lbm a security framework for peripherals within the linux
play

LBM: A Security Framework for Peripherals within the Linux Kernel - PowerPoint PPT Presentation

Jan 18, 2023 •175 likes •560 views

LBM: A Security Framework for Peripherals within the Linux Kernel Dave (Jing) Tian*^, Grant Hernandez*, Joseph Choi*, Vanessa Frost*, Peter Johnson**, and Kevin Butler* *University of Florida, Gainesville, FL ^Purdue University, West Lafayette,

  1. LBM: A Security Framework for Peripherals within the Linux Kernel Dave (Jing) Tian*^, Grant Hernandez*, Joseph Choi*, Vanessa Frost*, Peter Johnson**, and Kevin Butler* *University of Florida, Gainesville, FL ^Purdue University, West Lafayette, IN **Middlebury College, VT May 22, 2019 Florida Institute of Cyber Security (FICS) Research

  2. Peripherals Florida Institute of Cyber Security (FICS) Research 2

  3. Modern Peripherals Florida Institute of Cyber Security (FICS) Research 3

  4. Modern Peripherals Florida Institute of Cyber Security (FICS) Research 4

  5. Modern Peripherals What could possibly go wrong?? Florida Institute of Cyber Security (FICS) Research 5

  6. Malicious Peripherals Florida Institute of Cyber Security (FICS) Research 6

  7. Malicious Peripherals pairing (build trust) after pairing (still “trusted”) 5.3 Billion Devices Affected BadBluetooth Attacks 0day attacks over NFC! NFC Reader/Writers Table top (MDF) Tap’n Laptop Table Ghost Florida Institute of Cyber Security (FICS) Research 7

  8. Solution? t k p d e t c e p x e n u - l a n o i t c n u F Specially-crafted pkt Malformed pkt Florida Institute of Cyber Security (FICS) Research 8

  9. Challenges • Peripheral Diversity • USBFILTER (USENIX Sec’16), USBFirewall (ACSAC’17) • Bluetooth, NFC, etc. • Filtering (Rule) Complexity • Programmability vs. Usability • Extensibility Florida Institute of Cyber Security (FICS) Research 9

  10. Linux (e)BPF Modules (LBM) • A generic security framework for peripherals • Peripheral agnostic • LBM hooks Peripheral Diversity • eBPF • Filter DSL Filtering Complexity • Module extension • USB, Bluetooth, NFC Florida Institute of Cyber Security (FICS) Research 10

  11. LBM: Architecture if usb.devnum == 7: drop LLVM/ lbmtool Clang User Space bpf syscall lbm sysfs Kernel Space lbm1 Peripheral Subsystems Framework USB Bluetooth NFC lbm2 LBM Subsys Subsys Subsys lbm3 LBM LBM LBM TX TX TX LBM LBM LBM RX RX RX BPF/eBPF USB Packet BT Packet NFC Packet Florida Institute of Cyber Security (FICS) Research 11

  12. LBM: Hooks • Linux Security Modules (LSM) • > 100 (kernel 4.13) • Linux (e)BPF Modules (LBM) • 1 int lbm_filter_pkt( int subsys, int dir, void *pkt) lbm_filter_pkt(LBM_SUBSYS_INDEX_USB, LBM_DIR_TX, ( void *)urb); lbm_filter_pkt(LBM_SUBSYS_INDEX_USB, LBM_DIR_RX, ( void *)urb); Florida Institute of Cyber Security (FICS) Research 12

  13. LBM: Hook Placement L2CAP LBM RX SCO ACL LBM TX Storage Driver Input Driver Video Driver USB Core Bluetooth Core LBM TX LBM RX LBM TX LBM RX Host Controller Device Driver Host Controller Interface Host Controller Device Bluetooth Module Bluetooth Peripherals USB Peripherals Florida Institute of Cyber Security (FICS) Research 13

