device drivers
play

Device Drivers: Dont build a house on a shaky foundation johnny - PowerPoint PPT Presentation

Mar 06, 2024 •183 likes •881 views

Device Drivers: Dont build a house on a shaky foundation johnny cache, researcher david maynor, SecureWorks Overview Problems Nifty Fingerprinting Stuff Finding and Exploiting Vulns Shellcode Design DEMOS!!!!!!

  1. Device Drivers: Don’t build a house on a shaky foundation johnny cache, researcher david maynor, SecureWorks

  2. Overview • Problems • Nifty Fingerprinting Stuff • Finding and Exploiting Vulns • Shellcode Design • DEMOS!!!!!!

  3. Problems? • Speed to market is so important. • Some things don’t get tested properly • New hardware and committee designed protocols are especially susceptible.

  4. Problems (cont…) • Although what follows is mostly focused on 802.11a/b/g the lessons learned can be applied to lots of things – Bluetooth – New 802.11 specs – Wireless data (EDGE, EV-DO, HSDPA)

  5. 802.11 • Why is it so complicated • Does it have to be • Can we fix it? • Consequence’s of complexity: – Fingerprinting 802.11 implementations – Exploiting device drivers

  6. Why so complicated? • "Fear leads to anger. Anger leads to hate. Hate leads to protocols designed by committe.” --warlord (?)

  7. Why so complicated • Partly to ambitious, partly attempting to deal with legitimate problems. • -hidden nodes • -unreliable links • -other networks on same channel

  8. Can we fix it • Yes, all it costs is standards compliance. • Ignore management frames • Ignore (some?) control frames • Remove extra’s (more on these later),

  9. Why is this interesting? • Complexity is a hacker’s best friend. • If its not complex theres no room for bugs. No bugs means no fun. • 802.11 is not lacking in complexity.

  10. Ethernet • 3 fields: src, dst, type.

  11. 802.11 • Version • Type • Subtype • 8 flags. • 1,2,3 or 4 addresses, variable positions ����� ��� ��������� ���

  12. Not done yet.. • Positive acknowledgement • 11 management frames • 6 control frames • ..lots of subtypes for each. • ..various encryption fields (IV, MIC/ICV, etc)

  13. More features! • Ad-Hoc • Power savings • 2 types of MAC (PCF vs DCF) • .11e QoS • Geo-locating proposed? WTH does ‘media access control’ have to do with geo-locating

  14. What do you get when you remove the extras? Nintendo DS No Wi-Fi certification Nowhere near 802.11 compliant Ignores de-auth/disassociates Possibly ignores control packets Works great! (probably doesn’t roam very well)

  15. Fingerprinting 802.11 • Why bother – Target exploits – WIDS can monitor users’ chipset, driver. – Possibly refine OS fingerprints

  16. Fingerprinting 802.11 • Why is this cool – No other link layer protocol fingerprints that I know of • Why is this possible? – Complexity of the protocol

  17. How far down can you go? • Chipset families • Distinct drivers for chipsets • Different versions of the same driver • Firmware (?)

  18. Specific fingerprints • RTS/CTS window honouring • Association Redirection • Duration analysis

  19. RTS/CTS • RTS/CTS packets used to reserve media for large enough packets.

  20. RTS/CTS

  21. RTS/CTS

  22. RTS/CTS

  23. RTS/CTS

  24. RTS/CTS

  25. RTS/CTS

  26. RTS/CTS

  27. How many implementations use this? Nope. Most? Nope A few? None? Yes! (under normal conditions)

  28. RTS/CTS • If they didn’t bother to implement it, they care if other people have?

  29. RTS/CTS • Though code was written to analyze packet dumps, results were not deterministic enough to be useful. • Getting such a high resolution clock/timestamp very diffcult.

  30. Association Redirection • Active fingerprinting technique. • High resolution. • Mind-numbingly boring to automate.

  31. Association Redirection • Specified in standard: pg 376

  32. Quick Overview Important 802.11 fields: Src, Dst, BSSID

  34. Normal 802.11 Association

  35. Association Redirection Unsuccessful Successful

  37. So what weird things happen? • Cards de-auth flood null address (broadcom) • Cards think they are on both networks? (centrino) • Other less dramatic hijinks.

