SlideShare ist ein Scribd-Unternehmen logo

Deriving intelligence from USB stack interactions

NCC Group
NCC Group
Technologie
1 von 51
Downloaden Sie, um offline zu lesen
Revealing Embedded Fingerprints: Deriving intelligence from USB stack interactions Andy Davis, Research Director NCC Group Image from: p1fran.com
UK Offices Manchester - Head Office Cheltenham Edinburgh Leatherhead London Thame North American Offices San Francisco Atlanta New York Seattle Australian Offices Sydney European Offices Amsterdam - Netherlands Munich – Germany Zurich - Switzerland
Agenda Part One: • Overview of the USB enumeration phase • Different USB stack implementations • USB testing platform • Installed drivers and supported devices • Fingerprinting techniques • Umap demo Part Two: • The Windows 8 RNDIS kernel pool overflow • Challenges faced when exploiting USB bugs • Conclusions
Part One: Information gathering • Why do we care? • If you connect to a device surely you already know the platform? • Embedded devices are mostly based on Linux anyway aren't they? • Allows you to focus your testing on only supported functionality
USB Background stuff Image from: blog.brickhousesecurity.com
Overview of the USB enumeration phase • What is enumeration for? • Assign an address • Speed of communication • Power requirements • Configuration options • Device descriptions • Identify class drivers • Lots of information exchange – implemented in many different ways Image from :http://ewalk2.blog117.fc2.com
The USB enumeration phase < Get Device descriptor > Set Address < Get Device descriptor < Get Configuration descriptor < Get String descriptor 0 < Get String descriptor 2 < Get Configuration descriptor < Get Configuration descriptor > Set Configuration
Enumeration phase peculiarities • Why is the device descriptor initially requested twice? • Why are there multiple requests for other descriptors? • Class-specific descriptors: < Get Hub descriptor < Get HID Report descriptor
Different USB stack implementations • Typical components of a USB stack • Windows USB driver stack • Linux USB stack • Embedded Access USB stack Image from: blogs.msdn.com
Typical components of a USB stack • Host Controller hardware • USB System software: • Host Controller Driver – Hardware Abstraction Layer • USB Driver • Class drivers • Application software Image from: www.wired.com
Windows USB driver stack Image from: msdn.microsoft.com
Linux USB stack Image from: www.linux-usb.org
Embedded Access USB stack Image from: www.embedded-access.com
Interacting with USB Image from: www.nvish.com
USB interaction requirements • Need to capture and replay USB traffic • Full control of generated traffic • Class decoders extremely useful • Support for Low/High/Full speed required • USB 3.0 a bonus
USB testing – gold-plated solution • Commercial test equipment
USB testing – the cheaper approach • Facedancer (http://goodfet.sourceforge.net/hardware/facedancer21)
Best solution: A combination of both • Device data can be carefully crafted • Host response data can be captured • Microsecond timing is also recorded • All class-specific data is decoded
Information enumeration Image from: network.nature.com
Target list • Windows 8 • Ubuntu Linux 12.04 LTS • Apple OS X Lion • FreeBSD 5.3 • Chrome OS • Linux-based TV STB
Installed drivers and supported devices • Enumerating supported class types – standard USB drivers • Enumerating all installed drivers • Other devices already connected
Enumerating supported class types Where is USB class information stored? Device Descriptor Interface Descriptor
Installed drivers and supported devices • Drivers are referenced by class (Device and Interface descriptors) • Also, by VID and PID: • For each device class VID and PID values can be brute-forced (can easily be scripted using Facedancer) • Although there may be some shortcuts…. • Valid PIDs and VIDs are available (http://www.linux-usb.org/usb.ids)
Enumerating installed drivers Not installed: All communication stops after “Set Configuration” Installed:
Sniffing the bus - Other connected devices • Data from other devices will be displayed on other addresses • Controlling other devices? (untested)
Fingerprinting techniques • Descriptor request patterns • Timing information • Descriptor types requested • Responses to invalid data • Order of Descriptor requests
OS Identification Linux-based TV STB Windows 8 < Get Max LUN (Mass Storage) > CBW: INQUIRY < MSC Data In < CSW - Status Passed > CBW: TEST UNIT READY < CSW - Status Passed > CBW: READ CAPACITY < MSC Data In < CSW - Status Passed > CBW: MODE SENSE < Get Max LUN (Mass Storage) > CBW: INQUIRY < MSC Data In < CSW - Status Passed > CBW: INQUIRY < MSC Data In < CSW - Status Passed > CBW: READ FORMAT CAPACITIES < MSC Data In < CSW - Status Passed
Application identification gphoto2 (Linux) “Photos” Metro app (Windows 8) > Image: OpenSession < Image: OK > Image: GetDeviceInfo < Image: DeviceInfo < Image: OK > Image: GetStorageIDs < Image: StorageIDs < Image: OK > Image: GetStorageInfo < Image: StorageInfo < Image: OK > Image: CloseSession < Image: OK > Image: OpenSession < Image: OK > Image: GetDeviceInfo < Image: DeviceInfo < Image: OK > Image: SetDevicePropValue > Image: DeviceProperty < Image: OK < Image: DeviceInfoChanged DeviceProperty includes some text: /Windows/6.2.9200 MTPClassDriver/6.2.9200.16384