  14. LBM: Filter DSL & lbmtool eBPF Assembly LSTART: usb.idVendor == 0x413c && MOV64_REG(REG_9, REG_1) usb.idProduct == 0x3010 MOV64_REG(REG_1, REG_9) CALL_FUNC(FUNC_lbm_usb_get_idVendor) MOV64_REG(REG_1, REG_0) MOV64_IMM(REG_6, 1) lbmtool JMP_IMM(JEQ, REG_1, 16700, L1_) MOV64_IMM(REG_6, 0) L1_: MOV64_REG(REG_1, REG_9) Tree Semantic Parse CALL_FUNC(FUNC_lbm_usb_get_idProduct) Expr CST Shaping Analysis MOV64_REG(REG_2, REG_0) MOV64_IMM(REG_3, 1) JMP_IMM(JEQ, REG_2, 12304, L2_) MOV64_IMM(REG_3, 0) L2_: CodeGen IR IRGen AST JMP_IMM(JEQ, REG_6, 0, L3_) JMP_IMM(JEQ, REG_3, 0, L3_) MOV64_IMM(REG_4, 1) JMP_A(L4_) write L3_: MOV64_IMM(REG_4, 0) sysfs L4_: eBPF JMP_IMM(JNE, REG_4, 0, L5_) Loader call L6_: MOV64_IMM(REG_0, 0) Program sys_bpf EXIT_INSN() L5_: MOV64_IMM(REG_0, 1) LEND: EXIT_INSN() Florida Institute of Cyber Security (FICS) Research 14

  15. LBM: Proof-of-Concept for NFC Step 1: Place hook Step II: Expose protocol fields lbm_filter_pkt(LBM_SUBSYS_INDEX_NFC, LBM_DIR_TX, ( void *)skb); lbm_filter_pkt(LBM_SUBSYS_INDEX_NFC, LBM_DIR_RX, ( void *)skb); Step III: Extend lbmtool nci.len > 10 && nci.mt == 5 NFC Kernel lbmtool Total # of lines 85 12 97 Florida Institute of Cyber Security (FICS) Research 15

  16. LBM: FaceDancer Testing Target Florida Institute of Cyber Security (FICS) Research 16

  17. LBM: Protocol Stack Protection (( usb .setup_packet != 0) && /* For enumeration */ ( usb .request[0] == 0x80) && /* Get_Descriptor */ ( usb .request[1] == 0x06) && /* Make sure response contains at least 2 bytes */ (( usb .actual_length < 2) || /* Make sure the descriptor type matches */ (( usb .request[3] != usb . data [1]) || /* Device descriptor */ (( usb .request[3] == 1) && (( usb . data [0] != 18) || ( usb .actual_length != 18))) || /* Configuration descriptor */ (( usb .request[3] == 2) && (( usb . data [0] < 9) || ( usb .actual_length < 9))) || /* String descriptor */ (( usb .request[4] == 3) && (( usb . data [0] < 4) || ( usb .actual_length < 4)))))) Florida Institute of Cyber Security (FICS) Research 17

  18. LBM: USB Security • Defending against BadUSB (( usb .pipe == 1) && /* INT (Keystroke) */ (( usb .manufacturer != "X") || ( usb . product != "Y") || ( usb .serial != "Z") || ( usb .plugtime != 12345))) • Securing charging (( usb .busnum == 1) && ( usb .portnum == 1)) Florida Institute of Cyber Security (FICS) Research 18

  19. LBM: Bluetooth Security • Defending against BlueBorne (( bt . l2cap .cid == 0x1) && /* L2CAP Signaling */ /* Configuration Response */ ( bt . l2cap .sig.cmd.code == 0x5) && ( bt . l2cap .sig.cmd.len >= 66)) • Defending against BleedingBit (( bt . hci .conn == 1) && /* A link exists */ ( bt . hci .conn.type == 0x80)) /* BLE link */ Dynamic Kernel Patching Florida Institute of Cyber Security (FICS) Research 19

  20. LBM: Benchmarks 500 LB0 30 LB0--IT TKrouJKput Ln 0B/V 400 25 2verhead Ln us 20 300 128KB 1.8% < 1us 10B 15 200 10 100 5 0 0 1 10 100 VanLlla /B0 /B0--IT Stock LBM LBM-JIT 1um RI LB0 5uOes Florida Institute of Cyber Security (FICS) Research 20

  21. LBM: Discussion • BPF memory write • LLVM support • Stateless vs. Stateful policy • DMA-oriented protocols Florida Institute of Cyber Security (FICS) Research 21

  22. Conclusion • Linux (e)BPF Module • USB, Bluetooth, NFC • Effectiveness and Minimum Overhead https://github.com/fics/lbm Florida Institute of Cyber Security (FICS) Research 22

  23. Q&A https://davejingtian.org Thanks! Florida Institute of Cyber Security (FICS) Research 23

  24. Malicious Peripherals What about wireless peripherals? 5.3 Billion Devices Affected 0day attacks over NFC! Florida Institute of Cyber Security (FICS) Research 24