  38. Deauth-Flood example auth-reply

  39. Deauth-Flood example assoc-request

  40. Deauth-Flood example assoc-reply

  41. Deuath-Flood starts

  42. Association Redirection redux • If 1 weird standards quirk is good 3 must be better! – Instead of just source mangle as many things as possible: src, bssid, both

  43. Table2 here

  44. Assocation Redir redux • If 3 standards quirks work OK, why not 9? • Two more tables

  45. Tables 3 and 4 here

  46. Association Redirection summary • very possible to remotely version chipset • can’t really distinguish different drivers • - active technique, requires you to transmit packets.

  47. Duration analysis • Totally passive • Very accurate • Easy to automate • Only basic statistical techniques used.

  48. What is a duration?

  49. What influences duration values. • Rate (.11b, .11g) • Short slot time (g only) • Short pre amble

  50. Example atheros fingerprint Well behaved atheros card: CTS: 0 pwrmgmt: 1 frag: 0 order: 0 --------- <0 0> Duration( (314) ) //assoc request <0 4> Duration( (0) (314) ) //probe request <0 11> Duration( (314) ) //authentication <2 0> Duration( (162) (0) ) //data <2 4> Duration( (162) ) //null function data

  51. Example prism fingerprint poorly behaved prism card: CTS: 0 pwrmgmt: 1 frag: 0 order: 0 --------- <0 0> Duration( (258) ) //assoc req <0 4> Duration( (0) ) //probe req <0 11> Duration( (53389) ) //auth <0 12> Duration( (258) (314) ) //de-auth <2 0> Duration( (213) (0) (223) ) //data <2 4> Duration( (37554) ) //null-func

  52. Simple example • Duration match 2 prints here

  53. Simple example cont.

  54. Real life example (centrino)

  55. Unknown Ralink example tcpdump -i rausb0 -s 0 -w unknown.pcap

  56. So how’s it work? --MagicStats Duration summarry--- Atheros print Total number of unique durations: 12 Total volume: 95 CTS: 0 -------------------------------- pwrmgmt: 1 dur times_seen prob weight frag: 0 0, 25, 0.2632, 3.8000 order: 0 117, 8, 0.0842, 11.8750 --------- <0 0> Duration( (314) ) 127, 2, 0.0211, 47.5000 <0 4> Duration( (0) (314) ) 152, 1, 0.0105, 95.0000 <0 11> Duration( (314) ) 162, 15, 0.1579, 6.3333 213, 5, 0.0526, 19.0000 <2 0> Duration( (162) (0) ) 223, 1, 0.0105, 95.0000 <2 4> Duration( (162) ) 248, 2, 0.0211, 47.5000 258, 6, 0.0632, 15.8333 314, 28, 0.2947, 3.3929 37554, 1, 0.0105, 95.0000 53389, 1, 0.0105, 95.0000

  57. So how’s it work? • Compute fingerprint across input pcap. • Fuzzilly compare it to all known fingerprints. – For every matching duration in comparison print, add points proportional to weight for that duration. – Bonus points for matching type, subtype, and duration all at once.

  58. Fuzzy compare • For every matching duration in comparison print, add points proportional to weight for that duration. • Bonus points for matching type, subtype, and duration all at once.

  59. Also tracks a few other flags Flag value ratio prob weight CTS: 1 0/12 0.0000 inf CTS: 0 12/12 1.0000 1.0000 PwrMgmt: 1 8/12 0.6667 1.5000 PwrMgmt: 0 4/12 0.3333 3.0000 frag: 1 0/12 0.0000 inf frag: 0 12/12 1.0000 1.0000 order: 1 0/12 0.0000 inf order: 0 12/12 1.0000 1.0000

  60. how accurate is it? • When run across my own set of training data, the following results apply: • B-only (0x0021 flags, lexie) – 26 times better than random • mixed-BG (0x0401/0x0001 flags) – 18 times better than random

