SlideShare ist ein Scribd-Unternehmen logo

Philip polstra

Als ODP, PDF herunterladen
Philip Polstra
Philip Polstra

DEFCON XX presentation on how to use a simple microcontroller device to make your USB mass storage device look like one that is authorized to be mounted. Also provides the ability to write block the drive to prevent deletion of security tools during use.

Technologie
1 von 60
Bypassing Endpoint Security for $20 or Less Philip A. Polstra, Sr. @ppolstra ppolstra.blogspot.com
Roadmap • Why this talk? • Who is this dude talking at me? • Brief history of USB • How does USB work? • It’s all descriptors and endpoints • Bulk-only mass storage devices • Bypassing endpoint security • Microcontrollers are fun (and cheap) • Food for thought
Why this talk? • Many organizations have begun to use endpoint security programs to restrict use of portable media • Many software tools do the USB equivalent of MAC filtering – only allow authorized VID/PID • For $18-30 can easily construct device to allow any mass storage device to impersonate authorized device • Allows injection/extraction
Who am I anyway? • Teach computer security at a private university • Like to hack hardware • Have been known to fly and build airplanes • Been known to play with USB devices
Brief History or USB • Non-universal serial, PS/2 ports, & LPT • 1996 USB 1.0 (1.5 or 12 Mbps) • 1998 USB 1.1 • 2000 USB 2.0 (1.5, 12, or 480 Mbps) • Long pause • 2008 USB 3.0 (up to 5 Gbps)
How does USB Work?
Hardware • Simple 4-wire connection (power, ground, 2 data wires) • Cabling prevents improper connections • Hot pluggable • Differential voltages provide greater immunity to noise • Cable lengths up to 16 feet are possible Pin Name Cable color Description 1 VBUS Red +5 V 2 D− White Data − 3 D+ Green Data + 4 GND Black Ground
Software • Automatic configuration • No settable jumpers • Enumeration • Standard device classes with corresponding drivers – HID – Printer – Audio – Mass Storage
Connecting a Device • Device is connected • Hub detects • Host (PC) is informed of new device • Hub determines device speed capability as indicated by location of pull-up resistors • Hub resets the device • Host determines if device is capable of high speed (using chirps) • Hub establishes a signal path • Host requests descriptor from device to determine max packet size • Host assigns an address • Host learns devices capabilities • Host assigns and loads an appropriate device driver (INF file) • Device driver selects a configuration
It’s all descriptors and endpoints
Endpoints • The virtual wire for USB communications • All endpoints are one way (direction relative to host) • Packet fragmentation, handshaking, etc. done by hardware (usually) • High bit of address tells direction 1=in 0=out • Types of endpoints – Control – Bulk transport – Interrupt – Isochronous
Control Endpoints • Primary mechanism for most devices to communicate with host • Every device must have at least one in and out control endpoint EP0 • Device must respond to standard requests – Get/set address, descriptors, power, and status • Device may respond to class specific requests • Device may respond to vendor specific requests
Control Endpoints (continued) • May have up to 3 transport stages: Setup, Data, Status • Setup stage – Host sends Setup token then data packet containing setup request – If device receives a valid setup packet, an ACK is returned – Setup request is 8 bytes – 1st byte is bitmap telling type of request & recipient (device, interface, endpoint) – Remaining bytes are parameters for request and response • Data stage (optional) – requested info transmitted • Status stage – zero length data packet sent as ACK on success
Interrupt & Isochronous Endpoints • Interrupt endpoints – Used to avoid polling and busy waits – Keyboards are a good example – Usually low speed (allows for longer cables, etc.) • Isochronous endpoints – Guaranteed bandwidth – Used primarily for time-critical apps such as streaming media
Bulk Endpoints • No latency guarantees • Good performance on an idle bus • Superseded by all other transport types • Full (8-64 byte packets) & high speed (512 byte packets) only • Used extensively in USB flash drives (and external hard drives) • Transactions consist of a token packet, 0 or more data packets, and an ACK handshake packet (if successful)
Descriptors • They describe things (duh!) • Have a standard format – 1st byte is the length in bytes (so you known when you’re done) – 2nd byte determines type of descriptor – Remaining bytes are the descriptor itself • Common types – Device: tells you basic info about the device – Configuration: how much power needed, number of interfaces, etc. – Interface: How do I talk to the device – Endpoint: Direction, type, number, etc. – String: Describe something in unicode text
Device Descriptor Offset Field Size Value Description 0 bLength 1 Number 18 bytes 1 bDescriptorType 1 Constant Device Descriptor (0x01) 2 bcdUSB 2 BCD 0x200 4 bDeviceClass 1 Class Class Code 5 bDeviceSubClass 1 SubClass Subclass Code 6 bDeviceProtocol 1 Protocol Protocol Code 7 bMaxPacketSize 1 Number Maxi Packet Size EP0 8 idVendor 2 ID Vendor ID 10 idProduct 2 ID Product ID 12 bcdDevice 2 BCD Device Release Number 14 iManufacturer 1 Index Index of Manu Descriptor 15 iProduct 1 Index Index of Prod Descriptor 16 iSerialNumber 1 Index Index of SN Descriptor 17 bNumConfigurations 1 Integer Num Configurations
Configuration Descriptor (header) Offset Field Size Value Description 0 bLength 1 Number Size in Bytes 1 bDescriptorType 1 Constant 0x02 2 wTotalLength 2 Number Total data returned 4 bNumInterfaces 1 Number Num Interfaces 5 bConfigurationValue 1 Number Con number 6 iConfiguration 1 Index String Descriptor 7 bmAttributes 1 Bitmap b7 Reserved, set to 1. b6 Self Powered b5 Remote Wakeup b4..0 Reserved 0. 8 bMaxPower 1 mA Max Power in mA/2
Interface Descriptor Offset Field Size Value Description 0 bLength 1 Number 9 Bytes 1 bDescriptorType 1 Constant 0x04 2 bInterfaceNumber 1 Number Number of Interface 3 bAlternateSetting 1 Number Alternative setting 4 bNumEndpoints 1 Number Number of Endpoints used 5 bInterfaceClass 1 Class Class Code 6 bInterfaceSubClass 1 SubClass Subclass Code 7 bInterfaceProtocol 1 Protocol Protocol Code 8 iInterface 1 Index Index of String Descriptor
Endpoint Descriptor Offset Field Size Value Description 0 bLength 1 Number Size of Descriptor (7 bytes) 1 bDescriptorType 1 Constant Endpoint Descriptor (0x05) 2 bEndpointAddress 1 Endpoint b0..3 Endpoint Number. b4..6 Reserved. Set to Zero b7 Direction 0 = Out, 1 = In 3 bmAttributes 1 Bitmap b0..1 Transfer Type 10 = Bulk b2..7 are reserved. I 4 wMaxPacketSize 2 Number Maximum Packet Size 6 bInterval 1 Number Interval for polling endpoint data
String Descriptors Offset Field Size Value Description 0 bLength 1 Number Size of Descriptor in Bytes 1 bDescriptorType 1 Constant String Descriptor (0x03) 2 bString n Unicode Unicode Encoded String N o t e : S tr in g 0 is
Now that we have learned a little about general devices, without further delay… Bulk-only mass storage Devices
USB Flash Drives • Hardware • Software • Filesystems • Talk to a flash drive
Hardware
Hardware (continued) • Typically utilize NAND flash memory • Memory degrades after 10,000 write cycles • Most chips not even close to high-speed USB speed (480 Mbps) • Can only be written in blocks (usually 512, 2048, or 4096 bytes) • Chips are somewhat easily removed from damaged drives for forensic recovery • Some controllers have JTAG capability which can be used for memory access • Some controller chips steal some flash memory for themselves
Hardware (continued) • Nearly all flash drives present themselves as SCSI hard drives • “Hard drive” sectors are typically 512, 2048, or 4096 bytes • SCSI transparent command set is used • Most drives are formatted as one partition or logical unit – Additional logical units can hide info from Windows machines • Reported size may not match actual media size – Info can be hidden in higher sectors – Some cheap drives are out there that grossly over report size – A typical 512 byte sector needs 16 bytes for error correction
Software • Usually implemented in firmware within specialized controller chips • Must: – Detect communication directed at drive – Respond to standard requests – Check for errors – Manage power – Exchange data
Filesystems • Most preformatted with FAT or FAT32 • NTFS • TrueFFS • ExtremeFFS • JFFS • YAFFS • Various UNIX/Linux file systems
