Ekoparty 2011

I was invited to Ekoparty in Buenos Aires, Argentina. It all went very quickly, because when I was accepted for my talk on Virtualised USB Fuzzing using QEMU and Scapy, I couldn’t read email very well. I was abroad and had only a replacement laptop (which we got at MeeGo Summit in Dublin) at hand because my laptop broke down 🙁 And of top of that I wasn’t very well connected. Anyway, I got notice exactly two weeks before the conference and actually I had other plans anyway. But since it was in Argentina and I haven’t been there yet, I was very eager to go.

I was going from Hamburg via Amsterdam and Sao Paulo to Buenos Aires. And back from Buenos Aires via Charles de Gaule to Berlin. After my first fight I had a good break at Shiphol but when I wanted to board the next flight, I was denied at first. After a couple of minutes, some officials came and I was interrogated. Because my itinerary looked suspicious, they said. So I was asked and searched and the information I gave was promptly checked by they woman and her smart-phone. Weird stuff. The next flights and airports were fortunately much better.

The very first day of the conference was reserved for the keynote and workshops. Unfortunately, the workshops were held in Spanish only so I couldn’t really follow anything. But I still attended some folks playing around with an USRP. It was interesting enough despite the Spanish. They decoded normal FM radio, pager messages and other (analogue) radio messages flying through the ether. The keynote was held in Spanish, too, but two translators simultaneously translated the talk into English. It’s the first time that *I* am the one needing a translation device 😉 I didn’t fully get the keynote because the there was a lot of noise in the radio of the Spanglish :-/

The first talk by Agustin Gianni from Immunity was about Attacking the Webkit Heap and was, well, very technical. A bit too detailed for me as I don’t have much desire to exploit memory issues in Webkit, but it’s good to know that there people looking into that. Just after that, there was a talk about security of SAP products. The message I got was, to read the SAP advisories and documentation. Because he was showing exploits that used vulnerabilities that were either known and fixed or documented. It was still a bit interesting for me as I didn’t know much about SAP systems and could see what it’s actually about.

I don’t have much to say about the iOS forensic talk, because you can find the things he mentioned with a one liner: find / -name '*.db'.
Ryan McArthur talked about Machine Specific Registers which I didn’t even know what it was. But apparently CPUs have special registers that you usually don’t use. And these have special capabilities such as offering debug facilities. Also you can issue a simple instruction to detect whether you are in a virtual machine or not. That sounds damn interesting. With Intel it’s called Last Branch Recording. And he implementing something that would be able to trace programs like Skype. I wonder though what difference to PaiMai is. An implementation using these facilities apparently exists for Linux as well.

A bit off the wall was Marcos Nieto talking about making money with Facebook. So he realised that he could send the AJAX request, which some Flash game sends to the game server, himself. He didn’t think about writing a bot playing the game for him though. Instead, he used a proxy to capture the HTTP traffic his Flashplayer was generating and replaying that traffic with the proxy software. And the money part would then be to sell the account that had all the experience points on eBay. I hope it was just the translation and the crappy quality of the radio that made it seem so lame.

As for my presentation, I wasn’t too lucky with the MeeGo laptop I used, because it only has an Atom processor which doesn’t have KVM support. That is very bad if you want to do something with QEMU 🙁 But I tried to prepare my things well enough to not have many problems. But what happened then was really embarrassing. I prepared demos and I did that very thoroughly. I even recorded some videos as second line of defence in case something fails. But I didn’t expect anything to fail because my demos were simple enough, and just a few copy&paste jobs. That’s what I thought and Murphy proved me wrong. I hate him. So my demos did not work, of course. I still don’t really know why, but I guess that I left a QEMU instance running due to the nervousness. And that instance would still mess around with the pipes that I was using. So lessons learnt: Whenever you think it’s simple enough, think harder.

Demo-Video. If it doesn’t play inline (stupid wordpress) please download yourself.

