Professional Documents
Culture Documents
Alittleaboutme...
rafael.dominguezvega[at]mwrinfosecurity[dot]com http://labs.mwrinfosecurity.com
MainObjectives
Whatthistalkwillcover
Afewdemoshereandthere....
Onceuponatime...
USBAttacks
USBAttacks(cont.)
HowPwniesathomebecameResearch...
USBDriverTesting
BlackBoxTesting
WhiteBoxTesting
9
Andofcourse...BeerBasedTesting!
10
USBTechnicalBackground
Otherprotocols
Enumeration
Descriptors
StringDescriptor
DeviceDescriptor
const USB_DEVICE_DESCRIPTOR DeviceDescriptor = { sizeof(USB_DEVICE_DESCRIPTOR), /* bLength */ TYPE_DEVICE_DESCRIPTOR, /* bDescriptorType */ 0x0110, /* bcdUSB USB Version 1.1 */ 0, /* bDeviceClass */ 0, /* bDeviceSubclass */ 0, /* bDeviceProtocol */ 8, /* bMaxPacketSize 8 Bytes */ 0xBEEF, /* idVendor */ 0x1337, /* idProduct */ 0x0000, /* bcdDevice */ 1, /* iManufacturer String Index */ 0, /* iProduct String Index */ 0, /* iSerialNumber String Index */ 1 /* bNumberConfigurations */ };
14 Refer.MicrochipTechnologyInc.LowPinCountUSBDevelopmentKitUsersGuide
StringDescriptor
//Manufacturer string descriptor ROM struct{BYTE bLength;BYTE bDscType;WORD string[12];} sd002={sizeof(sd002),USB_DESCRIPTOR_STRING, { 'M','A','N','U','F','A','C','T','U','R','E','R' }}; //Product string descriptor ROM struct{BYTE bLength;BYTE bDscType;WORD string[7];} sd003={sizeof(sd003),USB_DESCRIPTOR_STRING, { 'P','R','O','D','U','C','T' }};
Refer.MicrochipTechnologyInc.LowPinCountUSBDevelopmentKitUsersGuide 15
USBDriverFuzzing
HardwareFuzzer(Itscool:P)
QEMUTesting
QEMUTesting(cont.)
18
QEMUTesting(cont.II)
Advantages
Disadvantages
19
FuzzingEngine Recompile
USBoverIPFuzzing
USBoverIPFuzzing(cont.)
21
USBoverIPFuzzing(cont.II)
Advantages
FuzzingEngine
Disadvantages
Relianceonthesoftware
22
HardwareFuzzer
LongerTermProject
24
LinuxUSBDriverBug
25
LinuxUSBDriverBug(cont.)
StringDescriptor
LinuxUSBDriverBug(cont.II)
KernelCrashDemo
28
CrashAnalysis
KGDB(cont.)
30
HardwareImplementation
ExploitDriverBug
PIC18F14K50
32
CrashAnalysis&ExploitDemo
33
Recommendations
References&FurtherReading
USBOfficialSite http://www.usb.org/ LinuxUSB http://www.linuxusb.org/ MicrochipTechnologyInc. http://www.microchip.com/ MicrochipTechnologyInc. LowPinCountUSBDevelopmentKitUsersGuide PIC18F13K50/14K50DataSheet BeyondLogic http://www.beyondlogic.org/
35
USBDesignbyExample:APracticalGuidetoBuildingI/O Devices(IntelUniversityPress)byJohnHyde
References&FurtherReading(cont.)
QEMU http://www.qemu.org/ USB/IP http://usbip.sourceforge.net/ WhitePaper:RedHatCrashUtility http://people.redhat.com/anderson/crash_whitepaper/ KGDB:LinuxKernelSourceLevelDebugger http://kgdb.linsyssoft.com/ EvaluatingSecurityAspectsoftheUniversalSerialBus http://www.informatik.unihamburg.de/SVS/archiv/slides/090113 OSJodeitEvaluating_Security_Aspects_of_USB.pdf
36
37
http://labs.mwrinfosecurity.com
Illgetbywithalittlehelpfrommyfriends...
38