Talking to a Flash Drive • Bulk-Only Mass Storage (aka BBB) protocol used – All communications use bulk endpoints – Three phases: CBW, data-transport (optional), CSW – Commands sent to drive using a Command Block Wrapper (CBW) – CBW contains Command Block (CB) with actual command – Nearly all drives use a (reduced) SCSI command set – Commands requiring data transport will send/receive on bulk endpoints – All transactions are terminated by a Command Status Wrapper (CSW)
Command Block Wrapper typedef struct _USB_MSI_CBW { unsigned long dCBWSignature; //0x43425355 “USBC” unsigned long dCBWTag; // associates CBW with CSW response unsigned long dCBWDataTransferLength; // bytes to send or receive unsigned char bCBWFlags; // bit 7 0=OUT, 1=IN all others zero unsigned char bCBWLUN; // logical unit number (usually zero) unsigned char bCBWCBLength; // 3 hi bits zero, rest bytes in CB unsigned char bCBWCB[16]; // the actual command block (>= 6 bytes) } USB_MSI_CBW;
Command Block • 6-16 bytes depending on command • Command is first byte • Format Unit Example: typedef struct _CB_FORMAT_UNIT { unsigned char OperationCode; //must be 0x04 unsigned char LUN:3; // logical unit number (usually zero) unsigned char FmtData:1; // if 1, extra parameters follow command unsigned char CmpLst:1; // if 0, partial list of defects, 1, complete unsigned char DefectListFormat:3; //000 = 32-bit LBAs unsigned char VendorSpecific; //vendor specific code unsigned short Interleave; //0x0000 = use vendor default unsigned char Control; } CB_FORMAT_UNIT;
Command Block (continued) • Read (10) Example: typedef struct _CB_READ10 { unsigned char OperationCode; //must be 0x28 unsigned char RelativeAddress:1; // normally 0 unsigned char Resv:2; unsigned char FUA:1; // 1=force unit access, don't use cache unsigned char DPO:1; // 1=disable page out unsigned char LUN:3; //logical unit number unsigned long LBA; //logical block address (sector number) unsigned char Reserved; unsigned short TransferLength; unsigned char Control; } CB_READ10;
Command Block (continued) • Some Common SCSI Commands: FORMAT_UNIT=0x4, //required INQUIRY=0x12, //required MODE_SELECT6=0x15, MODE_SELECT10=0x55, MODE_SENSE6=0x1A, MODE_SENSE10=0x5A, READ6=0x08, //required READ10=0x28, //required READ12=0xA8, READ_CAPACITY10=0x25, //required READ_FORMAT_CAPACITIES=0x23, REPORT_LUNS=0xA0, //required REQUEST_SENSE=0x03, //required SEND_DIAGNOSTIC=0x1D, //required START_STOP_UNIT=0x1B, SYNCHRONIZE_CACHE10=0x35, TEST_UNIT_READ=0x00, //required VERIFY10=0x2F, WRITE6=0x0A, //required WRITE10=0x2A, WRITE12=0xAA
Command Status Wrapper • Read Sense command can be used for details on failed operations typedef struct _USB_MSI_CSW { unsigned long dCSWSignature; //0x53425355 “USBS” unsigned long dCSWTag; // associate CBW with CSW response unsigned long dCSWDataResidue; // difference between requested data and actual unsigned char bCSWStatus; //00=pass, 01=fail, 02=phase error, reset } USB_MSI_CSW;
Now that we know how bulk-only mass storage devices work… How do I bypass endpoint security?
Impersonating another device • Social engineering USB style • Providing an authorized VID/PID allows device connection – Backdoors and other useful items can be injected – Information can be extracted to portable media • Device design allows optional write blocking
Enough background. Let the fun begin… Microcontrollers are fun (and cheap)
Fun with Microcontrollers • Chip Choice • A Microcontroller-Based Impersonator
Chip Choice Options • AVR (as found in Arduino family) – Cheap – Well understood – Loads of code out there – Too underpowered to do USB without external components (<20MHz) • PIC family – Relatively cheap – Programming somewhat more involved than AVR – Newer chips SMD only, not easy DIP package – Some USB device code, but not host code out there
Chip Choice Winner • None of the above • FTDI Vinculum II – Relatively new chip – A little faster than AVRs (48 MHz) – Real-time multi-threaded OS – Libraries for several standard USB classes – BOMS is one – but we can’t use it for this project, unfortunately – Unlike AVR, different pin packages differ only with GPIO lines available – Same flash memory – Same RAM
Chip Choice • FTDI Vinculum II dual USB host/slave controller – 2 full-speed USB 2.0 interfaces (host or slave capable) – 256 KB E-flash memory – 16 KB RAM – 2 SPI slave and 1 SPI master interfaces – Easy-to-use IDE – Simultaneous multiple file access on BOMS devices • Several development modules available – Convenient for prototyping (only SMD chips available) – Cheap enough to embed in final device – One format is Arduino clone (Vinco)
Chip Choice (continued)
Chip Choice (continued)
Chip Choice (continued) l
Chip Choice (continued)
Package A - Small & only 4 Pins to Solder* *I f y o u a
Package B – Slightly Larger-No Soldering* * S e
Microcontroller-Based Impersonator • Enumerate an attached mass storage drive • When PC attempts to connect drive try to provide an authorized VID/PID • If unsuccessful try another VID/PID till it works
Impersonator High-Level Design • One thread associated with slave port to appear as a BOMS device – One thread watches control endpoint and services requests from host • One thread associated with the host port for talking to flash drive – Thread enumerates the device and gets endpoints. Then periodically checks to see if the drive is still there • Main thread bridges slave and host – Non-CBW packets (data packets) are passed through to host port – Whitelisted CBWs are also passed on to host port (if write blocking) • Timer thread – When enumeration starts timer is set – If drive is not connected another VID/PID is tried • Button thread – Reads buttons and adjusts status accordingly
The Main Thread • Waits for CBW packets to arrive on Bulk Out endpoint • Calls appropriate handler function based on command – Whitelisted commands: – Forward CBW to drive – Perform Data phase (if any) with drive and forward to PC – Received CSW from device and forward to PC – Non-whitelisted commands (when write blocking): – ACK CBW – Fake Data phase (if any) – Return CSW to PC • Some commands return success because Windows is unhappy with failures
Main Loop usbSlaveBoms_readCbw(cbw, slaveBomsCtx); switch (cbw->cb.formated.command) { case BOMS_INQUIRY: handle_inquiry(cbw); break; … }
Example Handler void handle_inquiry(boms_cbw_t *cbw) { unsigned char buffer[64]; unsigned short responseSize; boms_csw_t csw; if (forward_cbw_to_device(cbw)) { if (responseSize = receive_data_from_device(&buffer[0], 36)) { forward_data_to_slave(&buffer[0], responseSize); if (receive_csw_from_device(&csw)) { forward_csw_to_slave(&csw); } } } }
Timer Thread • When device descriptor requested start 1 second timer • When the enumeration complete reset timer • If timer expires try the next VID/PID from list • At end of list could resort to brute force
Complications • Windows & Linux treat drives differently – Windows will try to look for and autoplay media – Windows doesn’t appear to see other than first LUN – Early prototype experience (with writeblocker this is based on) – Worked fine under Linux – Caused BSoD on Windows (exploit?) – Linux seems to pull in a lot of data up front – Windows misbehaves if you correctly fail some commands such as Write
Endpoint security on Linux • Can use udev rules to emulate Windows endpoint security software on Linux • Open source provides a great value – Better value – Equally ineffective, but at a better price
And now what you really wanted to see… It’s demo time!
Demo Video
Food for thought • Speed up process by searching registry for previously mounted devices – USBDevView or something similar might be helpful • Use larger device to divine authorized device then use a collection of smaller devices preprogrammed to appropriate VID/PID • Like all devices this may be thwarted – Device operates at full speed only – Endpoint software could use proprietary drivers – Security through obscurity?
References • USB Complete: The Developers Guide (4th ed.) by Jan Axelson • USB Mass Storage: Designing and Programming Devices and Embedded Hosts by Jan Axelson • http://www.usb.org • http://www.ftdichip.com for more on VNC2 • http://seagate.com for SCSI references • Embedded USB Design by Example by John Hyde • My 44Con USB Flash Drive Forensics Video http://www.youtube.com/watch?v=CIVGzG0W-DM • Schematics and source code are available – Git hub usb-impersonator – Email ppolstra@gmail.com – Twitter @ppolstra
Questions?

