usbfuzz: a framework for fuzzing usb drivers by device ...0.1 ~ 3.0 exec/sec most of the execution...
TRANSCRIPT
![Page 1: USBFuzz: A Framework for Fuzzing USB Drivers by Device ...0.1 ~ 3.0 exec/sec Most of the execution time is spent on OS-device interaction Similar throughput observed in syzkaller usb-fuzz](https://reader036.vdocuments.site/reader036/viewer/2022071410/61041e37efa0c937b73b2b9e/html5/thumbnails/1.jpg)
USBFuzz: A Framework for Fuzzing USB Drivers by Device Emulation
Hui Peng1, Mathias Payer2
1 2
![Page 2: USBFuzz: A Framework for Fuzzing USB Drivers by Device ...0.1 ~ 3.0 exec/sec Most of the execution time is spent on OS-device interaction Similar throughput observed in syzkaller usb-fuzz](https://reader036.vdocuments.site/reader036/viewer/2022071410/61041e37efa0c937b73b2b9e/html5/thumbnails/2.jpg)
Testing drivers is challenging● Drivers depend on hardware/devices● Hard to generate unexpected device inputs● Many recent attacks/CVEs
2
Malicious Device
HACKED
![Page 3: USBFuzz: A Framework for Fuzzing USB Drivers by Device ...0.1 ~ 3.0 exec/sec Most of the execution time is spent on OS-device interaction Similar throughput observed in syzkaller usb-fuzz](https://reader036.vdocuments.site/reader036/viewer/2022071410/61041e37efa0c937b73b2b9e/html5/thumbnails/3.jpg)
Motivation● Defenses against peripheral attacks are limited
○ Rule-based authorization policy (USBGuard) and USB Firewalls (LBM, USBFilter)■ Detect only known bugs
○ Isolation based approaches (Cinch) ■ Too expensive, not used in practice
● Fuzzing is a widely used automatic software testing technique● We propose a framework to apply fuzzing to USB drivers
○ Fixing bugs is better than defending against their exploitation
3
![Page 4: USBFuzz: A Framework for Fuzzing USB Drivers by Device ...0.1 ~ 3.0 exec/sec Most of the execution time is spent on OS-device interaction Similar throughput observed in syzkaller usb-fuzz](https://reader036.vdocuments.site/reader036/viewer/2022071410/61041e37efa0c937b73b2b9e/html5/thumbnails/4.jpg)
Threat Model● Device controlled by attacker via:
○ Prepared device through physical interfaces, or○ Hijacking networked interfaces (e.g., USBRedir, etc)
● Attack vector○ Focusing on unexpected data from device side
4
![Page 5: USBFuzz: A Framework for Fuzzing USB Drivers by Device ...0.1 ~ 3.0 exec/sec Most of the execution time is spent on OS-device interaction Similar throughput observed in syzkaller usb-fuzz](https://reader036.vdocuments.site/reader036/viewer/2022071410/61041e37efa0c937b73b2b9e/html5/thumbnails/5.jpg)
USB Fuzzing: Challenge & Existing Approaches● Challenge
○ How to feed random device input to drivers● Existing Approaches
○ Dedicated Hardware■ Umap + FaceDancer■ Hardware cost, not scalable, etc
○ Data injection in the IO stack■ Syzkaller usb-fuzz, PeriScope■ Not portable, some code paths are missed
○ Data injection through networked USB interface■ vUSBf■ Only supports dumb fuzzing
5
![Page 6: USBFuzz: A Framework for Fuzzing USB Drivers by Device ...0.1 ~ 3.0 exec/sec Most of the execution time is spent on OS-device interaction Similar throughput observed in syzkaller usb-fuzz](https://reader036.vdocuments.site/reader036/viewer/2022071410/61041e37efa0c937b73b2b9e/html5/thumbnails/6.jpg)
USBFuzz: Device Emulation● Using emulated USB device in a virtualized kernel
○ Feeding random device inputs to USB drivers○ A host memory area exported to the guest system
■ Can be used for coverage collection
● Advantages○ Cheap, scalable, portable○ Supports coverage guided fuzzing
6
