device drivers
play

Device Drivers: Dont build a house on a shaky foundation johnny - PowerPoint PPT Presentation

Mar 06, 2024 •183 likes •881 views

Device Drivers: Dont build a house on a shaky foundation johnny cache, researcher david maynor, SecureWorks Overview Problems Nifty Fingerprinting Stuff Finding and Exploiting Vulns Shellcode Design DEMOS!!!!!!

  1. Device Drivers: Don’t build a house on a shaky foundation johnny cache, researcher david maynor, SecureWorks

  2. Overview • Problems • Nifty Fingerprinting Stuff • Finding and Exploiting Vulns • Shellcode Design • DEMOS!!!!!!

  3. Problems? • Speed to market is so important. • Some things don’t get tested properly • New hardware and committee designed protocols are especially susceptible.

  4. Problems (cont…) • Although what follows is mostly focused on 802.11a/b/g the lessons learned can be applied to lots of things – Bluetooth – New 802.11 specs – Wireless data (EDGE, EV-DO, HSDPA)

  5. 802.11 • Why is it so complicated • Does it have to be • Can we fix it? • Consequence’s of complexity: – Fingerprinting 802.11 implementations – Exploiting device drivers

  6. Why so complicated? • "Fear leads to anger. Anger leads to hate. Hate leads to protocols designed by committe.” --warlord (?)

  7. Why so complicated • Partly to ambitious, partly attempting to deal with legitimate problems. • -hidden nodes • -unreliable links • -other networks on same channel

  8. Can we fix it • Yes, all it costs is standards compliance. • Ignore management frames • Ignore (some?) control frames • Remove extra’s (more on these later),

  9. Why is this interesting? • Complexity is a hacker’s best friend. • If its not complex theres no room for bugs. No bugs means no fun. • 802.11 is not lacking in complexity.

  10. Ethernet • 3 fields: src, dst, type.

  11. 802.11 • Version • Type • Subtype • 8 flags. • 1,2,3 or 4 addresses, variable positions ����� ��� ��������� ���

  12. Not done yet.. • Positive acknowledgement • 11 management frames • 6 control frames • ..lots of subtypes for each. • ..various encryption fields (IV, MIC/ICV, etc)

  13. More features! • Ad-Hoc • Power savings • 2 types of MAC (PCF vs DCF) • .11e QoS • Geo-locating proposed? WTH does ‘media access control’ have to do with geo-locating

  14. What do you get when you remove the extras? Nintendo DS No Wi-Fi certification Nowhere near 802.11 compliant Ignores de-auth/disassociates Possibly ignores control packets Works great! (probably doesn’t roam very well)

  15. Fingerprinting 802.11 • Why bother – Target exploits – WIDS can monitor users’ chipset, driver. – Possibly refine OS fingerprints

  16. Fingerprinting 802.11 • Why is this cool – No other link layer protocol fingerprints that I know of • Why is this possible? – Complexity of the protocol

  17. How far down can you go? • Chipset families • Distinct drivers for chipsets • Different versions of the same driver • Firmware (?)

  18. Specific fingerprints • RTS/CTS window honouring • Association Redirection • Duration analysis

  19. RTS/CTS • RTS/CTS packets used to reserve media for large enough packets.

  20. RTS/CTS

  21. RTS/CTS

  22. RTS/CTS

  23. RTS/CTS

  24. RTS/CTS

  25. RTS/CTS

  26. RTS/CTS

  27. How many implementations use this? Nope. Most? Nope A few? None? Yes! (under normal conditions)

  28. RTS/CTS • If they didn’t bother to implement it, they care if other people have?

  29. RTS/CTS • Though code was written to analyze packet dumps, results were not deterministic enough to be useful. • Getting such a high resolution clock/timestamp very diffcult.

  30. Association Redirection • Active fingerprinting technique. • High resolution. • Mind-numbingly boring to automate.

  31. Association Redirection • Specified in standard: pg 376

  32. Quick Overview Important 802.11 fields: Src, Dst, BSSID

  34. Normal 802.11 Association

  35. Association Redirection Unsuccessful Successful

  37. So what weird things happen? • Cards de-auth flood null address (broadcom) • Cards think they are on both networks? (centrino) • Other less dramatic hijinks.

