USB设备驱动器进入内核的垫脚石翻译.docx

USB设备驱动器进入内核的垫脚石翻译.docx

《USB设备驱动器进入内核的垫脚石翻译.docx》由会员分享，可在线阅读，更多相关《USB设备驱动器进入内核的垫脚石翻译.docx（27页珍藏版）》请在冰豆网上搜索。

USB设备驱动器进入内核的垫脚石翻译

2010EuropeanConferenceonComputerNetworkDefense

USBDeviceDrivers:

ASteppingStoneintoyourKernel

MoritzJodeit

n.runsAG

NassauerStr.60,D-61440Oberursel

moritz.jodeit@

MartinJohns

SAPResearch

Vincenz-Priessnitz-Str.1,D-76131Karlsruhe

martin.johns@

Abstract—Thewidely–usedUniversalSerialBus（USB）exposesaphysicalattackvectorwhichhasreceivedcomparativelylittleattentioninthepast.Whilemostresearchondevicedrivervulnerabilitiesconcentratedonwirelessprotocols,weshowthatUSBdevicedriversprovidethesamepotentialforvulnerabilitiesbutofferalargerattacksurfaceresultingfromtheuniversalnatureoftheUSBprotocol.TodemonstratetheeffectivenessoffuzzingUSBdevicedrivers,wepresent

ourprototypicalimplementationofamutation–based,manin-the-middleUSBfuzzingframeworkbasedonanemulatedenvironment.Wepracticallyappliedourframeworktofuzzthe

communicationbetweenanAppleiPoddeviceandaWindowsXPsystem.Thisway,wefoundseveralpotentialvulnerabilities.ThissupportsourclaimthattheUSBarchitectureexposesreal

attackvectorsandshouldbeconsideredwhenassessingthephysicalsecurityofcomputersystemsinthefuture.

I.INTRODUCTION

TheUniversalSerialBus（USB）isawidely–usedserialcablebusforconnectingvariousperipheralstoahostcomputer.BecauseofthewidespreaduseandtheubiquitousnatureofUSBitprovidesancompellingattacksurface.InthispaperweareconcentratingonattacksagainstdevicedriversandtheUSBstackitself.

Thefactthatdevicedriversprovidethepotentialforexploitablevulnerabilitieswasalreadyshownin[6]and[10].Butcomparedto802.11wirelessdevicedrivers,USBhasthepropertyofbeingauniversaltransportmediumforfurtherprotocols.Hence,potentialattacksarenotlimitedtotheUSBrelatedcodeinsidethekernelbutextendoveralargenumberofdifferentkernelsub-systemsanddevicedriversreachablebyUSBdeviceswhichwouldnotbeassociatedwithUSBatafirstglance.TheUSBprotocolallowstoreachthosepartsofthekernelwhichcouldotherwisenoteasilybeattackedremotely.

Thispaperproposesamutation–basedUSBfuzzingframework.OurapproachisbasedonfuzzinginanemulatedenvironmentinspiredbytheworkofKeilandKolbitsch[9]for802.11wirelessfuzzing.InsteadofemulatingUSBdevicesinsoftwareweareattachingphysicallyconnectedUSBdevicestotheguestoperatingsystemrunninginsideavirtualmachineandfuzzthecommunicationbetweenthephysicaldeviceandthevirtualhost.

Relyingonamutation–basedapproachgivesustheflexibilitytofuzztestabroadrangeofdifferentdevicedriverswithouttheneedtoemulateeverysingledevicewhichwouldbeverytimeconsuming.Doingthefuzzinginanemulatedenvironmentcomeswithvariousadvantages.Besidesthegoodtargetmonitoringcapabilities,virtualmachinesnapshotsallowustodoexactmatchingbetweenaspecificUSBdeviceattachmentandapotentialcrash.

II.TECHNICALBACKGROUND

TheUSBarchitecturecanbedividedintothreeseparateparts.ThesearetheUSBdevices,theUSBhostandtheUSBinterconnect,whichconnectsallUSBdeviceswithasingleUSBhost.

USBdevicesareeitherhubsorfunctions.AUSBhubisaspecialdevicethatprovidesoneormoreattachmentpointstothebus,whileafunctionprovidesaspecificcapability.ExamplesareaUSBmousedevicewhichusuallyprovidesaHID（HumanDeviceInterface）functionwhileanexternalharddiskdriveprovidesamassstoragefunction.EachUSBhostcontrollerprovidesaroothub,whichistheattachmentpointforallconnecteddevices.

TheUSBhostisthecentralpointintheUSBarchitecture.ItinteractsthroughthehostcontrollerwiththerestoftheUSBsystem.OnlyasingleUSBhostperbusisallowed.Tasksofthehostincludethemanagementofalltransfers,detectionofdeviceattachmentandremovaland

configurationofnewdevices.Itisimportanttonote,thatthehostplaystheactivepartinthewholecommunication.AlltransfersareinitiatedbythehostandUSBdevicesonlyanswertorequestssendbythehost1.

Figure1showsthelogicalconnectionbetweenaUSBdeviceandthehost.Communicationtakesplaceusingsocalledpipes.Pipesareunidirectionalorbidirectioncommunication

channelsbetweenthehostandaUSBdevice.Theendofeachpipeconnectstoanendpoint.