![Page 7: USBFuzz: A Framework for Fuzzing USB Drivers by Device ...0.1 ~ 3.0 exec/sec Most of the execution time is spent on OS-device interaction Similar throughput observed in syzkaller usb-fuzz](https://reader036.vdocuments.site/reader036/viewer/2022071410/61041e37efa0c937b73b2b9e/html5/thumbnails/7.jpg)
USBFuzz Design● Guest system
○ Runs target system○ Fuzzing device○ Communicating device○ User Mode Agent
● Fuzzer○ Runs in host system○ Controls test execution○ Collect coverage info
Fuzzer
Kernel Virtual Machine (KVM)
Host Kernel
Virtualized Hardware
Fuzzing Device
Comm.Device
Target Kernel
(CPU, Memory etc)
User Mode Agent
Guest System
Fuzzer Generated InputTest Control & Exec Feedback
7
![Page 8: USBFuzz: A Framework for Fuzzing USB Drivers by Device ...0.1 ~ 3.0 exec/sec Most of the execution time is spent on OS-device interaction Similar throughput observed in syzkaller usb-fuzz](https://reader036.vdocuments.site/reader036/viewer/2022071410/61041e37efa0c937b73b2b9e/html5/thumbnails/8.jpg)
Test Execution● A test starts from attaching the fuzzing device to guest system● Drivers are tested while performing IO ops on the fuzzing device● User Mode Agent detects end of a test by scanning kernel logs
8
Fuzzer Guest System (VM)
User Mode Agent
1. Attaching Fuzzing Device
2. I/O Operations
3. End of Test
4. Detaching Fuzzing Device
Fuzzing Loop
8
![Page 9: USBFuzz: A Framework for Fuzzing USB Drivers by Device ...0.1 ~ 3.0 exec/sec Most of the execution time is spent on OS-device interaction Similar throughput observed in syzkaller usb-fuzz](https://reader036.vdocuments.site/reader036/viewer/2022071410/61041e37efa0c937b73b2b9e/html5/thumbnails/9.jpg)
Evaluation● Coverage guided fuzzing on Linux kernel
○ Adapted KCOV to collect coverage info
● Dumb fuzzing on FreeBSD, Windows and MacOS○ Seeded by inputs generated when fuzzing Linux kernel
9
![Page 10: USBFuzz: A Framework for Fuzzing USB Drivers by Device ...0.1 ~ 3.0 exec/sec Most of the execution time is spent on OS-device interaction Similar throughput observed in syzkaller usb-fuzz](https://reader036.vdocuments.site/reader036/viewer/2022071410/61041e37efa0c937b73b2b9e/html5/thumbnails/10.jpg)
Bugs and CVEs● Bugs
● CVEs○ CVE-2018-20169, CVE-2018-19824, CVE-2019-15098, CVE-2019-15099, CVE-2018-19985,
CVE-2018-20344, CVE-2019-15117, CVE-2019-15118, CVE-2019-15504, CVE-2019-15505
10
OS/Kernel Details
Linux 26 new bugs, 16 of them are memory bugs
FreeBSD One in a USB bluetooth dongle driver
Windows 4, resulting Bluescreen on Windows 8 and Windows 10
MacOS 3, two resulting unplanned restart and one resulting freeze
![Page 11: USBFuzz: A Framework for Fuzzing USB Drivers by Device ...0.1 ~ 3.0 exec/sec Most of the execution time is spent on OS-device interaction Similar throughput observed in syzkaller usb-fuzz](https://reader036.vdocuments.site/reader036/viewer/2022071410/61041e37efa0c937b73b2b9e/html5/thumbnails/11.jpg)
Fuzzing throughput● 0.1 ~ 3.0 exec/sec● Most of the execution time is spent on OS-device interaction● Similar throughput observed in syzkaller usb-fuzz
11
A sample of execution speed of USBFuzz A sample of execution speed of syzkaller usb-fuzz
![Page 12: USBFuzz: A Framework for Fuzzing USB Drivers by Device ...0.1 ~ 3.0 exec/sec Most of the execution time is spent on OS-device interaction Similar throughput observed in syzkaller usb-fuzz](https://reader036.vdocuments.site/reader036/viewer/2022071410/61041e37efa0c937b73b2b9e/html5/thumbnails/12.jpg)
Case Study (1)
12
● USB devices are described by Device Descriptors● USB standard defines the first 2 bytes