Request patterns unique elements? • Windows 8 (HID) – 3 x Get Configuration descriptor requests (others have two) • Apple OS X Lion (HID) – Set Feature request right after Set Configuration • FreeBSD 5.3 (HID) – Get Status request right before Set Configuration • Linux-based TV STB (Mass Storage) – Order of class-specific requests
Timing information (work in progress…)
Timing information (work in progress…)
Using timing information? (work in progress…) • Large amount of variance over entire enumeration phase: • 4.055s, 3.834s, 3.612s, 3.403s, 3.089s • Much greater accuracy between specific requests: • Between String Descriptor #0 and #2 requests - 5002us, 5003us, 5003us, 4999us, 5001us • If we know the OS can we potentially determine the processor speed?
Descriptor types requested • Microsoft OS Descriptors (MOD) • Used for “unusual” devices classes • Devices that support Microsoft OS Descriptors must store a special USB string descriptor in firmware at the fixed string index of 0xEE. The request is:
Responses to invalid data • Different USB stacks respond to invalid data in different ways • Maximum and minimum values • Logically incorrect values • Missing data • In some cases: Crashes (potential vulnerabilities) • Other cases: Unique behaviour Image from: windows7.iyogi.com
Invalid data unique elements? Windows (all versions) If you send a specific, logically incorrect HID Report descriptor this happens:
Invalid data unique elements? Windows (all versions) If you send a specific, logically incorrect HID Report descriptor this happens:
Order of Descriptor requests • Some USB stacks request data from devices in a different order • Different drivers may request different descriptors multiple times • Sometimes descriptors are re-requested after enumeration is complete
Demo: umap Image from: us.cdn4.123rf.com
Umap overview • Supported device classes can be enumerated • Operating system information can be enumerated • Devices with specific VID/PID/REV can be emulated • The enumeration phase and class-specific data can be fuzzed • Endpoint protection systems configuration can be assessed • Endpoint protection systems USB protection can be circumvented • USB host implementations can be comprehensively tested
Part Two: Potentially exploitable USB bugs Image from: www.biro-media.hr
The Windows 8 RNDIS kernel pool overflow • MS13-027 • usb8023x.sys - default (Microsoft-signed) Windows Remote NDIS driver that provides network connectivity over USB. • When the following USB descriptor field is manipulated a Bug check occurs indicating a kernel pool overwrite: Configuration descriptor: bNumInterfaces field > actual number of USB interfaces
The Bug Check BAD_POOL_HEADER (19) The pool is already corrupt at the time of the current request. <Truncated for brevity> Arguments: Arg1: 00000020, a pool block header size is corrupt. Arg2: 83e38610, The pool entry we were looking for within the page. Arg3: 83e38690, The next pool entry. Arg4: 08100008, (reserved) <Truncated for brevity> WARNING: SystemResourcesList->Flink chain invalid. Resource may be corrupted, or already deleted. WARNING: SystemResourcesList->Blink chain invalid. Resource may be corrupted, or already deleted. SYMBOL_NAME: usb8023x!SelectConfiguration+1bd
The SelectConfiguration() function
The crash point
Analysis #1 When bNumInterfaces = 3 (one more than it should be) and bNumEndpoints = 2 (valid value) Next kernel pool: 849c3b28 10 00 0a 04 56 61 64 6c-6b 8f 94 85 28 8c 90 85 ....Vadlk...(... becomes: 849c3b28 00 00 0a 04 56 61 64 6c-6b 8f 94 85 28 8c 90 85 ....Vadlk...(... So we’re overwriting "PreviousSize" in the next nt!_POOL_HEADER - this is what triggered the original Bug Check when ExFreePool() is called
Analysis #2 When bNumInterfaces = 3 (one more than it should be) and bNumEndpoints = 5 (three more than it should be) Next kernel pool: 84064740 17 00 03 00 46 72 65 65-48 2d 09 84 30 a8 17 84 ....FreeH-..0... becomes: 84064740 17 00 03 00 00 72 65 65-48 2d 09 84 30 a8 17 84 .....reeH-..0... So we’re now overwriting "PoolTag" in the next nt!_POOL_HEADER
What’s going on? kd> dt nt!_POOL_HEADER – +0x000 PreviousSize : Pos 0, 8 Bits – +0x000 PoolIndex : Pos 8, 8 Bits – +0x000 BlockSize : Pos 16, 8 Bits – +0x000 PoolType : Pos 24, 8 Bits – +0x004 PoolTag : Uint4B – +0x008 ProcessBilled : Ptr64 _EPROCESS By manipulating bNumInterfaces and bNumEndpoints in a USB Configuration descriptor we appear to have a degree of control over where in the next adjacent kernel memory pool we can overwrite a single byte with a null (the null write occurs four bytes after the end of the pool I control and I can also control its size and some elements of its contents so could also potentially overwrite the next pool header with something useful)
Some pseudo code
Challenges faced when exploiting USB bugs • Lack of feedback channel • The bug is often in kernel code • Descriptors are generally very size-constrained • Typical impact of USB exploitation typically restricted to privilege escalation • Modern operating systems e.g. Windows 8 have comprehensive exploit mitigation • What about USB over RDP? Image from: leadershipfreak.wordpress.com
Conclusions • The USB enumeration phase reveals useful information for fingerprinting • Class-specific communication is potentially even more revealing • Even vendors with mature SDL processes have USB bugs • USB bugs can potentially be exploited, to provide privilege escalation • …but it is extremely difficult to achieve reliably
Questions? Andy Davis, Research Director NCC Group andy.davis ‘at’ nccgroup ‘dot’ com