Empfohlen

Thotcon2013
Thotcon2013Thotcon2013
Thotcon2013
Philip Polstra
 
The Deck by Phil Polstra GrrCON2012
The Deck by Phil Polstra GrrCON2012The Deck by Phil Polstra GrrCON2012
The Deck by Phil Polstra GrrCON2012
Philip Polstra
 
Cyberhijacking Airplanes Truth or Fiction
Cyberhijacking Airplanes Truth or FictionCyberhijacking Airplanes Truth or Fiction
Cyberhijacking Airplanes Truth or Fiction
Philip Polstra
 
Polstra 44con2012
Polstra 44con2012Polstra 44con2012
Polstra 44con2012
Philip Polstra
 
Rapidly developing IoT (Internet of Things) applications - Part 2: Arduino, B...
Rapidly developing IoT (Internet of Things) applications - Part 2: Arduino, B...Rapidly developing IoT (Internet of Things) applications - Part 2: Arduino, B...
Rapidly developing IoT (Internet of Things) applications - Part 2: Arduino, B...
Raul Chong
 
QEMU and Raspberry Pi. Instant Embedded Development
QEMU and Raspberry Pi. Instant Embedded DevelopmentQEMU and Raspberry Pi. Instant Embedded Development
QEMU and Raspberry Pi. Instant Embedded Development
GlobalLogic Ukraine
 
TMS320DM8148 Embedded Linux
TMS320DM8148 Embedded LinuxTMS320DM8148 Embedded Linux
TMS320DM8148 Embedded Linux
NEEVEE Technologies
 
Kernel Recipes 2015: Greybus
Kernel Recipes 2015: GreybusKernel Recipes 2015: Greybus
Kernel Recipes 2015: Greybus
Anne Nicolas
 

Empfohlen

Thotcon2013
Thotcon2013Thotcon2013
Thotcon2013
Philip Polstra
 
The Deck by Phil Polstra GrrCON2012
The Deck by Phil Polstra GrrCON2012The Deck by Phil Polstra GrrCON2012
The Deck by Phil Polstra GrrCON2012
Philip Polstra
 
Cyberhijacking Airplanes Truth or Fiction
Cyberhijacking Airplanes Truth or FictionCyberhijacking Airplanes Truth or Fiction
Cyberhijacking Airplanes Truth or Fiction
Philip Polstra
 
Polstra 44con2012
Polstra 44con2012Polstra 44con2012
Polstra 44con2012
Philip Polstra
 
Rapidly developing IoT (Internet of Things) applications - Part 2: Arduino, B...
Rapidly developing IoT (Internet of Things) applications - Part 2: Arduino, B...Rapidly developing IoT (Internet of Things) applications - Part 2: Arduino, B...
Rapidly developing IoT (Internet of Things) applications - Part 2: Arduino, B...
Raul Chong
 
QEMU and Raspberry Pi. Instant Embedded Development
QEMU and Raspberry Pi. Instant Embedded DevelopmentQEMU and Raspberry Pi. Instant Embedded Development
QEMU and Raspberry Pi. Instant Embedded Development
GlobalLogic Ukraine
 
TMS320DM8148 Embedded Linux
TMS320DM8148 Embedded LinuxTMS320DM8148 Embedded Linux
TMS320DM8148 Embedded Linux
NEEVEE Technologies
 
Kernel Recipes 2015: Greybus
Kernel Recipes 2015: GreybusKernel Recipes 2015: Greybus
Kernel Recipes 2015: Greybus
Anne Nicolas
 
NXP IMX6 Processor - Embedded Linux
NXP IMX6 Processor - Embedded LinuxNXP IMX6 Processor - Embedded Linux
NXP IMX6 Processor - Embedded Linux
NEEVEE Technologies
 
Computing Overview
Computing OverviewComputing Overview
Computing Overview
Amir Villas
 
Emx Dev Boards - EmxARM9A03 - Overview
Emx Dev Boards - EmxARM9A03 - OverviewEmx Dev Boards - EmxARM9A03 - Overview
Emx Dev Boards - EmxARM9A03 - Overview
Emertxe Information Technologies Pvt Ltd
 
Linux Audio Drivers. ALSA
Linux Audio Drivers. ALSALinux Audio Drivers. ALSA
Linux Audio Drivers. ALSA
GlobalLogic Ukraine
 
Embedded Android : System Development - Part IV
Embedded Android : System Development - Part IVEmbedded Android : System Development - Part IV
Embedded Android : System Development - Part IV
Emertxe Information Technologies Pvt Ltd
 
Building Embedded Linux Full Tutorial for ARM
Building Embedded Linux Full Tutorial for ARMBuilding Embedded Linux Full Tutorial for ARM
Building Embedded Linux Full Tutorial for ARM
Sherif Mousa
 
XenSummit NA 2012: Xen on ARM Cortex A15
XenSummit NA 2012: Xen on ARM Cortex A15XenSummit NA 2012: Xen on ARM Cortex A15
XenSummit NA 2012: Xen on ARM Cortex A15
The Linux Foundation
 
Destroying Router Security - NNC5ed
Destroying Router Security - NNC5edDestroying Router Security - NNC5ed
Destroying Router Security - NNC5ed
Jose Antonio Rodriguez Garcia
 
Case Study: Porting Qt for Embedded Linux on Embedded Processors
Case Study: Porting Qt for Embedded Linux on Embedded ProcessorsCase Study: Porting Qt for Embedded Linux on Embedded Processors
Case Study: Porting Qt for Embedded Linux on Embedded Processors
account inactive
 
