deriving intelligence from usb stack
play

Deriving intelligence from USB stack interactions Andy Davis, - PowerPoint PPT Presentation

Jun 19, 2023 •352 likes •874 views

Revealing Embedded Fingerprints: Deriving intelligence from USB stack interactions Andy Davis, Research Director NCC Group Image from: p1fran.com UK Offices North American Offices Australian Offices Manchester - Head Office San Francisco

  1. Revealing Embedded Fingerprints: Deriving intelligence from USB stack interactions Andy Davis, Research Director NCC Group Image from: p1fran.com

  2. UK Offices North American Offices Australian Offices Manchester - Head Office San Francisco Sydney Cheltenham Atlanta Edinburgh New York Leatherhead Seattle London Thame European Offices Amsterdam - Netherlands Munich – Germany Zurich - Switzerland

  3. Agenda Part One: • Overview of the USB enumeration phase • Different USB stack implementations • USB testing platform • Installed drivers and supported devices • Fingerprinting techniques • Umap demo Part Two: • The Windows 8 RNDIS kernel pool overflow • Challenges faced when exploiting USB bugs • Conclusions

  4. Part One: Information gathering • Why do we care? • If you connect to a device surely you already know the platform? • Embedded devices are mostly based on Linux anyway aren't they? • Allows you to focus your testing on only supported functionality

  5. USB Background stuff Image from: blog.brickhousesecurity.com

  6. Overview of the USB enumeration phase • What is enumeration for? • Assign an address • Speed of communication • Power requirements • Configuration options • Device descriptions • Identify class drivers • Lots of information exchange – implemented in many different ways Image from :http://ewalk2.blog117.fc2.com

  7. The USB enumeration phase < Get Device descriptor > Set Address < Get Device descriptor < Get Configuration descriptor < Get String descriptor 0 < Get String descriptor 2 < Get Configuration descriptor < Get Configuration descriptor > Set Configuration

  8. Enumeration phase peculiarities • Why is the device descriptor initially requested twice? • Why are there multiple requests for other descriptors? • Class-specific descriptors: < Get Hub descriptor < Get HID Report descriptor

  9. Different USB stack implementations • Typical components of a USB stack • Windows USB driver stack • Linux USB stack • Embedded Access USB stack Image from: blogs.msdn.com

  10. Typical components of a USB stack • Host Controller hardware • USB System software: • Host Controller Driver – Hardware Abstraction Layer • USB Driver • Class drivers • Application software Image from: www.wired.com

  11. Windows USB driver stack Image from: msdn.microsoft.com

  12. Linux USB stack Image from: www.linux-usb.org

  13. Embedded Access USB stack Image from: www.embedded-access.com

  14. Interacting with USB Image from: www.nvish.com

  15. USB interaction requirements • Need to capture and replay USB traffic • Full control of generated traffic • Class decoders extremely useful • Support for Low/High/Full speed required • USB 3.0 a bonus

  16. USB testing – gold-plated solution • Commercial test equipment

  17. USB testing – the cheaper approach • Facedancer (http://goodfet.sourceforge.net/hardware/facedancer21)

  18. Best solution: A combination of both • Device data can be carefully crafted • Host response data can be captured • Microsecond timing is also recorded • All class-specific data is decoded

  19. Information enumeration Image from: network.nature.com

  20. Target list • Windows 8 • Ubuntu Linux 12.04 LTS • Apple OS X Lion • FreeBSD 5.3 • Chrome OS • Linux-based TV STB

  21. Installed drivers and supported devices • Enumerating supported class types – standard USB drivers • Enumerating all installed drivers • Other devices already connected

  22. Enumerating supported class types Where is USB class information stored? Device Descriptor Interface Descriptor

  23. Installed drivers and supported devices • Drivers are referenced by class (Device and Interface descriptors) • Also, by VID and PID: • For each device class VID and PID values can be brute-forced (can easily be scripted using Facedancer) • Although there may be some shortcuts…. • Valid PIDs and VIDs are available (http://www.linux-usb.org/usb.ids)