Empfohlen

NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group
 
Docking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slidesDocking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slidesNCC Group
 
07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security productsNCC Group
 
USB: Undermining Security Barriers
USB: Undermining Security BarriersUSB: Undermining Security Barriers
USB: Undermining Security BarriersNCC Group
 
Exploiting appliances presentation v1.1-vids-removed
Exploiting appliances presentation v1.1-vids-removedExploiting appliances presentation v1.1-vids-removed
Exploiting appliances presentation v1.1-vids-removedNCC Group
 
System Hardening Recommendations_FINAL
System Hardening Recommendations_FINALSystem Hardening Recommendations_FINAL
System Hardening Recommendations_FINALMartin Evans
 
System hardening - OS and Application
System hardening - OS and ApplicationSystem hardening - OS and Application
System hardening - OS and Applicationedavid2685
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Scott Sutherland
 

Empfohlen

NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group
 
Docking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slidesDocking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slidesNCC Group
 
07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security productsNCC Group
 
USB: Undermining Security Barriers
USB: Undermining Security BarriersUSB: Undermining Security Barriers
USB: Undermining Security BarriersNCC Group
 
Exploiting appliances presentation v1.1-vids-removed
Exploiting appliances presentation v1.1-vids-removedExploiting appliances presentation v1.1-vids-removed
Exploiting appliances presentation v1.1-vids-removedNCC Group
 
System Hardening Recommendations_FINAL
System Hardening Recommendations_FINALSystem Hardening Recommendations_FINAL
System Hardening Recommendations_FINALMartin Evans
 
System hardening - OS and Application
System hardening - OS and ApplicationSystem hardening - OS and Application
System hardening - OS and Applicationedavid2685
 
Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Secure360 - Attack All the Layers! Again!
Secure360 - Attack All the Layers! Again!Scott Sutherland
 
CNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS VulnerabilitesCNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS VulnerabilitesSam Bowne
 
Attack all the layers secure 360
Attack all the layers secure 360Attack all the layers secure 360
Attack all the layers secure 360Scott Sutherland
 
Ch 10: Attacking Back-End Components
Ch 10: Attacking Back-End ComponentsCh 10: Attacking Back-End Components
Ch 10: Attacking Back-End ComponentsSam Bowne
 
Ch 11: Hacking Wireless Networks
Ch 11: Hacking Wireless NetworksCh 11: Hacking Wireless Networks
Ch 11: Hacking Wireless NetworksSam Bowne
 
Server Hardening Primer - Eric Vanderburg - JURINNOV
Server Hardening Primer - Eric Vanderburg - JURINNOVServer Hardening Primer - Eric Vanderburg - JURINNOV
Server Hardening Primer - Eric Vanderburg - JURINNOVEric Vanderburg
 
CNIT 152: 6. Scope & 7. Live Data Collection
CNIT 152: 6. Scope & 7. Live Data CollectionCNIT 152: 6. Scope & 7. Live Data Collection
CNIT 152: 6. Scope & 7. Live Data CollectionSam Bowne
 
The Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaThe Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaEC-Council
 
9: OllyDbg
9: OllyDbg9: OllyDbg
9: OllyDbgSam Bowne
 
CNIT 126 11. Malware Behavior
CNIT 126 11. Malware BehaviorCNIT 126 11. Malware Behavior
CNIT 126 11. Malware BehaviorSam Bowne
 
Ch 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS VulnerabilitesCh 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS VulnerabilitesSam Bowne
 
CNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationCNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationSam Bowne
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat Security Conference
 
CNIT 128 8. Android Implementation Issues (Part 2)
CNIT 128 8. Android Implementation Issues (Part 2)CNIT 128 8. Android Implementation Issues (Part 2)
CNIT 128 8. Android Implementation Issues (Part 2)Sam Bowne
 
Windows server hardening 1
Windows server hardening 1Windows server hardening 1
Windows server hardening 1Frank Avila Zapata
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgSam Bowne
 
CNIT 128 3. Attacking iOS Applications (Part 2)
CNIT 128 3. Attacking iOS Applications (Part 2)CNIT 128 3. Attacking iOS Applications (Part 2)
CNIT 128 3. Attacking iOS Applications (Part 2)Sam Bowne
 
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...The Linux Foundation
 
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...BlueHat Security Conference
 
CNIT 152: 10 Enterprise Services
CNIT 152: 10 Enterprise ServicesCNIT 152: 10 Enterprise Services
CNIT 152: 10 Enterprise ServicesSam Bowne
 
CNIT 123 Ch 10: Hacking Web Servers
CNIT 123 Ch 10: Hacking Web ServersCNIT 123 Ch 10: Hacking Web Servers
CNIT 123 Ch 10: Hacking Web ServersSam Bowne
 
The Mobile Internet of Things and Cyber Security
The Mobile Internet of Things and Cyber Security The Mobile Internet of Things and Cyber Security
The Mobile Internet of Things and Cyber Security NCC Group
 
2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_room2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_roomNCC Group
 

Weitere ähnliche Inhalte

Was ist angesagt?

CNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS VulnerabilitesCNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS VulnerabilitesSam Bowne
 
Attack all the layers secure 360
Attack all the layers secure 360Attack all the layers secure 360
Attack all the layers secure 360Scott Sutherland
 
Ch 10: Attacking Back-End Components
Ch 10: Attacking Back-End ComponentsCh 10: Attacking Back-End Components
Ch 10: Attacking Back-End ComponentsSam Bowne
 
Ch 11: Hacking Wireless Networks
Ch 11: Hacking Wireless NetworksCh 11: Hacking Wireless Networks
Ch 11: Hacking Wireless NetworksSam Bowne
 
Server Hardening Primer - Eric Vanderburg - JURINNOV
Server Hardening Primer - Eric Vanderburg - JURINNOVServer Hardening Primer - Eric Vanderburg - JURINNOV
Server Hardening Primer - Eric Vanderburg - JURINNOVEric Vanderburg
 
CNIT 152: 6. Scope & 7. Live Data Collection
CNIT 152: 6. Scope & 7. Live Data CollectionCNIT 152: 6. Scope & 7. Live Data Collection
CNIT 152: 6. Scope & 7. Live Data CollectionSam Bowne
 
The Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaThe Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaEC-Council
 
CNIT 126 11. Malware Behavior
CNIT 126 11. Malware BehaviorCNIT 126 11. Malware Behavior
CNIT 126 11. Malware BehaviorSam Bowne
 
Ch 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS VulnerabilitesCh 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS VulnerabilitesSam Bowne
 
CNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationCNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationSam Bowne
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat Security Conference
 
CNIT 128 8. Android Implementation Issues (Part 2)
CNIT 128 8. Android Implementation Issues (Part 2)CNIT 128 8. Android Implementation Issues (Part 2)
CNIT 128 8. Android Implementation Issues (Part 2)Sam Bowne
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgSam Bowne
 
CNIT 128 3. Attacking iOS Applications (Part 2)
CNIT 128 3. Attacking iOS Applications (Part 2)CNIT 128 3. Attacking iOS Applications (Part 2)
CNIT 128 3. Attacking iOS Applications (Part 2)Sam Bowne
 
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...The Linux Foundation
 
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...BlueHat Security Conference
 
CNIT 152: 10 Enterprise Services
CNIT 152: 10 Enterprise ServicesCNIT 152: 10 Enterprise Services
CNIT 152: 10 Enterprise ServicesSam Bowne
 
CNIT 123 Ch 10: Hacking Web Servers
CNIT 123 Ch 10: Hacking Web ServersCNIT 123 Ch 10: Hacking Web Servers
CNIT 123 Ch 10: Hacking Web ServersSam Bowne
 

Was ist angesagt? (20)

CNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS VulnerabilitesCNIT 123: 8: Desktop and Server OS Vulnerabilites
CNIT 123: 8: Desktop and Server OS Vulnerabilites
 
Attack all the layers secure 360
Attack all the layers secure 360Attack all the layers secure 360
Attack all the layers secure 360
 
Ch 10: Attacking Back-End Components
Ch 10: Attacking Back-End ComponentsCh 10: Attacking Back-End Components
Ch 10: Attacking Back-End Components
 
Ch 11: Hacking Wireless Networks
Ch 11: Hacking Wireless NetworksCh 11: Hacking Wireless Networks
Ch 11: Hacking Wireless Networks
 
Server Hardening Primer - Eric Vanderburg - JURINNOV
Server Hardening Primer - Eric Vanderburg - JURINNOVServer Hardening Primer - Eric Vanderburg - JURINNOV
Server Hardening Primer - Eric Vanderburg - JURINNOV
 
CNIT 152: 6. Scope & 7. Live Data Collection
CNIT 152: 6. Scope & 7. Live Data CollectionCNIT 152: 6. Scope & 7. Live Data Collection
CNIT 152: 6. Scope & 7. Live Data Collection
 
The Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George DobreaThe Dark Side of PowerShell by George Dobrea
The Dark Side of PowerShell by George Dobrea
 
9: OllyDbg
9: OllyDbg9: OllyDbg
9: OllyDbg
 
CNIT 126 11. Malware Behavior
CNIT 126 11. Malware BehaviorCNIT 126 11. Malware Behavior
CNIT 126 11. Malware Behavior
 
Ch 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS VulnerabilitesCh 8: Desktop and Server OS Vulnerabilites
Ch 8: Desktop and Server OS Vulnerabilites
 
CNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic DuplicationCNIT 121: 8 Forensic Duplication
CNIT 121: 8 Forensic Duplication
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
 
CNIT 128 8. Android Implementation Issues (Part 2)
CNIT 128 8. Android Implementation Issues (Part 2)CNIT 128 8. Android Implementation Issues (Part 2)
CNIT 128 8. Android Implementation Issues (Part 2)
 
Windows server hardening 1
Windows server hardening 1Windows server hardening 1
Windows server hardening 1
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
 
CNIT 128 3. Attacking iOS Applications (Part 2)
CNIT 128 3. Attacking iOS Applications (Part 2)CNIT 128 3. Attacking iOS Applications (Part 2)
CNIT 128 3. Attacking iOS Applications (Part 2)
 
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
 
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
 
CNIT 152: 10 Enterprise Services
CNIT 152: 10 Enterprise ServicesCNIT 152: 10 Enterprise Services
CNIT 152: 10 Enterprise Services
 