  38. Deauth-Flood example auth-reply

  39. Deauth-Flood example assoc-request

  40. Deauth-Flood example assoc-reply

  41. Deuath-Flood starts

  42. Association Redirection redux • If 1 weird standards quirk is good 3 must be better! – Instead of just source mangle as many things as possible: src, bssid, both

  43. Table2 here

  44. Assocation Redir redux • If 3 standards quirks work OK, why not 9? • Two more tables

  45. Tables 3 and 4 here

  46. Association Redirection summary • very possible to remotely version chipset • can’t really distinguish different drivers • - active technique, requires you to transmit packets.

  47. Duration analysis • Totally passive • Very accurate • Easy to automate • Only basic statistical techniques used.

  48. What is a duration?

  49. What influences duration values. • Rate (.11b, .11g) • Short slot time (g only) • Short pre amble

  50. Example atheros fingerprint Well behaved atheros card: CTS: 0 pwrmgmt: 1 frag: 0 order: 0 --------- <0 0> Duration( (314) ) //assoc request <0 4> Duration( (0) (314) ) //probe request <0 11> Duration( (314) ) //authentication <2 0> Duration( (162) (0) ) //data <2 4> Duration( (162) ) //null function data

  51. Example prism fingerprint poorly behaved prism card: CTS: 0 pwrmgmt: 1 frag: 0 order: 0 --------- <0 0> Duration( (258) ) //assoc req <0 4> Duration( (0) ) //probe req <0 11> Duration( (53389) ) //auth <0 12> Duration( (258) (314) ) //de-auth <2 0> Duration( (213) (0) (223) ) //data <2 4> Duration( (37554) ) //null-func

  52. Simple example • Duration match 2 prints here

  53. Simple example cont.

  54. Real life example (centrino)

  55. Unknown Ralink example tcpdump -i rausb0 -s 0 -w unknown.pcap

  56. So how’s it work? --MagicStats Duration summarry--- Atheros print Total number of unique durations: 12 Total volume: 95 CTS: 0 -------------------------------- pwrmgmt: 1 dur times_seen prob weight frag: 0 0, 25, 0.2632, 3.8000 order: 0 117, 8, 0.0842, 11.8750 --------- <0 0> Duration( (314) ) 127, 2, 0.0211, 47.5000 <0 4> Duration( (0) (314) ) 152, 1, 0.0105, 95.0000 <0 11> Duration( (314) ) 162, 15, 0.1579, 6.3333 213, 5, 0.0526, 19.0000 <2 0> Duration( (162) (0) ) 223, 1, 0.0105, 95.0000 <2 4> Duration( (162) ) 248, 2, 0.0211, 47.5000 258, 6, 0.0632, 15.8333 314, 28, 0.2947, 3.3929 37554, 1, 0.0105, 95.0000 53389, 1, 0.0105, 95.0000

  57. So how’s it work? • Compute fingerprint across input pcap. • Fuzzilly compare it to all known fingerprints. – For every matching duration in comparison print, add points proportional to weight for that duration. – Bonus points for matching type, subtype, and duration all at once.

  58. Fuzzy compare • For every matching duration in comparison print, add points proportional to weight for that duration. • Bonus points for matching type, subtype, and duration all at once.

