • 11 slides
Saturation of Sets of General Clauses Corollary 3.27: Let N be a set of general clauses saturated

Saturation of Sets of General Clauses Corollary 3.27: Let N be a set of general clauses saturated

Saturation of Sets of General Clauses Corollary 3.27: Let N be a set of general clauses saturated under Res , i. e., Res ( N ) N . Then also G ( N ) is saturated, that is, Res ( G ( N )) G ( N ). 290 Saturation of Sets of General

703 views • 29 slides

More recommend