Defending against malicious peripherals with Cinch
Presented by Avesta Hojjati, CS 598
Computer Security in the Physical World, University of Illinois
Based on slides by Sebastian Angel

Citation
• S. Angel, R. Wahby, M. Howald, J. Leners, M. Spilo, Z. Sun, A. Blumberg, M. Walfish. "Defending against Malicious Peripherals with Cinch." USENIX Security 2016
Peripherals' firmware can be modified with BadUSB [Nohl and Lell, Black Hat 2014]

USB architecture from 30,000 feet
[Diagram: your machine (drivers, host controller) connected through a hub to peripherals]

Government agencies intercept and modify shipments [Glenn Greenwald, The Guardian 2014]
Peripherals can exploit driver vulnerabilities
13 vulnerabilities in Linux's USB stack reported in 2016 alone
[Diagram: a peripheral behind the hub sends malformed traffic ("$@$#$#%$%") up through the host controller to the drivers on your machine]
Peripherals can leverage DMA to attack OSes
[Diagram: a peripheral behind the hub issues write "evil" to <kernel address> directly against your machine's memory, bypassing the drivers]
Inception [Maartmann-Moe 2014], Funderbolt [Black Hat 2013]
Users Really Do Plug in USB Drives They Find [Tischer et al., S&P 2016]
Peripherals can lie about their identity
[Diagram: your machine asks the device behind the hub "Hi, what are you?"; the device answers "I'm a keyboard :)"]
Hubs broadcast messages downstream
Compromised hubs can eavesdrop and modify all traffic
[Diagram: File_for_SSD.txt travels from the drivers through the host controller to the hub; a compromised hub sees the file and can alter it before forwarding it downstream]

Okay, so what can we do?
• Don't use a computer
• Close all the ports
Our machine interacts with untrusted devices every day… on the Internet!
As part of this interaction, our machine routinely:
• Determines to whom it is talking
• Prevents eavesdropping and data tampering
• Defends against malicious traffic
How do we apply the arsenal of network security tools to peripheral buses?
And how can this be done with minor or no modifications to OSes and existing devices…
…while keeping the bus at arm's length?
[Diagram: your machine (drivers, host controller), with the note "Insert network security logic somewhere here" placed between the drivers and the bus]
Design requirements
• Make peripheral buses look "remote", preventing direct interaction with the rest of the computer
• Traffic between the "remote" devices and the rest of the computer should travel through a "narrow chokepoint"; this is essential for applying defenses
• The solution should NOT require modification of the bus
• Portability: no re-design or re-implementation for different OSes
• Flexibility and extensibility
• Imposing reasonable overhead
Cinch brings network defenses to USB
• Cinch is effective (but not perfect!) against the threats described
• Cinch is portable and backwards-compatible
  – Works transparently across OSes
  – Requires no driver or USB protocol modifications
• Cinch separates the bus from your machine, creating an enforcement point
[Diagram: your machine (drivers, host controller) | Enforcer | hub and peripherals]
In the rest of this talk…
• How did they build Cinch?
• What defenses can be built on Cinch?
• How well do defenses work and what is their cost?
What do we need to answer?
• Where and how can one create a logical separation between the bus and the host, while arranging for an explicit communication channel that a policy enforcement mechanism can interpose on?
• How can one instantiate this separation and channel with no modifications to bus standards, OSes, or driver stacks?
[Diagram, "What we have today": your machine contains the drivers, the host controller and the hub. "What we want": the host controller and hub are separated from your machine, which keeps only the drivers]
Devices can be attached to another machine
[Diagram: your machine (drivers) talks to a sacrificial machine (drivers, host controller), which is the one attached to the hub network]
But this requires an additional machine…
Pragmatic choice: leverage virtualization technology to instantiate the (sacrificial) machine on the same hardware
An IOMMU can be used to restrict where in memory a device may write
[Diagram: left, a VM on a hypervisor with a virtual card, where device data lands in memory unrestricted; right, the same with an IOMMU in the path, so the device can only write to configured addresses. Restrict I/O to the VM's address space: an "Evil" write outside it is not permitted]
[Diagram, "What we have today": your machine contains the drivers, the host controller and the hub]
Under Cinch
[Diagram: your machine (VM) holds the drivers; a sacrificial machine (VM) holds the host controller and drivers and is attached to the hub network; both run on the hypervisor]
Hypervisor configures IOMMU to map bus to sacrificial machine
Devices are attached to a sacrificial VM
Interposing on VM-VM communication
[Diagram: your machine (VM, drivers) exchanges traffic with the sacrificial machine (VM, host controller, drivers, hub); the VM-VM channel is where enforcement interposes]
The architecture of Cinch
Enforcer's design is inspired by the Click modular router [Kohler et al., ACM TOCS 2000]
[Diagram: the Enforcer, a chain of modules (Module 3, Module 2, Module 1), enforces security policy on the channel between the driver on your machine and the sacrificial VM, which is a normal OS with a stripped-down USB stack]
In the rest of this talk…
• How did they build Cinch?
• What defenses can be built on Cinch?
• How well do defenses work and what is their cost?
Defense 1: Enforcing allowed device behavior
USB specifications give constraints on:
• Packet formats
• Individual fields
• Packet sequences
Checks on individual fields:
• Restricted field values
• Sizes within allowed range
• Proper encoding (e.g. UTF-16)
Checks on packet sequences:
• States based on history
• Transitions based on incoming packets
Outcome: Allow/Drop packet
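To make Defense 1 concrete, here is an added example (not code from the Cinch paper or its enforcer) of a toy spec-compliance module: field checks on device and string descriptors (restricted values, sizes within range, valid UTF-16LE) plus a simplified enumeration state machine that drops packets arriving out of sequence. Descriptor layouts and request codes follow the USB 2.0 specification; the packet representation, the `enforce` function, and the sample stream are constructed here for illustration.

```python
"""Toy USB spec-compliance enforcer (added illustration, not Cinch's code)."""
from typing import List, Optional, Tuple

# Descriptor types and standard request codes from the USB 2.0 specification.
DT_DEVICE = 1
DT_STRING = 3
REQ_SET_ADDRESS = 5
REQ_GET_DESCRIPTOR = 6
REQ_SET_CONFIGURATION = 9


def check_device_descriptor(data: bytes) -> Optional[str]:
    """Return None if the device descriptor is well formed, else a reason."""
    if len(data) < 18 or data[0] != 18:
        return "device descriptor must be exactly 18 bytes (bLength)"
    if data[1] != DT_DEVICE:
        return f"bDescriptorType {data[1]} is not DEVICE"
    if data[7] not in (8, 16, 32, 64):      # bMaxPacketSize0: restricted values
        return f"bMaxPacketSize0 {data[7]} outside the allowed set"
    if data[17] == 0:                        # bNumConfigurations
        return "bNumConfigurations must be at least 1"
    return None


def check_string_descriptor(data: bytes) -> Optional[str]:
    """String descriptors carry UTF-16LE; bLength includes the 2-byte header."""
    if len(data) < 2:
        return "string descriptor shorter than its header"
    b_length = data[0]
    if data[1] != DT_STRING:
        return f"bDescriptorType {data[1]} is not STRING"
    if b_length > len(data):                 # size within what was received
        return f"bLength {b_length} exceeds the {len(data)} bytes received"
    if b_length % 2 != 0:
        return "bLength must be even for a UTF-16 payload"
    try:
        data[2:b_length].decode("utf-16-le")  # proper encoding
    except UnicodeDecodeError:
        return "payload is not valid UTF-16LE"
    return None


def check_descriptor(data: bytes) -> Optional[str]:
    """Dispatch on bDescriptorType; types this toy does not model are dropped."""
    if len(data) < 2:
        return "descriptor shorter than its header"
    if data[1] == DT_DEVICE:
        return check_device_descriptor(data)
    if data[1] == DT_STRING:
        return check_string_descriptor(data)
    return f"descriptor type {data[1]} is not on the allow-list"


class EnumerationMonitor:
    """Simplified device state machine: default -> addressed -> configured."""

    def __init__(self) -> None:
        self.state = "default"

    def step(self, kind: str, request: Optional[int]) -> Optional[str]:
        """Apply one packet; None means allow, a string is the drop reason."""
        if kind == "control":
            if request == REQ_GET_DESCRIPTOR:
                return None                              # valid in every state
            if request == REQ_SET_ADDRESS:
                if self.state == "configured":
                    return "SET_ADDRESS in configured state"
                self.state = "addressed"
                return None
            if request == REQ_SET_CONFIGURATION:
                if self.state == "default":
                    return "SET_CONFIGURATION before SET_ADDRESS"
                self.state = "configured"
                return None
            return f"control request {request} is not on the allow-list"
        if kind == "bulk":
            return None if self.state == "configured" else f"bulk transfer while {self.state}"
        return f"unknown transfer kind {kind!r}"


# Constructed packet shape: (kind, request, device-supplied payload).
Packet = Tuple[str, Optional[int], bytes]


def enforce(packets: List[Packet]) -> List[Tuple[str, Optional[str]]]:
    """Sequence check first, then field checks on any descriptor payload."""
    monitor = EnumerationMonitor()
    verdicts = []
    for kind, request, payload in packets:
        reason = monitor.step(kind, request)
        if reason is None and request == REQ_GET_DESCRIPTOR and payload:
            reason = check_descriptor(payload)
        verdicts.append(("ALLOW", None) if reason is None else ("DROP", reason))
    return verdicts


# Constructed sample descriptors (vendor/product ids are placeholders).
GOOD_DEVICE = bytes([18, DT_DEVICE, 0x00, 0x02, 0, 0, 0, 64,
                     0x34, 0x12, 0x78, 0x56, 0x00, 0x01, 1, 2, 3, 1])
BAD_DEVICE = GOOD_DEVICE[:7] + bytes([200]) + GOOD_DEVICE[8:]   # bad bMaxPacketSize0
GOOD_STRING = bytes([6, DT_STRING]) + "hi".encode("utf-16-le")
BAD_STRING = bytes([4, DT_STRING, 0x00, 0xDC])                   # lone low surrogate

# Constructed stream: the bulk transfer before configuration and the
# malformed string descriptor are dropped; everything else is allowed.
SAMPLE_STREAM: List[Packet] = [
    ("control", REQ_GET_DESCRIPTOR, GOOD_DEVICE),
    ("control", REQ_SET_ADDRESS, b""),
    ("bulk", None, b"\x00" * 8),
    ("control", REQ_SET_CONFIGURATION, b""),
    ("control", REQ_GET_DESCRIPTOR, BAD_STRING),
    ("bulk", None, b"\x00" * 8),
]

if __name__ == "__main__":
    for packet, (verdict, reason) in zip(SAMPLE_STREAM, enforce(SAMPLE_STREAM)):
        print(f"{packet[0]:8s} {verdict:5s} {reason or ''}")
```

The field checks are an allow-list: a descriptor type the module does not understand is dropped rather than passed through, which is the stance that keeps an unmodelled packet format from reaching a driver. The state machine is deliberately smaller than the USB specification's (no suspend, no re-addressing corner cases); a production module would need the full table, and a too-strict one would reject compliant devices, which is the same protection-versus-compatibility tension the slides raise for signatures.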
Defense 2: Filtering known exploits
• Download/populate database with known malicious signatures
• Inspect incoming traffic for matches
Outcome: Allow/Drop packet
Benefits of signature-based defenses
• Quick response to an attack
  – Deriving a signature is usually faster than understanding the exploit and finding the root cause
• Useful for closed-source OSes
  – No need to wait for the OS vendor to patch the vulnerability
Limitations of signature-based defenses
• Cannot prevent zero-day attacks
• Tension between protection and compatibility
  – Exact signatures are not very effective
  – Very general signatures (e.g. wildcard/regex) can prevent benign traffic
• Signatures do not fix the underlying problem
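The following added example (not code from the Cinch paper or its enforcer) implements the Defense 2 matcher from the previous slides and makes the exact-versus-wildcard tension above measurable: a signature database with exact and masked byte patterns is run over a small labelled corpus, and each signature is scored by malicious packets caught and benign packets wrongly dropped. Every packet and signature is constructed here and corresponds to no real exploit; the "malformed" packets are simply string descriptors whose bLength claims more bytes than are present.

```python
"""Toy signature matcher for bus traffic (added illustration, not Cinch's code)."""
import re
from typing import Dict, List, Optional, Tuple


class Signature:
    """Byte pattern; mask byte 0xFF = compare this position, 0x00 = wildcard."""

    def __init__(self, name: str, pattern: bytes, mask: Optional[bytes] = None) -> None:
        self.name = name
        mask = mask if mask is not None else b"\xff" * len(pattern)   # exact by default
        if len(mask) != len(pattern):
            raise ValueError("mask and pattern must have the same length")
        parts = [re.escape(bytes([p])) if m == 0xFF else b"."
                 for p, m in zip(pattern, mask)]
        # DOTALL so a wildcard position also matches a 0x0A byte.
        self._regex = re.compile(b"".join(parts), re.DOTALL)

    def matches(self, packet: bytes) -> bool:
        """True if the pattern occurs anywhere in the packet."""
        return self._regex.search(packet) is not None


def filter_packet(signatures: List[Signature], packet: bytes) -> Tuple[str, Optional[str]]:
    """First matching signature drops the packet; otherwise it is allowed."""
    for sig in signatures:
        if sig.matches(packet):
            return ("DROP", sig.name)
    return ("ALLOW", None)


Corpus = List[Tuple[str, bytes, bool]]   # (label, packet bytes, is_malicious)


def evaluate(signatures: List[Signature], corpus: Corpus) -> Dict[str, Tuple[int, int]]:
    """Per signature: (malicious packets caught, benign packets wrongly dropped)."""
    results = {}
    for sig in signatures:
        caught = sum(1 for _, pkt, bad in corpus if bad and sig.matches(pkt))
        false_positives = sum(1 for _, pkt, bad in corpus if not bad and sig.matches(pkt))
        results[sig.name] = (caught, false_positives)
    return results


# Constructed corpus. The malformed descriptors claim the same bLength as the
# long benign one but carry only four payload bytes.
BENIGN_TEXT = "Benign string descriptor"
CLAIMED_LEN = len(BENIGN_TEXT.encode("utf-16-le")) + 2
CORPUS: Corpus = [
    ("malformed variant A", bytes([CLAIMED_LEN, 3]) + b"\xab\xcd\x00\x00", True),
    ("malformed variant B", bytes([CLAIMED_LEN, 3]) + b"\xef\x01\x00\x00", True),
    ("short benign string", bytes([6, 3]) + "hi".encode("utf-16-le"), False),
    ("long benign string", bytes([CLAIMED_LEN, 3]) + BENIGN_TEXT.encode("utf-16-le"), False),
]

# An exact signature derived from variant A, and a looser one that keys only
# on the (bLength, bDescriptorType) header bytes and wildcards the rest.
EXACT = Signature("exact", CORPUS[0][1])
MASKED = Signature("masked", bytes([CLAIMED_LEN, 3, 0, 0]), b"\xff\xff\x00\x00")

if __name__ == "__main__":
    for name, (caught, fps) in evaluate([EXACT, MASKED], CORPUS).items():
        print(f"{name:7s} caught {caught}/2 malicious, {fps} false positive(s)")
```

Running it shows the trade-off the slide names: the exact signature catches only the variant it was derived from and nothing benign, while the masked signature catches both variants but also drops the long benign descriptor. Neither signature addresses why an oversized bLength is dangerous; that belongs to the spec-compliance check of Defense 1 or to a driver fix.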
Defense 3: authentication and encryption
[Diagram: your machine (VM, drivers) | Enforcer | sacrificial machine (VM, host controller, drivers) | hub | device; all traffic on the bus is unauthenticated cleartext communication]

Install TLS endpoint at device and enforcer
[Diagram: the same chain, with authenticated and encrypted communication between the enforcer and the device; the only cleartext hop is between the drivers on your machine and the enforcer]

Existing devices can be retrofitted with an adapter
[Diagram: the same chain, with the TLS endpoint in an adapter in front of the device; traffic is authenticated and encrypted between the enforcer and the adapter, and cleartext on the short hops between the drivers and the enforcer and between the adapter and the device]
Summary of defenses
• Compliance with the USB specification
  – Prevents certain types of driver bugs from being exploited
• Signature matching
  – Prevents known exploits and can be used as a quick response
• Authentication and encryption
  – Prevent masquerading and eavesdropping on the bus
• Other: Log and replay, remote auditing, exporting functionality via higher-layer protocols (e.g., access flash drives via NFS)
In the rest of this talk…
• How did they build Cinch?
• What defenses can be built on Cinch?
• How well do defenses work and what is their cost?
Implementation details
• Hypervisor is Linux running QEMU/KVM
• Enforcer is a Linux user-level process and it is written in Rust
• USB transfers are encapsulated/decapsulated in TCP/IP
• They built the TLS adapter on a BeagleBone Black (ARM-based computer)
• They implemented exploits using a Facedancer21
How well do defenses work?
Evaluation of Cinch's effectiveness happens in 3 ways
• They implemented exploits for existing USB driver vulnerabilities
• They carried out a 3-phase penetration testing exercise
• They used a fuzzing tool to test 10,000 invalid devices
  – Summary: Cinch's enforcer prevents all 10,000
  – Subtlety: None of the tests affected a machine without Cinch either
They implemented exploits for existing USB driver vulnerabilities
• Linux CVEs reported from Jan to June 2016. They affect Linux 4.5.1
• 5 exploits that work on Windows 8.1 [Boteanu and Fowler, Black Hat Europe 2015]
Their findings:
• 16 out of 18 exploits were prevented immediately
• 2 exploits succeeded, but can be prevented with a signature
They carried out a 3-phase penetration testing exercise
• Phase 1: Red team has vague knowledge of Cinch
• Phase 2: Red team has access to a pre-configured Cinch binary
• Phase 3: Red team has Cinch's source code
Their findings:
• Increased knowledge of Cinch's functionality resulted in more intricate exploits
• Cinch is not able to prevent polymorphic attacks
What is the cost of these defenses?
Performance evaluation highlights
Baseline: connecting devices directly to your machine
Experiment 1: transferring a 1 GB file to a USB 3.0 SSD
• Throughput reduction: 38% (due to memory copies)
• Memory overhead: 200 MB (due to sacrificial VM)
• CPU overhead: 8X (due to virtualization and enforcer)
Experiment 2: ping from a remote machine using a USB Ethernet adapter
• Round-trip time increase: ~2 ms
Cinch brings network defenses to USB…
…but it also inherits their limitations
• Weak against polymorphic attacks on vulnerable drivers
• Requires identifying trusted manufacturers
• Requires device support (or an adapter) for TLS
• Requires hardware support for virtualizing I/O (IOMMU)
Summary
• Cinch provides a backward-compatible and portable way of enhancing peripheral buses with tools from network security
• Cinch's enforcer is modular and defenses are natural and easy to implement
• Cinch is not perfect, but eliminates some attack classes and increases the barrier for others
Discussion
• What do you think about their work compared to GoodUSB & USBFILTER?
• Is the 38% throughput reduction worth it?
• Any fundamental issues with the QEMU and KVM model?
• USBee
• Can GoodUSB, USBFILTER, Cinch protect us against USBee?