defending against malicious peripherals with cinch
play

Defending against malicious peripherals with Cinch Presented by - PowerPoint PPT Presentation

Feb 16, 2023 •218 likes •650 views

Defending against malicious peripherals with Cinch Presented by Avesta Hojjati CS598 Computer Security in the Physical World University of Illinois Based on slides by Sebastian Angel Citation S. Angel,R. Wahby, M. Howald, J. Leners, M.

  1. Defending against malicious peripherals with Cinch Presented by Avesta Hojjati CS598 Computer Security in the Physical World University of Illinois Based on slides by Sebastian Angel

  2. Citation • S. Angel,R. Wahby, M. Howald, J. Leners, M. Spilo, Z. Sun, A. Blumberg, M. Walfish. "Defending against Malicious Peripherals with Cinch." USENIX Security 2016

  3. USB architecture from 30,000 feet Your machine Drivers Hub Host Controller Peripherals’ firmware can be modified with BadUSB [Nohl and Lell, Black Hat 2014] Government agencies intercept and modify shipments [Glenn Greenwald, The Guardian 2014]

  4. Peripherals can exploit driver vulnerabilities Your machine $@$#$#%$% Drivers Hub Host Controller 13 vulnerabilities in Linux’s USB stack reported in 2016 alone

  5. Peripherals can leverage DMA to attack OSes Your machine write “evil” to <kernel address> Drivers Hub Host Controller Inception [Maartmann-Moe 2014], Funderbolt [Black Hat 2013]

  6. Peripherals can lie about their identity Your machine Hi, what are you? Drivers Hub I’m a keyboard J Host Controller Users Really Do Plug in USB Drives They Find [Tischer et al., S&P 2016]

  7. Hubs broadcast messages downstream Your machine File_for_SSD.txt Drivers Hub Host Controller File_for_SSD.txt Compromised hubs can eavesdrop and modify all traffic

  8. Okay, so what can we do? • Don’t use a computer • Close all the ports

  9. Our machine interacts with untrusted devices every day… on the Internet! As part of this interaction, our machine routinely: • Determines to whom it is talking • Prevents eavesdropping and data tampering • Defends against malicious traffic

  10. How do we apply the arsenal of network security tools to peripheral buses? And how can this be done with minor or no modifications to OSes and existing devices… Your machine Insert network security logic …while keeping the bus at arm’s length? Drivers somewhere here Host Controller

  11. Design requirements • Making peripheral buses look “remote”, preventing direct action with the rest of the computer • Traffic between the “remote” devices and rest of the computer should travel through a “narrow choke point”, this is essential to apply defense • The solution should NOT require modification of the bus • Portability, no re-design, or re-implementation for different OSes • Flexibility and extensibility • Imposing reasonable overhead

  12. Cinch brings network defenses to USB Your machine Controller Enforcer Drivers Host Hub peripherals • Cinch is effective (but not perfect!) against the threats described • Cinch is portable and backwards-compatible – Works transparently across OSes – Requires no driver or USB protocol modifications • Cinch separates the bus from your machine, creating an enforcement point

  13. In the rest of this talk… • How did they build Cinch? • What defenses can be built on Cinch? • How well do defenses work and what is their cost?

  14. In the rest of this talk… • How did they build Cinch? • What defenses can be built on Cinch? • How well do defenses work and what is their cost?

  15. What do we need to answer? • Where and how can one create a logical separation between the bus and the host, while arranging for an explicit communication channel that a policy enforcement mechanism can interpose on? • How can one instantiate this separation and channel with no modifications to bus standards, OSes, or driver stacks?

