Virtualised USB Fuzzing using QEMU and Scapy - Breaking ... · Intro Fuzzing Results Virtualised USB Fuzzing using QEMU and Scapy Breaking USB for Fun and Pro t Tobias Mueller School

IntroFuzzingResults

Virtualised USB Fuzzing using QEMU and ScapyBreaking USB for Fun and Profit

Tobias Mueller

School of ComputingDublin City University

2011-09-23

1 / 28

IntroFuzzingResults

1 IntroMotivationUSB TriviaUSB Architecture

2 FuzzingObtaining valid USB communicationQEMUVirtual USB Device

3 ResultsStack Stress TestUSB FingerprintingDriver Flaws

2 / 28

IntroFuzzingResults

About meMotivationUSB TriviaUSB Architecture

About me

Tobi(as) Mueller

Mail [email protected] F452 FDA0 99D8 CB7E

54F7 DC03 BAA3 D349 2A2A

Talk ∼ 40 mins

Ask immediately

Demos

3 / 28

IntroFuzzingResults


MotivationWhat’s the problem?

USB supported by every major OS

USB widely deployed

USB drivers in kernel space

Not easy to assess security

Development board?Inject messages into kernel?

4 / 28

Digital Voting PenYes, it uses USB. hehe

In-Flight entertainmentBased on Linux or VxWorks

IntroFuzzingResults


USB

<1990: Serial and Parallel ports

IO and IRQs

>1990: USB *yay*

cheap to build

hotplug

auto config

However

<5 metres

device 6→ device

8 / 28

IntroFuzzingResults


Architecture

Host initiated communication

→ pollingYes, even with keyboards or mice

packet-based

SETUPINOUT

9 / 28

Kernelspace

Userspace

USB Stack

Device Driver Device Driver

Subsystem

Electrical Layer

Application Application Application

Subsystem

Abbildung: Key components of a system with USB support

Device Descriptor

Configuration

Interface

Endpoint

Configuration

Interface

Endpoint Endpoint

Interface

Endpoint

Device Descriptor

QemuUSB44 3e 48 00

pipe direction ’D>H’ (device to h[...]

69 00 00 00

pid IN

00

devaddr 0

00

devep 0

12 00 00 00

length 18

USBIn

Descriptor

12

length 18

01

type Device

DeviceDescriptor

00 02

bcdUSB 0x0200

00

bDeviceClass Base Class

00

bDeviceSubClass 0

00

bDeviceProtocol 0

40

bMaxPacketSize 64

07 13

idVendor 0x1307

63 01

idProduct 0x0163

00 01

bcdDevice 256

01

iManufacturer 1

02

iProduct 2

03

iSerialNumber 3

01

bNumConfigurations1

IntroFuzzingResults


Recent USB issues

The Playstation 3 Hack

Configuration Descriptor overflow. . . m(

13 / 28

IntroFuzzingResults


Recent USB issues (cont.)

Solaris FAIL

Configuration Descriptor overflow by Andy Davies(CVE-2011-2295)

14 / 28

IntroFuzzingResults


Physical Access?

Often argued that it’s not in the OS’s threat model

except, it is. . .

Not necessarily needed due to:

USB/IPWireless USB

15 / 28

IntroFuzzingResults

Obtaining valid USB communicationQEMUVirtual USB Device

Fuzzing

Dumb Fuzzing

coined in late 80’sfeed program with random(?) datareceived a lot of attention ∼ 2004

Smart Fuzzing

Modify existing valid structured dataChecksumsCover more codePatent encumbered?

Scapy

Awesome (!) frameworksniff, manipulate, craft, send (Ethernet) packetsmodels packets in Python

16 / 28

IntroFuzzingResults


Obtaining Valid USB communication

Read specs :-(

mount none -t debugfs /sys/kernel/debug

mount none -t usbmon

see Documentation/usb/usbmon.txt:-(

Using QEMU: Implement filter to pipe out communication(originally done by Moritz Jodeit)

17 / 28

IntroFuzzingResults


Virtual Machine

Host

Filter

(QEMU) USB Device

18 / 28

IntroFuzzingResults


Small demo

19 / 28

IntroFuzzingResults


QEMU

Full virtualisation (not Xen, OpenVZ, UML, etc. . . )

Free (as in speech) Virtualisation (not VMWare)

Existing Virtual USB Drivers (not VirtualBox as of end 2010)

20 / 28

IntroFuzzingResults


Virtual USB Device

Take simple existing MSD or Serial driver

Write out / Read in USB packets

Implement desired behaviour externally

cat and echo

Or enhancing Scapy to read/write from pipes

→ Automaton class

21 / 28

IntroFuzzingResults


Virtual Machine

Host

Virtual USBSoftware Device(QEMU)

22 / 28

IntroFuzzingResults


Small demo

23 / 28

USB Stack stress testingHow many devices can you handle?

def r u n s i m p l e t e s t ( qemu , t i m e o u t =4, d e l e t e=F a l s e ) :qemu . usb add (’mouse’ )t ime . s l e e p ( t i m e o u t )cmd = l i s t (’dmesg’ ) + [ ’space’ ] \

+ [ ’minus’ ] + [ ’c’ ] + [ ’enter’ ]qemu . s e n d k e y s (cmd)u s b d e v i c e s = qemu . u s b i n f o ( )i f d e l e t e :

f o r d e v i c e i n u s b d e v i c e s [ ’usbdevices’ ] :qemu . u s b d e l (’%d.%d’ %

( d e v i c e [ ’busnr’ ] , d e v i c e [ ’devaddr’ ] ) )

p r i n t qemu . c p u i n f o ( )

IntroFuzzingResults

Stack Stress TestUSB FingerprintingDriver Flaws

USB FingerprintingTargeted attacks

OS Packet Sequence RetriesWindows SETUP, IN, OUT 3Linux 2.6.33 SETUP (9x), RESET 4+2OpenBSD 4.7 SETUP, IN, OUT 7FreeBSD 8.0 SETUP, IN, OUT 6

Tabelle: USB Stack Fingerprints of various operating systems

25 / 28

IntroFuzzingResults

Stack Stress TestUSB FingerprintingDriver Flaws

Driver Flaws

Demo: Who’s got Linux?

26 / 28

IntroFuzzingResults

Future WorkWhat’s next?

USB-3? (SuperSpeed, Device Initiated Communication)

Making it work with GadgetFS

Make that work on N900

Get more fingerprints

Exploit more drivers

Run shellcode

USB Firewall

27 / 28

IntroFuzzingResults

Q&AQuestions?

Muchas Gracias!

Preguntas?!

28 / 28

Documents

Virtualised USB Fuzzing using QEMU and Scapy - Breaking ... · Intro Fuzzing Results Virtualised USB Fuzzing using QEMU and Scapy Breaking USB for Fun and Pro t Tobias Mueller School