BKK16-303 96Boards - TV Platform
BKK16-303 96Boards - TV PlatformBKK16-303 96Boards - TV Platform
BKK16-303 96Boards - TV Platform
Linaro
 
REDA services
REDA servicesREDA services
REDA services
Yuri Fonin
 
Get rid of TLS certificates - using IPSec for large scale cloud protection
Get rid of TLS certificates - using IPSec for large scale cloud protectionGet rid of TLS certificates - using IPSec for large scale cloud protection
Get rid of TLS certificates - using IPSec for large scale cloud protection
Pawel Krawczyk
 
LCA2018 Open Hardware MiniConference: LoliBot Software
LCA2018 Open Hardware MiniConference: LoliBot SoftwareLCA2018 Open Hardware MiniConference: LoliBot Software
LCA2018 Open Hardware MiniConference: LoliBot Software
Andy Gelme
 
MIPI DevCon 2016: Accelerating Software Development for MIPI CSI-2 Cameras
MIPI DevCon 2016: Accelerating Software Development for MIPI CSI-2 CamerasMIPI DevCon 2016: Accelerating Software Development for MIPI CSI-2 Cameras
MIPI DevCon 2016: Accelerating Software Development for MIPI CSI-2 Cameras
MIPI Alliance
 
LAS16-300: Mini Conference 2 Cortex-M Software - Device Configuration
LAS16-300: Mini Conference 2 Cortex-M Software - Device ConfigurationLAS16-300: Mini Conference 2 Cortex-M Software - Device Configuration
LAS16-300: Mini Conference 2 Cortex-M Software - Device Configuration
Linaro
 
Project ACRN USB mediator introduction
Project ACRN USB mediator introductionProject ACRN USB mediator introduction
Project ACRN USB mediator introduction
Project ACRN
 
Introduction to intel galileo board gen2
Introduction to intel galileo board gen2Introduction to intel galileo board gen2
Introduction to intel galileo board gen2
Harshit Srivastava
 
Asus Tinker Board
Asus Tinker BoardAsus Tinker Board
Asus Tinker Board
Niyazi SARAL
 
Windows 3.1 (WFW) on vintage and modern hardware
Windows 3.1 (WFW) on vintage and modern hardwareWindows 3.1 (WFW) on vintage and modern hardware
Windows 3.1 (WFW) on vintage and modern hardware
yeokm1
 
What's going on with SPI
What's going on with SPI What's going on with SPI
What's going on with SPI
Mark Brown
 
IMPLEMENTAÇÃO DO UNIVERSEAL HOST CONTROLLER INTERFACE (UHCI) PARA O MEMTE...
IMPLEMENTAÇÃO DO UNIVERSEAL HOST CONTROLLER INTERFACE (UHCI) PARA O MEMTE...IMPLEMENTAÇÃO DO UNIVERSEAL HOST CONTROLLER INTERFACE (UHCI) PARA O MEMTE...
IMPLEMENTAÇÃO DO UNIVERSEAL HOST CONTROLLER INTERFACE (UHCI) PARA O MEMTE...
Rômulo Jales
 
Vinculum-II Embedded Dual USB Host Controller IC
Vinculum-II Embedded Dual USB Host Controller ICVinculum-II Embedded Dual USB Host Controller IC
Vinculum-II Embedded Dual USB Host Controller IC
Premier Farnell
 

Weitere ähnliche Inhalte

Was ist angesagt?

XenSummit NA 2012: Xen on ARM Cortex A15
XenSummit NA 2012: Xen on ARM Cortex A15XenSummit NA 2012: Xen on ARM Cortex A15
XenSummit NA 2012: Xen on ARM Cortex A15
The Linux Foundation
 
Case Study: Porting Qt for Embedded Linux on Embedded Processors
Case Study: Porting Qt for Embedded Linux on Embedded ProcessorsCase Study: Porting Qt for Embedded Linux on Embedded Processors
Case Study: Porting Qt for Embedded Linux on Embedded Processors
account inactive
 
MIPI DevCon 2016: Accelerating Software Development for MIPI CSI-2 Cameras
MIPI DevCon 2016: Accelerating Software Development for MIPI CSI-2 CamerasMIPI DevCon 2016: Accelerating Software Development for MIPI CSI-2 Cameras
MIPI DevCon 2016: Accelerating Software Development for MIPI CSI-2 Cameras
MIPI Alliance
 
LAS16-300: Mini Conference 2 Cortex-M Software - Device Configuration
LAS16-300: Mini Conference 2 Cortex-M Software - Device ConfigurationLAS16-300: Mini Conference 2 Cortex-M Software - Device Configuration
LAS16-300: Mini Conference 2 Cortex-M Software - Device Configuration
Linaro
 

Was ist angesagt? (20)

NXP IMX6 Processor - Embedded Linux
NXP IMX6 Processor - Embedded LinuxNXP IMX6 Processor - Embedded Linux
NXP IMX6 Processor - Embedded Linux
 
Computing Overview
Computing OverviewComputing Overview
Computing Overview
 
Emx Dev Boards - EmxARM9A03 - Overview
Emx Dev Boards - EmxARM9A03 - OverviewEmx Dev Boards - EmxARM9A03 - Overview
Emx Dev Boards - EmxARM9A03 - Overview
 
Linux Audio Drivers. ALSA
Linux Audio Drivers. ALSALinux Audio Drivers. ALSA
Linux Audio Drivers. ALSA
 
Embedded Android : System Development - Part IV
Embedded Android : System Development - Part IVEmbedded Android : System Development - Part IV
Embedded Android : System Development - Part IV
 
Building Embedded Linux Full Tutorial for ARM
Building Embedded Linux Full Tutorial for ARMBuilding Embedded Linux Full Tutorial for ARM
Building Embedded Linux Full Tutorial for ARM
 
XenSummit NA 2012: Xen on ARM Cortex A15
XenSummit NA 2012: Xen on ARM Cortex A15XenSummit NA 2012: Xen on ARM Cortex A15
XenSummit NA 2012: Xen on ARM Cortex A15
 
Destroying Router Security - NNC5ed
Destroying Router Security - NNC5edDestroying Router Security - NNC5ed
Destroying Router Security - NNC5ed
 
Case Study: Porting Qt for Embedded Linux on Embedded Processors
Case Study: Porting Qt for Embedded Linux on Embedded ProcessorsCase Study: Porting Qt for Embedded Linux on Embedded Processors
Case Study: Porting Qt for Embedded Linux on Embedded Processors
 
BKK16-303 96Boards - TV Platform
BKK16-303 96Boards - TV PlatformBKK16-303 96Boards - TV Platform
BKK16-303 96Boards - TV Platform
 
REDA services
REDA servicesREDA services
REDA services
 
Get rid of TLS certificates - using IPSec for large scale cloud protection
Get rid of TLS certificates - using IPSec for large scale cloud protectionGet rid of TLS certificates - using IPSec for large scale cloud protection
Get rid of TLS certificates - using IPSec for large scale cloud protection
 
LCA2018 Open Hardware MiniConference: LoliBot Software
LCA2018 Open Hardware MiniConference: LoliBot SoftwareLCA2018 Open Hardware MiniConference: LoliBot Software
LCA2018 Open Hardware MiniConference: LoliBot Software
 
MIPI DevCon 2016: Accelerating Software Development for MIPI CSI-2 Cameras
MIPI DevCon 2016: Accelerating Software Development for MIPI CSI-2 CamerasMIPI DevCon 2016: Accelerating Software Development for MIPI CSI-2 Cameras
MIPI DevCon 2016: Accelerating Software Development for MIPI CSI-2 Cameras
 
