virtualised usb fuzzing using qemu and scapy
play

Virtualised USB Fuzzing using QEMU and Scapy Breaking USB for Fun - PowerPoint PPT Presentation

Sep 18, 2023 •183 likes •416 views

Intro Fuzzing Results Virtualised USB Fuzzing using QEMU and Scapy Breaking USB for Fun and Profit Tobias Mueller (c) 2015, CC-BY-SA 3.0 2015-10-01 1 / 25 Intro Fuzzing Results 1 Intro Motivation USB Architecture 2 Fuzzing Obtaining

  1. Intro Fuzzing Results Virtualised USB Fuzzing using QEMU and Scapy Breaking USB for Fun and Profit Tobias Mueller (c) 2015, CC-BY-SA 3.0 2015-10-01 1 / 25

  2. Intro Fuzzing Results 1 Intro Motivation USB Architecture 2 Fuzzing Obtaining valid USB communication QEMU Virtual USB Device 3 Results Stack Stress Test USB Fingerprinting Driver Flaws 2 / 25

  3. Intro Motivation Fuzzing USB Architecture Results Motivation What’s the problem? USB supported by every major OS USB widely deployed USB drivers in kernel space Not easy to assess security Development board? Inject messages into kernel? 3 / 25

  4. Digital Voting Pen Yes, it uses USB. hehe

  5. In-Flight entertainment Based on Linux or VxWorks

  7. Intro Motivation Fuzzing USB Architecture Results Architecture Host initiated communication → polling Yes, even with keyboards or mice packet-based SETUP IN OUT 8 / 25

  8. usb-kernel-ipe.pdf

  9. Device Descriptor Configuration Configuration Interface Interface Interface Endpoint Endpoint Endpoint Endpoint

  10. Device Descriptor 44 3e 48 00 69 00 00 00 00 00 12 00 00 00 QemuUSB 12 01 pipe direction ’D > H’ (device to h[...] pid IN 00 02 00 00 00 40 07 13 63 01 00 01 01 02 03 01 devaddr 0 devep 0 length 18 USBIn Descriptor length 18 type Device DeviceDescriptor bcdUSB 0x0200 bDeviceClass Base Class bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize 64 idVendor 0x1307 idProduct 0x0163 bcdDevice 256 iManufacturer 1 iProduct 2 iSerialNumber 3 bNumConfigurations1

  11. Intro Motivation Fuzzing USB Architecture Results Known USB issues The Playstation 3 Hack Configuration Descriptor overflow. . . m( 12 / 25

  12. Intro Motivation Fuzzing USB Architecture Results Known USB issues (cont.) Solaris FAIL Configuration Descriptor overflow by Andy Davies (CVE-2011-2295) BadUSB Put several classes onto one device 13 / 25

  13. Intro Motivation Fuzzing USB Architecture Results Physical Access? Often argued that it’s not in the OS’s threat model except, it is. . . Not necessarily needed due to: USB/IP Wireless USB 14 / 25

  14. Intro Obtaining valid USB communication Fuzzing QEMU Results Virtual USB Device Fuzzing Dumb Fuzzing coined in late 80’s feed program with random(?) data received a lot of attention ∼ 2004 Smart Fuzzing Modify existing valid structured data Checksums Cover more code Patent encumbered? Scapy Awesome (!) framework sniff, manipulate, craft, send (Ethernet) packets models packets in Python 15 / 25

  15. Intro Obtaining valid USB communication Fuzzing QEMU Results Virtual USB Device Obtaining Valid USB communication Read specs :-( mount none -t debugfs /sys/kernel/debug mount none -t usbmon see Documentation/usb/usbmon.txt :-( Using QEMU: Implement filter to pipe out communication (originally done by Moritz Jodeit) 16 / 25