○ The first byte indicates the length○ The second byte indicates the type
● Descriptors are read from the device side
struct usb_descriptor_header { __u8 bLength; __u8 bDescriptorType ;} __attribute__ ((packed));
struct usb_otg_descriptor { __u8 bLength; __u8 bDescriptorType ; __u8 bmAttributes;} __attribute__ ((packed));
Data structure representing the first 2 bytes of a descriptor Descriptor for USB On-The-Go
![Page 13: USBFuzz: A Framework for Fuzzing USB Drivers by Device ...0.1 ~ 3.0 exec/sec Most of the execution time is spent on OS-device interaction Similar throughput observed in syzkaller usb-fuzz](https://reader036.vdocuments.site/reader036/viewer/2022071410/61041e37efa0c937b73b2b9e/html5/thumbnails/13.jpg)
Case Study (2)
13
● Bug detected in case of malicious descriptors● Attackers can masquerade long descriptors using short ones
int __usb_get_extra_descriptor (char *buffer, unsigned size, unsigned char type, void **ptr) { struct usb_descriptor_header *header; while (size >= sizeof(struct usb_descriptor_header )) { header = (struct usb_descriptor_header *)buffer; if (header->bLength < 2) { return -1; } if (header->bDescriptorType == type) { *ptr = header; return 0; } buffer += header->bLength; size -= header->bLength; } return -1;}
check on untrusted data
![Page 14: USBFuzz: A Framework for Fuzzing USB Drivers by Device ...0.1 ~ 3.0 exec/sec Most of the execution time is spent on OS-device interaction Similar throughput observed in syzkaller usb-fuzz](https://reader036.vdocuments.site/reader036/viewer/2022071410/61041e37efa0c937b73b2b9e/html5/thumbnails/14.jpg)
Case Study (3)
14
● Security Impact○ Allowing Out-Of-Bounds Access
static int usb_enumerate_device_otg(struct usb_device * udev) { // ...... struct usb_otg_descriptor * desc = NULL; err = __usb_get_extra_descriptor( udev->rawdescriptors[0] , le16_to_cpu( udev->config[0].desc.wTotalLength ), USB_DT_OTG, (void **) &desc); if (err||!(desc->bmAttributes & USB_OTG_HNP)) return 0;
// ......}
struct usb_otg_descriptor { __u8 bLength;
__u8 bDescriptorType ; __u8 bmAttributes;} __attribute__ ((packed));
0x3, USB_DT_OTG
OOB Access
![Page 17: USBFuzz: A Framework for Fuzzing USB Drivers by Device ...0.1 ~ 3.0 exec/sec Most of the execution time is spent on OS-device interaction Similar throughput observed in syzkaller usb-fuzz](https://reader036.vdocuments.site/reader036/viewer/2022071410/61041e37efa0c937b73b2b9e/html5/thumbnails/17.jpg)
Conclusion● Testing drivers is challenging● USBFuzz provides a device emulation based approach fuzz USB drivers● USBFuzz is cheap, portable and flexible● So far USBFuzz has found:
○ 26 bugs in Linux○ one bug in FreeBSD○ 4 bugs in Windows○ 3 bugs in MacOS
https://github.com/HexHive/USBFuzz
17
![Page 18: USBFuzz: A Framework for Fuzzing USB Drivers by Device ...0.1 ~ 3.0 exec/sec Most of the execution time is spent on OS-device interaction Similar throughput observed in syzkaller usb-fuzz](https://reader036.vdocuments.site/reader036/viewer/2022071410/61041e37efa0c937b73b2b9e/html5/thumbnails/18.jpg)
EOF
18
![Page 19: USBFuzz: A Framework for Fuzzing USB Drivers by Device ...0.1 ~ 3.0 exec/sec Most of the execution time is spent on OS-device interaction Similar throughput observed in syzkaller usb-fuzz](https://reader036.vdocuments.site/reader036/viewer/2022071410/61041e37efa0c937b73b2b9e/html5/thumbnails/19.jpg)
Data injection in syzkaller usb-fuzz
19
USB Driver
Userspace program
Host Controller Driver
Host Controller
USB Driver
Userspace program
Host Controller
Driver
Dummy Controller
fuzzer