  24. Enumerating installed drivers Not installed: Installed: All communication stops after “Set Configuration”

  25. Sniffing the bus - Other connected devices • Data from other devices will be displayed on other addresses • Controlling other devices? (untested)

  26. Fingerprinting techniques • Descriptor request patterns • Timing information • Descriptor types requested • Responses to invalid data • Order of Descriptor requests

  27. OS Identification Linux-based TV STB Windows 8 < Get Max LUN (Mass Storage) < Get Max LUN (Mass Storage) > CBW: INQUIRY > CBW: INQUIRY < MSC Data In < MSC Data In < CSW - Status Passed < CSW - Status Passed > CBW: TEST UNIT READY > CBW: INQUIRY < CSW - Status Passed < MSC Data In > CBW: READ CAPACITY < CSW - Status Passed < MSC Data In > CBW: READ FORMAT CAPACITIES < CSW - Status Passed < MSC Data In > CBW: MODE SENSE < CSW - Status Passed

  28. Application identification “Photos” Metro app (Windows 8) gphoto2 (Linux) > Image: OpenSession > Image: OpenSession < Image: OK < Image: OK > Image: GetDeviceInfo > Image: GetDeviceInfo < Image: DeviceInfo < Image: DeviceInfo < Image: OK < Image: OK > Image: GetStorageIDs > Image: SetDevicePropValue < Image: StorageIDs > Image: DeviceProperty < Image: OK < Image: OK > Image: GetStorageInfo < Image: DeviceInfoChanged < Image: StorageInfo < Image: OK > Image: CloseSession DeviceProperty includes some text: /Windows/6.2.9200 < Image: OK MTPClassDriver/6.2.9200.16384

  29. Request patterns unique elements? • Windows 8 (HID) – 3 x Get Configuration descriptor requests (others have two) • Apple OS X Lion (HID) – Set Feature request right after Set Configuration • FreeBSD 5.3 (HID) – Get Status request right before Set Configuration • Linux-based TV STB (Mass Storage) – Order of class-specific requests

  30. Timing information (work in progress…)

  31. Timing information (work in progress…)

  32. Using timing information? (work in progress …) • Large amount of variance over entire enumeration phase: • 4.055s, 3.834s, 3.612s, 3.403s, 3.089s • Much greater accuracy between specific requests: • Between String Descriptor #0 and #2 requests - 5002us, 5003us, 5003us, 4999us, 5001us • If we know the OS can we potentially determine the processor speed?

  33. Descriptor types requested • Microsoft OS Descriptors (MOD) • Used for “unusual” devices classes • Devices that support Microsoft OS Descriptors must store a special USB string descriptor in firmware at the fixed string index of 0xEE. The request is:

  34. Responses to invalid data • Different USB stacks respond to invalid data in different ways • Maximum and minimum values • Logically incorrect values • Missing data • In some cases: Crashes (potential vulnerabilities) • Other cases: Unique behaviour Image from: windows7.iyogi.com

  35. Invalid data unique elements? Windows (all versions) If you send a specific, logically incorrect HID Report descriptor this happens:

  36. Invalid data unique elements? Windows (all versions) If you send a specific, logically incorrect HID Report descriptor this happens:

  37. Order of Descriptor requests • Some USB stacks request data from devices in a different order • Different drivers may request different descriptors multiple times • Sometimes descriptors are re-requested after enumeration is complete

  38. Demo: umap Image from: us.cdn4.123rf.com

  39. Umap overview • Supported device classes can be enumerated • Operating system information can be enumerated • Devices with specific VID/PID/REV can be emulated • The enumeration phase and class-specific data can be fuzzed • Endpoint protection systems configuration can be assessed • Endpoint protection systems USB protection can be circumvented • USB host implementations can be comprehensively tested