  16. Your machine Drivers What we have today Hub Host Controller Your machine Host Controller What we want Drivers Hub

  17. Devices can be attached to another machine Your machine sacrificial machine network Drivers Drivers Hub Host Controller But this requires an additional machine… Pragmatic choice: leverage virtualization technology to instantiate the (sacrificial) machine on the same hardware

  18. An IOMMU can be used to restrict where in memory a device may write VM VM Data Data Virtual Card Hypervisor Data Hypervisor IOMMU Restrict I/O to VM’s address space Evil Device can only write to configured addresses

  19. Devices are attached to a sacrificial VM Your machine Drivers What we have today Hub Host Controller Your machine (VM) sacrificial machine (VM) network Drivers Drivers Under Cinch Hub Host Controller Hypervisor configures IOMMU to Hypervisor map bus to sacrificial machine

  20. Interposing on VM-VM communication Your machine (VM) sacrificial machine (VM) Drivers Drivers Enforcer Hub Host Controller Module 2 Module 3 Module 1 Enforcer’s design is inspired by the Click modular router [Kohler et al., ACM TOCS 2000]

  21. The architecture of Cinch Enforces security policy Driver Normal OS with stripped down USB STACK

  22. In the rest of this talk… • How did they build Cinch? • What defenses can be built on Cinch? • How well do defenses work and what is their cost?

  23. Defense 1: Enforcing allowed device behavior USB specifications Constraints on: • Packet formats • Restricted field values • Individual fields • Sizes within allowed range • Packet sequences • Proper encoding (e.g. UTF-16)

  24. Defense 1: Enforcing allowed device behavior • States based on history USB specifications Allow / Drop packet Constraints on: • Transitions based on • Packet formats incoming packets • Individual fields • Packet sequences

  25. Defense 2: Filtering known exploits Download / populate database Inspect incoming traffic Allow / Drop packet with known malicious signatures for matches

  26. Benefits of signature-based defenses • Quick response to an attack – Deriving a signature is usually faster than understanding the exploit and finding the root cause • Useful for closed-source OSes – No need to wait for OS vendor patch vulnerability

  27. Limitations of signature-based defenses • Cannot prevent zero-day attacks • Tension between protection and compatibility – Exact signatures are not very effective – Very general signatures (e.g. wildcard / regex) can prevent benign traffic • Signatures do not fix the underlying problem

  28. Defense 3: authentication and encryption

  29. Defense 3: authentication and encryption Your machine (VM) sacrificial machine (VM) Drivers Drivers Enforcer Hub Host Controller Unauthenticated cleartext communication

  30. Defense 3: authentication and encryption Your machine (VM) sacrificial machine (VM) Drivers Drivers Enforcer Hub Host Controller Cleartext Authenticated and encrypted communication Install TLS endpoint at device and enforcer

  31. Defense 3: authentication and encryption Your machine (VM) sacrificial machine (VM) Drivers Drivers Enforcer Hub Host Controller Cleartext Cleartext Authenticated and encrypted communication Existing devices can be retrofitted with an adapter

  32. Summary of defenses • Compliance with the USB specification – Prevents certain types of driver bugs from being exploited • Signature matching – Prevents known exploits and can be used as a quick response • Authentication and encryption – Prevent masquerading and eavesdropping on the bus • Other: Log and replay, remote auditing, exporting functionality via higher-layer protocols (e.g., access flash drives via NFS)

  33. In the rest of this talk… • How did they build Cinch? • What defenses can be built on Cinch? • How well do defenses work and what is their cost?

  34. Implementation details • Hypervisor is Linux running QEMU/KVM • Enforcer is a Linux user-level process and it is written in Rust • USB transfers are encapsulated/decapsulated in TCP/IP • They built the TLS adapter on a Beaglebone Black (arm-based computer) • They implemented exploits using a facedancer21 à

  35. How well do defenses work?

  36. Evaluation of Cinch’s effectiveness happens in 3 ways • They implemented exploits for existing USB driver vulnerabilities • They carried out a 3-phase penetration testing exercise • They used a fuzzing tool to test 10,000 invalid devices – Summary: Cinch’s enforcer prevents all 10,000 – Subtlety: None of the tests affected a machine without Cinch either