  59. Also tracks a few other flags Flag value ratio prob weight CTS: 1 0/12 0.0000 inf CTS: 0 12/12 1.0000 1.0000 PwrMgmt: 1 8/12 0.6667 1.5000 PwrMgmt: 0 4/12 0.3333 3.0000 frag: 1 0/12 0.0000 inf frag: 0 12/12 1.0000 1.0000 order: 1 0/12 0.0000 inf order: 0 12/12 1.0000 1.0000

  60. how accurate is it? • When run across my own set of training data, the following results apply: • B-only (0x0021 flags, lexie) – 26 times better than random • mixed-BG (0x0401/0x0001 flags) – 18 times better than random

  61. Finding and exploiting vulns in drivers.

  62. Ways to find bugs? • Static auditing • Fuzzing

  63. Things to think about • Fuzzing can be frustrating – A bug could be triggered by something 8 packet chains ago – Hard to track down in ring0

  64. fuzz-e

  65. fuzz-e ( j ohnycsh @d i z : f uzz - e )$ . / f u zz -e -R -A -P a th0 -n 500 - r r t 2570 - i r ausb0 - c 11 -D . / des t -addys . t x t -w u20000 - s 00 :07 :0E :B9 :74 :BB -b 0 0 :07 :0E:B9 :74 :BB - E log . t x t -R random delays -A autonomous mode (don’t stop) -P passive interface to sniff on -n 500 send 500 packets per cycle -r rt2570 driver to inject with -i rausb0 inject on rausb0 -c 11 set channel to 11 -D dest-addys specify list of victims -w u20000 wait 200000 usecs (max) -s source address of packets -b bssid of packets -E log events to log.txt

Recommend

Hardware and Device Drivers Device virtualization Device drivers and security Bjrn

Hardware and Device Drivers Device virtualization Device drivers and security Bjrn

Outline Faculty of Computer Science Institute for System Architecture, Operating Systems Group What's so different about device drivers? Hardware access Writing device drivers on L4 Reuse of legacy drivers Hardware and Device

619 views • 12 slides
Understanding Modern Device Drivers Why study device drivers? Linux drivers constitute ~5

Understanding Modern Device Drivers Why study device drivers? Linux drivers constitute ~5

3/6/12 Understanding Modern Device Drivers Why study device drivers? Linux drivers constitute ~5 million LOC and 70% of kernel Little exposure to this breadth of driver code from research Better understanding of drivers can lead to

484 views • 14 slides
Linux Device Drivers Linux Device Drivers Kernel 2.6 1. Introduction Dr. Wolfgang Koch 2.

Linux Device Drivers Linux Device Drivers Kernel 2.6 1. Introduction Dr. Wolfgang Koch 2.

Linux Device Drivers Linux Device Drivers Kernel 2.6 1. Introduction Dr. Wolfgang Koch 2. Kernel Modules Friedrich Schiller University Jena 3. Char Drivers Department of Mathematics and 4. Advanced Char Drivers Computer Science 5.

531 views • 12 slides
Linux Device Drivers Linux Device Drivers Dr. Wolfgang Koch 1. Introduction Friedrich Schiller

Linux Device Drivers Linux Device Drivers Dr. Wolfgang Koch 1. Introduction Friedrich Schiller

Linux Device Drivers Linux Device Drivers Dr. Wolfgang Koch 1. Introduction Friedrich Schiller University Jena 2. Kernel Modules Department of Mathematics and 3. Char Drivers Computer Science 4. Advanced Char Drivers Jena, Germany 5.

529 views • 17 slides
Towards safer Concurrent Device Drivers Making Safer Concurrent Device Drivers. Modeling RMoX

Towards safer Concurrent Device Drivers Making Safer Concurrent Device Drivers. Modeling RMoX

Concurrent Device Drivers Martin Ellis Motivation Towards safer Concurrent Device Drivers Making Safer Concurrent Device Drivers. Modeling RMoX Drivers in CSP Previous Work The Problem Our Technique Resource Driver Martin Ellis

605 views • 32 slides
UMBC A B M A L T F O U M B C I M Y O R T 1 (May 2, 2002) I E S R C E O

UMBC A B M A L T F O U M B C I M Y O R T 1 (May 2, 2002) I E S R C E O

Systems Design&amp;Programming Linux Device Drivers III CMPE 310 Char Drivers Well develop a device driver, scull , which treats an area of memory as a device. There are several types of scull devices: scull[0-3] This type has four

481 views • 19 slides
Hardware and Device Drivers Bjrn Dbel Dresden, 2007-11-13 Outline What's so different