The rest of the conference was relaxed and the talks were much better than the day before. I feel that the second day was saved for the big things while the first was thought of as a buffer for the people to arrive. There was the SSL talk which caught a lot of attention in international media even before the conference. For reference: The issue was assigned CVE-2011-3389. I was astonished, really, to hear *the* talk being held in Spanish. I absolutely expected that thing to go off in English. Unfortunately, I couldn’t understand much of the things that were told. It took me quite a while to understand that the “navigator” the translatress was constantly referring to is actually the browser… So I was disappointed by that talk, but the expectations were high so it was easy to be disappointed.

http://www.youtube.com/watch?v=lauFlKi56aM

So all in all it went fine. It’s a nice enough conference, really relaxed, maybe even too relaxed. Given that there was one track only, it didn’t really matter that things bent the schedule by two hours. I felt that generally things went off the radar of the organising folks, most likely due to organising a conference being very stressful 😉 But well, it would still have been nice if they actually provided the facilities they promised to give a talk, like a USB cable or a demo laptop 😉 I barely got a T-Shirt 😀

Practicum Status Update Week 10

  • As mentioned in the last report, I skipped one week in favour of the GUADEC.
  • I had a funny C problem. Consider the following two functions:
     
    static int
    safe_read (void *data, size_t length, FILE* file)
    {
    	int status = fread(data, length, 1, file);
     
    	if (status == -1) error_report("%s: read packet (%lu) data on stream %p "
    								   "failed (%d): %s",
    								   __FUNCTION__, length, file,
    								   status, strerror(errno));
    	status = fflush(file);
    	return status;
    }
     
    static int
    safe_write (void *data, size_t length, FILE* file)
    {
    	int status = fwrite(data, length, 1, file);
     
    	if (status == -1) error_report("%s: writing packet (%lu) data on stream %p "
    								   "failed (%d): %s",
    								   __FUNCTION__, length, file,
    								   status, strerror(errno));
    	status = fflush(file);
    	return status;
    }

    Now you might want to deduplicate the code and make it one big and two small functions:

     
    static int
    safe_operation (size_t (func) (void *, size_t, size_t, FILE*), void *data, size_t length, FILE* file)
    {
    	int status = func(data, length, 1, file);
    	const char *funcstr = "undeclared";
     
    //	switch (*func) {
    //		case fread:
    //			funcstr = "read";
    //			break;
    //		case fwrite:
    //			funcstr = "write";
    //			break;
    //		default:
    //			funcstr = "?";
    //			break;
    //	}
     
    	if (status == -1) error_report("%s: %s (%p) packet (%lu) data on stream %p "
    								   "failed (%d): %s",
    								   __FUNCTION__, funcstr, *func, length, file,
    								   status, strerror(errno));
    	status = fflush(file);
    	return status;
    }

    but it wouldn’t compile because fread and fwrite have slightly different signatures.
    The solution is to:

     
    typedef size_t (*fwrite_fn)(const void * __restrict, size_t, size_t, FILE * __restrict);
     
    static int
    safe_operation (fwrite_fn func, void *data, size_t length, FILE* file)
    {
            int status = func(data, length, 1, file);
            const char *funcstr = "undeclared";
     
            if (status == -1) error_report("%s: %s (%p) packet (%lu) data on stream %p "
                                                                       "failed (%d): %s",
                                                                       __FUNCTION__, funcstr, *func, length, file,
                                                                       status, strerror(errno));
            status = fflush(file);
            return status;
    }
     
    int
    main(void)
    {
            int x;
     
            safe_operation((fwrite_fn)fread, &x, sizeof x, stderr);
            safe_operation(fwrite, &x, sizeof x, stderr);
            return 0;
    }

    Thanks to Roland for pointing that out.