  25. LBM: Core Framework • An eBPF client • LBM filter = eBPF program • Load LBM filters lbm create_module bpf • Subsystem / Path sysfs syscall syscall • Verify LBM filters BPF verifier LBM MDB TX LBM FDB TX • Subsystem / No memory write LBM MDB RX LBM FDB RX LBM • Store/Manage/Run LBM filters LBM Filter Engine Core • SysFS (/sys/fs/bpf, /sys/kernel/security/lbm) BPF/eBPF Florida Institute of Cyber Security (FICS) Research 25

  26. LBM: USB • LBM hooks lbm_filter_pkt(LBM_SUBSYS_INDEX_USB, LBM_DIR_TX, ( void *)urb); • 34 protocol fields lbm_filter_pkt(LBM_SUBSYS_INDEX_USB, LBM_DIR_RX, ( void *)urb); • 31 BPF helpers • 621 LoC Storage Driver Input Driver Video Driver USB Core LBM TX LBM RX Host Controller Device Driver Host Controller Device USB Peripherals Florida Institute of Cyber Security (FICS) Research 26

  27. LBM: Bluetooth • LBM hooks L2CAP LBM RX lbm_filter_pkt(LBM_SUBSYS_INDEX_BLUETOOTH, LBM_DIR_TX, ( void *)skb); lbm_filter_pkt(LBM_SUBSYS_INDEX_BLUETOOTH, SCO ACL LBM_DIR_RX, ( void *)skb); lbm_filter_pkt(LBM_SUBSYS_INDEX_BLUETOOTH_L2CAP, LBM TX LBM_DIR_TX, ( void *)skb); lbm_filter_pkt(LBM_SUBSYS_INDEX_BLUETOOTH_L2CAP, Bluetooth Core LBM_DIR_RX, ( void *)skb); • HCI/L2CAP LBM TX LBM RX • 30/28 protocol fields Host Controller Interface Bluetooth Module • 29/27 BPF helpers Bluetooth Peripherals • 683/744 LoC Florida Institute of Cyber Security (FICS) Research 27

  28. LBM: Protocol Stack Protection /* HCI-CMD */ (( bt . hci .type == 1) && ( bt . hci .len < 3)) || /* HCI-ACL */ (( bt . hci .type == 2) && ( bt . hci .len < 4)) || /* HCI-SCO */ (( bt . hci .type == 3) && ( bt . hci .len < 3)) || /* HCI-EVT */ (( bt . hci .type == 4) && ( bt . hci .len < 2))) Florida Institute of Cyber Security (FICS) Research 28

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

WIPTECH PERIPHERALS PVT .L TD. A Quality Product from: WIPTECH PERIPHERALS PVT .L TD.

WIPTECH PERIPHERALS PVT .L TD. A Quality Product from: WIPTECH PERIPHERALS PVT .L TD.

A Quality Product from: WIPTECH PERIPHERALS PVT .L TD. A Quality Product from: WIPTECH PERIPHERALS PVT .L TD. WIPTECH, a pioneer in its field, has become the benchmark for the security electric fencing industry. The Wiptech

254 views • 22 slides
Linux System Security Tunables Linux System Security Tunables Linux System Security Tunables

Linux System Security Tunables Linux System Security Tunables Linux System Security Tunables

Linux System Security Tunables Linux System Security Tunables Linux System Security Tunables http://outflux.net/slides/2013/drupal/tunables.pdf R0Ng DrupalCon Portland 2013 Kees Cook &lt;keescook@google.com&gt; (pronounced Case) Who is

474 views • 33 slides
Automatic Placement of Authorization Hooks in the Linux Security Modules Framework Vinod

Automatic Placement of Authorization Hooks in the Linux Security Modules Framework Vinod

Automatic Placement of Authorization Hooks in the Linux Security Modules Framework Vinod Ganapathy vg@cs.wisc.edu University of Wisconsin, Madison Joint work with Trent Jaeger Somesh Jha tjaeger@cse.psu.edu jha@cs.wisc.edu Pennsylvania

604 views • 41 slides
Tizen, Security and The Internet of Things Casey Schaufler 1 Casey Schaufler Security

Tizen, Security and The Internet of Things Casey Schaufler 1 Casey Schaufler Security