Hardware and Device Drivers Bjrn Dbel Dresden, 2007-11-13 Outline What's so different

Faculty of Computer Science Institute for System Architecture, Operating Systems Group Hardware and Device Drivers Bjrn Dbel Dresden, 2007-11-13 Outline What's so different about device drivers? Hardware access Writing device

634 views • 45 slides
Dingo: Taming Device Drivers Leonid Ryzhyk Peter Chubb Ihor Kuz Gernot Heiser UNSW,

Dingo: Taming Device Drivers Leonid Ryzhyk Peter Chubb Ihor Kuz Gernot Heiser UNSW,

Dingo: Taming Device Drivers Leonid Ryzhyk Peter Chubb Ihor Kuz Gernot Heiser UNSW, NICTA, Open Kernel Labs (Australia) The problem with drivers 70% of OS crashes are caused by device drivers Drivers contain 1.5x-7x bugs per loc

557 views • 36 slides
HW/SW Codesign w/ FPGAs Microprogramming ECE 495/595 Introduction (Linux Device Drivers, 3rd

HW/SW Codesign w/ FPGAs Microprogramming ECE 495/595 Introduction (Linux Device Drivers, 3rd

HW/SW Codesign w/ FPGAs Microprogramming ECE 495/595 Introduction (Linux Device Drivers, 3rd Edition (www.makelinux.net/ldd3)) Device Drivers -&gt; DD They are a well defined programming interface between the applications and the actual

486 views • 24 slides
Operating System Principles: Devices, Device Drivers, and I/O CS 111 Operating Systems Peter

Operating System Principles: Devices, Device Drivers, and I/O CS 111 Operating Systems Peter

Operating System Principles: Devices, Device Drivers, and I/O CS 111 Operating Systems Peter Reiher Lecture 12 CS 111 Page 1 Summer 2017 Outline Devices and device drivers I/O performance issues Device driver abstractions

1.92k views • 58 slides
Writing and Adapting Device Drivers for FreeBSD John Baldwin November 5, 2011 What is a Device

Writing and Adapting Device Drivers for FreeBSD John Baldwin November 5, 2011 What is a Device

Writing and Adapting Device Drivers for FreeBSD John Baldwin November 5, 2011 What is a Device Driver? Hardware Functionality A device driver is the software that bridges Device Driver the two. 2 Focus of This Presentation

1.08k views • 93 slides
Kernel Modules KLD Device Drivers The kld interface allows system administrators to

Kernel Modules KLD Device Drivers The kld interface allows system administrators to

Dynamic Kernel Linker Facility - Kernel Modules KLD Device Drivers The kld interface allows system administrators to dynamically add and remove functionality from a Pseudo device example running system. Joystick device example This

503 views • 8 slides
Abstraction via the OS Device Drivers Jonathan Misurda jmisurda@cs.pitt.edu Software Layers

Abstraction via the OS Device Drivers Jonathan Misurda jmisurda@cs.pitt.edu Software Layers

Abstraction via the OS Device Drivers Jonathan Misurda jmisurda@cs.pitt.edu Software Layers Device Drivers User User space program User User level I/O software &amp; libraries Kernel space Device independent OS software Operating

765 views • 5 slides
Devices and Device Drivers CS 111 Operating Systems Peter Reiher Lecture 12 CS 111 Page 1

Devices and Device Drivers CS 111 Operating Systems Peter Reiher Lecture 12 CS 111 Page 1

Devices and Device Drivers CS 111 Operating Systems Peter Reiher Lecture 12 CS 111 Page 1 Fall 2015 Outline The role of devices Device drivers Classes of device driver Lecture 12 CS 111 Page 2 Fall 2015 So Youve Got Your

755 views • 59 slides
XXX Tolerating Malicious Drivers in Linux Silas Boyd-Wickizer and Nickolai Zeldovich How could

XXX Tolerating Malicious Drivers in Linux Silas Boyd-Wickizer and Nickolai Zeldovich How could