  • On smth unrelated: Fought with OpenSSL and it’s API and documentation. But more on that in a different post.
  • Fortunately, only Gajim crashed once. Well rhythmbox locks up, too, as it always does
  • Annoyed by the fact, that it takes ages to “make” a freshly made kernel!
    muelli@bigbox ~/git/linux-2.6 $ time make 
      CHK     include/linux/version.h
      CHK     include/generated/utsrelease.h
      CALL    scripts/checksyscalls.sh
      CHK     include/generated/compile.h
      CHK     include/linux/version.h
    make[2]: `scripts/unifdef' is up to date.
      TEST    posttest
    Succeed: decoded and checked 1382728 instructions
    Kernel: arch/x86/boot/bzImage is ready  (#14)
      Building modules, stage 2.
      MODPOST 2107 modules
    WARNING: modpost: Found 4 section mismatch(es).
    To see full details build your kernel with:
    'make CONFIG_DEBUG_SECTION_MISMATCH=y'
    
    real	14m7.842s
    user	1m33.747s
    sys	0m25.388s
    muelli@bigbox ~/git/linux-2.6 $ 
    
  • Trying to automatically create a FAT image and fill populate it with the built modules is more cumbersome than expected. guestmount is way too much overhead: It requires qemu and channels the data out over the network (sic!). I just want a FUSE implementation that is capable of writing a FAT image! There seems to be UMFUSE but it’s packaged for Debian/Ubuntu and not for Fedora.Find the sources is quite a challenge (it’s here: https://view-os.svn.sourceforge.net/svnroot/view-os/trunk/fuse-modules/fat) but I can’t build it, because they haven’t really prepared their code for anybody else to build it. After being harassed to generate the ./configure file (autoconf,; aclocal; autoconf), it also wants shtool to be installed AND in a local directory (/.-). I gave up as it kept bugging me about a missing config.sub. But I still wanted to get that FUSE module so I dug up my Ubuntu chroot and apt-get sourced the files, ./configure && make && make install. Beautiful. Turns out, that the official FUSE wiki lists two ways to mount a FATfs: the one I’ve just described and a dead project (FatFuse).

    I then threw together this shellscript:

    ##!/bin/bash
     
    MOD_DIR=/tmp/linux-modules/
    FAT_IMAGE=/tmp/modules.$$.fat
    FAT_MOUNT=/tmp/share/
    FAT_TARGET_IMAGE=/tmp/modules.fat
     
    make modules_install INSTALL_MOD_PATH="$MOD_DIR" &&
     
    bytes=$(( $(du -s $MOD_DIR | awk '{print $1}') + $(( 20 * 1024)) ))
    #
    # create FAT image
    dd if=/dev/zero of=$FAT_IMAGE bs=1024 count=$bytes &&
    mkfs.vfat $FAT_IMAGE &&
    fusefat -o nonempty -o rw+ $FAT_IMAGE $FAT_MOUNT &&
    cp -dRx $MOD_DIR/* $FAT_MOUNT
    fusermount -u $FAT_MOUNT &&
    echo $FAT_IMAGE &&
    ln -sf $FAT_IMAGE $FAT_TARGET_IMAGE

    and I start qemu like that:

    /opt/muelli/qemu/bin/qemu-system-x86_64 -drive file=/tmp/ubuntu-snapshots.qcow2,if=virtio -kernel ~/git/linux-2.6/arch/x86_64/boot/bzImage -append 'selinux=0 root=/dev/vda init=/sbin/init' -m 1G -drive file=/tmp/modules.fat,if=virtio,readonly=on -monitor stdio -loadvm 1

    which allows me to access the module on the FAT drive on /dev/vdb. I can also snapshot the booted machine which saves me an awful lot of time for booting. But it took me quite a while to make QEmu do that, because the snapshot parameter for the disk does not save snapshots! Also, the FAT drive has to marked as readonly for QEmu to only save snapshots on the only remaining writable drive. But QEmu fails to make a drive readonly if the selected interface is IDE. Thus, you need virtio… Thanks to the helpful folks on IRC…

  • So yeah, all in all, I didn’t make any substantial progress :-/ I hope to finish a Webcam in software soonish though.

Practicum Status Update Week 8

  • Over the weekend, I’ve talked at the ChaosBBQ in Dortmund, Germany. A nice and small conferency gathering.
  • This week I had only a few bugs (that I reported):
  • The filter stuff is actually more complex than I initially thought: I do indeed have to handle async USB URBs which makes the code look more ugly and taste more like spaghetti. Anyway, the filter stuff should fully work now *yay*.