LAS16-300: Mini Conference 2 Cortex-M Software - Device Configuration
LAS16-300: Mini Conference 2 Cortex-M Software - Device ConfigurationLAS16-300: Mini Conference 2 Cortex-M Software - Device Configuration
LAS16-300: Mini Conference 2 Cortex-M Software - Device Configuration
 
Project ACRN USB mediator introduction
Project ACRN USB mediator introductionProject ACRN USB mediator introduction
Project ACRN USB mediator introduction
 
Introduction to intel galileo board gen2
Introduction to intel galileo board gen2Introduction to intel galileo board gen2
Introduction to intel galileo board gen2
 
Asus Tinker Board
Asus Tinker BoardAsus Tinker Board
Asus Tinker Board
 
Windows 3.1 (WFW) on vintage and modern hardware
Windows 3.1 (WFW) on vintage and modern hardwareWindows 3.1 (WFW) on vintage and modern hardware
Windows 3.1 (WFW) on vintage and modern hardware
 
What's going on with SPI
What's going on with SPI What's going on with SPI
What's going on with SPI
 

Andere mochten auch

IMPLEMENTAÇÃO DO UNIVERSEAL HOST CONTROLLER INTERFACE (UHCI) PARA O MEMTE...
IMPLEMENTAÇÃO DO UNIVERSEAL HOST CONTROLLER INTERFACE (UHCI) PARA O MEMTE...IMPLEMENTAÇÃO DO UNIVERSEAL HOST CONTROLLER INTERFACE (UHCI) PARA O MEMTE...
IMPLEMENTAÇÃO DO UNIVERSEAL HOST CONTROLLER INTERFACE (UHCI) PARA O MEMTE...
Rômulo Jales
 
Simha_23_REFFIT_Biochar_ICT_Published Version
Simha_23_REFFIT_Biochar_ICT_Published VersionSimha_23_REFFIT_Biochar_ICT_Published Version
Simha_23_REFFIT_Biochar_ICT_Published Version
Prithvi Simha
 
תחרות אלוף הידע
תחרות אלוף הידעתחרות אלוף הידע
תחרות אלוף הידע
sabal1
 
Search and Hyperlinking Task at MediaEval 2012
Search and Hyperlinking Task at MediaEval 2012Search and Hyperlinking Task at MediaEval 2012
Search and Hyperlinking Task at MediaEval 2012
MediaEval2012
 
MediaEval 2012 Visual Privacy Task: Privacy and Intelligibility through Pixel...
MediaEval 2012 Visual Privacy Task: Privacy and Intelligibility through Pixel...MediaEval 2012 Visual Privacy Task: Privacy and Intelligibility through Pixel...
MediaEval 2012 Visual Privacy Task: Privacy and Intelligibility through Pixel...
MediaEval2012
 
Violent Scenes Detection with Large, Brute-forced Acoustic and Visual Feature...
Violent Scenes Detection with Large, Brute-forced Acoustic and Visual Feature...Violent Scenes Detection with Large, Brute-forced Acoustic and Visual Feature...
Violent Scenes Detection with Large, Brute-forced Acoustic and Visual Feature...
MediaEval2012
 
The MediaEval 2012 Affect Task: Violent Scenes Detectio
The MediaEval 2012 Affect Task: Violent Scenes DetectioThe MediaEval 2012 Affect Task: Violent Scenes Detectio
The MediaEval 2012 Affect Task: Violent Scenes Detectio
MediaEval2012
 
Telefonica Research System for the Spoken Web Search task at Mediaeval 2012
Telefonica Research System for the Spoken Web Search task at Mediaeval 2012Telefonica Research System for the Spoken Web Search task at Mediaeval 2012
Telefonica Research System for the Spoken Web Search task at Mediaeval 2012
MediaEval2012
 
How INRIA identifies Geographic Location of a Video
How INRIA identifies Geographic Location of a VideoHow INRIA identifies Geographic Location of a Video
How INRIA identifies Geographic Location of a Video
MediaEval2012
 
MediaEval 2012 Opening
MediaEval 2012 OpeningMediaEval 2012 Opening
MediaEval 2012 Opening
MediaEval2012
 
DCU Search Runs at MediaEval 2012: Search and Hyperlinking Task
DCU Search Runs at MediaEval 2012: Search and Hyperlinking TaskDCU Search Runs at MediaEval 2012: Search and Hyperlinking Task
DCU Search Runs at MediaEval 2012: Search and Hyperlinking Task
MediaEval2012
 
Brave New Task: Musiclef Multimodal Music Tagging
Brave New Task: Musiclef Multimodal Music TaggingBrave New Task: Musiclef Multimodal Music Tagging
Brave New Task: Musiclef Multimodal Music Tagging
MediaEval2012
 
Event Detection via LDA for the MediaEval2012 SED Task
Event Detection via LDA for the MediaEval2012 SED TaskEvent Detection via LDA for the MediaEval2012 SED Task
Event Detection via LDA for the MediaEval2012 SED Task
MediaEval2012
 
Overview of MediaEval 2012 Visual Privacy Task
Overview of MediaEval 2012 Visual Privacy TaskOverview of MediaEval 2012 Visual Privacy Task
Overview of MediaEval 2012 Visual Privacy Task
MediaEval2012
 

Andere mochten auch (19)

IMPLEMENTAÇÃO DO UNIVERSEAL HOST CONTROLLER INTERFACE (UHCI) PARA O MEMTE...
IMPLEMENTAÇÃO DO UNIVERSEAL HOST CONTROLLER INTERFACE (UHCI) PARA O MEMTE...IMPLEMENTAÇÃO DO UNIVERSEAL HOST CONTROLLER INTERFACE (UHCI) PARA O MEMTE...
IMPLEMENTAÇÃO DO UNIVERSEAL HOST CONTROLLER INTERFACE (UHCI) PARA O MEMTE...
 
Vinculum-II Embedded Dual USB Host Controller IC
Vinculum-II Embedded Dual USB Host Controller ICVinculum-II Embedded Dual USB Host Controller IC
Vinculum-II Embedded Dual USB Host Controller IC
 
Am I being spied on: Low-tech ways of detecting high-tech surveillance (DEFCO...
Am I being spied on: Low-tech ways of detecting high-tech surveillance (DEFCO...Am I being spied on: Low-tech ways of detecting high-tech surveillance (DEFCO...
Am I being spied on: Low-tech ways of detecting high-tech surveillance (DEFCO...
 
Simha_23_REFFIT_Biochar_ICT_Published Version
Simha_23_REFFIT_Biochar_ICT_Published VersionSimha_23_REFFIT_Biochar_ICT_Published Version
Simha_23_REFFIT_Biochar_ICT_Published Version
 
תחרות אלוף הידע
תחרות אלוף הידעתחרות אלוף הידע
תחרות אלוף הידע
 
Search and Hyperlinking Task at MediaEval 2012
Search and Hyperlinking Task at MediaEval 2012Search and Hyperlinking Task at MediaEval 2012
Search and Hyperlinking Task at MediaEval 2012
 
MediaEval 2012 Visual Privacy Task: Privacy and Intelligibility through Pixel...
MediaEval 2012 Visual Privacy Task: Privacy and Intelligibility through Pixel...MediaEval 2012 Visual Privacy Task: Privacy and Intelligibility through Pixel...
MediaEval 2012 Visual Privacy Task: Privacy and Intelligibility through Pixel...
 