  37. They implemented exploits for existing USB driver vulnerabilities • Linux CVEs reported from Jan to June 2016. They affect Linux 4.5.1 • 5 exploits that work on Windows 8.1 [Boteanu and Fowler, Black Hat Europe 2015] Their findings: • 16 out of 18 exploits were prevented immediately • 2 exploits succeeded, but can be prevented with a signature

  38. They carried out a 3-phase penetration testing exercise • Phase 1: Red team has vague knowledge of Cinch • Phase 2: Red team has access to a pre-configured Cinch binary • Phase 3: Red team has Cinch’s source code Their findings: • Increased knowledge of Cinch’s functionality resulted in more intricate exploits • Cinch is not able to prevent polymorphic attacks

  39. What is the cost of these defenses?

  40. Performance evaluation highlights Baseline: connecting devices directly to your machine Experiment 1: transferring 1 GB file to a USB 3.0 SSD • Throughput reduction: 38% (due to memory copies) • Memory overhead: 200 MB (due to sacrificial VM) • CPU overhead: 8X (due to virtualization and enforcer) Experiment 2: ping from a remote machine using USB Ethernet adapter • Round-trip time increase: ~2 ms

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Defending against malicious peripherals with Cinch Sebastian Angel 1,2 Riad S. Wahby 3 , Max

Defending against malicious peripherals with Cinch Sebastian Angel 1,2 Riad S. Wahby 3 , Max

Defending against malicious peripherals with Cinch Sebastian Angel 1,2 Riad S. Wahby 3 , Max Howald 2,4 , Joshua B. Leners 5 , Michael Spilo 2 , Zhen Sun 2 , Andrew J. Blumberg 1 , and Michael Walfish 2 1 UT Austin 2 NYU 3 Stanford 4 The Cooper

553 views • 39 slides
Defending Against Malicious Socialbots Position Paper Yazan Boshmaf, Ildar Muslukhov,

Defending Against Malicious Socialbots Position Paper Yazan Boshmaf, Ildar Muslukhov,

Key Challenges in Defending Against Malicious Socialbots Position Paper Yazan Boshmaf, Ildar Muslukhov, Konstantin Beznosov, Matei Ripeanu Laboratory for Education and Research in Secure Systems Engineering (LERSSE) Networked Systems

391 views • 36 slides
WIPTECH PERIPHERALS PVT .L TD. A Quality Product from: WIPTECH PERIPHERALS PVT .L TD.

WIPTECH PERIPHERALS PVT .L TD. A Quality Product from: WIPTECH PERIPHERALS PVT .L TD.

A Quality Product from: WIPTECH PERIPHERALS PVT .L TD. A Quality Product from: WIPTECH PERIPHERALS PVT .L TD. WIPTECH, a pioneer in its field, has become the benchmark for the security electric fencing industry. The Wiptech

254 views • 22 slides
LCD interfacing +Other Peripherals in AVR Microcontrollers Contents A brief overview over

LCD interfacing +Other Peripherals in AVR Microcontrollers Contents A brief overview over

Microprocessors , Lecture 11: LCD interfacing +Other Peripherals in AVR Microcontrollers Contents A brief overview over the AVR peripherals not covered by the course LCD University of Tehran 2 AVR peripherals University of Tehran 3

551 views • 28 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 10 March 2005 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

1.16k views • 94 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 23 March 2006 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

707 views • 69 slides
Lender Liability: Evaluating, Minimizing and Defending Claims Defending Against Attacks on Loans in

Lender Liability: Evaluating, Minimizing and Defending Claims Defending Against Attacks on Loans in

Presenting a live 90 minute webinar with interactive Q&amp;A Lender Liability: Evaluating, Minimizing and Defending Claims Defending Against Attacks on Loans in Workouts, Defaults, and Bankruptcy TUES DAY, DECEMBER 21, 2010 1pm Eastern |

1.33k views • 131 slides
AUTOMATISMS AND INDUSTRIAL PERIPHERALS EN ACCURACY INDUSTRIAL DETAIL Automatisms and