    I hope the video works. If it doesn’t, please download first. So we can replace packets on the fly, in and out. And of course, you could design a more complex scenario: Let the first read pass by unmodified but after that modify the packets.

  • Read a bit in “Essential Linux Device Drivers” which is an interesting to read book. I like the relaxed writing style. I haven’t gotten to the nitty gritty USB details yet though.
  • Wireshark can sniff USB communication, too. And it can save as a pcap file. And it dissects bits of the protocols. At least it shows the SCSI request for an USB Massstorage. I have to test whether it knows, say, webcams. First investigations show that it only supports USB Massstorage though. And it’d be interesting whether it can sniff the communication I’m filtering with QEmu.
  • Apparently, USB network magic for pcap is 0xdc:
    typedef struct pcap_hdr_s {
            guint32 magic_number;   /* magic number */
            guint16 version_major;  /* major version number */
            guint16 version_minor;  /* minor version number */
            gint32  thiszone;       /* GMT to local correction */
            guint32 sigfigs;        /* accuracy of timestamps */
            guint32 snaplen;        /* max length of captured packets, in octets */
            guint32 network;        /* data link type */
    } pcap_hdr_t;

    Wirehsark dumps the following:

    0000000: d4 c3 b2 a1 02 00 04 00 00 00 00 00 00 00 00 00  ................
    0000010: ff ff 00 00 dc 00 00 00 43 8e 44 4c d7 96 05 00  ........C.DL....

    So I might be able to implement saving to PCap at some stage.

  • Next week will be GUADEC! *yay* But that will also mean that I can’t work that much.
  • So my emulation seems to work now, too. I now need to speak the right protocol. So if you know a good resource that describes how a, say, USB Webcam behaves on the bus, drop me a line. Or anything that can dissect USB packets would be fine.

Practicum Status Update Week 7

  • Read about Radare. Apparently, they have “USB support” but I could only see a USB communication sniffer. So Radare doesn’t dissect USB pakets 🙁
  • Installed GDB from git, because the GDB in Fedora 13 crashes way too often. I didn’t file as many new bugs this week though 😉 I seem to have worked around all my crashers…
  • Fought a lot with git 🙁 It’s incredibly hostile. I tried to rebase stuff and it keeps bugging me with old commits still being visible although I’ve changed them 🙁 I probably haven’t understood what it does yet. Tried to fix as much as possible using git reflog. Of course, the man page references options (–verbose in my case) that are not existant. Brilliant. I don’t know why I actually expected git to help me.
    This is hilarious, too:

    muelli@bigbox ~/git/qemu $ git rebase setup_fds 
    First, rewinding head to replay your work on top of it...
    Applying: Temporary migration to usb_packet_filter_setup_fds
    Using index info to reconstruct a base tree...
    Falling back to patching base and 3-way merge...
    Auto-merging usb-linux.c
    CONFLICT (content): Merge conflict in usb-linux.c
    Failed to merge in the changes.
    Patch failed at 0001 Temporary migration to usb_packet_filter_setup_fds
    
    When you have resolved this problem run "git rebase --continue".
    If you would prefer to skip this patch, instead run "git rebase --skip".
    To restore the original branch and stop rebasing run "git rebase --abort".
    
    
    muelli@bigbox ~/git/qemu $ nano usb-linux.c # hack hack hack
    muelli@bigbox ~/git/qemu $ git add usb-linux.c
    muelli@bigbox ~/git/qemu $ git rebase --continue
    Applying: Temporary migration to usb_packet_filter_setup_fds
    No changes - did you forget to use 'git add'?
    
    When you have resolved this problem run "git rebase --continue".
    If you would prefer to skip this patch, instead run "git rebase --skip".
    To restore the original branch and stop rebasing run "git rebase --abort".
    
    muelli@bigbox ~/git/qemu $ 
    

    WTF?!