Mentor Strategy Session: Business Plan and Video
Mentor Strategy Session: Business Plan and VideoMentor Strategy Session: Business Plan and Video
Mentor Strategy Session: Business Plan and Video
 
Violent Scenes Detection with Large, Brute-forced Acoustic and Visual Feature...
Violent Scenes Detection with Large, Brute-forced Acoustic and Visual Feature...Violent Scenes Detection with Large, Brute-forced Acoustic and Visual Feature...
Violent Scenes Detection with Large, Brute-forced Acoustic and Visual Feature...
 
The MediaEval 2012 Affect Task: Violent Scenes Detectio
The MediaEval 2012 Affect Task: Violent Scenes DetectioThe MediaEval 2012 Affect Task: Violent Scenes Detectio
The MediaEval 2012 Affect Task: Violent Scenes Detectio
 
Telefonica Research System for the Spoken Web Search task at Mediaeval 2012
Telefonica Research System for the Spoken Web Search task at Mediaeval 2012Telefonica Research System for the Spoken Web Search task at Mediaeval 2012
Telefonica Research System for the Spoken Web Search task at Mediaeval 2012
 
How INRIA identifies Geographic Location of a Video
How INRIA identifies Geographic Location of a VideoHow INRIA identifies Geographic Location of a Video
How INRIA identifies Geographic Location of a Video
 
Idea or opportunity?
Idea or opportunity?Idea or opportunity?
Idea or opportunity?
 
MediaEval 2012 Opening
MediaEval 2012 OpeningMediaEval 2012 Opening
MediaEval 2012 Opening
 
DCU Search Runs at MediaEval 2012: Search and Hyperlinking Task
DCU Search Runs at MediaEval 2012: Search and Hyperlinking TaskDCU Search Runs at MediaEval 2012: Search and Hyperlinking Task
DCU Search Runs at MediaEval 2012: Search and Hyperlinking Task
 
Brave New Task: Musiclef Multimodal Music Tagging
Brave New Task: Musiclef Multimodal Music TaggingBrave New Task: Musiclef Multimodal Music Tagging
Brave New Task: Musiclef Multimodal Music Tagging
 
John Richards: My Life Lessons As An Entrepreneur
John Richards: My Life Lessons As An EntrepreneurJohn Richards: My Life Lessons As An Entrepreneur
John Richards: My Life Lessons As An Entrepreneur
 
Event Detection via LDA for the MediaEval2012 SED Task
Event Detection via LDA for the MediaEval2012 SED TaskEvent Detection via LDA for the MediaEval2012 SED Task
Event Detection via LDA for the MediaEval2012 SED Task
 
Overview of MediaEval 2012 Visual Privacy Task
Overview of MediaEval 2012 Visual Privacy TaskOverview of MediaEval 2012 Visual Privacy Task
Overview of MediaEval 2012 Visual Privacy Task
 

Ähnlich wie Philip polstra

BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
Alexandre Moneger
 
Ip address concepts
Ip address conceptsIp address concepts
Ip address concepts
myrajendra
 

Ähnlich wie Philip polstra (20)

Internet protocol
Internet protocolInternet protocol
Internet protocol
 
Protected addressing mode and Paging
Protected addressing mode and PagingProtected addressing mode and Paging
Protected addressing mode and Paging
 
Segmentation
SegmentationSegmentation
Segmentation
 
Computer System and Architecture
Computer System and ArchitectureComputer System and Architecture
Computer System and Architecture
 
Architecture of pentium family
Architecture of pentium familyArchitecture of pentium family
Architecture of pentium family
 
COMPUTER INTRODUCTION
COMPUTER INTRODUCTIONCOMPUTER INTRODUCTION
COMPUTER INTRODUCTION
 
OOPSLA Talk on Preon
OOPSLA Talk on PreonOOPSLA Talk on Preon
OOPSLA Talk on Preon
 
BLE Talk
BLE TalkBLE Talk
BLE Talk
 
Xdr ppt
Xdr pptXdr ppt
Xdr ppt
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
 
SYBSC IT SEM IV EMBEDDED SYSTEMS UNIT IV Designing Embedded System with 8051...
SYBSC IT SEM IV EMBEDDED SYSTEMS UNIT IV Designing Embedded System with 8051...SYBSC IT SEM IV EMBEDDED SYSTEMS UNIT IV Designing Embedded System with 8051...
SYBSC IT SEM IV EMBEDDED SYSTEMS UNIT IV Designing Embedded System with 8051...
 
Ch12- instruction sets- char & funct.pdf
Ch12- instruction sets- char & funct.pdfCh12- instruction sets- char & funct.pdf
Ch12- instruction sets- char & funct.pdf
 
Hardware hacking
Hardware hackingHardware hacking
Hardware hacking
 
Ag32224229
Ag32224229Ag32224229
Ag32224229
 
CAN- controlled area network
CAN- controlled area networkCAN- controlled area network
CAN- controlled area network
 
Ip address concepts
Ip address conceptsIp address concepts
Ip address concepts
 
Session01_Intro.pdf
Session01_Intro.pdfSession01_Intro.pdf
Session01_Intro.pdf
 
Lec05
Lec05Lec05
Lec05
 
It322 intro 1
It322 intro 1It322 intro 1
It322 intro 1
 
02 direct3 d_pipeline
02 direct3 d_pipeline02 direct3 d_pipeline
02 direct3 d_pipeline
 

Kürzlich hochgeladen

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Igalia
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 

Kürzlich hochgeladen (20)

Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 

Philip polstra

  • 1. Bypassing Endpoint Security for $20 or Less Philip A. Polstra, Sr. @ppolstra ppolstra.blogspot.com
  • 2. Roadmap • Why this talk? • Who is this dude talking at me? • Brief history of USB • How does USB work? • It’s all descriptors and endpoints • Bulk-only mass storage devices • Bypassing endpoint security • Microcontrollers are fun (and cheap) • Food for thought
  • 3. Why this talk? • Many organizations have begun to use endpoint security programs to restrict use of portable media • Many software tools do the USB equivalent of MAC filtering – only allow authorized VID/PID • For $18-30 can easily construct device to allow any mass storage device to impersonate authorized device • Allows injection/extraction
  • 4. Who am I anyway? • Teach computer security at a private university • Like to hack hardware • Have been known to fly and build airplanes • Been known to play with USB devices
  • 5. Brief History or USB • Non-universal serial, PS/2 ports, & LPT • 1996 USB 1.0 (1.5 or 12 Mbps) • 1998 USB 1.1 • 2000 USB 2.0 (1.5, 12, or 480 Mbps) • Long pause • 2008 USB 3.0 (up to 5 Gbps)
  • 6. How does USB Work?
  • 7. Hardware • Simple 4-wire connection (power, ground, 2 data wires) • Cabling prevents improper connections • Hot pluggable • Differential voltages provide greater immunity to noise • Cable lengths up to 16 feet are possible Pin Name Cable color Description 1 VBUS Red +5 V 2 D− White Data − 3 D+ Green Data + 4 GND Black Ground
  • 8. Software • Automatic configuration • No settable jumpers • Enumeration • Standard device classes with corresponding drivers – HID – Printer – Audio – Mass Storage
  • 9. Connecting a Device • Device is connected • Hub detects • Host (PC) is informed of new device • Hub determines device speed capability as indicated by location of pull-up resistors • Hub resets the device • Host determines if device is capable of high speed (using chirps) • Hub establishes a signal path • Host requests descriptor from device to determine max packet size • Host assigns an address • Host learns devices capabilities • Host assigns and loads an appropriate device driver (INF file) • Device driver selects a configuration
  • 10. It’s all descriptors and endpoints
  • 11. Endpoints • The virtual wire for USB communications • All endpoints are one way (direction relative to host) • Packet fragmentation, handshaking, etc. done by hardware (usually) • High bit of address tells direction 1=in 0=out • Types of endpoints – Control – Bulk transport – Interrupt – Isochronous
  • 12. Control Endpoints • Primary mechanism for most devices to communicate with host • Every device must have at least one in and out control endpoint EP0 • Device must respond to standard requests – Get/set address, descriptors, power, and status • Device may respond to class specific requests • Device may respond to vendor specific requests
  • 13. Control Endpoints (continued) • May have up to 3 transport stages: Setup, Data, Status • Setup stage – Host sends Setup token then data packet containing setup request – If device receives a valid setup packet, an ACK is returned – Setup request is 8 bytes – 1st byte is bitmap telling type of request & recipient (device, interface, endpoint) – Remaining bytes are parameters for request and response • Data stage (optional) – requested info transmitted • Status stage – zero length data packet sent as ACK on success
  • 14. Interrupt & Isochronous Endpoints • Interrupt endpoints – Used to avoid polling and busy waits – Keyboards are a good example – Usually low speed (allows for longer cables, etc.) • Isochronous endpoints – Guaranteed bandwidth – Used primarily for time-critical apps such as streaming media
  • 15. Bulk Endpoints • No latency guarantees • Good performance on an idle bus • Superseded by all other transport types • Full (8-64 byte packets) & high speed (512 byte packets) only • Used extensively in USB flash drives (and external hard drives) • Transactions consist of a token packet, 0 or more data packets, and an ACK handshake packet (if successful)
  • 16. Descriptors • They describe things (duh!) • Have a standard format – 1st byte is the length in bytes (so you known when you’re done) – 2nd byte determines type of descriptor – Remaining bytes are the descriptor itself • Common types – Device: tells you basic info about the device – Configuration: how much power needed, number of interfaces, etc. – Interface: How do I talk to the device – Endpoint: Direction, type, number, etc. – String: Describe something in unicode text
  • 17. Device Descriptor Offset Field Size Value Description 0 bLength 1 Number 18 bytes 1 bDescriptorType 1 Constant Device Descriptor (0x01) 2 bcdUSB 2 BCD 0x200 4 bDeviceClass 1 Class Class Code 5 bDeviceSubClass 1 SubClass Subclass Code 6 bDeviceProtocol 1 Protocol Protocol Code 7 bMaxPacketSize 1 Number Maxi Packet Size EP0 8 idVendor 2 ID Vendor ID 10 idProduct 2 ID Product ID 12 bcdDevice 2 BCD Device Release Number 14 iManufacturer 1 Index Index of Manu Descriptor 15 iProduct 1 Index Index of Prod Descriptor 16 iSerialNumber 1 Index Index of SN Descriptor 17 bNumConfigurations 1 Integer Num Configurations
  • 18. Configuration Descriptor (header) Offset Field Size Value Description 0 bLength 1 Number Size in Bytes 1 bDescriptorType 1 Constant 0x02 2 wTotalLength 2 Number Total data returned 4 bNumInterfaces 1 Number Num Interfaces 5 bConfigurationValue 1 Number Con number 6 iConfiguration 1 Index String Descriptor 7 bmAttributes 1 Bitmap b7 Reserved, set to 1. b6 Self Powered b5 Remote Wakeup b4..0 Reserved 0. 8 bMaxPower 1 mA Max Power in mA/2
  • 19. Interface Descriptor Offset Field Size Value Description 0 bLength 1 Number 9 Bytes 1 bDescriptorType 1 Constant 0x04 2 bInterfaceNumber 1 Number Number of Interface 3 bAlternateSetting 1 Number Alternative setting 4 bNumEndpoints 1 Number Number of Endpoints used 5 bInterfaceClass 1 Class Class Code 6 bInterfaceSubClass 1 SubClass Subclass Code 7 bInterfaceProtocol 1 Protocol Protocol Code 8 iInterface 1 Index Index of String Descriptor
  • 20. Endpoint Descriptor Offset Field Size Value Description 0 bLength 1 Number Size of Descriptor (7 bytes) 1 bDescriptorType 1 Constant Endpoint Descriptor (0x05) 2 bEndpointAddress 1 Endpoint b0..3 Endpoint Number. b4..6 Reserved. Set to Zero b7 Direction 0 = Out, 1 = In 3 bmAttributes 1 Bitmap b0..1 Transfer Type 10 = Bulk b2..7 are reserved. I 4 wMaxPacketSize 2 Number Maximum Packet Size 6 bInterval 1 Number Interval for polling endpoint data
  • 21. String Descriptors Offset Field Size Value Description 0 bLength 1 Number Size of Descriptor in Bytes 1 bDescriptorType 1 Constant String Descriptor (0x03) 2 bString n Unicode Unicode Encoded String N o t e : S tr in g 0 is
  • 22. Now that we have learned a little about general devices, without further delay… Bulk-only mass storage Devices
  • 23. USB Flash Drives • Hardware • Software • Filesystems • Talk to a flash drive
  • 25. Hardware (continued) • Typically utilize NAND flash memory • Memory degrades after 10,000 write cycles • Most chips not even close to high-speed USB speed (480 Mbps) • Can only be written in blocks (usually 512, 2048, or 4096 bytes) • Chips are somewhat easily removed from damaged drives for forensic recovery • Some controllers have JTAG capability which can be used for memory access • Some controller chips steal some flash memory for themselves
  • 26. Hardware (continued) • Nearly all flash drives present themselves as SCSI hard drives • “Hard drive” sectors are typically 512, 2048, or 4096 bytes • SCSI transparent command set is used • Most drives are formatted as one partition or logical unit – Additional logical units can hide info from Windows machines • Reported size may not match actual media size – Info can be hidden in higher sectors – Some cheap drives are out there that grossly over report size – A typical 512 byte sector needs 16 bytes for error correction
  • 27. Software • Usually implemented in firmware within specialized controller chips • Must: – Detect communication directed at drive – Respond to standard requests – Check for errors – Manage power – Exchange data
  • 28. Filesystems • Most preformatted with FAT or FAT32 • NTFS • TrueFFS • ExtremeFFS • JFFS • YAFFS • Various UNIX/Linux file systems
