Don't Trust Your USB! How to Find Bugs in USB Device Drivers

Presented at Black Hat Europe 2014, Oct. 16, 2014, 2:45 p.m. (30 minutes)

The Universal Serial Bus (USB) has become the standard interface for interconnecting computers with peripheral hardware today. USB is used to access human interface devices (HID) like keyboards and mice, storage devices like USB flash sticks or external harddrives but also webcams, soundcards, network cards (NIC), wireless cards, and bluetooth sticks etc. While the most common devices like keyboards, mice, and storage devices are handled via generic drivers by the kernel on the host system, many devices require specific drivers. Using the facedancer device created by Travis Goodspeed and Sergey Bratus, many implementation bugs in the generic drivers have been found. Systematic analysis of the hardware specific drivers using fuzzing based on the facedancer device is almost impossible because of the enormous amount of different devices and drivers. The current Linux kernel supports 15,000 different vendor and product ids which are mapped to several hundred drivers. These drivers might behave differently depending on the vendor/product id presented. One basic USB simulated test using the facedancer requires 2-7 seconds execution time and can only be parallized using several facedancer devices and as many physical hosts. Therefore, I developed the vUSBf framework. This framework implements a virtual USB fuzzer based on KVM and the USB redirection protocol in QEMU. It virtualizes the target systems and using parallization we are able to execute up to 150 tests/second on a single Intel system with 24 cores. Using the built-in cluster protocol, we are able to arbitrarily scale this using additional systems. The vUSBf framework allows the dynamic definition of several million testcases using a simple XML configuration. Each test is identified using a unique test id and thus is reproducible. We are triggering and detecting the following bugs in both Enterprise Linux kernels and the most current Linux kernels: - Null-pointer dereferences - Kernel paging requests - Kernel panic - Bad page state - Segfault While the actual exploitation of these bugs still needs to be tested and their severity to be determined, the vast amount of bugs we are finding, is frightening. About 0.3% of the tests trigger one of the above listed exceptions in the Linux kernels depending on the kernel used and the amount of drivers included. To validate the results some of the bugs were reproduced using the facedancer and physical hosts. This proves that these bugs might be reproduced using specialized hardware which than can attack, exploit, and maybe compromise the target system. The vUSBf framework uses several emulators for the fuzzing of different devices and stages of the usb connection. Further emulators can be added via a simple API and are currently in development. Additionally, first tests have been executed using Microsoft Windows as a target. The framework will be released as Open Source at the Black Hat Conference.

Presenters:

• Hendrik Schwartke
  Hendrik Schwartke has a master degree in Computer Science from the University of Applied Sciences Muenster. He works as a software developer at OpenSource Security Ralf Spenneberg. His main interrests are software security and hardware hacking.
• Ralf Spenneberg - OpenSource Training
  Ralf Spenneberg has used Linux since 1992 and worked as a system administrator since 1994. During this time, he worked on numerous Windows, Linux, and UNIX systems. Starting in 1998, he has been working as a freelancer in the Linux/UNIX field. Most of the time he provided Linux/UNIX training. His specialty is network administration and security (firewalling, VPNs, intrusion detection, forensics). He has published several German books on VPN, IDS, Firewalls and Mandatory Access Control. His two current companies, OpenSource Training and OpenSource Security, offer training and support in the Network Security field. OpenSource Training was the first Sourcefire Authorized Training Center worldwide.
• Sergej Schumilo - OpenSource Security Ralf Spenneberg
  Sergej Schumilo (23 years old) is studying computer sciences at the University of Applied Sciences in Muenster. Before his studies, he completed a formal education as an IT specialist. Currently, he is employed at OpenSource Security Ralf Spenneberg.

Links:

• https://www.blackhat.com/eu-14/briefings.html#Schumilo
• https://infocon.org/cons/Black Hat/Black Hat Europe/Black Hat Europe 2014/Video/Don t Trust Your USB How to Find Bugs in USB Device Drivers.mp4
• https://www.youtube.com/watch?v=OAbzN8k6Am4
• https://www.blackhat.com/docs/eu-14/materials/eu-14-Schumilo-Dont-Trust-Your-USB-How-To-Find-Bugs-In-USB-Device-Drivers.pdf
• https://www.blackhat.com/docs/eu-14/materials/eu-14-Schumilo-Dont-Trust-Your-USB-How-To-Find-Bugs-In-USB-Device-Drivers-wp.pdf
• https://www.blackhat.com/docs/eu-14/materials/eu-14-Schumilo-Dont-Trust-Your-USB-How-To-Find-Bugs-In-USB-Device-Drivers-toolk-vusbf.tar.gz

Similar Presentations:

• LayerOne 2017 / Exploiting USB/IP in Linux
• Black Hat USA 2011 / USB: Undermining Security Barriers
• Still Hacking Anyway (SHA2017) / FaceDancer 2.0: easy USB hacking, sniffing, and spoofing