    That one is brilliant, too:

    muelli@bigbox ~/git/qemu $ git rebase -i setup_fds
    # Stupid me: I selected "f" for the very first entry in that edit window
    Cannot 'fixup' without a previous commit
    # Fair enough, let me restart then:
    muelli@bigbox ~/git/qemu $ git rebase setup_fds 
    Interactive rebase already started
    # O_o WTF? What else, besides aborting, could I possibly do anyway?!
    muelli@bigbox ~/git/qemu $ git rebase --abort
    muelli@bigbox ~/git/qemu $ git rebase setup_fds 
    # Now it works...
    
  • Reimplemented host side USB filters to obtain valid USB communication. I have various simple filters: PassThrough, Logging and Replacing. The first one does nothing but return the data w/o any modification. The second one writes the bytes it reads and writes to files. The third one replaces 512 “A”s with 512 “B”s. Still need separate packets from the device in question to the host from packets from the host to the device to obtain valid device behaviour without reading all of the documentation. That will give me a good starting point to actually do the fuzzing.

    That replace filter produced interesting results. I replaced every “A” transmitted by a “B”. On the host, I created a file on a mass storage with 4KB “A”s. When “cat”ting the file from the guest, I saw “A”s. But copying the file in the guest resulted in the new file having all “B”s. I expected the “cat” showing all “B”s, too. And as far as I can see, the “A”s are actually replaced for the “cat”.

    Of course, Istanbul crashed while trying to make that screencast.
    Note that the filter code actually changed by now, not only because I enhanced the protocol (in the version you’re seeing, only USB payload is exchanged. In the new version, also the PID, device address and device endpoint are filtered) but also because I refactored the communication bits into a USBPacket class.
    I missed to show the pen drive from the host point of view after having copied the file in the guest, but the “bbbb” file is full of “B”s.

  • I’m on my way to emulating a USB device, i.e. make the guest think it has a USB device attached but the device is a program running on the guest. I basically copied the USB serial driver and the HID driver and modified them to get packets from a pipe and send them to a pipe. I had serious problems with QEmu: QEmu didn’t register my new “device”. Now I called the right function to initialize the USB device and voila, it attaches it like it should.
    Now I need to obtain valid USB communication using the filter so that I can respond to incoming packets properly.
  • Dear lazyweb, I’m wondering whether I could make my OS load an application but then break on main() so that I can attach a debugger. I cannot run the application *with* GDB. Instead, I want to attach a GDB after the program is fully loaded. Maybe LD_PRELOADing on main() will work?

Practicum Status Update Week 6

  • So the plan is to modify a Linux driver to see results more easily (once the fuzzing part works). So I tried to get a working environment where I can boot my modified Linux kernel in. My problem being, that I don’t necessarily want to create initrds and somehow want the modules to be inside the guest machine. And I do want modules because I don’t want to boot after I’ve changed a tiny bit of the code. So I debootstrapped onto the filesystem on the host and tried to run Qemu with that directory as virtual FAT drive:
    sudo /opt/muelli/qemu/bin/qemu -monitor stdio -m 1G -kernel /opt/ubuntu/boot/vmlinuz-2.6.32-21-generic -initrd /opt/ubuntu/boot/initrd.img-2.6.32-21-generic -hda fat:ro:/opt/ubuntu/ -runas muelli
    But it fails because the directory is too big.
    I then debootstrapped into a fixed size container and for now I’m going with
    /opt/muelli/qemu/bin/qemu-system-x86_64 -m 1G -smp 1 -hda /opt/ubuntu.img -snapshot -kernel ~/git/linux-2.6/arch/x86_64/boot/bzImage -append ‘root=/dev/sda’
    But that doesn’t seem to work well, because the virtual machine just stops working. Attaching a debugger tells me that the qemu process basically stopped. Weird.
    I basically followed these instructions but in order to make Eclipse index my Linux Kernel, I had to start it with -vmargs -Xmx1024M.
    But debugging the kernel is a bit hard because something with the protocol is weird. The suggested fix doesn’t help.
  • QEmu wouldn’t install windows 7 x86_64, because of a “wrong CPU” type of error. Fortunately, the STOP codes are well documented. Trying to install it on x86 is not possible. I booted the ISO for two days without any success.
  • Found a good overview of USB classes per Windows Version. The USB classes themselves are not very well documented though. But in fairness, I haven’t read the 600+ pages spec yet.
  • Spent ages trying to make sscanf split a string on a colon. Jeez, it’s horrible. I even thought about doing a system("python -c 'mystring.split(':')'") or so… Ended up using strtok:
    if (((speedstr = strtok(copy, ":")) == NULL) || ((filterfilename = strtok(NULL, "\0")) == NULL)) {
    error_report();
    else {}
  • gdb attached to a process crashed from eclipse. GDB also likes to crash if the remote server went down.
    And listening to music with Rhythmbox is hard, too >.<
    QEmu crashes if given a wrong kernel image.
  • Found Patents related to fuzzing, but Zotero won’t import those to my library.
  • I had funny results with the filter: I replaced every “A” transmitted by a “B”. On the host, I created a file on a mass storage with 4KB “A”s. When “cat”ting the file from the guest, I saw “A”s. But copying the file in the guest resulted in the new file having all “B”s. I expected the “cat” showing all “B”s, too. And as far as I can see, the “A”s are actually replaced for the “cat”.

