Virtualised USB Fuzzing using QEMU and Scapy Breaking USB for Fun - - PowerPoint PPT Presentation



SLIDE 1

Intro Fuzzing Results

Virtualised USB Fuzzing using QEMU and Scapy

Breaking USB for Fun and Profit
Tobias Mueller
(c) 2015, CC-BY-SA 3.0
2015-10-01

1 / 25

SLIDE 2

1 Intro
    Motivation
    USB Architecture

2 Fuzzing
    Obtaining valid USB communication
    QEMU
    Virtual USB Device

3 Results
    Stack Stress Test
    USB Fingerprinting
    Driver Flaws

SLIDE 3

Motivation

What's the problem?

- USB supported by every major OS
- USB widely deployed
- USB drivers in kernel space
- Not easy to assess security
    - Development board?
    - Inject messages into kernel?

SLIDE 4

Digital Voting Pen

Yes, it uses USB. hehe

SLIDE 5

In-Flight entertainment

Based on Linux or VxWorks

SLIDE 6

SLIDE 7

Architecture

- Host initiated communication → polling
    Yes, even with keyboards or mice
- Packet-based: SETUP, IN, OUT

SLIDE 8

Figure: usb-kernel-ipe.pdf

SLIDE 9

Device Descriptor
    Configuration
        Interface
            Endpoint
    Configuration
        Interface
            Endpoint
            Endpoint
        Interface
            Endpoint

SLIDE 10

Device Descriptor

Scapy dissection of a captured frame (raw bytes, field, decoded value):

QemuUSB
    44 3e 48 00    pipe                direction 'D>H' (device to h[...]
    69 00 00 00    pid                 IN
    00             devaddr
    00             devep
    12 00 00 00    length              18
USBIn Descriptor
    12             length              18
    01             type                Device
DeviceDescriptor
    00 02          bcdUSB              0x0200
    00             bDeviceClass        Base Class
    00             bDeviceSubClass
    00             bDeviceProtocol
    40             bMaxPacketSize      64
    07 13          idVendor            0x1307
    63 01          idProduct           0x0163
    00 01          bcdDevice           256
    01             iManufacturer       1
    02             iProduct            2
    03             iSerialNumber       3
    01             bNumConfigurations  1

SLIDE 11

Known USB issues

- The Playstation 3 Hack: Configuration Descriptor overflow... m(

SLIDE 12

Known USB issues (cont.)

- Solaris FAIL: Configuration Descriptor overflow by Andy Davies (CVE-2011-2295)
- BadUSB: Put several classes onto one device
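The frame dissected on slide 10, parsed by a strict checker written for this page (not the speaker's Scapy model): it unpacks the QemuUSB header and the 18-byte device descriptor and refuses any declared length that exceeds the bytes actually received, which is the inconsistency the configuration-descriptor overflows on slides 11 and 12 hinge on. The QemuUSB field layout (little-endian u32 pipe, u32 pid, u8 devaddr, u8 devep, u32 length) is assumed from the field order on the slide; the sample bytes are constructed from it.

```python
import struct

# QemuUSB header, layout assumed from the slide's field order (little-endian):
# u32 pipe, u32 pid, u8 devaddr, u8 devep, u32 length, then `length` payload bytes.
QEMU_HDR = struct.Struct("<IIBBI")
DEV_DESC = struct.Struct("<BBHBBBBHHHBBBB")  # USB 2.0 device descriptor, fixed 18 bytes
DEV_DESC_FIELDS = ("bLength", "bDescriptorType", "bcdUSB", "bDeviceClass",
                   "bDeviceSubClass", "bDeviceProtocol", "bMaxPacketSize0", "idVendor",
                   "idProduct", "bcdDevice", "iManufacturer", "iProduct", "iSerialNumber",
                   "bNumConfigurations")
DESC_TYPE_DEVICE = 0x01

# Constructed sample: the exact bytes dissected on slide 10.
FRAME = bytes.fromhex(
    "443e4800" "69000000" "00" "00" "12000000"  # pipe, pid=IN (0x69), devaddr, devep, length=18
    "1201" "0002" "000000" "40" "0713" "6301" "0001" "010203" "01")  # device descriptor

class DescriptorError(ValueError):
    """A frame or descriptor claims more than the bytes actually present support."""

def parse_qemu_frame(buf):
    """Return (header dict, payload) where payload is only what the header really covers."""
    if len(buf) < QEMU_HDR.size:
        raise DescriptorError("truncated QemuUSB header (%d bytes)" % len(buf))
    pipe, pid, devaddr, devep, length = QEMU_HDR.unpack_from(buf)
    payload = buf[QEMU_HDR.size:]
    # Never trust the declared length: a length larger than the data received is exactly
    # what a host stack with a descriptor-overflow bug would copy blindly.
    if length > len(payload):
        raise DescriptorError("declared length %d exceeds %d received bytes" % (length, len(payload)))
    return {"pipe": pipe, "pid": pid, "devaddr": devaddr, "devep": devep}, payload[:length]

def parse_device_descriptor(data):
    """Decode a device descriptor, validating bLength and bDescriptorType before any field is used."""
    if len(data) < DEV_DESC.size:
        raise DescriptorError("device descriptor needs %d bytes, got %d" % (DEV_DESC.size, len(data)))
    fields = dict(zip(DEV_DESC_FIELDS, DEV_DESC.unpack_from(data)))
    if fields["bDescriptorType"] != DESC_TYPE_DEVICE:
        raise DescriptorError("not a device descriptor: type 0x%02x" % fields["bDescriptorType"])
    if fields["bLength"] != DEV_DESC.size:
        raise DescriptorError("bLength %d does not match the fixed 18-byte layout" % fields["bLength"])
    return fields

def dissect(buf):
    """Parse one IN frame carrying a device descriptor: returns (header dict, descriptor dict)."""
    header, payload = parse_qemu_frame(buf)
    return header, parse_device_descriptor(payload)
```

Feeding the same checks a frame whose length field or bLength has been mutated shows the rejection path a robust host stack needs before it copies descriptor data into a fixed-size buffer.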

SLIDE 13

Physical Access?

- Often argued that it's not in the OS's threat model... except, it is...
- Not necessarily needed due to:
    - USB/IP
    - Wireless USB

SLIDE 14

Fuzzing

Dumb Fuzzing
- coined in late 80's
- feed program with random(?) data
- received a lot of attention ~2004

Smart Fuzzing
- Modify existing valid structured data
- Checksums
- Cover more code
- Patent encumbered?

Scapy
- Awesome (!) framework
- sniff, manipulate, craft, send (Ethernet) packets
- models packets in Python

SLIDE 15

Obtaining Valid USB communication

- Read specs :-(
- mount none -t debugfs /sys/kernel/debug
  mount none -t usbmon
  see Documentation/usb/usbmon.txt :-(
- Using QEMU: Implement filter to pipe out communication (originally done by Moritz Jodeit)

SLIDE 16

SLIDE 17

QEMU

- Full virtualisation (not Xen, OpenVZ, UML, etc...)
- Free (as in speech) Virtualisation (not VMWare)
- Existing Virtual USB Drivers (Unusable)
- Existing infrastructure for USB indirection

SLIDE 18

Virtual USB Device

- Take simple existing MSD or Serial driver
- Write out / Read in USB packets
- Implement desired behaviour externally: cat and echo
- Or enhance Scapy to read/write from pipes → Automaton class

SLIDE 19

SLIDE 20

USB Stack stress testing

How many devices can you handle?

    import time

    # `qemu` is the speaker's wrapper around the QEMU monitor (usb_add, sendkeys, usb_info,
    # usb_del, cpu_info); it is not defined on the slide.
    def run_simple_test(qemu, timeout=4, delete=False):
        # Hot-plug a virtual mouse and give the guest time to enumerate it.
        qemu.usb_add('mouse')
        time.sleep(timeout)
        # Type "dmesg -c" into the guest so the enumeration messages are shown and cleared.
        cmd = list('dmesg') + ['space'] \
            + ['minus'] + ['c'] + ['enter']
        qemu.sendkeys(cmd)
        usb_devices = qemu.usb_info()
        if delete:
            # Unplug every device again, addressed as bus.devaddr.
            for device in usb_devices['usbdevices']:
                qemu.usb_del('%d.%d' % (device['busnr'], device['devaddr']))
        print(qemu.cpu_info())

SLIDE 21

USB Fingerprinting

Targeted attacks

OS              Packet Sequence       Retries
Windows         SETUP, IN, OUT        3
Linux 2.6.33    SETUP (9x), RESET     4+2
OpenBSD 4.7     SETUP, IN, OUT        7
FreeBSD 8.0     SETUP, IN, OUT        6

Table: USB Stack Fingerprints of various operating systems

SLIDE 22

Future Work

What's next?

- USB-3? (SuperSpeed, Device Initiated Communication)
- Making it work with GadgetFS
- Make that work on phones
- Get more OS fingerprints
- Exploit more drivers
- Run shellcode
- USB Firewall

SLIDE 23

Q&A

Questions?

Muchas Gracias!

Tobi(as) Mueller
Mail: 4tmuelle@informatik.uni-hamburg.de
PGP: FF52 DA33 C025 B1E0 B910 92FC 1C34 19BF 1BF9 8D6D