LBM: A Security Framework for Peripherals within the Linux Kernel (slide deck)


  1. LBM: A Security Framework for Peripherals within the Linux Kernel
  Dave (Jing) Tian*^, Grant Hernandez*, Joseph Choi*, Vanessa Frost*, Peter Johnson**, and Kevin Butler*
  *University of Florida, Gainesville, FL   ^Purdue University, West Lafayette, IN   **Middlebury College, VT
  May 22, 2019
  Florida Institute of Cyber Security (FICS) Research

  2. Peripherals

  3. Modern Peripherals

  4. Modern Peripherals

  5. Modern Peripherals: What could possibly go wrong??

  6. Malicious Peripherals

  7. Malicious Peripherals
  [Figure captions] Bluetooth: pairing (build trust) → after pairing (still “trusted”); BadBluetooth attacks; “5.3 Billion Devices Affected”. NFC: “0day attacks over NFC!”; NFC reader/writers: table top (MDF), Tap’n Laptop, Table Ghost.

  8. Solution?
  Three kinds of packets a peripheral can send the host:
  • Functional-unexpected pkt
  • Specially-crafted pkt
  • Malformed pkt

  9. Challenges
  • Peripheral diversity
    • USBFILTER (USENIX Sec’16), USBFirewall (ACSAC’17)
    • Bluetooth, NFC, etc.
  • Filtering (rule) complexity
    • Programmability vs. usability
  • Extensibility

  10. Linux (e)BPF Modules (LBM)
  • A generic security framework for peripherals
  • Peripheral diversity → peripheral agnostic; LBM hooks
  • Filtering complexity → eBPF; filter DSL
  • Extensibility → module extension: USB, Bluetooth, NFC

  11. LBM: Architecture
  [Figure] User space: a policy such as "if usb.devnum == 7: drop" is compiled by lbmtool (LLVM/Clang) and loaded through the bpf syscall and the lbm sysfs interface. Kernel space: the LBM framework (filters lbm1, lbm2, lbm3 running on BPF/eBPF) with LBM TX and LBM RX hooks in the USB, Bluetooth and NFC subsystems, filtering USB packets, BT packets and NFC packets respectively.

  12. LBM: Hooks
  • Linux Security Modules (LSM): > 100 hooks (kernel 4.13)
  • Linux (e)BPF Modules (LBM): 1 hook
    int lbm_filter_pkt(int subsys, int dir, void *pkt)
    lbm_filter_pkt(LBM_SUBSYS_INDEX_USB, LBM_DIR_TX, (void *)urb);
    lbm_filter_pkt(LBM_SUBSYS_INDEX_USB, LBM_DIR_RX, (void *)urb);

  13. LBM: Hook Placement
  [Figure] USB: Storage / Input / Video drivers ↔ USB Core ↔ LBM TX / LBM RX ↔ Host Controller Device Driver ↔ Host Controller Device ↔ USB peripherals. Bluetooth: L2CAP (LBM TX / LBM RX) ↔ SCO / ACL ↔ Bluetooth Core ↔ LBM TX / LBM RX ↔ Host Controller Interface ↔ Bluetooth Module ↔ Bluetooth peripherals.

  14. LBM: Filter DSL & lbmtool
  lbmtool pipeline: Expr → Parse → CST → Tree Shaping → AST → Semantic Analysis → IRGen → IR → CodeGen → eBPF Program → Loader → sys_bpf call / write to sysfs
  Filter: usb.idVendor == 0x413c && usb.idProduct == 0x3010
  eBPF assembly emitted by lbmtool:
    LSTART:
      MOV64_REG(REG_9, REG_1)
      MOV64_REG(REG_1, REG_9)
      CALL_FUNC(FUNC_lbm_usb_get_idVendor)
      MOV64_REG(REG_1, REG_0)
      MOV64_IMM(REG_6, 1)
      JMP_IMM(JEQ, REG_1, 16700, L1_)        /* 16700 == 0x413c */
      MOV64_IMM(REG_6, 0)
    L1_:
      MOV64_REG(REG_1, REG_9)
      CALL_FUNC(FUNC_lbm_usb_get_idProduct)
      MOV64_REG(REG_2, REG_0)
      MOV64_IMM(REG_3, 1)
      JMP_IMM(JEQ, REG_2, 12304, L2_)        /* 12304 == 0x3010 */
      MOV64_IMM(REG_3, 0)
    L2_:
      JMP_IMM(JEQ, REG_6, 0, L3_)
      JMP_IMM(JEQ, REG_3, 0, L3_)
      MOV64_IMM(REG_4, 1)
      JMP_A(L4_)
    L3_:
      MOV64_IMM(REG_4, 0)
    L4_:
      JMP_IMM(JNE, REG_4, 0, L5_)
    L6_:
      MOV64_IMM(REG_0, 0)
      EXIT_INSN()
    L5_:
      MOV64_IMM(REG_0, 1)
    LEND:
      EXIT_INSN()
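To see what the emitted program actually computes, the following is an added example (not code from the slides or from the LBM repository) that runs the slide's instruction sequence in a minimal eBPF-style interpreter. The two usb.* helpers are stubbed over a constructed device record; the opcode encoding, struct fake_usb_dev, run_filter and lbm_match_usb are my own simplifications and not LBM's or the kernel's definitions. Note how lbmtool materialises each comparison into a register (R6, R3) and then short-circuits the && with two JEQ-to-L3_ jumps, so the result in R0 is 1 only when both IDs match.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the object the USB hook hands to the filter (the real hook
 * passes a struct urb and LBM's helpers dig the IDs out of it). */
struct fake_usb_dev { uint16_t idVendor; uint16_t idProduct; };

enum helper { FUNC_lbm_usb_get_idVendor, FUNC_lbm_usb_get_idProduct };

/* eBPF helpers take their first argument in R1 and return their result in R0. */
static uint64_t call_helper(enum helper f, uint64_t r1)
{
    const struct fake_usb_dev *d = (const struct fake_usb_dev *)(uintptr_t)r1;
    switch (f) {
    case FUNC_lbm_usb_get_idVendor:  return d->idVendor;
    case FUNC_lbm_usb_get_idProduct: return d->idProduct;
    }
    return 0;
}

enum opcode { MOV64_REG, MOV64_IMM, CALL_FUNC, JMP_JEQ, JMP_JNE, JMP_A, EXIT_INSN };
struct insn { enum opcode op; int dst, src; int64_t imm; int target; };

enum { REG_0, REG_1, REG_2, REG_3, REG_4, REG_5, REG_6, REG_7, REG_8, REG_9 };
/* The slide's labels resolved to indices into prog[] below. */
enum { L1_ = 7, L2_ = 13, L3_ = 17, L4_ = 18, L6_ = 19, L5_ = 21 };

#define MOVR(d, s)     { MOV64_REG, d, s, 0, 0 }
#define MOVI(d, v)     { MOV64_IMM, d, 0, v, 0 }
#define CALLF(f)       { CALL_FUNC, 0, 0, f, 0 }
#define JEQI(r, v, l)  { JMP_JEQ, r, 0, v, l }
#define JNEI(r, v, l)  { JMP_JNE, r, 0, v, l }
#define JA(l)          { JMP_A, 0, 0, 0, l }
#define EXITI          { EXIT_INSN, 0, 0, 0, 0 }

/* usb.idVendor == 0x413c && usb.idProduct == 0x3010, instruction for instruction as on the slide. */
static const struct insn prog[] = {
    MOVR(REG_9, REG_1),                                    /* 0: keep the packet pointer in R9 */
    MOVR(REG_1, REG_9), CALLF(FUNC_lbm_usb_get_idVendor),  /* 1-2 */
    MOVR(REG_1, REG_0), MOVI(REG_6, 1),                    /* 3-4 */
    JEQI(REG_1, 16700, L1_), MOVI(REG_6, 0),               /* 5-6: R6 = (idVendor == 0x413c) */
    MOVR(REG_1, REG_9), CALLF(FUNC_lbm_usb_get_idProduct), /* 7-8: L1_ */
    MOVR(REG_2, REG_0), MOVI(REG_3, 1),                    /* 9-10 */
    JEQI(REG_2, 12304, L2_), MOVI(REG_3, 0),               /* 11-12: R3 = (idProduct == 0x3010) */
    JEQI(REG_6, 0, L3_), JEQI(REG_3, 0, L3_),              /* 13-14: L2_, short-circuit && */
    MOVI(REG_4, 1), JA(L4_),                               /* 15-16 */
    MOVI(REG_4, 0),                                        /* 17: L3_ */
    JNEI(REG_4, 0, L5_),                                   /* 18: L4_ */
    MOVI(REG_0, 0), EXITI,                                 /* 19-20: L6_, return 0 */
    MOVI(REG_0, 1), EXITI,                                 /* 21-22: L5_, return 1 */
};

/* Minimal eBPF-style interpreter: R1 holds the context on entry, R0 the result at EXIT.
 * Running off the end returns -1 (the kernel verifier rejects such programs up front). */
static int run_filter(const struct insn *p, size_t n, uint64_t ctx)
{
    uint64_t r[10] = { 0 };
    r[REG_1] = ctx;
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *i = &p[pc];
        switch (i->op) {
        case MOV64_REG: r[i->dst] = r[i->src]; break;
        case MOV64_IMM: r[i->dst] = (uint64_t)i->imm; break;
        case CALL_FUNC: r[REG_0] = call_helper((enum helper)i->imm, r[REG_1]); break;
        case JMP_JEQ:   if (r[i->dst] == (uint64_t)i->imm) pc = (size_t)i->target - 1; break;
        case JMP_JNE:   if (r[i->dst] != (uint64_t)i->imm) pc = (size_t)i->target - 1; break;
        case JMP_A:     pc = (size_t)i->target - 1; break;
        case EXIT_INSN: return (int)r[REG_0];
        }
    }
    return -1;
}

/* Run the filter over a device with the given IDs: 1 when the expression holds, else 0. */
int lbm_match_usb(uint16_t vid, uint16_t pid)
{
    struct fake_usb_dev dev = { vid, pid };
    return run_filter(prog, sizeof prog / sizeof prog[0], (uint64_t)(uintptr_t)&dev);
}

int main(void)
{
    printf("0x413c:0x3010 -> %d\n", lbm_match_usb(0x413c, 0x3010));
    printf("0x413c:0x0001 -> %d\n", lbm_match_usb(0x413c, 0x0001));
    return 0;
}
```

The interpreter is deliberately reduced to the six instruction forms lbmtool used here; a real loader would hand the same sequence to the bpf syscall, where the verifier also checks that every helper call and jump target is legal before the program can run in the hook.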

  15. LBM: Proof-of-Concept for NFC
  • Step I: place hooks
    lbm_filter_pkt(LBM_SUBSYS_INDEX_NFC, LBM_DIR_TX, (void *)skb);
    lbm_filter_pkt(LBM_SUBSYS_INDEX_NFC, LBM_DIR_RX, (void *)skb);
  • Step II: expose protocol fields
  • Step III: extend lbmtool, e.g. nci.len > 10 && nci.mt == 5
  Total # of lines: NFC kernel 85, lbmtool 12, total 97

  16. LBM: FaceDancer Testing Target

  17. LBM: Protocol Stack Protection
  Filter on GET_DESCRIPTOR responses during enumeration:
    ((usb.setup_packet != 0) &&              /* For enumeration */
     (usb.request[0] == 0x80) &&             /* Device-to-host, standard, device recipient */
     (usb.request[1] == 0x06) &&             /* GET_DESCRIPTOR */
     /* Make sure the response contains at least 2 bytes */
     ((usb.actual_length < 2) ||
      /* Make sure the descriptor type matches the one requested (high byte of wValue) */
      ((usb.request[3] != usb.data[1]) ||
       /* Device descriptor: exactly 18 bytes */
       ((usb.request[3] == 1) && ((usb.data[0] != 18) || (usb.actual_length != 18))) ||
       /* Configuration descriptor: at least 9 bytes */
       ((usb.request[3] == 2) && ((usb.data[0] < 9) || (usb.actual_length < 9))) ||
       /* String descriptor: at least 4 bytes */
       ((usb.request[3] == 3) && ((usb.data[0] < 4) || (usb.actual_length < 4))))))
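The same rule as a C predicate, added here as an example that is not the project's code: struct urb_view is a constructed stand-in for the URB fields the usb.* helpers expose, check_get_descriptor and the LBM_DROP / LBM_ALLOW constants are mine, and a true result is treated as a drop verdict (an assumption; the slide shows only the expression). It keeps the slide's evaluation order, so usb.data is dereferenced only after actual_length >= 2 has been checked, which is exactly the short response a FaceDancer-style device would use to make an unchecked stack read past the buffer. The sample descriptors are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LBM_DROP  1
#define LBM_ALLOW 0

/* Constructed view of the URB fields the slide's usb.* helpers read. */
struct urb_view {
    int has_setup;           /* usb.setup_packet != 0: a control transfer */
    uint8_t request[8];      /* usb.request: SETUP packet (bmRequestType, bRequest, wValue, wIndex, wLength) */
    uint32_t actual_length;  /* usb.actual_length: bytes the device actually returned */
    const uint8_t *data;     /* usb.data: the response buffer (bLength, bDescriptorType, ...) */
};

enum { USB_DT_DEVICE = 1, USB_DT_CONFIG = 2, USB_DT_STRING = 3 };

/* The slide's rule, evaluated in the slide's order: usb.data is only read after
 * actual_length >= 2 has been established. Returns LBM_DROP when a GET_DESCRIPTOR
 * response should not reach the USB core. */
int lbm_usb_descriptor_check(const struct urb_view *u)
{
    if (!u->has_setup)                                   /* not enumeration traffic */
        return LBM_ALLOW;
    if (u->request[0] != 0x80 || u->request[1] != 0x06)  /* not a device-to-host GET_DESCRIPTOR */
        return LBM_ALLOW;
    if (u->actual_length < 2)                            /* too short for bLength + bDescriptorType */
        return LBM_DROP;

    uint8_t wanted = u->request[3];                      /* descriptor type = high byte of wValue */
    uint8_t bLength = u->data[0], bType = u->data[1];
    if (bType != wanted)                                 /* device answered with some other descriptor */
        return LBM_DROP;

    switch (wanted) {
    case USB_DT_DEVICE: return (bLength != 18 || u->actual_length != 18) ? LBM_DROP : LBM_ALLOW;
    case USB_DT_CONFIG: return (bLength < 9  || u->actual_length < 9)  ? LBM_DROP : LBM_ALLOW;
    case USB_DT_STRING: return (bLength < 4  || u->actual_length < 4)  ? LBM_DROP : LBM_ALLOW;
    default:            return LBM_ALLOW;                /* other descriptor types are not policed by this rule */
    }
}

/* Build the view for a GET_DESCRIPTOR(type) control transfer that returned n bytes of resp. */
int check_get_descriptor(uint8_t type, const uint8_t *resp, uint32_t n)
{
    struct urb_view u = { 1, { 0x80, 0x06, 0x00, type, 0x00, 0x00, (uint8_t)n, 0x00 }, n, resp };
    return lbm_usb_descriptor_check(&u);
}

/* Constructed sample responses. */
const uint8_t good_dev[18] = { 18, 1, 0x00, 0x02, 0, 0, 0, 64, 0x3c, 0x41, 0x10, 0x30, 0x00, 0x01, 1, 2, 3, 1 };
const uint8_t good_cfg[9]  = { 9, 2, 0x12, 0x00, 1, 1, 0, 0x80, 50 };
const uint8_t lang_str[4]  = { 4, 3, 0x09, 0x04 };   /* string descriptor 0: LANGID 0x0409 */

int main(void)
{
    printf("full device descriptor:      %d\n", check_get_descriptor(USB_DT_DEVICE, good_dev, 18));
    printf("device descriptor cut at 10: %d\n", check_get_descriptor(USB_DT_DEVICE, good_dev, 10));
    printf("asked DEVICE, got CONFIG:    %d\n", check_get_descriptor(USB_DT_DEVICE, good_cfg, 9));
    printf("one-byte response:           %d\n", check_get_descriptor(USB_DT_STRING, lang_str, 1));
    return 0;
}
```

The device-descriptor branch insists on exactly 18 bytes both in bLength and on the wire; the configuration and string branches only enforce a minimum because their total length legitimately varies (a configuration descriptor's wTotalLength covers the interface and endpoint descriptors that follow it).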

  18. LBM: USB Security
  • Defending against BadUSB (keystrokes only from the enrolled keyboard):
    ((usb.pipe == 1) &&                     /* INT (keystroke) */
     ((usb.manufacturer != "X") || (usb.product != "Y") || (usb.serial != "Z") || (usb.plugtime != 12345)))
  • Securing charging (no data traffic on the charging port):
    ((usb.busnum == 1) && (usb.portnum == 1))

  19. LBM: Bluetooth Security
  • Defending against BlueBorne:
    ((bt.l2cap.cid == 0x1) &&               /* L2CAP signaling */
     (bt.l2cap.sig.cmd.code == 0x5) &&      /* Configuration Response */
     (bt.l2cap.sig.cmd.len >= 66))
  • Defending against BleedingBit:
    ((bt.hci.conn == 1) &&                  /* A link exists */
     (bt.hci.conn.type == 0x80))            /* BLE link */
  • LBM filters as dynamic kernel patching

  20. LBM: Benchmarks
  [Figure: two plots against the number of LBM rules (1, 10, 100), series Vanilla/Stock, LBM and LBM-JIT] Left: throughput in MB/s (128KB transfers, 1.8% overhead). Right: per-packet overhead in µs (< 1 µs).

  21. LBM: Discussion
  • BPF memory write
  • LLVM support
  • Stateless vs. stateful policy
  • DMA-oriented protocols

  22. Conclusion
  • Linux (e)BPF Module
  • USB, Bluetooth, NFC
  • Effectiveness and minimum overhead
  https://github.com/fics/lbm

  23. Q&A
  https://davejingtian.org
  Thanks!

  24. Malicious Peripherals: What about wireless peripherals?
  [Figure captions] “5.3 Billion Devices Affected”; “0day attacks over NFC!”

  25. LBM: Core Framework
  • An eBPF client: LBM filter = eBPF program
  • Load LBM filters: subsystem / path
  • Verify LBM filters: BPF verifier; subsystem; no memory write
  • Store/manage/run LBM filters
  • SysFS (/sys/fs/bpf, /sys/kernel/security/lbm)
  [Figure] lbm sysfs, create_module syscall and bpf syscall feed the LBM core: Filter Engine, per-direction MDB (TX/RX) and FDB (TX/RX), built on BPF/eBPF.

  26. LBM: USB
  • LBM hooks:
    lbm_filter_pkt(LBM_SUBSYS_INDEX_USB, LBM_DIR_TX, (void *)urb);
    lbm_filter_pkt(LBM_SUBSYS_INDEX_USB, LBM_DIR_RX, (void *)urb);
  • 34 protocol fields
  • 31 BPF helpers
  • 621 LoC
  [Figure] Storage / Input / Video drivers ↔ USB Core ↔ LBM TX / LBM RX ↔ Host Controller Device Driver ↔ Host Controller Device ↔ USB peripherals

  27. LBM: Bluetooth
  • LBM hooks:
    lbm_filter_pkt(LBM_SUBSYS_INDEX_BLUETOOTH, LBM_DIR_TX, (void *)skb);
    lbm_filter_pkt(LBM_SUBSYS_INDEX_BLUETOOTH, LBM_DIR_RX, (void *)skb);
    lbm_filter_pkt(LBM_SUBSYS_INDEX_BLUETOOTH_L2CAP, LBM_DIR_TX, (void *)skb);
    lbm_filter_pkt(LBM_SUBSYS_INDEX_BLUETOOTH_L2CAP, LBM_DIR_RX, (void *)skb);
  • HCI / L2CAP
  • 30 / 28 protocol fields
  • 29 / 27 BPF helpers
  • 683 / 744 LoC
  [Figure] L2CAP (LBM TX / LBM RX) ↔ SCO / ACL ↔ Bluetooth Core ↔ LBM TX / LBM RX ↔ Host Controller Interface ↔ Bluetooth Module ↔ Bluetooth peripherals

  28. LBM: Protocol Stack Protection
  Filter at the HCI RX hook, dropping packets shorter than the header their type requires:
    (((bt.hci.type == 1) && (bt.hci.len < 3)) ||    /* HCI-CMD */
     ((bt.hci.type == 2) && (bt.hci.len < 4)) ||    /* HCI-ACL */
     ((bt.hci.type == 3) && (bt.hci.len < 3)) ||    /* HCI-SCO */
     ((bt.hci.type == 4) && (bt.hci.len < 2)))      /* HCI-EVT */
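Both Bluetooth RX rules, the HCI minimum-length rule on this slide and the BlueBorne Configuration Response rule on slide 19, applied to raw H4-framed packets, as an added C example that is not LBM's code. The packet builder, the assumption that bt.hci.len counts the bytes after the type indicator (the skb length in the kernel), the LBM_DROP / LBM_ALLOW constants, demo_conf_rsp and the decision to let the L2CAP rule pass anything whose signalling header is incomplete are mine; the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LBM_DROP  1
#define LBM_ALLOW 0

/* H4 packet-type indicators, the values bt.hci.type compares against on the slide. */
enum { HCI_CMD = 1, HCI_ACL = 2, HCI_SCO = 3, HCI_EVT = 4 };
#define L2CAP_CID_SIGNALING 0x0001
#define L2CAP_CONF_RSP      0x05

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void     put_le16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }

/* Slide 28: drop a packet whose HCI header is shorter than the stack will read.
 * bt.hci.len is taken as the bytes after the type indicator (assumption). */
int lbm_hci_rx_filter(const uint8_t *pkt, size_t n)
{
    if (n < 1) return LBM_DROP;
    size_t len = n - 1, min;
    switch (pkt[0]) {
    case HCI_CMD: min = 3; break;   /* opcode(2) + parameter length(1) */
    case HCI_ACL: min = 4; break;   /* handle/flags(2) + data length(2) */
    case HCI_SCO: min = 3; break;   /* handle(2) + data length(1) */
    case HCI_EVT: min = 2; break;   /* event code(1) + parameter length(1) */
    default: return LBM_DROP;       /* unknown indicator: nothing the stack can parse */
    }
    return len < min ? LBM_DROP : LBM_ALLOW;
}

/* Slide 19: the BlueBorne rule at the L2CAP RX hook. Only ACL packets carry L2CAP; anything
 * without a complete signalling header is left to the stack's own checks. */
int lbm_l2cap_rx_filter(const uint8_t *pkt, size_t n)
{
    if (n < 1 + 4 + 4 + 4 || pkt[0] != HCI_ACL) return LBM_ALLOW;
    const uint8_t *l2 = pkt + 1 + 4;                   /* skip type byte + ACL header */
    uint16_t cid = get_le16(l2 + 2);
    if (cid != L2CAP_CID_SIGNALING) return LBM_ALLOW;  /* bt.l2cap.cid == 0x1 */
    const uint8_t *cmd = l2 + 4;                       /* code(1), identifier(1), length(2) */
    uint8_t  code    = cmd[0];                         /* bt.l2cap.sig.cmd.code */
    uint16_t cmd_len = get_le16(cmd + 2);              /* bt.l2cap.sig.cmd.len */
    if (code == L2CAP_CONF_RSP && cmd_len >= 66)       /* oversized Configuration Response */
        return LBM_DROP;
    return LBM_ALLOW;
}

/* Both RX hooks in the order the stack reaches them: HCI core first, then L2CAP. */
int lbm_bt_rx(const uint8_t *pkt, size_t n)
{
    if (lbm_hci_rx_filter(pkt, n) == LBM_DROP) return LBM_DROP;
    return lbm_l2cap_rx_filter(pkt, n);
}

/* Constructed sample: ACL packet carrying an L2CAP Configuration Response whose signalling
 * length field is cmd_len (option bytes zeroed). Returns bytes written, 0 if cap is too small. */
size_t build_conf_rsp(uint8_t *buf, size_t cap, uint16_t cmd_len)
{
    size_t total = 1 + 4 + 4 + 4 + cmd_len;
    if (total > cap) return 0;
    memset(buf, 0, total);
    buf[0] = HCI_ACL;
    put_le16(buf + 1, 0x2040);                         /* handle 0x040, PB flag = start of L2CAP PDU */
    put_le16(buf + 3, (uint16_t)(4 + 4 + cmd_len));    /* ACL data length */
    put_le16(buf + 5, (uint16_t)(4 + cmd_len));        /* L2CAP length */
    put_le16(buf + 7, L2CAP_CID_SIGNALING);
    buf[9]  = L2CAP_CONF_RSP;
    buf[10] = 0x01;                                    /* identifier */
    put_le16(buf + 11, cmd_len);
    return total;
}

/* Filter a constructed Configuration Response with the given signalling length. */
int demo_conf_rsp(uint16_t cmd_len)
{
    uint8_t buf[512];
    size_t n = build_conf_rsp(buf, sizeof buf, cmd_len);
    return n ? lbm_bt_rx(buf, n) : -1;
}

int main(void)
{
    printf("conf rsp len 70: %d\n", demo_conf_rsp(70));
    printf("conf rsp len 6:  %d\n", demo_conf_rsp(6));
    printf("2-byte HCI cmd:  %d\n", lbm_bt_rx((const uint8_t[]){ HCI_CMD, 0x03 }, 2));
    return 0;
}
```

The two rules sit at different hooks for a reason: the length check has to run before the HCI core parses the header at all, while the Configuration Response rule needs the L2CAP header already located, which is why LBM exposes a separate LBM_SUBSYS_INDEX_BLUETOOTH_L2CAP hook (slide 27) instead of re-parsing ACL payloads at the HCI layer.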