XXX Tolerating Malicious Drivers in Linux Silas Boyd-Wickizer and Nickolai Zeldovich How could a device driver be malicious? Today's device drivers are highly privileged Write kernel memory, allocate memory, ... Drivers are complex;

1.63k views • 95 slides
How to develop Device Drivers for Linux OS? Presented from: Rashid Siddiqui For: Bin Tang What

How to develop Device Drivers for Linux OS? Presented from: Rashid Siddiqui For: Bin Tang What

How to develop Device Drivers for Linux OS? Presented from: Rashid Siddiqui For: Bin Tang What is a device driver? Software that handles or manages a hardware controller for a particular device! What is a Controller? Is a piece of hardware

624 views • 31 slides
Device From kernel-level code Drivers Interact with device(s) Send commands Read responses

Device From kernel-level code Drivers Interact with device(s) Send commands Read responses

Universit degli studi di Udine Universit degli studi di Udine Device Driver Receive requests From user-level code (through syscalls) Device From kernel-level code Drivers Interact with device(s) Send commands Read responses Handle

702 views • 38 slides
Naming Device Drivers Stefan Kalkowski Real-Time Today: Naming Dresden, 2007-11-27

Naming Device Drivers Stefan Kalkowski Real-Time Today: Naming Dresden, 2007-11-27

So far... Faculty of Computer Science Institute for System Architecture, Operating Systems Group Basics: Tasks and Threads Synchronization Memory Communication Naming Device Drivers Stefan Kalkowski Real-Time

338 views • 10 slides
Linux Device Drivers Modules A piece of code that can be added to the kernel at runtime is

Linux Device Drivers Modules A piece of code that can be added to the kernel at runtime is

Linux Device Drivers Modules A piece of code that can be added to the kernel at runtime is called a module A device driver is one kind of module Each module is made up of object code that can be dynamically linked to the running

388 views • 28 slides
Character device drivers Praktikum Kernel Programming December 17, 2014 - Albrecht Oster,

Character device drivers Praktikum Kernel Programming December 17, 2014 - Albrecht Oster,

Character device drivers Praktikum Kernel Programming December 17, 2014 - Albrecht Oster, Walter Knig Outline What is a character device driver? How can we use it? What does it look like? Lets write our own! 2 What is

374 views • 11 slides
Decaf: Moving Device Drivers to a Modern Language Ma$hew Renzelmann Michael Swi0

Decaf: Moving Device Drivers to a Modern Language Ma$hew Renzelmann Michael Swi0

Decaf: Moving Device Drivers to a Modern Language Ma$hew Renzelmann Michael Swi0 University of WisconsinMadison Driver Programming Is Not Easy __free_pages release_and_free_resource argv_free rpc_free_iostats

564 views • 37 slides
Static Analysis by Abstract Interpretation of Functional Properties of Device Drivers in TinyOS

Static Analysis by Abstract Interpretation of Functional Properties of Device Drivers in TinyOS

Static Analysis by Abstract Interpretation of Functional Properties of Device Drivers in TinyOS Abdelraouf Ouadjaout, Antoine Min, Noureddine Lasla, Nadjib Badache ENS &amp; UPMC, Paris CERIST &amp; USTHB, Algiers Workshop on Static

1.08k views • 42 slides
Integrating Concurrency Control and Energy Management in Device Drivers Chenyang Lu Why worry

Integrating Concurrency Control and Energy Management in Device Drivers Chenyang Lu Why worry

Integrating Concurrency Control and Energy Management in Device Drivers Chenyang Lu Why worry about energy? 16x Intel vs. Duracell 14x Processor (MIPS) 12x Hard Disk (capacity) 10x Improvement (compared to year 0) 8x Memory

808 views • 77 slides
TOS Arno Puder 1 Device Drivers Code that manages the details of interacting with a

TOS Arno Puder 1 Device Drivers Code that manages the details of interacting with a

TOS Arno Puder 1 Device Drivers Code that manages the details of interacting with a particular piece of hardware Interacting with hardware includes handling I/O and interrupts Linux kernel (2.6.x): 2.3 million lines of code in

565 views • 33 slides

More recommend