  40. Part Two: Potentially exploitable USB bugs Image from: www.biro-media.hr

  41. The Windows 8 RNDIS kernel pool overflow • MS13-027 • usb8023x.sys - default (Microsoft-signed) Windows Remote NDIS driver that provides network connectivity over USB. • When the following USB descriptor field is manipulated a Bug check occurs indicating a kernel pool overwrite: Configuration descriptor: bNumInterfaces field > actual number of USB interfaces

  42. The Bug Check BAD_POOL_HEADER (19) The pool is already corrupt at the time of the current request. <Truncated for brevity> Arguments: Arg1: 00000020, a pool block header size is corrupt. Arg2: 83e38610, The pool entry we were looking for within the page. Arg3: 83e38690, The next pool entry. Arg4: 08100008, (reserved) <Truncated for brevity> WARNING: SystemResourcesList->Flink chain invalid. Resource may be corrupted, or already deleted. WARNING: SystemResourcesList->Blink chain invalid. Resource may be corrupted, or already deleted. SYMBOL_NAME: usb8023x ! SelectConfiguration +1bd

  43. The SelectConfiguration() function

  44. The crash point

Recommend

Deriving Filtering Algorithms Deriving Filtering Algorithms from Constraint Checkers from

Deriving Filtering Algorithms Deriving Filtering Algorithms from Constraint Checkers from

Deriving Filtering Algorithms Deriving Filtering Algorithms from Constraint Checkers from Constraint Checkers Nicolas Beldiceanu(1), Mats Carlsson(2) and Thierry Petit(1) (1) LINA FRE CNRS 2729, Ecole des Mines de Nantes, FR-44307 Nantes Cedex

642 views • 40 slides
Deriving Knowledge from Local Optima Networks for Evolutionary Optimization in Inventory Routing

Deriving Knowledge from Local Optima Networks for Evolutionary Optimization in Inventory Routing

Deriving Knowledge from Local Optima Networks for Evolutionary Optimization in Inventory Routing Problem Piotr Lipinski 1 , Krzysztof Michalak 2 GECCO 2019, Praha, July 13th, 2019 1 Computational Intelligence Research Group, Institute of

415 views • 41 slides
Stack and Queue Stack Overview Stack ADT Basic operations of stack Pushing, popping

Stack and Queue Stack Overview Stack ADT Basic operations of stack Pushing, popping

Stack and Queue Stack Overview Stack ADT Basic operations of stack Pushing, popping etc. Implementations of stacks using array linked list The Stack ADT A stack is a list with the restriction that insertions and

566 views • 44 slides
Location Intelligence. Privacy Augsburg 2020 Anto Aasa http://aasa.ut.ee/augsburg Location

Location Intelligence. Privacy Augsburg 2020 Anto Aasa http://aasa.ut.ee/augsburg Location

Location Intelligence. Privacy Augsburg 2020 Anto Aasa http://aasa.ut.ee/augsburg Location intelligence (LI) or spatial intelligence process of deriving meaningful insight from geospatial data relationships to solve a particular

867 views • 83 slides
The Stack Eric McCreath The Stack The stack is a simple but useful data structure in computer

The Stack Eric McCreath The Stack The stack is a simple but useful data structure in computer

The Stack Eric McCreath The Stack The stack is a simple but useful data structure in computer science. The stack is an abstract data type that has two main operations. These are push which adds an element to the top of the stack and pop which

754 views • 8 slides
Module 1: Introduction Deriving Business Information Deriving meaningful information from

Module 1: Introduction Deriving Business Information Deriving meaningful information from

Raw Data vs. Business Information Capturing Raw Data Gathering data recorded in everyday operations Module 1: Introduction Deriving Business Information Deriving meaningful information from raw data to Data Warehousing Turning

345 views • 5 slides
Stack ADT Tiziana Ligorio 1 Todays Plan Questons? Stack ADT 2 Abstract Data Types

Stack ADT Tiziana Ligorio 1 Todays Plan Questons? Stack ADT 2 Abstract Data Types