Practicum Status Update Week 5

  • Implemented adding and removal of a filter. It works via the monitor or command line. And it does indeed seem to work:


    Sorry for that video being so poorly embedded in this wordpress instance. You might want to try to download the video directly.

    So yeah, we can potentially filter USB packets by now, which allows us in-place fuzzing. But that’s cumbersome because we need to have a device attached to the host. So the goal must be to be able to do USB communication without a device being attached to the host but with a program that emulates the USB device in question.

  • Of course I had problems to build Istanbul, the software I created the screencast with. Other stuff, including my IDE 🙁 just crashes, too…
  • I used qemu to pass a usb device through to the guest. Hence the Linux on the host detached the device. I desperately tried make Linux reattach the device. I tried to use ioctl() with USBDEVFS_CLAIMINTERFACE but it didn’t really work. After spending many hours, I just unplugged and replugged the pendrive…
    My code is pretty much

        int interface = atoi(argv[1]);
        fd = open("/dev/bus/usb/002/006", O_RDWR);
        result = ioctl(fd, USBDEVFS_RELEASEINTERFACE, &interface);
        //result = ioctl(fd, USBDEVFS_CLAIMINTERFACE, &interface);
        printf("Result: %d, errno: %d %s\n", result, errno, strerror(errno));
    

    and fails with Invalid Argument for RELEASE or for CLAIM with -EINVAL (Invalid Argument) or -ENOENT (No such file or directory). I have no idea what I am doing wrong. So if you do, please tell me 😛
    Oh, and these ioctls are not exported to Python I think. At least I couldn’t find the correct ioctl number for USBDEVFS_CLAIMINTERFACE without progamming a tiny C program to print it out for me.

  • Trying to test anything with QEmu is a pain though: It takes ages to boot anything with QEmu without KVM 🙁 It takes literally a whole night to boot into an Ubuntu installation CD.
  • trying to work with a minimal operating system created by the following command on my Ubuntu box:
    sudo ubuntu-vm-builder kvm lucid --addpkg openssh-server --addpkg screen --addpkg acpid --addpkg htop --addpkg cheese --flavour generic
  • For the record: I build my QEmu with the following command ./configure --prefix=/opt/muelli/qemu/ --disable-strip --extra-cflags="-O0 -DDEBUG" --disable-docs --enable-io-thread --enable-attr --enable-kvm --disable-xen --target-list="i386-softmmu x86_64-softmmu" --enable-curses && make && make install

Practicum Status Update Week 4

Again, a small summary of my last week.

  • Filed a couple of bugs that annoyed me. My favourite: My main monitor dies randomly. Let’s hope it’s not a hardware issue. That’d seriously put me back. In fact, it’s quite cumbersome to reanimate my monitor in the middle of a working session… Oh. And qemu crashes 🙁 That’s really unfortunate for me atm.
  • Subscribed and quickly unsubscribed qemu-devel mailinglist. Way too noisy. Those low-level people don’t seem to like using bug tracker or smth like ReviewPad to submit patches. Very stressful.
  • Enjoyed a long weekend in Hamburg including watching some Worldcup games
  • Read through Qemu code and tried to grasp how things play together.
  • Started to implement simple USB packet filter. spent ages resolving a logical error: I checked for retval != -23 whereas I should have checked for retval == -23 🙁
    We can haz new commands

    So I have exported a new command to the QEmu monitor. And we can even attach some logic to that new command:

    Logic attached, nothing works yet though

    Everything returns -1 at this stage though. So the actual implementation still needs to be done.