  • 29. Talking to a Flash Drive • Bulk-Only Mass Storage (aka BBB) protocol used – All communications use bulk endpoints – Three phases: CBW, data-transport (optional), CSW – Commands sent to drive using a Command Block Wrapper (CBW) – CBW contains Command Block (CB) with actual command – Nearly all drives use a (reduced) SCSI command set – Commands requiring data transport will send/receive on bulk endpoints – All transactions are terminated by a Command Status Wrapper (CSW)
  • 30. Command Block Wrapper typedef struct _USB_MSI_CBW { unsigned long dCBWSignature; //0x43425355 “USBC” unsigned long dCBWTag; // associates CBW with CSW response unsigned long dCBWDataTransferLength; // bytes to send or receive unsigned char bCBWFlags; // bit 7 0=OUT, 1=IN all others zero unsigned char bCBWLUN; // logical unit number (usually zero) unsigned char bCBWCBLength; // 3 hi bits zero, rest bytes in CB unsigned char bCBWCB[16]; // the actual command block (>= 6 bytes) } USB_MSI_CBW;
  • 31. Command Block • 6-16 bytes depending on command • Command is first byte • Format Unit Example: typedef struct _CB_FORMAT_UNIT { unsigned char OperationCode; //must be 0x04 unsigned char LUN:3; // logical unit number (usually zero) unsigned char FmtData:1; // if 1, extra parameters follow command unsigned char CmpLst:1; // if 0, partial list of defects, 1, complete unsigned char DefectListFormat:3; //000 = 32-bit LBAs unsigned char VendorSpecific; //vendor specific code unsigned short Interleave; //0x0000 = use vendor default unsigned char Control; } CB_FORMAT_UNIT;
  • 32. Command Block (continued) • Read (10) Example: typedef struct _CB_READ10 { unsigned char OperationCode; //must be 0x28 unsigned char RelativeAddress:1; // normally 0 unsigned char Resv:2; unsigned char FUA:1; // 1=force unit access, don't use cache unsigned char DPO:1; // 1=disable page out unsigned char LUN:3; //logical unit number unsigned long LBA; //logical block address (sector number) unsigned char Reserved; unsigned short TransferLength; unsigned char Control; } CB_READ10;
  • 33. Command Block (continued) • Some Common SCSI Commands: FORMAT_UNIT=0x4, //required INQUIRY=0x12, //required MODE_SELECT6=0x15, MODE_SELECT10=0x55, MODE_SENSE6=0x1A, MODE_SENSE10=0x5A, READ6=0x08, //required READ10=0x28, //required READ12=0xA8, READ_CAPACITY10=0x25, //required READ_FORMAT_CAPACITIES=0x23, REPORT_LUNS=0xA0, //required REQUEST_SENSE=0x03, //required SEND_DIAGNOSTIC=0x1D, //required START_STOP_UNIT=0x1B, SYNCHRONIZE_CACHE10=0x35, TEST_UNIT_READ=0x00, //required VERIFY10=0x2F, WRITE6=0x0A, //required WRITE10=0x2A, WRITE12=0xAA
  • 34. Command Status Wrapper • Read Sense command can be used for details on failed operations typedef struct _USB_MSI_CSW { unsigned long dCSWSignature; //0x53425355 “USBS” unsigned long dCSWTag; // associate CBW with CSW response unsigned long dCSWDataResidue; // difference between requested data and actual unsigned char bCSWStatus; //00=pass, 01=fail, 02=phase error, reset } USB_MSI_CSW;
  • 35. Now that we know how bulk-only mass storage devices work… How do I bypass endpoint security?
  • 36. Impersonating another device • Social engineering USB style • Providing an authorized VID/PID allows device connection – Backdoors and other useful items can be injected – Information can be extracted to portable media • Device design allows optional write blocking
  • 37. Enough background. Let the fun begin… Microcontrollers are fun (and cheap)
  • 38. Fun with Microcontrollers • Chip Choice • A Microcontroller-Based Impersonator
  • 39. Chip Choice Options • AVR (as found in Arduino family) – Cheap – Well understood – Loads of code out there – Too underpowered to do USB without external components (<20MHz) • PIC family – Relatively cheap – Programming somewhat more involved than AVR – Newer chips SMD only, not easy DIP package – Some USB device code, but not host code out there
  • 40. Chip Choice Winner • None of the above • FTDI Vinculum II – Relatively new chip – A little faster than AVRs (48 MHz) – Real-time multi-threaded OS – Libraries for several standard USB classes – BOMS is one – but we can’t use it for this project, unfortunately – Unlike AVR, different pin packages differ only with GPIO lines available – Same flash memory – Same RAM
  • 41. Chip Choice • FTDI Vinculum II dual USB host/slave controller – 2 full-speed USB 2.0 interfaces (host or slave capable) – 256 KB E-flash memory – 16 KB RAM – 2 SPI slave and 1 SPI master interfaces – Easy-to-use IDE – Simultaneous multiple file access on BOMS devices • Several development modules available – Convenient for prototyping (only SMD chips available) – Cheap enough to embed in final device – One format is Arduino clone (Vinco)
  • 46. Package A - Small & only 4 Pins to Solder* *I f y o u a
  • 47. Package B – Slightly Larger-No Soldering* * S e
  • 48. Microcontroller-Based Impersonator • Enumerate an attached mass storage drive • When PC attempts to connect drive try to provide an authorized VID/PID • If unsuccessful try another VID/PID till it works
  • 49. Impersonator High-Level Design • One thread associated with slave port to appear as a BOMS device – One thread watches control endpoint and services requests from host • One thread associated with the host port for talking to flash drive – Thread enumerates the device and gets endpoints. Then periodically checks to see if the drive is still there • Main thread bridges slave and host – Non-CBW packets (data packets) are passed through to host port – Whitelisted CBWs are also passed on to host port (if write blocking) • Timer thread – When enumeration starts timer is set – If drive is not connected another VID/PID is tried • Button thread – Reads buttons and adjusts status accordingly
  • 50. The Main Thread • Waits for CBW packets to arrive on Bulk Out endpoint • Calls appropriate handler function based on command – Whitelisted commands: – Forward CBW to drive – Perform Data phase (if any) with drive and forward to PC – Received CSW from device and forward to PC – Non-whitelisted commands (when write blocking): – ACK CBW – Fake Data phase (if any) – Return CSW to PC • Some commands return success because Windows is unhappy with failures
  • 51. Main Loop usbSlaveBoms_readCbw(cbw, slaveBomsCtx); switch (cbw->cb.formated.command) { case BOMS_INQUIRY: handle_inquiry(cbw); break; … }
  • 52. Example Handler void handle_inquiry(boms_cbw_t *cbw) { unsigned char buffer[64]; unsigned short responseSize; boms_csw_t csw; if (forward_cbw_to_device(cbw)) { if (responseSize = receive_data_from_device(&buffer[0], 36)) { forward_data_to_slave(&buffer[0], responseSize); if (receive_csw_from_device(&csw)) { forward_csw_to_slave(&csw); } } } }
  • 53. Timer Thread • When device descriptor requested start 1 second timer • When the enumeration complete reset timer • If timer expires try the next VID/PID from list • At end of list could resort to brute force
  • 54. Complications • Windows & Linux treat drives differently – Windows will try to look for and autoplay media – Windows doesn’t appear to see other than first LUN – Early prototype experience (with writeblocker this is based on) – Worked fine under Linux – Caused BSoD on Windows (exploit?) – Linux seems to pull in a lot of data up front – Windows misbehaves if you correctly fail some commands such as Write
  • 55. Endpoint security on Linux • Can use udev rules to emulate Windows endpoint security software on Linux • Open source provides a great value – Better value – Equally ineffective, but at a better price
  • 56. And now what you really wanted to see… It’s demo time!
  • 58. Food for thought • Speed up process by searching registry for previously mounted devices – USBDevView or something similar might be helpful • Use larger device to divine authorized device then use a collection of smaller devices preprogrammed to appropriate VID/PID • Like all devices this may be thwarted – Device operates at full speed only – Endpoint software could use proprietary drivers – Security through obscurity?
  • 59. References • USB Complete: The Developers Guide (4th ed.) by Jan Axelson • USB Mass Storage: Designing and Programming Devices and Embedded Hosts by Jan Axelson • http://www.usb.org • http://www.ftdichip.com for more on VNC2 • http://seagate.com for SCSI references • Embedded USB Design by Example by John Hyde • My 44Con USB Flash Drive Forensics Video http://www.youtube.com/watch?v=CIVGzG0W-DM • Schematics and source code are available – Git hub usb-impersonator – Email ppolstra@gmail.com – Twitter @ppolstra