  16. Intro Obtaining valid USB communication Fuzzing QEMU Results Virtual USB Device 17 / 25

  17. Intro Obtaining valid USB communication Fuzzing QEMU Results Virtual USB Device QEMU Full virtualisation (not Xen, OpenVZ, UML, etc. . . ) Free (as in speech) Virtualisation (not VMWare) Existing Virtual USB Drivers (Unusable) Existing infrastructure for USB indirection 18 / 25

  18. Intro Obtaining valid USB communication Fuzzing QEMU Results Virtual USB Device Virtual USB Device Take simple existing MSD or Serial driver Write out / Read in USB packets Implement desired behaviour externally cat and echo Or enhancing Scapy to read/write from pipes → Automaton class 19 / 25

  19. Intro Obtaining valid USB communication Fuzzing QEMU Results Virtual USB Device 20 / 25

  20. USB Stack stress testing How many devices can you handle? def r u n s i m p l e t e s t (qemu , timeout =4, d e l e t e=False ) : qemu . usb add ( ’mouse’ ) time . s l e e p ( timeout ) cmd = l i s t ( ’dmesg’ ) + [ ’space’ ] \ + [ ’minus’ ] + [ ’c’ ] + [ ’enter’ ] qemu . sendkeys (cmd) u s b d e v i c e s = qemu . u s b i n f o () i f d e l e t e : for d e v i c e in u s b d e v i c e s [ ’usbdevices’ ] : qemu . u s b d e l ( ’%d.%d’ % ( d e v i c e [ ’busnr’ ] , d e v i c e [ ’devaddr’ ] ) ) print qemu . c p u i n f o ()

  21. Intro Stack Stress Test Fuzzing USB Fingerprinting Results USB Fingerprinting Targetted attacks OS Packet Sequence Retries Windows SETUP, IN, OUT 3 Linux 2.6.33 SETUP (9x), RESET 4+2 OpenBSD 4.7 SETUP, IN, OUT 7 FreeBSD 8.0 SETUP, IN, OUT 6 Tabelle : USB Stack Fingerprints of various operating systems 22 / 25

  22. Intro Fuzzing Results Future Work What’s next? USB-3? (SuperSpeed, Device Initiated Communication) Making it work with GadgetFS Make that work on phones Get more OS fingerprints Exploit more drivers Run shellcode USB Firewall 24 / 25

  23. Intro Fuzzing Results Q&A Questions? Muchas Gracias! Tobi(as) Mueller Mail 4tmuelle@informatik.uni-hamburg.de FF52 DA33 C025 B1E0 B910 92FC 1C34 19BF 1BF9 8D6D 25 / 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Scapy Bo Li What is Scapy Scapy is a packet manipulation tool for computer networks.

Scapy Bo Li What is Scapy Scapy is a packet manipulation tool for computer networks.

Scapy Bo Li What is Scapy Scapy is a packet manipulation tool for computer networks. forge or decode packets, send them on the wire, capture them, and match requests and replies Handle tasks scanning, tracerouting, probing, unit

144 views • 13 slides
Fuzzing your GSM phone using OpenBSC and scapy Harald Welte gnumonks.org gpl-violations.org

Fuzzing your GSM phone using OpenBSC and scapy Harald Welte gnumonks.org gpl-violations.org

GSM/3G security Implementing GSM protocols Security analysis Summary Fuzzing your GSM phone using OpenBSC and scapy Harald Welte gnumonks.org gpl-violations.org OpenBSC airprobe.org hmw-consulting.de 26C3 conference, December 2009,

484 views • 31 slides
Scapy en pratique Renaud Lifchitz Scapy en pratique 1 PyCON FR 17 Mai 2008 - Renaud

Scapy en pratique Renaud Lifchitz Scapy en pratique 1 PyCON FR 17 Mai 2008 - Renaud

Scapy en pratique Renaud Lifchitz Scapy en pratique 1 PyCON FR 17 Mai 2008 - Renaud Lifchitz Plan Qu'est-ce que Scapy ? Quelques notions rseaux Manipulations basiques Utilisation avance : scurit rseau

