
Deriving intelligence from USB stack interactions, Andy Davis (PowerPoint presentation)



  1. Revealing Embedded Fingerprints: Deriving intelligence from USB stack interactions Andy Davis, Research Director NCC Group Image from: p1fran.com

  2. UK Offices: Manchester - Head Office, Cheltenham, Edinburgh, Leatherhead, London, Thame
     North American Offices: San Francisco, Atlanta, New York, Seattle
     Australian Offices: Sydney
     European Offices: Amsterdam - Netherlands, Munich - Germany, Zurich - Switzerland

  3. Agenda
     Part One:
     • Overview of the USB enumeration phase
     • Different USB stack implementations
     • USB testing platform
     • Installed drivers and supported devices
     • Fingerprinting techniques
     • Umap demo
     Part Two:
     • The Windows 8 RNDIS kernel pool overflow
     • Challenges faced when exploiting USB bugs
     • Conclusions

  4. Part One: Information gathering
     • Why do we care?
       • If you connect to a device, surely you already know the platform?
       • Embedded devices are mostly based on Linux anyway, aren't they?
     • Allows you to focus your testing on only supported functionality

  5. USB Background stuff Image from: blog.brickhousesecurity.com

  6. Overview of the USB enumeration phase
     • What is enumeration for?
       • Assign an address
       • Speed of communication
       • Power requirements
       • Configuration options
       • Device descriptions
       • Identify class drivers
     • Lots of information exchange, implemented in many different ways
     Image from: http://ewalk2.blog117.fc2.com

  7. The USB enumeration phase
     < Get Device descriptor
     > Set Address
     < Get Device descriptor
     < Get Configuration descriptor
     < Get String descriptor 0
     < Get String descriptor 2
     < Get Configuration descriptor
     < Get Configuration descriptor
     > Set Configuration

  8. Enumeration phase peculiarities
     • Why is the device descriptor initially requested twice?
     • Why are there multiple requests for other descriptors?
     • Class-specific descriptors:
       < Get Hub descriptor
       < Get HID Report descriptor

  9. Different USB stack implementations
     • Typical components of a USB stack
     • Windows USB driver stack
     • Linux USB stack
     • Embedded Access USB stack
     Image from: blogs.msdn.com

  10. Typical components of a USB stack
     • Host Controller hardware
     • USB System software:
       • Host Controller Driver – Hardware Abstraction Layer
       • USB Driver
     • Class drivers
     • Application software
     Image from: www.wired.com

  11. Windows USB driver stack Image from: msdn.microsoft.com

  12. Linux USB stack Image from: www.linux-usb.org

  13. Embedded Access USB stack Image from: www.embedded-access.com

  14. Interacting with USB Image from: www.nvish.com

  15. USB interaction requirements
     • Need to capture and replay USB traffic
     • Full control of generated traffic
     • Class decoders extremely useful
     • Support for Low/Full/High speed required
     • USB 3.0 a bonus

  16. USB testing – gold-plated solution • Commercial test equipment

  17. USB testing – the cheaper approach • Facedancer (http://goodfet.sourceforge.net/hardware/facedancer21)

  18. Best solution: A combination of both
     • Device data can be carefully crafted
     • Host response data can be captured
     • Microsecond timing is also recorded
     • All class-specific data is decoded

  19. Information enumeration Image from: network.nature.com

  20. Target list
     • Windows 8
     • Ubuntu Linux 12.04 LTS
     • Apple OS X Lion
     • FreeBSD 5.3
     • Chrome OS
     • Linux-based TV STB

  21. Installed drivers and supported devices
     • Enumerating supported class types (standard USB drivers)
     • Enumerating all installed drivers
     • Other devices already connected

  22. Enumerating supported class types
     Where is USB class information stored?
     • Device Descriptor
     • Interface Descriptor

  23. Installed drivers and supported devices
     • Drivers are referenced by class (Device and Interface descriptors)
     • Also, by VID and PID:
       • For each device class, VID and PID values can be brute-forced (can easily be scripted using Facedancer)
       • Although there may be some shortcuts…
     • Valid PIDs and VIDs are available (http://www.linux-usb.org/usb.ids)

  24. Enumerating installed drivers
     Not installed:
     Installed:
     All communication stops after “Set Configuration”

  25. Sniffing the bus: other connected devices
     • Data from other devices will be displayed on other addresses
     • Controlling other devices? (untested)

  26. Fingerprinting techniques
     • Descriptor request patterns
     • Timing information
     • Descriptor types requested
     • Responses to invalid data
     • Order of Descriptor requests

  27. OS Identification (Mass Storage class traffic)
     Linux-based TV STB               | Windows 8
     < Get Max LUN (Mass Storage)     | < Get Max LUN (Mass Storage)
     > CBW: INQUIRY                   | > CBW: INQUIRY
     < MSC Data In                    | < MSC Data In
     < CSW - Status Passed            | < CSW - Status Passed
     > CBW: TEST UNIT READY           | > CBW: INQUIRY
     < CSW - Status Passed            | < MSC Data In
     > CBW: READ CAPACITY             | < CSW - Status Passed
     < MSC Data In                    | > CBW: READ FORMAT CAPACITIES
     < CSW - Status Passed            | < MSC Data In
     > CBW: MODE SENSE                | < CSW - Status Passed

  28. Application identification (PTP/MTP traffic)
     “Photos” Metro app (Windows 8)   | gphoto2 (Linux)
     > Image: OpenSession             | > Image: OpenSession
     < Image: OK                      | < Image: OK
     > Image: GetDeviceInfo           | > Image: GetDeviceInfo
     < Image: DeviceInfo              | < Image: DeviceInfo
     < Image: OK                      | < Image: OK
     > Image: GetStorageIDs           | > Image: SetDevicePropValue
     < Image: StorageIDs              | > Image: DeviceProperty
     < Image: OK                      | < Image: OK
     > Image: GetStorageInfo          | < Image: DeviceInfoChanged
     < Image: StorageInfo             | < Image: OK
     < Image: OK                      | > Image: CloseSession
                                      | < Image: OK
     DeviceProperty includes some text: /Windows/6.2.9200 MTPClassDriver/6.2.9200.16384

  29. Request patterns: unique elements?
     • Windows 8 (HID): 3 x Get Configuration descriptor requests (others have two)
     • Apple OS X Lion (HID): Set Feature request right after Set Configuration
     • FreeBSD 5.3 (HID): Get Status request right before Set Configuration
     • Linux-based TV STB (Mass Storage): order of class-specific requests

  30. Timing information (work in progress…)

  31. Timing information (work in progress…)

  32. Using timing information? (work in progress…)
     • Large amount of variance over the entire enumeration phase:
       • 4.055s, 3.834s, 3.612s, 3.403s, 3.089s
     • Much greater accuracy between specific requests:
       • Between String Descriptor #0 and #2 requests: 5002us, 5003us, 5003us, 4999us, 5001us
     • If we know the OS, can we potentially determine the processor speed?
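The request-pattern and timing features described on slides 26 to 32 can be checked mechanically against a capture. The script below is an added example, not code from the talk or from umap: it parses a constructed trace format (microsecond timestamp, direction marker, decoded request) into request records, derives the three HID "unique elements" from slide 29 plus the inter-request timing from slide 32, and matches the result against a signature table built from that slide. The sample traces, their timestamps, the trace format and the spread threshold in usable_timing_feature are assumptions made for the example; a real capture would come from the analyser.

```python
"""Fingerprint a USB host stack from its enumeration trace.

Added example, not code from the talk or from umap.  The trace format
(microsecond timestamp, direction marker, decoded request) and the sample
traces are constructed; the matching rules come from slide 29 (HID device).
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Req:
    t_us: int   # capture timestamp in microseconds
    name: str   # decoded request name


def parse_trace(lines):
    """Parse 'timestamp_us <|> request name' lines into Req records."""
    reqs = []
    for line in lines:
        if not line.strip():
            continue
        t_us, _direction, name = line.split(maxsplit=2)
        reqs.append(Req(int(t_us), name.strip()))
    return reqs


def features(reqs):
    """Features the talk identifies as distinguishing between host stacks."""
    names = [r.name for r in reqs]
    setconf = names.index("Set Configuration") if "Set Configuration" in names else -1
    return {
        "get_config_count": names.count("Get Configuration descriptor"),
        "set_feature_after_setconf": (
            0 <= setconf < len(names) - 1 and names[setconf + 1] == "Set Feature"),
        "get_status_before_setconf": setconf > 0 and names[setconf - 1] == "Get Status",
    }


# Rules from slide 29 (HID device); each rule sees the feature dict.
SIGNATURES = {
    "Windows 8": lambda f: f["get_config_count"] == 3,
    "Apple OS X Lion": lambda f: f["get_config_count"] == 2 and f["set_feature_after_setconf"],
    "FreeBSD 5.3": lambda f: f["get_config_count"] == 2 and f["get_status_before_setconf"],
}


def identify(reqs):
    """Return every OS whose signature matches the trace (empty list if none)."""
    f = features(reqs)
    return [name for name, rule in SIGNATURES.items() if rule(f)]


def interval_us(reqs, first, second):
    """Microseconds from the first `first` request to the next `second` request."""
    start = next(r for r in reqs if r.name == first)
    end = next(r for r in reqs if r.name == second and r.t_us > start.t_us)
    return end.t_us - start.t_us


def usable_timing_feature(samples, max_rel_spread=0.01):
    """A timing feature is usable when its spread is small relative to its mean.

    The 1% threshold is an assumption for the example, not from the talk.
    """
    return pstdev(samples) / mean(samples) <= max_rel_spread


# Constructed traces following the request order on slide 7, varied per slide 29.
WINDOWS8_HID = """\
0      < Get Device descriptor
1200   > Set Address
2400   < Get Device descriptor
3600   < Get Configuration descriptor
4800   < Get String descriptor 0
9802   < Get String descriptor 2
11000  < Get Configuration descriptor
12200  < Get Configuration descriptor
13400  > Set Configuration
""".splitlines()
OSX_LION_HID = WINDOWS8_HID[:7] + ["12200  > Set Configuration", "13400  > Set Feature"]
FREEBSD_HID = WINDOWS8_HID[:7] + ["12200  < Get Status", "13400  > Set Configuration"]

if __name__ == "__main__":
    for label, trace in [("win8", WINDOWS8_HID), ("osx", OSX_LION_HID), ("freebsd", FREEBSD_HID)]:
        print(label, identify(parse_trace(trace)))
    # Slide 32's samples: whole enumeration (seconds) vs one inter-request gap (us)
    print(usable_timing_feature([4.055, 3.834, 3.612, 3.403, 3.089]))  # False
    print(usable_timing_feature([5002, 5003, 5003, 4999, 5001]))      # True
```

The features are deliberately positional (count of a request type, what immediately precedes or follows Set Configuration) rather than a whole-sequence match, so a signature survives the re-requests and retries that slide 37 says vary between drivers; the timing helper applies slide 32's observation that only narrowly bounded intervals are stable enough to use.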

  33. Descriptor types requested
     • Microsoft OS Descriptors (MOD)
     • Used for “unusual” device classes
     • Devices that support Microsoft OS Descriptors must store a special USB string descriptor in firmware at the fixed string index of 0xEE. The request is:

  34. Responses to invalid data
     • Different USB stacks respond to invalid data in different ways
       • Maximum and minimum values
       • Logically incorrect values
       • Missing data
     • In some cases: crashes (potential vulnerabilities)
     • Other cases: unique behaviour
     Image from: windows7.iyogi.com

  35. Invalid data unique elements? Windows (all versions) If you send a specific, logically incorrect HID Report descriptor this happens:

  36. Invalid data unique elements? Windows (all versions) If you send a specific, logically incorrect HID Report descriptor this happens:

  37. Order of Descriptor requests
     • Some USB stacks request data from devices in a different order
     • Different drivers may request different descriptors multiple times
     • Sometimes descriptors are re-requested after enumeration is complete

  38. Demo: umap Image from: us.cdn4.123rf.com

  39. Umap overview
     • Supported device classes can be enumerated
     • Operating system information can be enumerated
     • Devices with specific VID/PID/REV can be emulated
     • The enumeration phase and class-specific data can be fuzzed
     • Endpoint protection systems' configuration can be assessed
     • Endpoint protection systems' USB protection can be circumvented
     • USB host implementations can be comprehensively tested

  40. Part Two: Potentially exploitable USB bugs Image from: www.biro-media.hr

  41. The Windows 8 RNDIS kernel pool overflow
     • MS13-027
     • usb8023x.sys: the default (Microsoft-signed) Windows Remote NDIS driver that provides network connectivity over USB
     • When the following USB descriptor field is manipulated, a bug check occurs indicating a kernel pool overwrite:
       Configuration descriptor: bNumInterfaces field > actual number of USB interfaces
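Slides 22 and 23 say the host picks a driver from the class fields of the device and interface descriptors and from VID/PID; this slide says that a bNumInterfaces value larger than the number of interfaces actually present reached a pool overwrite in usb8023x.sys. The parser below is an added example, not the driver's code and not from the talk: it extracts the driver-matching fields and applies the consistency checks (bLength bounds, wTotalLength against bytes received, bNumInterfaces against interface descriptors present) that a host-side parser should pass before sizing anything from those fields. The descriptor bytes, the VID/PID values and the function names are constructed for the example.

```python
"""Parse and sanity-check USB device and configuration descriptors.

Added example, not code from the talk or from any host stack.  The
descriptor bytes below are constructed; VID/PID 0x1234/0x5678 are placeholders.
"""
import struct

DEVICE, CONFIG, INTERFACE, ENDPOINT = 0x01, 0x02, 0x04, 0x05


def parse_device_descriptor(buf):
    """Return the fields a host uses for driver matching from an 18-byte device descriptor."""
    if len(buf) < 18 or buf[0] != 18 or buf[1] != DEVICE:
        raise ValueError("malformed device descriptor")
    (_, _, bcd_usb, dev_class, dev_sub, dev_proto, max_pkt,
     vid, pid, bcd_dev, _, _, _, num_cfg) = struct.unpack("<BBHBBBBHHHBBBB", bytes(buf[:18]))
    return {"bcdUSB": bcd_usb, "bDeviceClass": dev_class, "bDeviceSubClass": dev_sub,
            "bDeviceProtocol": dev_proto, "bMaxPacketSize0": max_pkt,
            "idVendor": vid, "idProduct": pid, "bcdDevice": bcd_dev,
            "bNumConfigurations": num_cfg}


def walk_configuration(buf):
    """Walk a configuration descriptor block; return (header, interface list).

    Raises ValueError on any inconsistency instead of trusting the device: the
    check a host needs before sizing allocations from bNumInterfaces.
    """
    if len(buf) < 9 or buf[0] != 9 or buf[1] != CONFIG:
        raise ValueError("malformed configuration descriptor header")
    _, _, total_len, num_ifaces, cfg_value, _, attrs, max_power = struct.unpack("<BBHBBBBB", bytes(buf[:9]))
    if total_len != len(buf):
        raise ValueError(f"wTotalLength {total_len} != bytes received {len(buf)}")
    interfaces, pos = [], 9
    while pos < total_len:
        if total_len - pos < 2:
            raise ValueError("trailing bytes too short for a descriptor header")
        length, dtype = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > total_len:
            raise ValueError(f"descriptor at offset {pos} has bad bLength {length}")
        if dtype == INTERFACE:
            if length < 9:
                raise ValueError("interface descriptor shorter than 9 bytes")
            _, _, num, alt, n_ep, cls, sub, proto, _ = struct.unpack("<BBBBBBBBB", bytes(buf[pos:pos + 9]))
            interfaces.append({"bInterfaceNumber": num, "bAlternateSetting": alt,
                               "bNumEndpoints": n_ep, "bInterfaceClass": cls,
                               "bInterfaceSubClass": sub, "bInterfaceProtocol": proto})
        pos += length  # class-specific (e.g. HID) and endpoint descriptors are skipped over
    # Alternate settings share an interface number, so count distinct numbers.
    actual = len({i["bInterfaceNumber"] for i in interfaces})
    if num_ifaces != actual:
        raise ValueError(f"bNumInterfaces {num_ifaces} != {actual} interface(s) present")
    header = {"wTotalLength": total_len, "bNumInterfaces": num_ifaces,
              "bConfigurationValue": cfg_value, "bmAttributes": attrs,
              "bMaxPower_mA": max_power * 2}
    return header, interfaces


def check_configuration(buf):
    """(True, summary) for a consistent descriptor block, else (False, reason)."""
    try:
        header, interfaces = walk_configuration(bytes(buf))
    except ValueError as exc:
        return False, str(exc)
    return True, f"{header['bNumInterfaces']} interface(s), {len(interfaces)} interface descriptor(s)"


def driver_match_info(dev, interfaces):
    """What the host has to go on when choosing a driver: VID/PID and class triples."""
    if dev["bDeviceClass"] == 0:
        # Class 0 in the device descriptor defers to the interface descriptors.
        classes = [(i["bInterfaceClass"], i["bInterfaceSubClass"], i["bInterfaceProtocol"])
                   for i in interfaces]
    else:
        classes = [(dev["bDeviceClass"], dev["bDeviceSubClass"], dev["bDeviceProtocol"])]
    return {"vid_pid": (dev["idVendor"], dev["idProduct"]), "class_triples": classes}


# Constructed HID keyboard-style descriptors (placeholder VID/PID).
DEVICE_DESC = bytes([0x12, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x40, 0x34, 0x12,
                     0x78, 0x56, 0x00, 0x01, 0x01, 0x02, 0x00, 0x01])
CONFIG_DESC = bytes(
    [0x09, 0x02, 0x22, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32]      # configuration, 34 bytes total
    + [0x09, 0x04, 0x00, 0x00, 0x01, 0x03, 0x01, 0x01, 0x00]   # interface 0: HID/boot/keyboard
    + [0x09, 0x21, 0x11, 0x01, 0x00, 0x01, 0x22, 0x3f, 0x00]   # HID class descriptor
    + [0x07, 0x05, 0x81, 0x03, 0x08, 0x00, 0x0a])              # interrupt IN endpoint
# Same block with bNumInterfaces raised to 4 while only one interface is present.
BAD_NUM_INTERFACES = CONFIG_DESC[:4] + b"\x04" + CONFIG_DESC[5:]

if __name__ == "__main__":
    dev = parse_device_descriptor(DEVICE_DESC)
    print(driver_match_info(dev, walk_configuration(CONFIG_DESC)[1]))
    print(check_configuration(CONFIG_DESC))
    print(check_configuration(BAD_NUM_INTERFACES))
```

The walk never uses bNumInterfaces to size anything; it counts the interface descriptors it actually finds inside wTotalLength and only then compares the two, which is the order of operations that turns the mismatch on this slide into a rejected device rather than an over-read.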

  42. The Bug Check
     BAD_POOL_HEADER (19)
     The pool is already corrupt at the time of the current request.
     <Truncated for brevity>
     Arguments:
     Arg1: 00000020, a pool block header size is corrupt.
     Arg2: 83e38610, The pool entry we were looking for within the page.
     Arg3: 83e38690, The next pool entry.
     Arg4: 08100008, (reserved)
     <Truncated for brevity>
     WARNING: SystemResourcesList->Flink chain invalid. Resource may be corrupted, or already deleted.
     WARNING: SystemResourcesList->Blink chain invalid. Resource may be corrupted, or already deleted.
     SYMBOL_NAME: usb8023x!SelectConfiguration+1bd

  43. The SelectConfiguration() function

  44. The crash point
