Defending against malicious peripherals with Cinch

Posted on 18-Aug-2020

Defending against malicious peripherals with Cinch

Presented by Avesta Hojjati, CS 598: Computer Security in the Physical World, University of Illinois

Based on slides by Sebastian Angel

Citation

• S. Angel, R. Wahby, M. Howald, J. Leners, M. Spilo, Z. Sun, A. Blumberg, M. Walfish. "Defending against Malicious Peripherals with Cinch." USENIX Security 2016

USB architecture from 30,000 feet

[Diagram: Your machine: Drivers, Host Controller, Hub]

Peripherals’ firmware can be modified with BadUSB [Nohl and Lell, Black Hat 2014]

Peripherals can exploit driver vulnerabilities

Government agencies intercept and modify shipments [Glenn Greenwald, The Guardian 2014]

13 vulnerabilities in Linux’s USB stack reported in 2016 alone

[Diagram: Your machine: Drivers, Host Controller, Hub; the device sends malformed traffic (“$@$#$#%$%”) up to the driver]

Peripherals can leverage DMA to attack OSes

[Diagram: Your machine: Drivers, Host Controller, Hub; the device issues a DMA request: write “evil” to <kernel address>]

Inception [Maartmann-Moe 2014], Funderbolt [Black Hat 2013]

Users Really Do Plug in USB Drives They Find [Tischer et al., S&P 2016]

Peripherals can lie about their identity

[Diagram: Your machine: Drivers, Host Controller, Hub. Host: “Hi, what are you?” Device: “I’m a keyboard ☺”]

Compromised hubs can eavesdrop and modify all traffic

Hubs broadcast messages downstream

[Diagram: Your machine: Drivers, Host Controller, Hub; File_for_SSD.txt passes through the hub and is visible to every downstream device]

Okay, so what can we do?

• Don’t use a computer

• Close all the ports

Our machine interacts with untrusted devices every day… on the Internet!

As part of this interaction, our machine routinely:

• Determines to whom it is talking

• Prevents eavesdropping and data tampering

• Defends against malicious traffic

How do we apply the arsenal of network security tools to peripheral buses?

And how can this be done with minor or no modifications to OSes and existing devices…

…while keeping the bus at arm’s length?

[Diagram: Your machine: Drivers, Host Controller; “Insert network security logic somewhere here” between the drivers and the bus]

Design requirements

• Making peripheral buses look “remote”, preventing direct interaction with the rest of the computer

• Traffic between the “remote” devices and the rest of the computer should travel through a “narrow chokepoint”; this is essential to apply defenses

• The solution should NOT require modification of the bus

• Portability: no re-design or re-implementation for different OSes

• Flexibility and extensibility

• Imposing reasonable overhead

Cinch brings network defenses to USB

• Cinch is effective (but not perfect!) against the threats described

• Cinch is portable and backwards-compatible
  – Works transparently across OSes
  – Requires no driver or USB protocol modifications

• Cinch separates the bus from your machine, creating an enforcement point

[Diagram: Your machine: Drivers, Host Controller; Enforcer; Hub and peripherals on the far side of the enforcer]

In the rest of this talk…

• How did they build Cinch?

• What defenses can be built on Cinch?

• How well do defenses work and what is their cost?

What do we need to answer?

• Where and how can one create a logical separation between the bus and the host, while arranging for an explicit communication channel that a policy enforcement mechanism can interpose on?

• How can one instantiate this separation and channel with no modifications to bus standards, OSes, or driver stacks?

[Diagram: “What we have today” vs. “What we want”; both show Your machine, Drivers, Host Controller and Hub]

Devices can be attached to another machine

[Diagram: Your machine (Drivers); sacrificial machine (Host Controller, Drivers); Hub; the two machines are connected over a network]

But this requires an additional machine…

Pragmatic choice: leverage virtualization technology to instantiate the (sacrificial) machine on the same hardware

An IOMMU can be used to restrict where in memory a device may write

[Diagram: two setups, each a VM on top of a Hypervisor. Left: a virtual card writes Data into memory and can also write “Evil” anywhere. Right: an IOMMU sits in the path, so the device can only write to configured addresses]

Device can only write to configured addresses

Restrict I/O to the VM’s address space

What we have today

[Diagram: Your machine: Host Controller, Drivers, Hub]

Under Cinch

[Diagram: Your machine (VM): Drivers; sacrificial machine (VM): Host Controller, Drivers; Hub; both VMs run on the Hypervisor and talk over a network]

Hypervisor configures IOMMU to map bus to sacrificial machine

Devices are attached to a sacrificial VM

[Diagram: Your machine (VM): Drivers; sacrificial machine (VM): Host Controller, Drivers; Hub]

Interposing on VM-VM communication

The architecture of Cinch

Enforcer’s design is inspired by the Click modular router [Kohler et al., ACM TOCS 2000]

[Diagram: Enforcer, a chain of modules (Module 1, Module 2, Module 3), enforces security policy; on the sacrificial side sits a normal OS with a stripped-down USB stack and its driver]

In the rest of this talk…

• How did they build Cinch?

• What defenses can be built on Cinch?

• How well do defenses work and what is their cost?

Defense 1: Enforcing allowed device behavior

USB specifications give constraints on:

• Packet formats

• Individual fields
  – Restricted field values
  – Sizes within allowed range
  – Proper encoding (e.g. UTF-16)

• Packet sequences
  – States based on history
  – Transitions based on incoming packets

Allow / Drop packet
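To make the three kinds of constraint concrete, here is an added example in Rust (the language Cinch’s enforcer is written in); it is not code from the Cinch project. It checks descriptors a device returns during enumeration against USB 2.0 rules the deck lists: packet format (bLength and bDescriptorType header, total lengths), individual fields (bMaxPacketSize0 restricted to 8/16/32/64, bNumConfigurations at least 1, string descriptors encoded as valid UTF-16LE), and packet sequence (a small state machine that rejects configuration or string descriptors before a device descriptor has been seen). The two-state machine and the set of checks are simplifying assumptions for the example; the descriptor layouts are from the specification.

```rust
// Added example, not code from the Cinch paper or its enforcer.
// A tiny "Defense 1" module: validates descriptors travelling device -> host
// against USB 2.0 constraints and tracks enumeration order with a small state
// machine. The state machine and the chosen checks are simplifying assumptions.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Verdict {
    Allow,
    Drop,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
enum State {
    AwaitDevice, // nothing seen yet: only a device descriptor is acceptable
    Enumerating, // device descriptor seen: config/string descriptors allowed
}

pub struct DescriptorFilter {
    state: State,
}

const DT_DEVICE: u8 = 1;
const DT_CONFIGURATION: u8 = 2;
const DT_STRING: u8 = 3;

impl DescriptorFilter {
    pub fn new() -> Self {
        DescriptorFilter { state: State::AwaitDevice }
    }

    /// Inspect one descriptor payload; returns the verdict and a log reason.
    pub fn inspect(&mut self, pkt: &[u8]) -> (Verdict, String) {
        match self.check(pkt) {
            Ok(()) => (Verdict::Allow, "ok".to_string()),
            Err(reason) => (Verdict::Drop, reason),
        }
    }

    fn check(&mut self, pkt: &[u8]) -> Result<(), String> {
        // Packet format: every descriptor starts with bLength, bDescriptorType.
        if pkt.len() < 2 {
            return Err("descriptor shorter than 2-byte header".into());
        }
        let b_length = pkt[0] as usize;
        match pkt[1] {
            DT_DEVICE => {
                if b_length != 18 || pkt.len() != 18 {
                    return Err(format!("device descriptor length {} != 18", pkt.len()));
                }
                // Field value restricted by the spec to {8,16,32,64}.
                if !matches!(pkt[7], 8 | 16 | 32 | 64) {
                    return Err(format!("bMaxPacketSize0 {} not allowed", pkt[7]));
                }
                if pkt[17] == 0 {
                    return Err("bNumConfigurations must be >= 1".into());
                }
                // Sequence: a device descriptor (re)starts enumeration.
                self.state = State::Enumerating;
                Ok(())
            }
            DT_CONFIGURATION => {
                self.require_enumerating("configuration")?;
                if b_length != 9 || pkt.len() < 9 {
                    return Err("configuration descriptor header must be 9 bytes".into());
                }
                // wTotalLength (little-endian) must cover exactly what was sent.
                let w_total = u16::from_le_bytes([pkt[2], pkt[3]]) as usize;
                if w_total != pkt.len() {
                    return Err(format!("wTotalLength {} != payload {}", w_total, pkt.len()));
                }
                Ok(())
            }
            DT_STRING => {
                self.require_enumerating("string")?;
                if b_length != pkt.len() || b_length % 2 != 0 {
                    return Err("string descriptor length must be even and match bLength".into());
                }
                // Proper encoding: the body is UTF-16LE code units.
                let units: Vec<u16> = pkt[2..]
                    .chunks_exact(2)
                    .map(|c| u16::from_le_bytes([c[0], c[1]]))
                    .collect();
                String::from_utf16(&units)
                    .map_err(|_| "string descriptor is not valid UTF-16".to_string())?;
                Ok(())
            }
            other => Err(format!("unexpected descriptor type {}", other)),
        }
    }

    fn require_enumerating(&self, what: &str) -> Result<(), String> {
        if self.state == State::AwaitDevice {
            Err(format!("{} descriptor before device descriptor", what))
        } else {
            Ok(())
        }
    }
}

fn main() {
    let mut f = DescriptorFilter::new();
    // Constructed sample: a well-formed device descriptor (vendor/product ids are placeholders).
    let dev = [18u8, 1, 0x00, 0x02, 0, 0, 0, 64, 0x34, 0x12, 0x78, 0x56, 0x00, 0x01, 1, 2, 3, 1];
    println!("{:?}", f.inspect(&dev));
    println!("{:?}", f.inspect(&[4, 3, 0x00, 0xD8])); // lone surrogate -> Drop
}
```

Each `Err` reason is what the enforcer would log; in a real module the reason string would also drive the "transitions based on incoming packets" slide, for example by moving the device into a quarantined state after the first malformed descriptor rather than dropping packets one at a time.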

Defense 2: Filtering known exploits

Download / populate a database with known malicious signatures

Inspect incoming traffic for matches

Allow / Drop packet

Benefits of signature-based defenses

• Quick response to an attack
  – Deriving a signature is usually faster than understanding the exploit and finding the root cause

• Useful for closed-source OSes
  – No need to wait for the OS vendor to patch the vulnerability

Limitations of signature-based defenses

• Cannot prevent zero-day attacks

• Tension between protection and compatibility
  – Exact signatures are not very effective
  – Very general signatures (e.g. wildcard/regex) can prevent benign traffic

• Signatures do not fix the underlying problem
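The following added Rust example (not Cinch’s code) shows the Defense 2 matcher and the protection/compatibility tension from the two slides above. A signature is a byte pattern, either exact or with wildcard positions, searched anywhere in an incoming transfer. The sample "known bad" payload, its one-byte variant and the benign packet are constructed placeholders (a configuration descriptor header with an absurd wTotalLength), not real exploit bytes, and the `Signature`/`SignatureFilter` types are this example’s own.

```rust
// Added example, not code from the Cinch project. A "Defense 2" signature
// matcher: a database of byte patterns, exact or with wildcard positions, run
// over each incoming USB transfer. Sample signatures and payloads are
// constructed placeholders, not real exploit bytes.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Verdict {
    Allow,
    Drop,
}

/// One signature: a name plus a pattern where `None` matches any byte.
pub struct Signature {
    pub name: &'static str,
    pub pattern: Vec<Option<u8>>,
}

impl Signature {
    /// Exact signature: every byte fixed.
    pub fn exact(name: &'static str, bytes: &[u8]) -> Self {
        Signature { name, pattern: bytes.iter().map(|&b| Some(b)).collect() }
    }

    /// Masked signature from a spec like "09 02 ?? ?? 01": "??" is a wildcard.
    pub fn masked(name: &'static str, spec: &str) -> Self {
        let pattern = spec
            .split_whitespace()
            .map(|tok| if tok == "??" { None } else { Some(u8::from_str_radix(tok, 16).expect("hex byte")) })
            .collect();
        Signature { name, pattern }
    }

    /// True if the pattern occurs anywhere in `data`.
    pub fn matches(&self, data: &[u8]) -> bool {
        let n = self.pattern.len();
        if n == 0 || data.len() < n {
            return false;
        }
        data.windows(n)
            .any(|w| w.iter().zip(&self.pattern).all(|(b, p)| p.map_or(true, |x| x == *b)))
    }
}

pub struct SignatureFilter {
    db: Vec<Signature>,
}

impl SignatureFilter {
    pub fn new(db: Vec<Signature>) -> Self {
        SignatureFilter { db }
    }

    /// Returns the verdict and the name of the first matching signature, if any.
    pub fn inspect(&self, pkt: &[u8]) -> (Verdict, Option<&'static str>) {
        match self.db.iter().find(|s| s.matches(pkt)) {
            Some(s) => (Verdict::Drop, Some(s.name)),
            None => (Verdict::Allow, None),
        }
    }
}

fn main() {
    // Constructed placeholders: a configuration descriptor header claiming
    // wTotalLength 0xFFFF, a variant with one byte changed, and a benign one.
    let known_bad = [0x09u8, 0x02, 0xff, 0xff, 0x01, 0x01, 0x00, 0xc0, 0x32];
    let variant = [0x09u8, 0x02, 0xfe, 0xff, 0x01, 0x01, 0x00, 0xc0, 0x32];
    let benign = [0x09u8, 0x02, 0x12, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32];

    let exact = SignatureFilter::new(vec![Signature::exact("cfg-bad-exact", &known_bad)]);
    let wide = SignatureFilter::new(vec![Signature::masked("cfg-bad-wide", "09 02 ?? ?? 01 01 00")]);
    for (label, pkt) in [("known_bad", &known_bad), ("variant", &variant), ("benign", &benign)] {
        println!("{:<9} exact={:?} wide={:?}", label, exact.inspect(pkt).0, wide.inspect(pkt).0);
    }
}
```

Running it shows both failure modes the slide names: the exact signature stops only the byte-for-byte known payload and lets the variant through, while the wide wildcard pattern also drops the benign configuration descriptor. A narrower mask that keeps the distinguishing bytes fixed (`09 02 ?? ff 01 01 00 c0`) catches both bad payloads without the false positive, but finding that balance per signature is exactly the manual work the slide calls a tension.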

Defense 3: authentication and encryption

[Diagram: Your machine (VM): Drivers; Enforcer; sacrificial machine (VM): Host Controller, Drivers; Hub. Today: unauthenticated cleartext communication end to end]

Install TLS endpoint at device and enforcer

[Diagram: same layout; the link between the enforcer and the device is now authenticated and encrypted, while traffic inside your machine (VM) stays cleartext]

Existing devices can be retrofitted with an adapter

[Diagram: same layout; the adapter terminates TLS in front of a legacy device, so the hop between adapter and device stays cleartext, and the segment through the hub and sacrificial VM up to the enforcer is authenticated and encrypted]

Summary of defenses

• Compliance with the USB specification
  – Prevents certain types of driver bugs from being exploited

• Signature matching
  – Prevents known exploits and can be used as a quick response

• Authentication and encryption
  – Prevent masquerading and eavesdropping on the bus

• Other: log and replay, remote auditing, exporting functionality via higher-layer protocols (e.g., access flash drives via NFS)

In the rest of this talk…

• How did they build Cinch?

• What defenses can be built on Cinch?

• How well do defenses work and what is their cost?

Implementation details

• Hypervisor is Linux running QEMU/KVM

• Enforcer is a Linux user-level process and it is written in Rust

• USB transfers are encapsulated/decapsulated in TCP/IP

• They built the TLS adapter on a Beaglebone Black (ARM-based computer)

• They implemented exploits using a Facedancer21
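The two slides that describe the enforcer, the Click-style chain of modules in "The architecture of Cinch" and the bullet above about USB transfers being encapsulated in TCP/IP, come together in this added Rust example, which is not Cinch’s code. It models the narrow chokepoint: transfers arrive from the sacrificial VM as length-prefixed frames on a byte stream, a decapsulator reassembles them (including the edge case where one frame is split across two reads), and each transfer then passes through a chain of modules that each vote allow or drop. The frame layout (4-byte little-endian length, 1-byte direction flag, payload), the 64 KiB frame cap and the `SizeLimit` policy module are assumptions made for this example, not Cinch’s wire format or modules.

```rust
// Added example, not code from the Cinch project. Models the enforcer's
// chokepoint: length-prefixed USB transfers are pulled off a TCP-style byte
// stream and pushed through a chain of Click-style modules. The frame layout
// and the policy values are assumptions for this example.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Verdict {
    Allow,
    Drop,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Transfer {
    pub to_host: bool, // direction flag: true = device -> host
    pub payload: Vec<u8>,
}

/// Pulls complete frames out of an incoming byte stream; keeps leftovers.
#[derive(Default)]
pub struct Decapsulator {
    buf: Vec<u8>,
}

impl Decapsulator {
    pub const MAX_FRAME: usize = 64 * 1024; // assumption: cap on one transfer

    /// Feed bytes as they arrive; returns every frame completed so far.
    /// An oversized length prefix is an error: the peer is misbehaving.
    pub fn feed(&mut self, chunk: &[u8]) -> Result<Vec<Transfer>, String> {
        self.buf.extend_from_slice(chunk);
        let mut out = Vec::new();
        loop {
            if self.buf.len() < 5 {
                break; // header (4-byte length + 1-byte direction) incomplete
            }
            let len = u32::from_le_bytes([self.buf[0], self.buf[1], self.buf[2], self.buf[3]]) as usize;
            if len > Self::MAX_FRAME {
                return Err(format!("frame length {} exceeds cap", len));
            }
            if self.buf.len() < 5 + len {
                break; // payload not fully arrived yet; wait for the next read
            }
            let to_host = self.buf[4] == 1;
            let payload = self.buf[5..5 + len].to_vec();
            let rest = self.buf.split_off(5 + len);
            self.buf = rest;
            out.push(Transfer { to_host, payload });
        }
        Ok(out)
    }
}

/// A Click-style module: inspects one transfer, may rewrite it, and votes.
pub trait Module {
    fn name(&self) -> &'static str;
    fn process(&mut self, t: &mut Transfer) -> Verdict;
}

/// Example policy module: drops transfers whose payload exceeds a limit.
pub struct SizeLimit(pub usize);

impl Module for SizeLimit {
    fn name(&self) -> &'static str {
        "size-limit"
    }
    fn process(&mut self, t: &mut Transfer) -> Verdict {
        if t.payload.len() > self.0 { Verdict::Drop } else { Verdict::Allow }
    }
}

pub struct Enforcer {
    pub chain: Vec<Box<dyn Module>>,
}

impl Enforcer {
    /// Runs the chain in order; the first Drop wins and names the module.
    pub fn run(&mut self, mut t: Transfer) -> Result<Transfer, &'static str> {
        for m in self.chain.iter_mut() {
            if m.process(&mut t) == Verdict::Drop {
                return Err(m.name());
            }
        }
        Ok(t)
    }
}

/// Encapsulates one transfer for the peer (used here to build sample streams).
pub fn encapsulate(t: &Transfer) -> Vec<u8> {
    let mut v = (t.payload.len() as u32).to_le_bytes().to_vec();
    v.push(if t.to_host { 1 } else { 0 });
    v.extend_from_slice(&t.payload);
    v
}

fn main() {
    // Constructed sample stream: a 3-byte transfer followed by a 100-byte one.
    let small = Transfer { to_host: true, payload: vec![1, 2, 3] };
    let big = Transfer { to_host: false, payload: vec![0u8; 100] };
    let stream = [encapsulate(&small), encapsulate(&big)].concat();
    let mut d = Decapsulator::default();
    let mut e = Enforcer { chain: vec![Box::new(SizeLimit(64))] };
    for chunk in [&stream[..10], &stream[10..]] {
        for t in d.feed(chunk).unwrap() {
            println!("{:?}", e.run(t).map(|t| t.payload.len()));
        }
    }
}
```

Delivering the stream in two pieces that cut the second frame in half exercises the reassembly path; the enforcer then allows the small transfer and drops the large one, reporting which module objected. Real Defense 1 and Defense 2 logic would simply be further `Module` implementations in `chain`, which is the modularity the Click comparison is about.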

How well do defenses work?

Evaluation of Cinch’s effectiveness happens in 3 ways:

• They implemented exploits for existing USB driver vulnerabilities

• They carried out a 3-phase penetration testing exercise

• They used a fuzzing tool to test 10,000 invalid devices
  – Summary: Cinch’s enforcer prevents all 10,000
  – Subtlety: none of the tests affected a machine without Cinch either

They implemented exploits for existing USB driver vulnerabilities

• Linux CVEs reported from Jan to June 2016; they affect Linux 4.5.1

• 5 exploits that work on Windows 8.1 [Boteanu and Fowler, Black Hat Europe 2015]

Their findings:

• 16 out of 18 exploits were prevented immediately

• 2 exploits succeeded, but can be prevented with a signature

They carried out a 3-phase penetration testing exercise

• Phase 1: Red team has vague knowledge of Cinch

• Phase 2: Red team has access to a pre-configured Cinch binary

• Phase 3: Red team has Cinch’s source code

Their findings:

• Increased knowledge of Cinch’s functionality resulted in more intricate exploits

• Cinch is not able to prevent polymorphic attacks

Performance evaluation highlights

What is the cost of these defenses?

Baseline: connecting devices directly to your machine

Experiment 1: transferring a 1 GB file to a USB 3.0 SSD

• Throughput reduction: 38% (due to memory copies)

• Memory overhead: 200 MB (due to sacrificial VM)

• CPU overhead: 8X (due to virtualization and enforcer)

Experiment 2: ping from a remote machine using a USB Ethernet adapter

• Round-trip time increase: ~2 ms

Cinch brings network defenses to USB…

…but it also inherits their limitations

• Weak against polymorphic attacks on vulnerable drivers

• Requires identifying trusted manufacturers

• Requires device support (or an adapter) for TLS

• Requires hardware support for virtualizing I/O (IOMMU)

Summary

• Cinch provides a backward-compatible and portable way of enhancing peripheral buses with tools from network security

• Cinch’s enforcer is modular, and defenses are natural and easy to implement

• Cinch is not perfect, but eliminates some attack classes and increases the barrier for others

Discussion

• What do you think about their work compared to GoodUSB & USBFILTER?

• Is the 38% throughput reduction worth it?

• Any fundamental issues with the QEMU and KVM model?

• USBee

• Can GoodUSB, USBFILTER, or Cinch protect us against USBee?
