1. Unified RF Fuzzing Under a Common API: Introducing TumbleRF
Matt Knight, Ryan Speers
River Loop Security
Troopers 2018, March 15, 2018

2. whois

Matt Knight
• Independent software, hardware, and RF engineer
• Security Researcher at River Loop Security
• BE in EE from Dartmouth College
• RF, SDR, PHYs, and embedded systems

Ryan Speers
• Director of Research at Ionic Security
• Co-founder at River Loop Security
• Computer Science from Dartmouth College
• Cryptography, embedded systems, IEEE 802.15.4

3. Background
• “Making and Breaking a Wireless IDS”, Troopers14
• “Speaking the Local Dialect”, ACM WiSec
  (with Ryan Speers, Sergey Bratus, Javier Vazquez, Ray Jenkins, bx, Travis Goodspeed, and David Dowd)
• Idiosyncrasies in PHY implementations
• Mechanisms for automating: RF fuzzing, bug discovery, PHY FSM fingerprint generation

4. Agenda
1. Overview of traditional fuzzing techniques (software and networks)
   • How these do and don’t easily map to RF
2. RF fuzzing overview and state of the art
3. Ideal fuzzer design
4. TumbleRF introduction and overview
5. TumbleRF usage example

5. Traditional Fuzzing Techniques (section)

6. What is fuzzing?
Measured application of pseudorandom input to a system.
Why fuzz?
• Automates discovery of crashes, corner cases, bugs, etc.
• Unexpected input → unexpected state

7. What can one fuzz?
Interfaces:
• I/O
• File format parsers
• Network interfaces

8. Software Fuzzing State of the Art
Abundant fully-featured software fuzzers:
• AFL / AFL-Unicorn
• Peach
• Scapy
Software is easy to instrument and hook at every level.
What else can one fuzz?

9. Fuzzing Hardware
Challenges:
• H/W is often unique, with fewer “standard interfaces” to measure on
• May not be able to simulate well in a test harness
Some existing techniques:
• AFL-Unicorn: simulate firmware in Unicorn to fuzz
• Bus Pirate: permutes pinouts and data rates to discover digital buses
• JTAGulator: permutes pinouts that could match unlocked JTAG
• …

10. Fuzzing RF
• WiFuzz: MAC-focused 802.11 protocol fuzzer
• Marc Newlin’s Mousejack research: injected fuzzed RF packets at nRF24 HID dongles while looking for USB output
• isotope: IEEE 802.15.4 PHY fuzzer

11. Existing RF Fuzzing Limitations
• Fuzzers are siloed / protocol-specific
• Generally limited to the MAC layer and up
• RF is hard to instrument: what constitutes a crash / bug / etc.?
• Implicit trust in the chipset: one can only see what one’s own radio says is happening

12. Trust and Physical Layer Vulnerabilities
Not all PHY state machines are created equal!
• Radio chipsets implement RF state machines differently
• Differences can be fingerprinted and exploited
• Initial results on 802.15.4 were profound
• Specially-crafted PHYs can target certain chipsets while avoiding others

13. RF PHYs: A Primer (section)

14. How Radios Work
Transmitter: digital data (bits) → analog RF energy (discrete → continuous)
Receiver: analog RF energy → digital data (bits) (continuous → discrete)
Receiving comes down to sampling and synchronization!

15. Digitally Modulated Waveforms
[Figure: a digitally modulated waveform, from https://hackaday.com/2016/11/18/building-a-lora-phy-with-sdr/]

16. Digitally Modulated Waveforms
[Figure: the same waveform annotated with its Preamble, Start of Frame Delimiter (SFD) / Sync Word, and Data regions, from https://hackaday.com/2016/11/18/building-a-lora-phy-with-sdr/]

17. RF PHY State Machines
[Figure: PHY receive state machine]
Seeking Preamble (Idle) → Seeking SFD (Synchronizing) → Extract Length from Header → Demodulate N Bits → Check CRC (optional) → Present to MAC / Layer 2 Parser

18. RF PHY State Machines
[Figure: the same state machine, annotated “Let’s dig in” at the Seeking Preamble / Seeking SFD stages]

19. RF PHY State Machines
Correlation = a shift register clocking bits through at the symbol rate, looking for a pattern
1. Seeking Preamble (Idle): the correlator looks for [1,0,1,0,…]
2. Seeking SFD (Synchronizing): the correlator looks for [magic number]
If found, a packet is on-air

20. Sync Words and Magic Numbers (slides 20–23, progressive build)
Turns out not all sync words are created equally
• 0x00000000 == 802.15.4 Preamble
• 0xA7 == 802.15.4 Sync Word
The isotope research showed some chipsets correlated on “different” (strategically malformed) preambles / sync words than others:
• Short preamble? 0xXXXX0000 in place of 0x00000000
• Flipped bits in SFD? 0xAF in place of 0xA7
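The receive state machine of slides 17–19 and the malformed preamble / SFD cases of slides 20–23, worked as an added Python example. This is not code from the talk, from isotope or from TumbleRF: the two chipsets (“strict” and “lenient”), their preamble-length requirement, SFD bit-error tolerance and SFD timeout are assumptions made up for this example, and the bit-level model (LSB-first bytes, a single-bit preamble correlator) is a simplification of the real O-QPSK chip-level PHY. It generalises the slides' two cases into a parameterised receiver, so any preamble/SFD variant can be tried against any set of receiver parameters.

```python
from dataclasses import dataclass
from enum import Enum, auto

PREAMBLE = bytes(4)   # IEEE 802.15.4 preamble 0x00000000
SFD = 0xA7            # IEEE 802.15.4 start-of-frame delimiter

def crc16_kermit(data: bytes) -> int:
    """802.15.4 FCS: CRC-16 with polynomial x^16 + x^12 + x^5 + 1, zero init, LSB-first."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc

def bytes_to_bits(data: bytes) -> list:
    """Serialise LSB-first, the on-air bit order of 802.15.4."""
    return [(byte >> i) & 1 for byte in data for i in range(8)]

def bits_to_byte(bits) -> int:
    return sum(bit << i for i, bit in enumerate(bits))

def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")

def build_frame(mac_payload: bytes, preamble: bytes = PREAMBLE, sfd: int = SFD) -> bytes:
    """PHY frame: preamble | SFD | length | PSDU, where PSDU = MAC payload + 2-byte FCS."""
    psdu = mac_payload + crc16_kermit(mac_payload).to_bytes(2, "little")
    return preamble + bytes([sfd, len(psdu)]) + psdu

class State(Enum):
    SEEK_PREAMBLE = auto()   # idle: count consecutive zero bits
    SEEK_SFD = auto()        # synchronising: correlate an 8-bit shift register against the SFD
    READ_LENGTH = auto()
    DEMOD_PAYLOAD = auto()

@dataclass(frozen=True)
class Chipset:
    """Hypothetical receiver parameters: the knobs that differ between real chipsets."""
    name: str
    preamble_bits: int          # zero bits required before the SFD correlator is armed
    sfd_tolerance: int          # bit errors the SFD correlator tolerates
    sfd_timeout_bits: int = 32  # bits to wait for an SFD before dropping back to idle

def receive(chip: Chipset, bits) -> list:
    """Run the PHY state machine over a bit stream; return (psdu, fcs_ok) for each frame found."""
    state, run, elapsed, shift, buf, length = State.SEEK_PREAMBLE, 0, 0, [], [], 0
    frames = []
    for bit in bits:
        if state is State.SEEK_PREAMBLE:
            run = run + 1 if bit == 0 else 0
            if run >= chip.preamble_bits:
                state, elapsed, shift = State.SEEK_SFD, 0, []
        elif state is State.SEEK_SFD:
            shift, elapsed = (shift + [bit])[-8:], elapsed + 1
            if len(shift) == 8 and hamming(bits_to_byte(shift), SFD) <= chip.sfd_tolerance:
                state, buf = State.READ_LENGTH, []
            elif elapsed >= chip.sfd_timeout_bits:
                state, run = State.SEEK_PREAMBLE, 0
        elif state is State.READ_LENGTH:
            buf.append(bit)
            if len(buf) == 8:
                length, buf, run = bits_to_byte(buf) & 0x7F, [], 0   # 7-bit frame length
                state = State.DEMOD_PAYLOAD if length >= 2 else State.SEEK_PREAMBLE
        elif state is State.DEMOD_PAYLOAD:
            buf.append(bit)
            if len(buf) == length * 8:
                psdu = bytes(bits_to_byte(buf[i:i + 8]) for i in range(0, len(buf), 8))
                fcs_ok = crc16_kermit(psdu[:-2]) == int.from_bytes(psdu[-2:], "little")
                frames.append((psdu, fcs_ok))   # present to MAC / layer 2 parser
                state, run = State.SEEK_PREAMBLE, 0
    return frames

# Two made-up chipsets: one strict, one that arms its SFD correlator after only 16 zero
# bits and tolerates a single bit error in the SFD.
CHIPSETS = (Chipset("strict", preamble_bits=32, sfd_tolerance=0),
            Chipset("lenient", preamble_bits=16, sfd_tolerance=1))

def fingerprint(frame: bytes, chipsets=CHIPSETS) -> dict:
    """Which chipsets decode the frame with a good FCS? Any difference is a PHY fingerprint."""
    bits = bytes_to_bits(frame)
    return {chip.name: any(ok for _, ok in receive(chip, bits)) for chip in chipsets}

PAYLOAD = bytes([0x01, 0x02, 0x03, 0x04])                 # constructed MAC payload
STANDARD = build_frame(PAYLOAD)
SHORT_PREAMBLE = build_frame(PAYLOAD, preamble=bytes(2))  # the slides' 0xXXXX0000 case
FLIPPED_SFD = build_frame(PAYLOAD, sfd=0xAF)              # one bit flipped in 0xA7
```

`fingerprint(STANDARD)` returns `{'strict': True, 'lenient': True}`, while `fingerprint(SHORT_PREAMBLE)` and `fingerprint(FLIPPED_SFD)` both return `{'strict': False, 'lenient': True}`: a frame whose PHY header is malformed in just the right way is invisible to one receiver and perfectly valid to the other, which is the targeting and evasion property slide 12 describes. A fuzzer that walks preamble length and SFD bit flips against real hardware is simply running this loop with the chipset parameters unknown and the results observed.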

24. Fuzzing Shows the Way (section)

25. Ideal RF Fuzzer Design (section)

26. Ideal Features
• Extensible: easy to hook up new radios
• Flexible: modular, to enable plugging and playing different engines / interfaces / test cases
• Reusable: re-use designs from one protocol on another
• Comprehensive: exposes the PHY in addition to the MAC

27. TumbleRF (section)

28. TumbleRF
Previously known as unfAPI (Un-Named Fuzzing API)

29. TumbleRF
• Software framework enabling fuzzing of arbitrary RF protocols
• Abstracts key components for easy extension

30. TumbleRF Architecture
[Figure: block diagram]
Components: Command Line Interface, Test Case Management, Test Case (Generator + Harness + TX Interface (PHY or MAC)), Results Logging

31. Interfaces
RF injection/sniffing functions abstracted to a generic template. To add a new radio, inherit the base class and redefine its functions to map onto any driver:
• [set/get]_channel()
• [set/get]_sfd()
• [set/get]_preamble()
• tx()
• rx_start()
• rx_stop()
• rx_poll()

32. Generators
Rulesets for generating fuzzed input (in Python). Extend to interface with software fuzzers of your choice.
Implement 2 functions:
• yield_control_case()
• yield_test_case()
Three generators currently:
• Preamble length (isotope)
• Non-standard symbols in preamble (isotope)
• Random payloads in message

33. Harnesses
Monitor the device under test to evaluate test case results, and manage device state in between tests.
Three handlers currently:
• Received Frame Check: listen for given frames via an RF interface
• SSH Process Check: check whether processes on the target crashed (beta)
• Serial Check: watch for specific output via Arduino (beta)

34. Test Cases
Coordinate the generator, interface, and harness. Typically very lightweight.
Extend BaseCase to implement run_test(), or build upon others, e.g. extend AlternatorCase to implement:
• does_control_case_pass()
• throw_test_case()
AlternatorCase alternates test cases with a known-good control case to ensure the interface is still up.

35. TumbleRF Architecture: Demo Setup
[Figure: block diagram]
Components: Command Line Interface, Test Case Management, Test Case (Generator + Harness + TX Interface (PHY or MAC) + RX Interface + Comparison Logic), Results Logging

36. Example Generated Data: Preamble Length
Standard IEEE 802.15.4 preamble: 0x00000000

Preamble            | SFD  | Length
0x00 0x00 0x00 0x00 | 0xA7 | 0xLL
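The four pieces of slides 31–34 (interface template, generator, harness, alternating test case) wired into one fuzzing loop that produces the preamble | SFD | length frames of slide 36 with a progressively shorter preamble, as an added Python example. This is not TumbleRF's code: only the method names on the interface, generator and test case follow the slides; the `Air`, `SimRadio` and `SimTarget` classes, the “target answers with `ACK` plus a sequence byte” convention and the target's “needs at least N zero preamble bytes to sync” rule are constructed here so the loop runs offline without radios. With a real driver, only `SimRadio` would be replaced.

```python
from abc import ABC, abstractmethod

STD_PREAMBLE = bytes(4)   # IEEE 802.15.4 preamble 0x00000000
STD_SFD = 0xA7            # IEEE 802.15.4 start-of-frame delimiter

class RFInterface(ABC):
    """Radio template: a new driver inherits this and maps each method onto its hardware."""
    def __init__(self):
        self._channel, self._preamble, self._sfd = 11, STD_PREAMBLE, STD_SFD
    def set_channel(self, channel): self._channel = channel
    def get_channel(self): return self._channel
    def set_preamble(self, preamble): self._preamble = preamble
    def get_preamble(self): return self._preamble
    def set_sfd(self, sfd): self._sfd = sfd
    def get_sfd(self): return self._sfd
    @abstractmethod
    def tx(self, psdu): ...        # send a PSDU using the PHY settings configured above
    @abstractmethod
    def rx_start(self): ...
    @abstractmethod
    def rx_stop(self): ...
    @abstractmethod
    def rx_poll(self): ...         # return the frames received since the last poll

class Air:
    """Hypothetical shared medium: every transmission is offered to every other listener."""
    def __init__(self): self.listeners = []
    def transmit(self, sender, channel, preamble, sfd, psdu):
        for node in self.listeners:
            if node is not sender:
                node.on_air(channel, preamble, sfd, psdu)

class SimRadio(RFInterface):
    """Simulated driver. Like a real chipset it only reports frames its own correlator
    accepts, modelled here as 'same channel and same SFD' (slide 11's implicit trust)."""
    def __init__(self, air):
        super().__init__(); self.air, self.listening, self.inbox = air, False, []
        air.listeners.append(self)
    def tx(self, psdu): self.air.transmit(self, self._channel, self._preamble, self._sfd, psdu)
    def rx_start(self): self.listening = True
    def rx_stop(self): self.listening = False
    def rx_poll(self):
        got, self.inbox = self.inbox, []
        return got
    def on_air(self, channel, preamble, sfd, psdu):
        if self.listening and channel == self._channel and sfd == self._sfd:
            self.inbox.append(psdu)

class SimTarget:
    """Device under test: syncs only on >= min_preamble_bytes zero bytes followed by 0xA7,
    then answers with b'ACK' + the first byte of the frame (used as a sequence number)."""
    def __init__(self, air, min_preamble_bytes):
        self.air, self.min_preamble_bytes = air, min_preamble_bytes
        air.listeners.append(self)
    def on_air(self, channel, preamble, sfd, psdu):
        if (channel == 11 and len(preamble) >= self.min_preamble_bytes
                and preamble == bytes(len(preamble)) and sfd == STD_SFD and psdu):
            self.air.transmit(self, 11, STD_PREAMBLE, STD_SFD, b"ACK" + psdu[:1])

class PreambleLengthGenerator:
    """Control case: the standard PHY. Test cases: the same frame with a shortened preamble."""
    def __init__(self, lengths=(0, 1, 2, 3, 4)): self.lengths = lengths
    def yield_control_case(self):
        return {"preamble": STD_PREAMBLE, "sfd": STD_SFD, "psdu": b"\x00ctrl"}
    def yield_test_case(self):
        for seq, n in enumerate(self.lengths, start=1):
            yield {"preamble": bytes(n), "sfd": STD_SFD, "psdu": bytes([seq]) + b"fuzz"}

class ReceivedFrameCheck:
    """Harness: the case passed if the target's ACK for the frame we sent shows up on RX."""
    def __init__(self, rx): self.rx = rx; rx.rx_start()
    def check(self, sent_psdu):
        return any(frame == b"ACK" + sent_psdu[:1] for frame in self.rx.rx_poll())

class AlternatorCase:
    """Alternates every test case with the control case, so a dead interface or target is
    not mistaken for a rejected test case."""
    def __init__(self, generator, tx, harness):
        self.generator, self.tx, self.harness = generator, tx, harness
    def _throw(self, case):
        self.tx.set_preamble(case["preamble"]); self.tx.set_sfd(case["sfd"])
        self.tx.tx(case["psdu"])
        return self.harness.check(case["psdu"])
    def does_control_case_pass(self): return self._throw(self.generator.yield_control_case())
    def throw_test_case(self, case): return self._throw(case)
    def run_test(self):
        results = []
        for case in self.generator.yield_test_case():
            if not self.does_control_case_pass():
                raise RuntimeError("control case failed: interface or target is down")
            results.append((len(case["preamble"]), self.throw_test_case(case)))
        return results

def fuzz_preamble_length(min_preamble_bytes, lengths=(0, 1, 2, 3, 4)):
    """Wire up TX radio, RX radio and a simulated target; return [(preamble bytes, accepted)]."""
    air = Air()
    SimTarget(air, min_preamble_bytes)
    tx, rx = SimRadio(air), SimRadio(air)
    return AlternatorCase(PreambleLengthGenerator(lengths), tx, ReceivedFrameCheck(rx)).run_test()
```

`fuzz_preamble_length(2)` returns `[(0, False), (1, False), (2, True), (3, True), (4, True)]` and `fuzz_preamble_length(4)` returns `[(0, False), (1, False), (2, False), (3, False), (4, True)]`: the shortest preamble a target still syncs on is exactly the per-chipset fingerprint the isotope work extracted. If the control case ever stops passing, `run_test()` raises instead of silently logging every remaining test case as “rejected”, which is the point of alternating with a known-good frame.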

37. Example Generated Data: Preamble Length
[Figure: the same frame layout with part of it labelled “bypassed”; arbitrary PHY injection via modified gr-ieee802-15-4]

38. Demo