Tizen, Security and The Internet of Things Casey Schaufler 1 Casey Schaufler Security Dinosaur Smack Linux Security Module Manager Tizen and Linux Kernel Security 2 Tizen Linux based operating system Project of the Linux

486 views • 23 slides
TOMOYO Linux A Lightweight and Manageable Security System for PC and Embedded Linux

TOMOYO Linux A Lightweight and Manageable Security System for PC and Embedded Linux

CE Linux Forum Worldwide Embedded Linux Conference 2007 April 17-19, 2007 TOMOYO Linux A Lightweight and Manageable Security System for PC and Embedded Linux http://tomoyo.sourceforge.jp/ Toshiharu Harada Tetsuo Handa NTT DATA

654 views • 47 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 9 Linux Security &amp; Logging Linux Security Real-World Linux Security RHEL

739 views • 41 slides
Basic Linux Original slides from GTFO Security outline Linux What it is? Commands

Basic Linux Original slides from GTFO Security outline Linux What it is? Commands

Basic Linux Original slides from GTFO Security outline Linux What it is? Commands Filesystem / Shell Package Management Services run on Linux mail dns web central authentication router

1.55k views • 23 slides
TOMOYO Linux News! A Lightweight and Manageable Security System for PC and Embedded Linux

TOMOYO Linux News! A Lightweight and Manageable Security System for PC and Embedded Linux

TOMOYO Linux News! A Lightweight and Manageable Security System for PC and Embedded Linux PDF version of ELC2007 slide is available: CE Linux Forum Wiki TomoyoLinux http://tree.celinuxforum.org/CelfPubWiki/TomoyoLinux (bookmark and

890 views • 48 slides
Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework Reporting Objectives Executive Summary Information Assess Current Cyber Security Posture Measure Progress Toward Improvement Assess

634 views • 5 slides
LCD interfacing +Other Peripherals in AVR Microcontrollers Contents A brief overview over

LCD interfacing +Other Peripherals in AVR Microcontrollers Contents A brief overview over

Microprocessors , Lecture 11: LCD interfacing +Other Peripherals in AVR Microcontrollers Contents A brief overview over the AVR peripherals not covered by the course LCD University of Tehran 2 AVR peripherals University of Tehran 3

551 views • 28 slides
Linux Kernel Self Protection Project Linux Security Summit, Los Angeles September 14, 2017 Kees

Linux Kernel Self Protection Project Linux Security Summit, Los Angeles September 14, 2017 Kees

Linux Kernel Self Protection Project Linux Security Summit, Los Angeles September 14, 2017 Kees (Case) Cook keescook@chromium.org https://outflux.net/slides/2017/lss/kspp.pdf Agenda Background Security in the context of

652 views • 52 slides
Linux Security State of Linux Security in 2016 Michael Boelen michael.boelen@cisofy.com DBLUG,

Linux Security State of Linux Security in 2016 Michael Boelen michael.boelen@cisofy.com DBLUG,

Linux Security State of Linux Security in 2016 Michael Boelen michael.boelen@cisofy.com DBLUG, 7 December 2016 Michael Boelen Open Source Lynis, Rootkit Hunter Business and Community Founder of CISOfy Board member and

454 views • 18 slides
Linux Overview Amir Hossein Payberah payberah@gmail.com 1 Agenda Linux Overview Linux

Linux Overview Amir Hossein Payberah payberah@gmail.com 1 Agenda Linux Overview Linux

Linux Overview Amir Hossein Payberah payberah@gmail.com 1 Agenda Linux Overview Linux Distributions Linux vs Windows Linux Architecture Linux Security 2 What is Linux? Similar Operating System To Microsoft Windows, Sun

1.11k views • 55 slides
Linux Hardening Locking Down Linux To Increase Security Michael Boelen michael.boelen@cisofy.com

Linux Hardening Locking Down Linux To Increase Security Michael Boelen michael.boelen@cisofy.com

Linux Hardening Locking Down Linux To Increase Security Michael Boelen michael.boelen@cisofy.com s-Hertogenbosch, 1 March 2016 Meetup: Den Bosch Linux User Group Goals 1. Learn what to protect 2. Know some strategies 3. Learn tooling Focus

912 views • 60 slides
Advanced Systems Security: Linux Security Modules Trent Jaeger Systems and Internet

Advanced Systems Security: Linux Security Modules Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Linux Security Modules Trent

872 views • 30 slides
Advanced Systems Security: Security-Enhanced Linux Trent Jaeger Systems and Internet