CNIT 123 Ch 10: Hacking Web Servers
CNIT 123 Ch 10: Hacking Web ServersCNIT 123 Ch 10: Hacking Web Servers
CNIT 123 Ch 10: Hacking Web Servers
 

Andere mochten auch

The Mobile Internet of Things and Cyber Security
The Mobile Internet of Things and Cyber Security The Mobile Internet of Things and Cyber Security
The Mobile Internet of Things and Cyber Security NCC Group
 
2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_room2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_roomNCC Group
 
Pki 201 Key Management
Pki 201 Key ManagementPki 201 Key Management
Pki 201 Key ManagementNCC Group
 
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 02013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0NCC Group
 
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_designNCC Group
 
How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)NCC Group
 
Practical SME Security on a Shoestring
Practical SME Security on a ShoestringPractical SME Security on a Shoestring
Practical SME Security on a ShoestringNCC Group
 
Pki 202 Architechture Models and CRLs
Pki 202 Architechture Models and CRLsPki 202 Architechture Models and CRLs
Pki 202 Architechture Models and CRLsNCC Group
 
Ncc group overview presentation august 2012 final
Ncc group overview presentation august 2012 finalNcc group overview presentation august 2012 final
Ncc group overview presentation august 2012 finalTony_Clarke
 
Mobile App Security: Enterprise Checklist
Mobile App Security: Enterprise ChecklistMobile App Security: Enterprise Checklist
Mobile App Security: Enterprise ChecklistJignesh Solanki
 
NCC Group Presentation
NCC Group PresentationNCC Group Presentation
NCC Group PresentationNCC AB
 
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC GroupA (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC GroupEC-Council
 
Cryptography101
Cryptography101Cryptography101
Cryptography101NCC Group
 
Ncc Group Escrow Overview 2010
Ncc Group Escrow Overview 2010Ncc Group Escrow Overview 2010
Ncc Group Escrow Overview 2010Jonnyhyde
 
How Spotify Helps Their Engineers Grow - Chris Angove
How Spotify Helps Their Engineers Grow - Chris AngoveHow Spotify Helps Their Engineers Grow - Chris Angove
How Spotify Helps Their Engineers Grow - Chris AngoveHakka Labs
 
Current & Emerging Cyber Security Threats
Current & Emerging Cyber Security ThreatsCurrent & Emerging Cyber Security Threats
Current & Emerging Cyber Security ThreatsNCC Group
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleNCC Group
 
Private sector cyber resilience and the role of data diodes
Private sector cyber resilience and the role of data diodesPrivate sector cyber resilience and the role of data diodes
Private sector cyber resilience and the role of data diodesOllie Whitehouse
 

Andere mochten auch (19)

The Mobile Internet of Things and Cyber Security
The Mobile Internet of Things and Cyber Security The Mobile Internet of Things and Cyber Security
The Mobile Internet of Things and Cyber Security
 
2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_room2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_room
 
Pki 201 Key Management
Pki 201 Key ManagementPki 201 Key Management
Pki 201 Key Management
 
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 02013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
 
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
 
How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)
 
Practical SME Security on a Shoestring
Practical SME Security on a ShoestringPractical SME Security on a Shoestring
Practical SME Security on a Shoestring
 
Pki 202 Architechture Models and CRLs
Pki 202 Architechture Models and CRLsPki 202 Architechture Models and CRLs
Pki 202 Architechture Models and CRLs
 
Ncc group overview presentation august 2012 final
Ncc group overview presentation august 2012 finalNcc group overview presentation august 2012 final
Ncc group overview presentation august 2012 final
 
Mobile App Security: Enterprise Checklist
Mobile App Security: Enterprise ChecklistMobile App Security: Enterprise Checklist
Mobile App Security: Enterprise Checklist
 
NCC Group Presentation
NCC Group PresentationNCC Group Presentation
NCC Group Presentation
 
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC GroupA (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
A (not-so-quick) Primer on iOS Encryption David Schuetz - NCC Group
 
Cryptography101
Cryptography101Cryptography101
Cryptography101
 
Cryptography - 101
Cryptography - 101Cryptography - 101
Cryptography - 101
 
Ncc Group Escrow Overview 2010
Ncc Group Escrow Overview 2010Ncc Group Escrow Overview 2010
Ncc Group Escrow Overview 2010
 
How Spotify Helps Their Engineers Grow - Chris Angove
How Spotify Helps Their Engineers Grow - Chris AngoveHow Spotify Helps Their Engineers Grow - Chris Angove
How Spotify Helps Their Engineers Grow - Chris Angove
 
Current & Emerging Cyber Security Threats
Current & Emerging Cyber Security ThreatsCurrent & Emerging Cyber Security Threats
Current & Emerging Cyber Security Threats
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By Example
 
Private sector cyber resilience and the role of data diodes
Private sector cyber resilience and the role of data diodesPrivate sector cyber resilience and the role of data diodes
Private sector cyber resilience and the role of data diodes
 

Ähnlich wie Deriving intelligence from USB stack interactions

Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Jarod Wang
 
MattsonTutorialSC14.pptx
MattsonTutorialSC14.pptxMattsonTutorialSC14.pptx
MattsonTutorialSC14.pptxgopikahari7
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
 