EndpointsarecompareablewithIPsockets.Theyarethesourceorsinkofacommunicationflowonthebus.EachendpointhasanassociateddirectionwhichiseitherINorOUT.INendpointstransferdatafromthedevicetothehost,whileOUTendpointstransferdatafromthehosttothedevice.EachUSBdeviceprovidesatleasttheendpoint0whichisconnectedwiththedefaultcontrolpipe.Themainpurposeofthedefaultcontrolpipeistoconfigurethedevice

1OneexceptionistheUSBOTGsupplement[15]totheUSB

specification[7].

2010EuropeanConferenceonComputerNetworkDefense

978-0-7695-4311-6/10$26.00©2010IEEE

DOI10.1109/EC2ND.2010.16

onceitisattached.Dependingonthepurposeofthedevicemultipleotherendpointsmaybeprovided.

MultiplepipescanbegroupedintointerfaceswhereeachinterfaceprovidesaspecificfunctionalityandishandledbyasingleUSBdevicedriveronthehost.Oneinterfacemay

provideamassstoragedevicewhileasecondinterfacemayprovideaUSBprinter.

Configurationsgroupmultipleinterfacesandaremainlyusedtoprovidethesamefunctionalitywithdifferentsettings.Onlyasingleconfigurationcanbeactiveatatime.

Figure1.LogicalconnectionbetweenaUSBdeviceandahost

A.DeviceEnumeration

WhenanewUSBdeviceisconnectedtothebusthroughahubthedeviceenumerationprocessstarts.EachhubprovidesanINendpoint,whichisusedtoinformthehostaboutnewlyattacheddevices.Thehostcontinuallypollsonthisendpointtoreceivedeviceattachmentandremoval

eventsfromthehub.

Onceanewdevicewasattachedandthehubnotifiedthehostaboutthisevent,theUSBbusdriverofthehostenablestheattacheddeviceandstartsrequestinginformationfromthedevice.ThisisdonewithstandardUSBrequestswhicharesentthroughthedefaultcontrolpipetoendpointzeroofthedevice.Informationisrequestedintermsofdescriptors.USBdescriptorsaredatastructuresthatareprovidedbydevicestodescribealloftheirattributes.Thisincludese.g.theproduct/vendorID,anydeviceclassaffiliation,andstringsdescribingtheproductandvendor.Additionallyinformationaboutallavailableendpointsisprovided.Afterthehostreadallthenecessaryinformationfromthedeviceittriestofindamatchingdevicedriver.Thedetailsof

thisprocessaredependantontheusedoperatingsystem.ForlackofspacewearedescribingtheprocessforMicrosoftWindowsonlybutsimilarconceptsapplytootheroperating

systems.

B.DeviceDriverLoading

AfterthefirstdescriptorswerereadfromtheattachedUSBdevice,thehostusesthevendorandproductIDfromthedevicedescriptortofindamatchingdevicedriver.Windowsfirsttriestofindtheproduct/vendorIDcombinationintheregistry.Ifthedevicewassuccessfullyenumeratedinthepast,amatchisfoundintheregistrywhichindicatestheassociateddevicedrivertobeloaded.Whennomatchintheregistryisfound,Windowsdoesalookupinitsdatabaseof

availabledevicedriverswhichconsistsofasetofINFfiles.EachINFfiledescribesasetofdevicesforwhichdevicedriversareavailable.

IfneithertheregistrynortheINFfilesresultedinamatchfortheproduct/vendorIDcombination,WindowstriestofindamatchingUSBclassdriver.Classdriversarenotspecifictoasingledevicebutcanhandleabroadrangeofdifferentdeviceswhichbehaveaccordingtoaclassspecification.MostoperatingsystemsprovideasetofUSB

classdriverswhichallowssomeclassesofUSBdevicestobeconnectedwithouttheneedtoinstallaseparatedevicedriver.ThelatestversionofWindowscomeswithclassdriversfor

manyofthedefinedUSBclasses[14],suchasthemassstorage,audioorprinterclass.

Tofindamatchingclassdriver,Windowsusestheclass,subclassandprotocolvaluesreadfromthedescriptors.Thesamelookupsasdetailedabovefortheproduct/vendorIDcombinationareperformed..

Afteramatchingdevicedriverwasfoundandloaded,it’sthetaskofthedevicedrivertoselectoneoftheprovideddeviceconfigurations.Thedevicedriverselectsoneoftheconfigurationsbasedonitsowncapabilitiesandtheavailablebandwidthonthebusandactivatesthisconfigurationontheattacheddevice.Atthispoint,allinterfacesandtheir

endpointsoftheselectedconfigurationaresetupandthedeviceisreadyforuse.

III.ATTACKSCENARIOS

InthecaseoftheUSB2.0standard[7],anattackerneedsphysicalaccesstoasystem.Althoughnearlyeverysystemcanbebrokenintowithenoughphysicalaccess,USBports

representaspecialcase.Oftenthesystemitselftogetherwithhumaninterfacedevices,suchaskeyboardsandmice,isprotectedagainstunauthorizedaccess.However,USBportsareoftenconsideredsafetobeprovidedtotheuser.Insomecases,USBportsmustevenbeprovidedtotheusertoaccomplishthetaskoftherespectivesystem.USB-basedhardwaresecuritytokensareoneexample.

Iftheattackerisanemployeeofacompanyheistryingtoattack,hehaslotsofpossibilitiestounobtrusivelyattachmaliciousUSBdevices.Buteveniftheattackerisn’tassociatedwiththecompanytobeattacked,therearelotsofcases,wheretheattackerhimselfdoesn’tneeddirectphysicalaccessbutcangethismaliciousUSBdeviceattachedtotheUSBportofasystembyothermeans.

Peoplewithlegitimatephysicalac