  61. Finding and exploiting vulns in drivers.

  62. Ways to find bugs? • Static auditing • Fuzzing

  63. Things to think about • Fuzzing can be frustrating – A bug could be triggered by something 8 packet chains ago – Hard to track down in ring0

  64. fuzz-e

  65. fuzz-e ( j ohnycsh @d i z : f uzz - e )$ . / f u zz -e -R -A -P a th0 -n 500 - r r t 2570 - i r ausb0 - c 11 -D . / des t -addys . t x t -w u20000 - s 00 :07 :0E :B9 :74 :BB -b 0 0 :07 :0E:B9 :74 :BB - E log . t x t -R random delays -A autonomous mode (don’t stop) -P passive interface to sniff on -n 500 send 500 packets per cycle -r rt2570 driver to inject with -i rausb0 inject on rausb0 -c 11 set channel to 11 -D dest-addys specify list of victims -w u20000 wait 200000 usecs (max) -s source address of packets -b bssid of packets -E log events to log.txt

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Hardware and Device Drivers Device virtualization Device drivers and security Bjrn

Hardware and Device Drivers Device virtualization Device drivers and security Bjrn

Outline Faculty of Computer Science Institute for System Architecture, Operating Systems Group What's so different about device drivers? Hardware access Writing device drivers on L4 Reuse of legacy drivers Hardware and Device

619 views • 12 slides
Understanding Modern Device Drivers Why study device drivers? Linux drivers constitute ~5

Understanding Modern Device Drivers Why study device drivers? Linux drivers constitute ~5

3/6/12 Understanding Modern Device Drivers Why study device drivers? Linux drivers constitute ~5 million LOC and 70% of kernel Little exposure to this breadth of driver code from research Better understanding of drivers can lead to

484 views • 14 slides
Linux Device Drivers Linux Device Drivers Kernel 2.6 1. Introduction Dr. Wolfgang Koch 2.

Linux Device Drivers Linux Device Drivers Kernel 2.6 1. Introduction Dr. Wolfgang Koch 2.

Linux Device Drivers Linux Device Drivers Kernel 2.6 1. Introduction Dr. Wolfgang Koch 2. Kernel Modules Friedrich Schiller University Jena 3. Char Drivers Department of Mathematics and 4. Advanced Char Drivers Computer Science 5.

531 views • 12 slides
Linux Device Drivers Linux Device Drivers Dr. Wolfgang Koch 1. Introduction Friedrich Schiller

Linux Device Drivers Linux Device Drivers Dr. Wolfgang Koch 1. Introduction Friedrich Schiller

Linux Device Drivers Linux Device Drivers Dr. Wolfgang Koch 1. Introduction Friedrich Schiller University Jena 2. Kernel Modules Department of Mathematics and 3. Char Drivers Computer Science 4. Advanced Char Drivers Jena, Germany 5.

529 views • 17 slides
Towards safer Concurrent Device Drivers Making Safer Concurrent Device Drivers. Modeling RMoX

Towards safer Concurrent Device Drivers Making Safer Concurrent Device Drivers. Modeling RMoX

Concurrent Device Drivers Martin Ellis Motivation Towards safer Concurrent Device Drivers Making Safer Concurrent Device Drivers. Modeling RMoX Drivers in CSP Previous Work The Problem Our Technique Resource Driver Martin Ellis

605 views • 32 slides
UMBC A B M A L T F O U M B C I M Y O R T 1 (May 2, 2002) I E S R C E O

UMBC A B M A L T F O U M B C I M Y O R T 1 (May 2, 2002) I E S R C E O

Systems Design&amp;Programming Linux Device Drivers III CMPE 310 Char Drivers Well develop a device driver, scull , which treats an area of memory as a device. There are several types of scull devices: scull[0-3] This type has four

481 views • 19 slides
Hardware and Device Drivers Bjrn Dbel Dresden, 2007-11-13 Outline What's so different

Hardware and Device Drivers Bjrn Dbel Dresden, 2007-11-13 Outline What's so different

Faculty of Computer Science Institute for System Architecture, Operating Systems Group Hardware and Device Drivers Bjrn Dbel Dresden, 2007-11-13 Outline What's so different about device drivers? Hardware access Writing device