EuroBSDcon 2017 System Performance Analysis Methodologies
EuroBSDcon 2017 System Performance Analysis MethodologiesEuroBSDcon 2017 System Performance Analysis Methodologies
EuroBSDcon 2017 System Performance Analysis MethodologiesBrendan Gregg
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesScott K. Larson
 
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022Stefano Stabellini
 
Windows Remote Management - EN
Windows Remote Management - ENWindows Remote Management - EN
Windows Remote Management - ENKirill Nikolaev
 
Getting started with RISC-V verification what's next after compliance testing
Getting started with RISC-V verification what's next after compliance testingGetting started with RISC-V verification what's next after compliance testing
Getting started with RISC-V verification what's next after compliance testingRISC-V International
 
Sharing-Knowledge-OAM-3G-Ericsson .ppt
Sharing-Knowledge-OAM-3G-Ericsson .pptSharing-Knowledge-OAM-3G-Ericsson .ppt
Sharing-Knowledge-OAM-3G-Ericsson .pptwafawafa52
 
Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Michael Man
 
Container & kubernetes
Container & kubernetesContainer & kubernetes
Container & kubernetesTed Jung
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
 
Sector Sphere 2009
Sector Sphere 2009Sector Sphere 2009
Sector Sphere 2009lilyco
 
sector-sphere
sector-spheresector-sphere
sector-spherexlight
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource KernelsSilvio Cesare
 
What the Heck Just Happened?
What the Heck Just Happened?What the Heck Just Happened?
What the Heck Just Happened?Ken Evans
 
(CMP402) Amazon EC2 Instances Deep Dive
(CMP402) Amazon EC2 Instances Deep Dive(CMP402) Amazon EC2 Instances Deep Dive
(CMP402) Amazon EC2 Instances Deep DiveAmazon Web Services
 
Monitoring in Motion: Monitoring Containers and Amazon ECS
Monitoring in Motion: Monitoring Containers and Amazon ECSMonitoring in Motion: Monitoring Containers and Amazon ECS
Monitoring in Motion: Monitoring Containers and Amazon ECSAmazon Web Services
 

Ähnlich wie Deriving intelligence from USB stack interactions (20)

Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0Solaris Kernel Debugging V1.0
Solaris Kernel Debugging V1.0
 
MattsonTutorialSC14.pptx
MattsonTutorialSC14.pptxMattsonTutorialSC14.pptx
MattsonTutorialSC14.pptx
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbg
 
EuroBSDcon 2017 System Performance Analysis Methodologies
EuroBSDcon 2017 System Performance Analysis MethodologiesEuroBSDcon 2017 System Performance Analysis Methodologies
EuroBSDcon 2017 System Performance Analysis Methodologies
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
 
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
 
Windows Remote Management - EN
Windows Remote Management - ENWindows Remote Management - EN
Windows Remote Management - EN
 
Getting started with RISC-V verification what's next after compliance testing
Getting started with RISC-V verification what's next after compliance testingGetting started with RISC-V verification what's next after compliance testing
Getting started with RISC-V verification what's next after compliance testing
 
Hot tutorials
Hot tutorialsHot tutorials
Hot tutorials
 
Sharing-Knowledge-OAM-3G-Ericsson .ppt
Sharing-Knowledge-OAM-3G-Ericsson .pptSharing-Knowledge-OAM-3G-Ericsson .ppt
Sharing-Knowledge-OAM-3G-Ericsson .ppt
 
Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!Continuous Security: From tins to containers - now what!
Continuous Security: From tins to containers - now what!
 
Container & kubernetes
Container & kubernetesContainer & kubernetes
Container & kubernetes
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbg
 
Sector Sphere 2009
Sector Sphere 2009Sector Sphere 2009
Sector Sphere 2009
 
sector-sphere
sector-spheresector-sphere
sector-sphere
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource Kernels
 
What the Heck Just Happened?
What the Heck Just Happened?What the Heck Just Happened?
What the Heck Just Happened?
 
(CMP402) Amazon EC2 Instances Deep Dive
(CMP402) Amazon EC2 Instances Deep Dive(CMP402) Amazon EC2 Instances Deep Dive
(CMP402) Amazon EC2 Instances Deep Dive
 
Monitoring in Motion: Monitoring Containers and Amazon ECS
Monitoring in Motion: Monitoring Containers and Amazon ECSMonitoring in Motion: Monitoring Containers and Amazon ECS
Monitoring in Motion: Monitoring Containers and Amazon ECS
 
MattsonTutorialSC14.pdf
MattsonTutorialSC14.pdfMattsonTutorialSC14.pdf
MattsonTutorialSC14.pdf
 

Kürzlich hochgeladen

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 

Kürzlich hochgeladen (20)