Advanced Systems Security: Security-Enhanced Linux Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Security-Enhanced Linux Trent

474 views • 26 slides
Synthesis of of 4-phenylcoumarin fr from 2- hydroxybenz nzophenone imine and d diethyl

Synthesis of of 4-phenylcoumarin fr from 2- hydroxybenz nzophenone imine and d diethyl

13 rd International Electroni nic Conference on Synthetic Organic Chem hemistry (ECSOC- 13), 1-30 Novermber 2009 http://www.mdpi.org/ rg/ecsoc-13 &amp; http://www.usc.es/congreso sos/ecsoc/13/ [E013] Synthesis of of 4-phenylcoumarin fr from

169 views • 3 slides
MICROSERVICES VS. REVERSE-PROXY Emile Vauge ContainerCon 2016 $ whoami French DevOps &amp;

MICROSERVICES VS. REVERSE-PROXY Emile Vauge ContainerCon 2016 $ whoami French DevOps &amp;

MICROSERVICES VS. REVERSE-PROXY Emile Vauge ContainerCon 2016 $ whoami French DevOps &amp; Developer I Docker , I Go Worked @ Thales, Airbus, Lyra, Zenika Creator and maintainer of traek.io BUT WHY ANOTHER REVERSE-PROXY?

620 views • 25 slides
Problems in the appearance of silicon photomultipliers: a brief history and perspectives Ziraddin

Problems in the appearance of silicon photomultipliers: a brief history and perspectives Ziraddin

Problems in the appearance of silicon photomultipliers: a brief history and perspectives Ziraddin (Zair) Sadygov Joint Institute for Nuclear Research On behalf the MAPD collaboration E-mail: zsadygov@gmail.com Z. Sadygov, ICASiPM 2018,

610 views • 21 slides
Transacted Memory for Smart Cards Pieter Hartel, Univ. Twente, NL Michael Butler, Univ.

Transacted Memory for Smart Cards Pieter Hartel, Univ. Twente, NL Michael Butler, Univ.

Transacted Memory for Smart Cards Pieter Hartel, Univ. Twente, NL Michael Butler, Univ. Southampton, UK Eduard de Jong, Sun Micro systems, USA Mark Longley, Univ. Southampton, UK 1 Overview What is transacted memory? Combining Z,

168 views • 15 slides
A.I.S. Class 24: Outline I Learning Objectives for Chapter 3 I Hardware I Software I Systems

A.I.S. Class 24: Outline I Learning Objectives for Chapter 3 I Hardware I Software I Systems

A.I.S. Class 24: Outline I Learning Objectives for Chapter 3 I Hardware I Software I Systems Configuration I Group Work for Chapter 3 I XML &amp; XBRL Dr. Peter R Gillett November 30, 2005 1 Learning Objectives for Chapter 3 I After studying

366 views • 18 slides
Plasma Physics Kinetic plasma description A. Flacco Structure from particle description to

Plasma Physics Kinetic plasma description A. Flacco Structure from particle description to

Plasma Physics Kinetic plasma description A. Flacco Structure from particle description to PDF 3 Kinetic Description 5 Vlasov Equation 9 n th -order momentum equation 10 A. Flacco/ENSTA - PA201: Introduction Page 2 of 21

814 views • 21 slides
Q UANTITATIVE TEXTURE OF OF FERROELECTRIC MODIFIED LEAD ED LEAD FERROELECTRIC MODIFI TITANATE

Q UANTITATIVE TEXTURE OF OF FERROELECTRIC MODIFIED LEAD ED LEAD FERROELECTRIC MODIFI TITANATE

Q UANTITATIVE TEXTURE Q UANTITATIVE TEXTURE OF OF FERROELECTRIC MODIFIED LEAD ED LEAD FERROELECTRIC MODIFI TITANATE THIN FILMS TITANATE THIN FILMS J. Ricote, D. Chateigner, L. Pardo , M. Alguer , J. Mendiola , M.L. Calzada

417 views • 19 slides
INPUT DEVICES An input device is any peripheral used to provide data and control signals to a

INPUT DEVICES An input device is any peripheral used to provide data and control signals to a

8/29/2010 Device: is an instrument that performs a simple task. Input: something put into a system. INPUT DEVICES An input device is any peripheral used to provide data and control signals to a computer. Maninder Kaur An input

286 views • 7 slides

More recommend