634 views • 45 slides
Dingo: Taming Device Drivers Leonid Ryzhyk Peter Chubb Ihor Kuz Gernot Heiser UNSW,

Dingo: Taming Device Drivers Leonid Ryzhyk Peter Chubb Ihor Kuz Gernot Heiser UNSW,

Dingo: Taming Device Drivers Leonid Ryzhyk Peter Chubb Ihor Kuz Gernot Heiser UNSW, NICTA, Open Kernel Labs (Australia) The problem with drivers 70% of OS crashes are caused by device drivers Drivers contain 1.5x-7x bugs per loc

557 views • 36 slides
HW/SW Codesign w/ FPGAs Microprogramming ECE 495/595 Introduction (Linux Device Drivers, 3rd

HW/SW Codesign w/ FPGAs Microprogramming ECE 495/595 Introduction (Linux Device Drivers, 3rd

HW/SW Codesign w/ FPGAs Microprogramming ECE 495/595 Introduction (Linux Device Drivers, 3rd Edition (www.makelinux.net/ldd3)) Device Drivers -&gt; DD They are a well defined programming interface between the applications and the actual

486 views • 24 slides
Operating System Principles: Devices, Device Drivers, and I/O CS 111 Operating Systems Peter

Operating System Principles: Devices, Device Drivers, and I/O CS 111 Operating Systems Peter

Operating System Principles: Devices, Device Drivers, and I/O CS 111 Operating Systems Peter Reiher Lecture 12 CS 111 Page 1 Summer 2017 Outline Devices and device drivers I/O performance issues Device driver abstractions

1.92k views • 58 slides
Writing and Adapting Device Drivers for FreeBSD John Baldwin November 5, 2011 What is a Device

Writing and Adapting Device Drivers for FreeBSD John Baldwin November 5, 2011 What is a Device

Writing and Adapting Device Drivers for FreeBSD John Baldwin November 5, 2011 What is a Device Driver? Hardware Functionality A device driver is the software that bridges Device Driver the two. 2 Focus of This Presentation

1.08k views • 93 slides
Kernel Modules KLD Device Drivers The kld interface allows system administrators to

Kernel Modules KLD Device Drivers The kld interface allows system administrators to

Dynamic Kernel Linker Facility - Kernel Modules KLD Device Drivers The kld interface allows system administrators to dynamically add and remove functionality from a Pseudo device example running system. Joystick device example This

503 views • 8 slides
Abstraction via the OS Device Drivers Jonathan Misurda jmisurda@cs.pitt.edu Software Layers

Abstraction via the OS Device Drivers Jonathan Misurda jmisurda@cs.pitt.edu Software Layers

Abstraction via the OS Device Drivers Jonathan Misurda jmisurda@cs.pitt.edu Software Layers Device Drivers User User space program User User level I/O software &amp; libraries Kernel space Device independent OS software Operating

765 views • 5 slides
Devices and Device Drivers CS 111 Operating Systems Peter Reiher Lecture 12 CS 111 Page 1

Devices and Device Drivers CS 111 Operating Systems Peter Reiher Lecture 12 CS 111 Page 1

Devices and Device Drivers CS 111 Operating Systems Peter Reiher Lecture 12 CS 111 Page 1 Fall 2015 Outline The role of devices Device drivers Classes of device driver Lecture 12 CS 111 Page 2 Fall 2015 So Youve Got Your

755 views • 59 slides
XXX Tolerating Malicious Drivers in Linux Silas Boyd-Wickizer and Nickolai Zeldovich How could

XXX Tolerating Malicious Drivers in Linux Silas Boyd-Wickizer and Nickolai Zeldovich How could

XXX Tolerating Malicious Drivers in Linux Silas Boyd-Wickizer and Nickolai Zeldovich How could a device driver be malicious? Today's device drivers are highly privileged Write kernel memory, allocate memory, ... Drivers are complex;

1.63k views • 95 slides
How to develop Device Drivers for Linux OS? Presented from: Rashid Siddiqui For: Bin Tang What