622 views • 27 slides
QEMU 2.0 and Beyond CloudOpen 2013 Anthony Liguori <anthony@codemonkey.ws> About QEMU

QEMU 2.0 and Beyond CloudOpen 2013 Anthony Liguori <anthony@codemonkey.ws> About QEMU

QEMU 2.0 and Beyond CloudOpen 2013 Anthony Liguori <anthony@codemonkey.ws> About QEMU is a fast full system simulator and virtualization engine QEMU is Open Source hardware emulation KVM Xen Android SDK (fork)

431 views • 22 slides
Merging QEMU-DM upstream Taking the '-dm' out of qemu-dm Anthony Liguori aliguori@us.ibm.com

Merging QEMU-DM upstream Taking the '-dm' out of qemu-dm Anthony Liguori aliguori@us.ibm.com

Merging QEMU-DM upstream Taking the '-dm' out of qemu-dm Anthony Liguori aliguori@us.ibm.com IBM Linux Technology Center XenSummit April 16th, 2007 Linux is a registered trademark of Linus Torvalds. What's qemu-dm? HVM device

430 views • 13 slides
QEMU internal APIs How abstractions inside QEMU (don't) work together Eduardo Habkost

QEMU internal APIs How abstractions inside QEMU (don't) work together Eduardo Habkost

QEMU internal APIs How abstractions inside QEMU (don't) work together Eduardo Habkost <ehabkost@redhat.com> 1 Contents Context: QEMU features and interfaces Overview of some internal QEMU APIs Interaction between different abstractions

899 views • 70 slides
Towards a more expressive and introspectable QEMU command line Markus Armbruster

Towards a more expressive and introspectable QEMU command line Markus Armbruster

Towards a more expressive and introspectable QEMU command line Markus Armbruster <armbru@redhat.com> KVM Forum 2017 Part I Things we want from the command line A simple example You could run QEMU like this: $ qemu -s -machine

953 views • 83 slides
Improving the QEMU Event Loop Fam Zheng Red Hat KVM Forum 2015 Agenda The event loops in

Improving the QEMU Event Loop Fam Zheng Red Hat KVM Forum 2015 Agenda The event loops in

Improving the QEMU Event Loop Fam Zheng Red Hat KVM Forum 2015 Agenda The event loops in QEMU Challenges Consistency Scalability Correctness The event loops in QEMU QEMU from a mile away Main loop from 10 meters The

523 views • 35 slides
Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me Motivation Introduction of fuzzing and afl fuzzer Necessary changes to the core and configuration Testing setup Example SIP messages and

1.03k views • 35 slides
Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is fuzzing/fuzz testing? Why AFL? How does it work with GNAT Pro/Ada? Premise: Fuzz Testing Definition: Stable Software Software that is highly

649 views • 16 slides
Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101 Agenda GEEKZONE Overview of fuzzing techniques Tutorials on specific open-source fuzzers Demonstrations DIY fuzzing! Who

825 views • 50 slides
2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

From Blackbox Fuzzing to Whitebox Fuzzing towards Verification 2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid Microsoft Research ISSTA2010 Page 1 July 2010 Acknowledgments Joint work with:

633 views • 38 slides
Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico Politecnico di Milano October 25, 2018 1 Index Coverage-guided fuzzing An overview of rev.ng Experimental results 2 Fuzzing 3 Fuzzing 1 Generate

1.36k views • 72 slides
Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange Division R&D firstname dot lastname at orange-ftgroup dot com research & development Forewords Wi-Fi Fuzzing/BlackHat EU 2007/Laurent Butti p

1.05k views • 78 slides
io_uring in QEMU: high-performance disk IO for Linux FOSDEM 2020 Julia Suvorova, Red Hat

io_uring in QEMU: high-performance disk IO for Linux FOSDEM 2020 Julia Suvorova, Red Hat

io_uring in QEMU: high-performance disk IO for Linux FOSDEM 2020 Julia Suvorova, Red Hat Software Engineer 1 Agenda What well discuss today io_uring API QEMU structure Features of io_uring and how they helped QEMU Benchmarks What