AUTOMATISMS AND INDUSTRIAL PERIPHERALS EN ACCURACY INDUSTRIAL DETAIL Automatisms and

Divmac Projectos, Automatismos e Perifricos Industriais, S.A . AUTOMATISMS AND INDUSTRIAL PERIPHERALS EN ACCURACY INDUSTRIAL DETAIL Automatisms and industrial peripherals WHAT WE DO Divmac is a solutions company operating in a wide range

1.09k views • 13 slides
Interfacing Peripherals Instructor: Dmitri A. Gusev Fall 2007 CS 502: Computers and

Interfacing Peripherals Instructor: Dmitri A. Gusev Fall 2007 CS 502: Computers and

Interfacing Peripherals Instructor: Dmitri A. Gusev Fall 2007 CS 502: Computers and Communications Technology Lecture 12, October 15, 2007 Interfacing Processors and Peripherals I/O Design affected by many factors (expandability,

577 views • 24 slides
Pinch of Prevention Asthma Take Action! Updated: October 2014 CINCH is a community

Pinch of Prevention Asthma Take Action! Updated: October 2014 CINCH is a community

Pinch of Prevention Asthma Take Action! Updated: October 2014 CINCH is a community partnership to improve childrens health in Hampton Roads ASTHMA , long-term disorder of the airways that cause 3 primary changes in the lungs : ASTHMA

357 views • 11 slides
Programming of Interactive Systems Anastasia.Bezerianos@lri.fr Week 4: a. Peripherals,

Programming of Interactive Systems Anastasia.Bezerianos@lri.fr Week 4: a. Peripherals,

Programming of Interactive Systems Anastasia.Bezerianos@lri.fr Week 4: a. Peripherals, Software Architectures &amp; MVC Anastasia.Bezerianos@lri.fr peripherals structure of an interactive system What we see output visible part

832 views • 43 slides
MANA MANAGING HOME BIA GING HOME BIAS: : DEFENDING THE V DEFENDING THE VALUE OF LUE OF GL

MANA MANAGING HOME BIA GING HOME BIAS: : DEFENDING THE V DEFENDING THE VALUE OF LUE OF GL

MANA MANAGING HOME BIA GING HOME BIAS: : DEFENDING THE V DEFENDING THE VALUE OF LUE OF GL GLOBAL EQUITIES OBAL EQUITIES TO US PRIV US PRIVATE CLIENT E CLIENTS Jonathan F Jonathan Foster ster President &amp; CEO Angeles Wealth

643 views • 19 slides
Pursuing or Defending Claims Assessing Claims, Proving or Defending Liability, Navigating Complex

Pursuing or Defending Claims Assessing Claims, Proving or Defending Liability, Navigating Complex

Presenting a live 90-minute webinar with interactive Q&amp;A Wrongful Death Claims and Survival Actions: Pursuing or Defending Claims Assessing Claims, Proving or Defending Liability, Navigating Complex Valuation and Settlement Issues WEDNESDAY,

481 views • 26 slides
leebounds : Lees (2009) treatment effects bounds for non-random sample selection for Stata

leebounds : Lees (2009) treatment effects bounds for non-random sample selection for Stata

leebounds : Lees (2009) treatment effects bounds for non-random sample selection for Stata Harald Tauchmann (RWI &amp; CINCH) Rheinisch-Westflisches Institut fr Wirtschaftsforschung (RWI) &amp; CINCH Health Economics Research Centre 1.