Stack ADT Tiziana Ligorio 1 Todays Plan Questons? Stack ADT 2 Abstract Data Types Bag List Stack 3 Stack 34 A data structure representing a stack of things Objects can be pushed onto the stack or popped from the stack

1.62k views • 116 slides
1 Array-based Stack (2.1.1) Algorithm pop (): if isEmpty () then A simple way of throw

1 Array-based Stack (2.1.1) Algorithm pop (): if isEmpty () then A simple way of throw

Elementary Data Structures Stacks, Queues, Vectors, Lists &amp; Sequences Trees The Stack ADT (2.1.1) The Stack ADT stores arbitrary objects Insertions and deletions Auxiliary stack follow the last-in first-out operations: scheme

473 views • 13 slides
ADT Stack 1 Stacks of Coins and Plates 2 Stacks of Rocks and Books TOP OF THE STACK TOP OF

ADT Stack 1 Stacks of Coins and Plates 2 Stacks of Rocks and Books TOP OF THE STACK TOP OF

ADT Stack 1 Stacks of Coins and Plates 2 Stacks of Rocks and Books TOP OF THE STACK TOP OF THE STACK Add, remove rock and book from the top, or else 3 Stack at logical level A stack is an ADT in which elements add added and

679 views • 19 slides
ADT Stack 1 Stacks of Coins and Plates 2 Stacks of Rocks and Books TOP OF THE STACK TOP OF

ADT Stack 1 Stacks of Coins and Plates 2 Stacks of Rocks and Books TOP OF THE STACK TOP OF

ADT Stack 1 Stacks of Coins and Plates 2 Stacks of Rocks and Books TOP OF THE STACK TOP OF THE STACK Add, remove rock and book from the top, or else 3 Stack at logical level A stack is an ADT in which elements add added and

1.06k views • 37 slides
Call Stack Stack Bottom Memory region managed with stack discipline Procedures and the Call

Call Stack Stack Bottom Memory region managed with stack discipline Procedures and the Call

Call Stack Stack Bottom Memory region managed with stack discipline Procedures and the Call Stack higher %rsp holds lowest stack address addresses (address of &quot;top&quot; element) Topics stack grows Procedures toward lower

76 views • 5 slides
Service composition: Deriving Component Designs from Global Requirements Gregor v. Bochmann

Service composition: Deriving Component Designs from Global Requirements Gregor v. Bochmann

Service composition: Deriving Component Designs from Global Requirements Gregor v. Bochmann School of I nformation Technology and Engineering (SI TE) University of Ottawa Canada http://www.site.uottawa.ca/~ bochmann/talks/Deriving-3.ppt

707 views • 56 slides
Stack 7 January 2019 OSU CSE 1 Stack The Stack component family allows you to manipulate

Stack 7 January 2019 OSU CSE 1 Stack The Stack component family allows you to manipulate

Stack 7 January 2019 OSU CSE 1 Stack The Stack component family allows you to manipulate strings of entries of any (arbitrary) type in LIFO (last-in-first-out) order A kind of dual to Queue Remember, &quot;first&quot; and

450 views • 33 slides
Compilers Stack Machines Alex Aiken Stack Machines Only storage is a stack An

Compilers Stack Machines Alex Aiken Stack Machines Only storage is a stack An

Compilers Stack Machines Alex Aiken Stack Machines Only storage is a stack An instruction r = F(a 1 ,a n ): Pops n operands from the stack Computes the operation F using the operands Pushes the result r on the stack Alex

362 views • 13 slides
Re-arquitetando o Re-arquitetando o Stack Overflow Stack Overflow ou como construmos o Stack

Re-arquitetando o Re-arquitetando o Stack Overflow Stack Overflow ou como construmos o Stack

Re-arquitetando o Re-arquitetando o Stack Overflow Stack Overflow ou como construmos o Stack Overflow for Teams Roberta Arcoverde 1 /whois /whois recifense programadora h 15 anos principal software developer na stack overflow

711 views • 52 slides
Deriving Consensus for Multi-Parallel Corpora: An English Bible Study Patrick Xia David