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 

Deriving intelligence from USB stack interactions

  • 1. Revealing Embedded Fingerprints: Deriving intelligence from USB stack interactions Andy Davis, Research Director NCC Group Image from: p1fran.com
  • 2. UK Offices Manchester - Head Office Cheltenham Edinburgh Leatherhead London Thame North American Offices San Francisco Atlanta New York Seattle Australian Offices Sydney European Offices Amsterdam - Netherlands Munich – Germany Zurich - Switzerland
  • 3. Agenda Part One: • Overview of the USB enumeration phase • Different USB stack implementations • USB testing platform • Installed drivers and supported devices • Fingerprinting techniques • Umap demo Part Two: • The Windows 8 RNDIS kernel pool overflow • Challenges faced when exploiting USB bugs • Conclusions
  • 4. Part One: Information gathering • Why do we care? • If you connect to a device surely you already know the platform? • Embedded devices are mostly based on Linux anyway aren't they? • Allows you to focus your testing on only supported functionality
  • 5. USB Background stuff Image from: blog.brickhousesecurity.com
  • 6. Overview of the USB enumeration phase • What is enumeration for? • Assign an address • Speed of communication • Power requirements • Configuration options • Device descriptions • Identify class drivers • Lots of information exchange – implemented in many different ways Image from :http://ewalk2.blog117.fc2.com
  • 7. The USB enumeration phase < Get Device descriptor > Set Address < Get Device descriptor < Get Configuration descriptor < Get String descriptor 0 < Get String descriptor 2 < Get Configuration descriptor < Get Configuration descriptor > Set Configuration
  • 8. Enumeration phase peculiarities • Why is the device descriptor initially requested twice? • Why are there multiple requests for other descriptors? • Class-specific descriptors: < Get Hub descriptor < Get HID Report descriptor
  • 9. Different USB stack implementations • Typical components of a USB stack • Windows USB driver stack • Linux USB stack • Embedded Access USB stack Image from: blogs.msdn.com
  • 10. Typical components of a USB stack • Host Controller hardware • USB System software: • Host Controller Driver – Hardware Abstraction Layer • USB Driver • Class drivers • Application software Image from: www.wired.com
  • 11. Windows USB driver stack Image from: msdn.microsoft.com
  • 12. Linux USB stack Image from: www.linux-usb.org
  • 13. Embedded Access USB stack Image from: www.embedded-access.com
  • 14. Interacting with USB Image from: www.nvish.com
  • 15. USB interaction requirements • Need to capture and replay USB traffic • Full control of generated traffic • Class decoders extremely useful • Support for Low/High/Full speed required • USB 3.0 a bonus
  • 16. USB testing – gold-plated solution • Commercial test equipment
  • 17. USB testing – the cheaper approach • Facedancer (http://goodfet.sourceforge.net/hardware/facedancer21)
  • 18. Best solution: A combination of both • Device data can be carefully crafted • Host response data can be captured • Microsecond timing is also recorded • All class-specific data is decoded
  • 20. Target list • Windows 8 • Ubuntu Linux 12.04 LTS • Apple OS X Lion • FreeBSD 5.3 • Chrome OS • Linux-based TV STB
  • 21. Installed drivers and supported devices • Enumerating supported class types – standard USB drivers • Enumerating all installed drivers • Other devices already connected
  • 22. Enumerating supported class types Where is USB class information stored? Device Descriptor Interface Descriptor
  • 23. Installed drivers and supported devices • Drivers are referenced by class (Device and Interface descriptors) • Also, by VID and PID: • For each device class VID and PID values can be brute-forced (can easily be scripted using Facedancer) • Although there may be some shortcuts…. • Valid PIDs and VIDs are available (http://www.linux-usb.org/usb.ids)
  • 24. Enumerating installed drivers Not installed: All communication stops after “Set Configuration” Installed:
  • 25. Sniffing the bus - Other connected devices • Data from other devices will be displayed on other addresses • Controlling other devices? (untested)
  • 26. Fingerprinting techniques • Descriptor request patterns • Timing information • Descriptor types requested • Responses to invalid data • Order of Descriptor requests
  • 27. OS Identification Linux-based TV STB Windows 8 < Get Max LUN (Mass Storage) > CBW: INQUIRY < MSC Data In < CSW - Status Passed > CBW: TEST UNIT READY < CSW - Status Passed > CBW: READ CAPACITY < MSC Data In < CSW - Status Passed > CBW: MODE SENSE < Get Max LUN (Mass Storage) > CBW: INQUIRY < MSC Data In < CSW - Status Passed > CBW: INQUIRY < MSC Data In < CSW - Status Passed > CBW: READ FORMAT CAPACITIES < MSC Data In < CSW - Status Passed
  • 28. Application identification gphoto2 (Linux) “Photos” Metro app (Windows 8) > Image: OpenSession < Image: OK > Image: GetDeviceInfo < Image: DeviceInfo < Image: OK > Image: GetStorageIDs < Image: StorageIDs < Image: OK > Image: GetStorageInfo < Image: StorageInfo < Image: OK > Image: CloseSession < Image: OK > Image: OpenSession < Image: OK > Image: GetDeviceInfo < Image: DeviceInfo < Image: OK > Image: SetDevicePropValue > Image: DeviceProperty < Image: OK < Image: DeviceInfoChanged DeviceProperty includes some text: /Windows/6.2.9200 MTPClassDriver/6.2.9200.16384