634 views • 20 slides
Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing what is fuzzing, why fuzz, fuzzing types How to fuzz fuzz target, fuzzing engine, libFuzzer Media processing as a target

551 views • 19 slides
IWCG Privacy Update 26.10.2018 TPAC, Lyon Agenda 15m - High-level overview of documented threat

IWCG Privacy Update 26.10.2018 TPAC, Lyon Agenda 15m - High-level overview of documented threat

IWCG Privacy Update 26.10.2018 TPAC, Lyon Agenda 15m - High-level overview of documented threat vectors and potential mitigations based on issues and explainer at Privacy & Security repo

487 views • 31 slides
Web Tracking (Continued) Side Channels Autumn 2018 Tadayoshi (Yoshi) Kohno

Web Tracking (Continued) Side Channels Autumn 2018 Tadayoshi (Yoshi) Kohno

CSE 484 / CSE M 584: Computer Security and Privacy Web Tracking (Continued) Side Channels Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.Washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Ada Lerner, John Manferdelli, John

737 views • 40 slides
Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking

Bochspwn Reloaded Detecting Kernel Memory Disclosure with x86 Emulation and Taint Tracking Mateusz j00ru Jurczyk REcon 2017, Montreal Alternative title (cheers Alex Ionescu!) Memory Disclosure Alternative title KERNELBLEED Agenda

1.7k views • 140 slides
Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets October 22, 2016 October

Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets October 22, 2016 October

Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets October 22, 2016 October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 1 Who am I? Dipl.-Inf. Matthias Deeg Expert IT Security Consultant CISSP, CISA, OSCP, OSCE

1.09k views • 81 slides
ACCESSIBILITY Is it another checkbox to be ticked? By Ann Mwangi CROSS FUNCTIONAL REQUIREMENTS

ACCESSIBILITY Is it another checkbox to be ticked? By Ann Mwangi CROSS FUNCTIONAL REQUIREMENTS

U S E R E X P E R I E N C E ACCESSIBILITY Is it another checkbox to be ticked? By Ann Mwangi CROSS FUNCTIONAL REQUIREMENTS 2 WHY ACCESSIBILITY Over 4 million people in Australia have some form of disability. That's 1 in 5 people. (ABS)

516 views • 22 slides
Micro Processor & Controller Organization Organization Outline Outline Project Examples

Micro Processor & Controller Organization Organization Outline Outline Project Examples

Micro Processor & Controller Organization Organization Outline Outline Project Examples CPU 8, 16, 32 Bits FPU General Architecture of Computer CPU - MEM - I/O Peripheral Memory Hierarchy Main Memory

254 views • 13 slides
Hiding @ Depth: Exploring & Subverting NAND Flash memory Josh m0nk Thomas (A DARPA CFT

Hiding @ Depth: Exploring & Subverting NAND Flash memory Josh m0nk Thomas (A DARPA CFT

Hiding @ Depth: Exploring & Subverting NAND Flash memory Josh m0nk Thomas (A DARPA CFT Project by MonkWorks, LLC) RIP 4.1.13 - Long Live CFT Thx Mudge Saturday, June 22, 13 My Path, And You Can Too! Saturday, June 22, 13 My Path,

379 views • 16 slides
Is it safe to run applications in Linux Containers? Jrme Petazzoni @jpetazzo Docker Inc.

Is it safe to run applications in Linux Containers? Jrme Petazzoni @jpetazzo Docker Inc.

Is it safe to run applications in Linux Containers? Jrme Petazzoni @jpetazzo Docker Inc. @docker Is it safe to run applications in Linux Containers? And, can Docker do anything about it? Question: Is it safe to run applications in

803 views • 59 slides

More recommend