DON'T TRUST YOUR USB! HOW TO FIND BUGS IN USB DEVICE DRIVERS (presented at Black Hat Europe 2014)

by Ralf Spenneberg, Sergej Schumilo, Hendrik Schwartke

Summary: The Universal Serial Bus (USB) has become the standard interface for connecting computers to peripheral hardware. USB is used to access human interface devices (HID) such as keyboards and mice, storage devices such as USB flash sticks and external hard drives, but also webcams, sound cards, network interface cards (NICs), wireless cards, Bluetooth sticks and so on. While the most common devices (keyboards, mice, storage) are handled by generic class drivers in the host kernel, many devices require device-specific drivers. Using the Facedancer device created by Travis Goodspeed and Sergey Bratus, many implementation bugs in the generic drivers have already been found. A systematic analysis of the hardware-specific drivers by Facedancer-based fuzzing is practically impossible, however, because of the enormous number of different devices and drivers: the current Linux kernel supports about 15,000 vendor/product ID pairs, mapped to several hundred drivers, and a driver may behave differently depending on which vendor/product ID is presented. A single simulated USB test on the Facedancer takes 2-7 seconds and can only be parallelized by using several Facedancer devices and as many physical hosts.
Therefore, I developed the vUSBf framework. It implements a virtual USB fuzzer based on KVM and the USB redirection protocol (usbredir) in QEMU. It virtualizes the target systems, and by running tests in parallel we can execute up to 150 tests per second on a single Intel system with 24 cores. Using the built-in cluster protocol, this scales arbitrarily by adding further systems.
The vUSBf framework allows the dynamic definition of several million test cases from a simple XML configuration. Each test is identified by a unique test ID and is therefore reproducible.
We trigger and detect the following failures in both enterprise Linux kernels and the most current Linux kernels:
- Null-pointer dereferences
- Kernel paging request failures (oops: "unable to handle kernel paging request")
- Kernel panics
- Bad page state
- Segfaults
While the exploitability of these bugs still has to be tested and their severity determined, the sheer number of bugs we are finding is frightening: about 0.3% of the tests trigger one of the exceptions listed above, depending on the kernel version used and the set of drivers built in.
To validate the results, some of the bugs were reproduced using the Facedancer against physical hosts. This shows that the bugs can be reproduced with specialized hardware, which could then be used to attack, exploit and possibly compromise the target system.
The vUSBf framework uses several emulators to fuzz different devices and different stages of the USB connection (enumeration, configuration, class-specific traffic). Further emulators can be added through a simple API, and more are currently in development. Additionally, first tests have been run with Microsoft Windows as the target.
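To make the two ideas above concrete, the reproducible test ID and the per-stage emulator, here is an added example that is not vUSBf's own code: each test case is derived deterministically from its ID by seeding a PRNG, rendered as USB device and configuration descriptors, and served to the host by a minimal GET_DESCRIPTOR responder standing in for the enumeration-stage emulator. A host-side descriptor walk shows the kind of inconsistency (lying wTotalLength, zero bLength, truncated descriptors) that the guest kernel's parser has to survive. The field tables, the mutation catalogue, the vendor/product IDs and all function names are assumptions made for illustration.

```python
"""Test-id-keyed USB descriptor mutation plus the host-side descriptor walk a
driver must get right.  Added example, not vUSBf's code: the field tables, the
mutation catalogue and the GET_DESCRIPTOR responder are illustrative assumptions."""
import random
import struct

DT_DEVICE, DT_CONFIG, DT_INTERFACE, DT_ENDPOINT = 1, 2, 4, 5   # USB 2.0, table 9-5
GET_DESCRIPTOR = 6

# Baseline device: one configuration, one HID-class interface, one interrupt-IN
# endpoint.  Vendor/product ids are placeholders.  Field order is wire order.
BASE = {
    "device": {"bLength": 18, "bDescriptorType": DT_DEVICE, "bcdUSB": 0x0200,
               "bDeviceClass": 0, "bDeviceSubClass": 0, "bDeviceProtocol": 0,
               "bMaxPacketSize0": 64, "idVendor": 0x1234, "idProduct": 0x5678,
               "bcdDevice": 0x0100, "iManufacturer": 1, "iProduct": 2,
               "iSerialNumber": 0, "bNumConfigurations": 1},
    "config": {"bLength": 9, "bDescriptorType": DT_CONFIG, "wTotalLength": 25,
               "bNumInterfaces": 1, "bConfigurationValue": 1, "iConfiguration": 0,
               "bmAttributes": 0x80, "bMaxPower": 50},
    "interface": {"bLength": 9, "bDescriptorType": DT_INTERFACE, "bInterfaceNumber": 0,
                  "bAlternateSetting": 0, "bNumEndpoints": 1, "bInterfaceClass": 3,
                  "bInterfaceSubClass": 0, "bInterfaceProtocol": 0, "iInterface": 0},
    "endpoint": {"bLength": 7, "bDescriptorType": DT_ENDPOINT, "bEndpointAddress": 0x81,
                 "bmAttributes": 3, "wMaxPacketSize": 8, "bInterval": 10},
}
FMT = {"device": "<BBHBBBBHHHBBBB", "config": "<BBHBBBBB",
       "interface": "<BBBBBBBBB", "endpoint": "<BBBBHB"}

# Mutation catalogue, (descriptor, field, value): each makes the descriptor set
# internally inconsistent in a way the host parser and driver must tolerate.
MUTATIONS = [
    ("device", "bLength", 0), ("device", "bMaxPacketSize0", 0),
    ("device", "bNumConfigurations", 0), ("config", "bLength", 2),
    ("config", "wTotalLength", 0), ("config", "wTotalLength", 0xFFFF),
    ("config", "bNumInterfaces", 0xFF), ("interface", "bNumEndpoints", 0xFF),
    ("endpoint", "wMaxPacketSize", 0), ("endpoint", "bLength", 2),
]

def mutate(mutations):
    """Copy BASE and apply (descriptor, field, value) overrides."""
    descs = {k: dict(v) for k, v in BASE.items()}
    for desc, field, value in mutations:
        descs[desc][field] = value
    return descs

def render(descs):
    """Pack to bytes: (device descriptor, configuration blob).  The blob is
    always the real 25 bytes; a mutated wTotalLength merely lies about it."""
    parts = {k: struct.pack(FMT[k], *descs[k].values()) for k in FMT}
    return parts["device"], parts["config"] + parts["interface"] + parts["endpoint"]

BASE_DEVICE, BASE_CONFIG = render(BASE)

def build_testcase(test_id):
    """Derive a case from its id alone: seeding the PRNG with the id is what
    makes a crashing case reproducible without storing the generated bytes."""
    rng = random.Random(test_id)
    applied = rng.sample(MUTATIONS, rng.choice([1, 2]))
    device, config = render(mutate(applied))
    return {"id": test_id, "mutations": applied, "device": device, "config": config}

def handle_control(tc, bmRequestType, bRequest, wValue, wIndex, wLength):
    """Enumeration-stage emulator: serve the host's GET_DESCRIPTOR control
    transfers from the test case, honouring wLength.  None means STALL."""
    if bmRequestType != 0x80 or bRequest != GET_DESCRIPTOR:
        return None
    data = {DT_DEVICE: tc["device"], DT_CONFIG: tc["config"]}.get(wValue >> 8)
    return None if data is None else data[:wLength]

def walk_config(blob):
    """Walk a configuration blob as a careful host parser must, trusting bLength
    only after checking it against the bytes actually received.
    Returns ([(offset, bDescriptorType, bLength), ...], [problem, ...])."""
    descs, problems = [], []
    if len(blob) < 4:
        return descs, ["configuration descriptor truncated"]
    total = struct.unpack_from("<H", blob, 2)[0]
    if total != len(blob):
        problems.append(f"wTotalLength {total} != {len(blob)} bytes received")
    off = 0
    while off < len(blob):
        if off + 2 > len(blob):
            problems.append(f"dangling byte at offset {off}")
            break
        blen, dtype = blob[off], blob[off + 1]
        if blen < 2:
            problems.append(f"bLength {blen} at offset {off} would never advance")
            break
        if off + blen > len(blob):
            problems.append(f"descriptor at {off} claims {blen} bytes, {len(blob) - off} left")
            break
        descs.append((off, dtype, blen))
        off += blen
    return descs, problems
```

In a campaign you would iterate build_testcase over a range of IDs, hand each case to the emulated device, and log only the IDs of cases that crash the guest; regenerating the case from its ID is then enough to reproduce the crash. The real vUSBf delivers the descriptors to the guest over QEMU's usbredir channel; this example stops at the bytes, and the walk_config check is there to show why a single lying length field is enough to push a host parser off the end of its buffer.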
The framework will be released as Open Source at the Black Hat Conference.