  • 29. Request patterns unique elements? • Windows 8 (HID) – 3 x Get Configuration descriptor requests (others have two) • Apple OS X Lion (HID) – Set Feature request right after Set Configuration • FreeBSD 5.3 (HID) – Get Status request right before Set Configuration • Linux-based TV STB (Mass Storage) – Order of class-specific requests
  • 30. Timing information (work in progress…)
  • 31. Timing information (work in progress…)
  • 32. Using timing information? (work in progress…) • Large amount of variance over entire enumeration phase: • 4.055s, 3.834s, 3.612s, 3.403s, 3.089s • Much greater accuracy between specific requests: • Between String Descriptor #0 and #2 requests - 5002us, 5003us, 5003us, 4999us, 5001us • If we know the OS can we potentially determine the processor speed?
  • 33. Descriptor types requested • Microsoft OS Descriptors (MOD) • Used for “unusual” devices classes • Devices that support Microsoft OS Descriptors must store a special USB string descriptor in firmware at the fixed string index of 0xEE. The request is:
  • 34. Responses to invalid data • Different USB stacks respond to invalid data in different ways • Maximum and minimum values • Logically incorrect values • Missing data • In some cases: Crashes (potential vulnerabilities) • Other cases: Unique behaviour Image from: windows7.iyogi.com
  • 35. Invalid data unique elements? Windows (all versions) If you send a specific, logically incorrect HID Report descriptor this happens:
  • 36. Invalid data unique elements? Windows (all versions) If you send a specific, logically incorrect HID Report descriptor this happens:
  • 37. Order of Descriptor requests • Some USB stacks request data from devices in a different order • Different drivers may request different descriptors multiple times • Sometimes descriptors are re-requested after enumeration is complete
  • 38. Demo: umap Image from: us.cdn4.123rf.com
  • 39. Umap overview • Supported device classes can be enumerated • Operating system information can be enumerated • Devices with specific VID/PID/REV can be emulated • The enumeration phase and class-specific data can be fuzzed • Endpoint protection systems configuration can be assessed • Endpoint protection systems USB protection can be circumvented • USB host implementations can be comprehensively tested
  • 40. Part Two: Potentially exploitable USB bugs Image from: www.biro-media.hr
  • 41. The Windows 8 RNDIS kernel pool overflow • MS13-027 • usb8023x.sys - default (Microsoft-signed) Windows Remote NDIS driver that provides network connectivity over USB. • When the following USB descriptor field is manipulated a Bug check occurs indicating a kernel pool overwrite: Configuration descriptor: bNumInterfaces field > actual number of USB interfaces
  • 42. The Bug Check BAD_POOL_HEADER (19) The pool is already corrupt at the time of the current request. <Truncated for brevity> Arguments: Arg1: 00000020, a pool block header size is corrupt. Arg2: 83e38610, The pool entry we were looking for within the page. Arg3: 83e38690, The next pool entry. Arg4: 08100008, (reserved) <Truncated for brevity> WARNING: SystemResourcesList->Flink chain invalid. Resource may be corrupted, or already deleted. WARNING: SystemResourcesList->Blink chain invalid. Resource may be corrupted, or already deleted. SYMBOL_NAME: usb8023x!SelectConfiguration+1bd
  • 45. Analysis #1 When bNumInterfaces = 3 (one more than it should be) and bNumEndpoints = 2 (valid value) Next kernel pool: 849c3b28 10 00 0a 04 56 61 64 6c-6b 8f 94 85 28 8c 90 85 ....Vadlk...(... becomes: 849c3b28 00 00 0a 04 56 61 64 6c-6b 8f 94 85 28 8c 90 85 ....Vadlk...(... So we’re overwriting "PreviousSize" in the next nt!_POOL_HEADER - this is what triggered the original Bug Check when ExFreePool() is called
  • 46. Analysis #2 When bNumInterfaces = 3 (one more than it should be) and bNumEndpoints = 5 (three more than it should be) Next kernel pool: 84064740 17 00 03 00 46 72 65 65-48 2d 09 84 30 a8 17 84 ....FreeH-..0... becomes: 84064740 17 00 03 00 00 72 65 65-48 2d 09 84 30 a8 17 84 .....reeH-..0... So we’re now overwriting "PoolTag" in the next nt!_POOL_HEADER
  • 47. What’s going on? kd> dt nt!_POOL_HEADER – +0x000 PreviousSize : Pos 0, 8 Bits – +0x000 PoolIndex : Pos 8, 8 Bits – +0x000 BlockSize : Pos 16, 8 Bits – +0x000 PoolType : Pos 24, 8 Bits – +0x004 PoolTag : Uint4B – +0x008 ProcessBilled : Ptr64 _EPROCESS By manipulating bNumInterfaces and bNumEndpoints in a USB Configuration descriptor we appear to have a degree of control over where in the next adjacent kernel memory pool we can overwrite a single byte with a null (the null write occurs four bytes after the end of the pool I control and I can also control its size and some elements of its contents so could also potentially overwrite the next pool header with something useful)
  • 49. Challenges faced when exploiting USB bugs • Lack of feedback channel • The bug is often in kernel code • Descriptors are generally very size-constrained • Typical impact of USB exploitation typically restricted to privilege escalation • Modern operating systems e.g. Windows 8 have comprehensive exploit mitigation • What about USB over RDP? Image from: leadershipfreak.wordpress.com
  • 50. Conclusions • The USB enumeration phase reveals useful information for fingerprinting • Class-specific communication is potentially even more revealing • Even vendors with mature SDL processes have USB bugs • USB bugs can potentially be exploited, to provide privilege escalation • …but it is extremely difficult to achieve reliably
  • 51. Questions? Andy Davis, Research Director NCC Group andy.davis ‘at’ nccgroup ‘dot’ com