222 views • 20 slides
Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International

Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International

ITS335 Malicious Software Malicious Software Propagation Payload Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 25 October

673 views • 30 slides
Interfacing Processors and Peripherals I/O I/O Design affected by many factors

Interfacing Processors and Peripherals I/O I/O Design affected by many factors

Interfacing Processors and Peripherals I/O I/O Design affected by many factors (expandability, resilience) Important but neglected Performance: The difficulties in assessing and designing I/O systems have access latency

290 views • 4 slides
The Federal Payroll Tax Case (Focus on Trust-Fund Recovery Penalty) S T E P H E N P . K A U F F

The Federal Payroll Tax Case (Focus on Trust-Fund Recovery Penalty) S T E P H E N P . K A U F F

The Federal Payroll Tax Case (Focus on Trust-Fund Recovery Penalty) S T E P H E N P . K A U F F M A N E S Q . S K E E N &amp; K A U F F M A N 9 11 N . CH A R L E S S T . B A L T I M O R E , M D 2 12 0 1 S K A U F F M A N @ S K A U F F

527 views • 34 slides
Adversarial Machine Learning (AML) Somesh Jha University of Wisconsin, Madison Thanks to

Adversarial Machine Learning (AML) Somesh Jha University of Wisconsin, Madison Thanks to

Adversarial Machine Learning (AML) Somesh Jha University of Wisconsin, Madison Thanks to Nicolas Papernot, Ian Goodfellow, and Jerry Zhu for some slides . Machine learning brings social disruption at scale Healthcare Energy Source: Peng and

821 views • 71 slides
15-780 Graduate Artificial Intelligence: Adversarial attacks and provable defenses J. Zico

15-780 Graduate Artificial Intelligence: Adversarial attacks and provable defenses J. Zico

15-780 Graduate Artificial Intelligence: Adversarial attacks and provable defenses J. Zico Kolter (this lecture) and Ariel Procaccia Carnegie Mellon University Spring 2018 Portions base upon joint work with Eric Wong 1 Outline Adverarial

710 views • 39 slides
Differentiable Abstract Interpretation for Provably Robust Neural Networks safeai.ethz.ch

Differentiable Abstract Interpretation for Provably Robust Neural Networks safeai.ethz.ch

Differentiable Abstract Interpretation for Provably Robust Neural Networks safeai.ethz.ch Matthew Mirman Timon Gehr Martin Vechev ICML 2018 1 / 27 Adversarial Attack Example of FGSM attack produced by Goodfellow et al. (2014) 2 / 27 L

677 views • 35 slides
Outline Return address protections CSci 5271 Introduction to Computer Security Announcements

Outline Return address protections CSci 5271 Introduction to Computer Security Announcements

Outline Return address protections CSci 5271 Introduction to Computer Security Announcements intermission Day 5: Low-level defenses and counterattacks ASLR and counterattacks Stephen McCamant University of Minnesota, Computer Science &amp;

269 views • 5 slides
CSE 544 Advanced Systems Security Trent Jaeger Systems and Internet Infrastructure Security

CSE 544 Advanced Systems Security Trent Jaeger Systems and Internet Infrastructure Security

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CSE 544 Advanced Systems Security Trent Jaeger Systems and

651 views • 28 slides
Surveillance Defense Small Easy Steps for Security and Privacy Pete Snyder psnyde2@uic.edu -

Surveillance Defense Small Easy Steps for Security and Privacy Pete Snyder psnyde2@uic.edu -

Surveillance Defense Small Easy Steps for Security and Privacy Pete Snyder psnyde2@uic.edu - peteresnyder.com Surveillance Defense 1. Good Practices 2. System / PC Security 3. Mobile Security 4. Browser Security 5. Secure Networking Tools

443 views • 27 slides
On t On the F he Feas easibilit ibility o y of Re Rerouting-bas based D d DDoS D S Defens

On t On the F he Feas easibilit ibility o y of Re Rerouting-bas based D d DDoS D S Defens

On t On the F he Feas easibilit ibility o y of Re Rerouting-bas based D d DDoS D S Defens nses Mu Muoi Tran , Min Suk Kang, Hsu-Chun Hsiao, Wei-Hsuan Chiang, Shu-Po Tung, Yu-Su Wang May 2019 | San Francisco, CA Transit-link DDoS

548 views • 29 slides

More recommend