How to develop Device Drivers for Linux OS? Presented from: Rashid Siddiqui For: Bin Tang What

How to develop Device Drivers for Linux OS? Presented from: Rashid Siddiqui For: Bin Tang What is a device driver? Software that handles or manages a hardware controller for a particular device! What is a Controller? Is a piece of hardware

624 views • 31 slides
6QM Solution for IPv6 QoS Measurements Nov. 2004 Moscow Jordi Palet (Consulintel), Csar

6QM Solution for IPv6 QoS Measurements Nov. 2004 Moscow Jordi Palet (Consulintel), Csar

6QM Solution for IPv6 QoS Measurements Nov. 2004 Moscow Jordi Palet (Consulintel), Csar Olvera (Consulintel), Miguel A. Daz (Consulintel) {jordi.palet, cesar.olvera, miguelangel.diaz}@consulintel.es Introduction The QoS measurement

343 views • 19 slides
Exploiting Sequence of Events for Potential Attack Detection in Network Security using Machine

Exploiting Sequence of Events for Potential Attack Detection in Network Security using Machine

Exploiting Sequence of Events for Potential Attack Detection in Network Security using Machine Learning Ashrith Barthur, PhD Security Research @cyberbaggage H 2 O .ai Machine Intelligence Sequence of Events (SoE) What is a Sequence of

636 views • 35 slides
PacketExpert PacketBroker (Wire-speed Ethernet Tap) 818 West Diamond Avenue - Third Floor,

PacketExpert PacketBroker (Wire-speed Ethernet Tap) 818 West Diamond Avenue - Third Floor,

PacketExpert PacketBroker (Wire-speed Ethernet Tap) 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301) 670-4784 Fax: (301) 670-9187 Email: info@gl.com 1 1 Website: http://www.gl.com Ethernet Technology 2

650 views • 46 slides
Probably the worlds best stateless traffic generation and analysis platform 2 1 2 4 5 6

Probably the worlds best stateless traffic generation and analysis platform 2 1 2 4 5 6

1 Probably the worlds best stateless traffic generation and analysis platform 2 1 2 4 5 6 3 OVERVIEW TYPES OF TESTS HARDWARE SOFTWARE AUTOMATION KEY FEATURES LEARN MORE 3 OVERVIEW Valkyrie is a full-featured stateless traffic

720 views • 43 slides
A networked-FPGA platform o ff ering fm exible Ethernet switching from Layer 1 all the way to full

A networked-FPGA platform o ff ering fm exible Ethernet switching from Layer 1 all the way to full

A networked-FPGA platform o ff ering fm exible Ethernet switching from Layer 1 all the way to full SDN via P4 Matthew Knight and Marc Durrenberger Networked FPGA platforms Opening up network packet visibility Increasing network flexibility Who

463 views • 21 slides
Evaluation of variance for TCP throughput Olga I. Bogoiavlenskaia PetrSU, Department of Computer

Evaluation of variance for TCP throughput Olga I. Bogoiavlenskaia PetrSU, Department of Computer

Evaluation of variance for TCP throughput Olga I. Bogoiavlenskaia PetrSU, Department of Computer Science olbgvl@cs.karelia.ru TCP Congestion Control In distributed packet switching network a sender is not aware about the workload

164 views • 12 slides
VoIP switching and billing suite Break through your data VoIP switching and billing suite

VoIP switching and billing suite Break through your data VoIP switching and billing suite

VoIP switching and billing suite Break through your data VoIP switching and billing suite components VoIP switch - SIP softswitch based on VoIP switch Opensips significantly re-developed by 5g 5g Future. Future Dynamic or static routing - a

156 views • 11 slides
Slot clouds getting more from orbital slots with networking Lloyd Wood Global Defense and Space

Slot clouds getting more from orbital slots with networking Lloyd Wood Global Defense and Space

Slot clouds getting more from orbital slots with networking Lloyd Wood Global Defense and Space Group, Cisco Systems http://www.cisco.com/go/gdsg Alex da Silva Curiel, Javad Anzalchi, Dave Cooke, Chris Jackson Surrey Satellite Technology Ltd

833 views • 18 slides

More recommend