Deriving Consensus for Multi-Parallel Corpora: An English Bible Study Patrick Xia David

Deriving Consensus for Multi-Parallel Corpora: An English Bible Study Patrick Xia David Yarowsky code, resources, slides: www.github.com/pitrack/monolign Deriving Consensus for Multi-Parallel Corpora: An English Bible Study Deriving

1.05k views • 85 slides
Stack machines (Using slides adapted from the book) Stacks A stack machine maintains an

Stack machines (Using slides adapted from the book) Stacks A stack machine maintains an

Stack machines (Using slides adapted from the book) Stacks A stack machine maintains an unbounded stack of symbols We'll represent these stacks as strings Left end of the string is the top of the stack For example, abc is a stack

406 views • 12 slides
Increasing Addresses Grows Stack Down Stack Pointer: %rsp Stack Top Sean Barker 2

Increasing Addresses Grows Stack Down Stack Pointer: %rsp Stack Top Sean Barker 2

Procedure Call Registers %rax %r8 %eax %r8d Return Arg 5 %rbx %r9 %ebx %r9d Arg 6 %rcx %r10 %ecx %r10d Arg 4 %rdx %r11 %edx %r11d Arg 3 %rsi %r12 %esi %r12d Arg 2 %rdi %r13 %edi %r13d Arg 1 %rsp %r14 %esp %r14d

483 views • 20 slides
Deriving Enforcement Mechanisms from H. Janicke, et.al. Policies Motivation ITL Policy Rules

Deriving Enforcement Mechanisms from H. Janicke, et.al. Policies Motivation ITL Policy Rules

Deriving Enforcement Mechanisms from Policies Deriving Enforcement Mechanisms from H. Janicke, et.al. Policies Motivation ITL Policy Rules Helge Janicke, Antonio Cau, Fran cois Siewe, Enforcement Hussein Zedan Summary Software

550 views • 16 slides
Sorting with Pop Stacks Stack sorting Pop stack sorting 1-pop-stack sortability 2-pop-stack

Sorting with Pop Stacks Stack sorting Pop stack sorting 1-pop-stack sortability 2-pop-stack

Sorting with Pop Stacks Lara Pudwell Sorting with Pop Stacks Stack sorting Pop stack sorting 1-pop-stack sortability 2-pop-stack sortability Polyominoes on a helix Lara Pudwell Width 2 Width 3 faculty.valpo.edu/lpudwell Wrapping up

1.3k views • 69 slides
Procedures and the Call Stack Topics Procedures Call stack Procedure/stack

Procedures and the Call Stack Topics Procedures Call stack Procedure/stack

Procedures and the Call Stack Topics Procedures Call stack Procedure/stack instructions Calling conventions Register-saving conventions Why Procedures? Why functions? Why methods? int contains_char(char* haystack,

892 views • 52 slides
Procedures and the Call Stack Topics Procedures Call stack Procedure/stack

Procedures and the Call Stack Topics Procedures Call stack Procedure/stack

Procedures and the Call Stack Topics Procedures Call stack Procedure/stack instructions Calling conventions Register-saving conventions Why Procedures? Why functions? Why methods? int contains_char(char* haystack,

705 views • 54 slides
Optimization for marking and sweeping Optimization for marking Use a marking stack

Optimization for marking and sweeping Optimization for marking Use a marking stack

Optimization for marking and sweeping Optimization for marking Use a marking stack Iterative marking Minimize stack depth to avoid stack overflow Knuth: treat marking stark circularly Kurokawa: remove items from stack that have

612 views • 16 slides
Stacks The stack ADT Stack Implementation using arrays using generic linked lists

Stacks The stack ADT Stack Implementation using arrays using generic linked lists

Stacks The stack ADT Stack Implementation using arrays using generic linked lists using List ADT Stack Examples EECS 268 Programming II 1 Stacks and Queues Linear data structures each item has specific first , next

497 views • 32 slides

More recommend