  • It literally takes a whole night for me to boot anything with qemu though 🙁 That’s a real pain and I cannot work that way. My CPU is one of the few modern Intel CPUs that does not support hardware virtualisation 🙁 I need to think of a solution.
  • I still don’t really have a timeline 😐
  • Our deadline is on 2010-08-20 and we are supposed to hand in 3 hard copies and one soft copy. I wondering whether I have to go back to Dublin to hand my hard copies in.

Practicum Status Update Week 2 and 3

So I figured that we are supposed to write a blog during our practicum phase. Here I am.

  • I missed the first official week, which was right after the exams anyway. I doubt anybody was able to do anything after the Biometrics exam.
  • In the second week, I moved back to Germany. Slowly though: I attended LinuxTag and visited a friend…
  • The third week began with some administrative stuff (i.e. taxes and care about a grant). I also almost finished running GNOME Foundation Board of Directors elections: Preliminary Result.
  • More work related: I tried to updated from Fedora 12 to Fedora 13 (to get latest QEmu and tools). Didn’t work (as expected) out of the box. Encountered (and reported) a couple of annoying bugs. My favourite: The update tool tries to mount /boot and swap. But /boot is left unclean because the preupgrade tool apparently does a hard reboot (i.e. w/o unmounting the filesystems properly). And swap can’t be found by the upgrade tool (for whatever reason). In both cases the installer just stops working and reboots the machine (sic!), as opposed to just fsck /boot or continue w/o swap.
  • Began to set up working environment: LaTeX Template, cloned qemu repository, looked a bit at QEmu code.
  • Tried to install some Operating Systems to break. Microsoft didn’t let me.
  • Read some stuff
  • Filed two bugs against Zotero (my bibliography tool): One problem in fullscreen mode and one with proxied URLs.
  • Went to a regulars’ table (for the first time after 9 month) and found out that one of them runs a company and they do USB security assessment atm. They are trying to make QEmu emulate a mass storage that returns a good file on the first read and a bad file (i.e. virus) on the second read. Sounded interesting, we’ll keep in touch and exchange details.
  • Right now I’m missing kind of a plan for my work. I haven’t really structured my work or broken it up. So I’m trying to see how many weeks I actually have (I know that I’ll go at least to GUADEC, the annual GNOME conference, for one week. I might even be invited to GNOME.Asia in Taiwan…) and what I could possibly do in that time.
  • I do have a high level idea of what needs to be done, i.e.
    • Patch QEmu to pipe USB communication in and out,
    • write some backend that uses these pipes to communicate with the guest,
    • find a smart algorithm to create/modify fishy USB packets (i.e. try to understand how a webcam communicates and set funny values for resolution on purpose),
    • try to exploit an Operating System (probably best to start off with a self-broken USB driver or application)
  • I’ll try to have a roadmap by the beginning of the next week.

Trying to download from MSDN-AA: Annoying Secure Digital Container

I thought I’d give Windows technology a try (actually, I just need something to break) and tried to download Microsoft Operating Systems via e-academy.com (MSDN-AA). But instead of an ISO, you get a Portable Executable *facepalm*. Turns out that this binary downloads “Secure Digital Containers” from, i.e. here or here. These SDCs contain the ISO and are, according to this site, encrypted. The key is supposed to be in that downloader binary. However, no tool exists to decrypt those SDC files 🙁

I burnt half a day on that. Now going to look for Torrents of the ISOs… Are there official SHA1sums of the ISOs?

Or, dear lazyweb, do you know anybody that reverse engineered the downloader and is able to provide a free tool that unpacks the ISO from the SDC? 🙂

Practicum: Virtualised USB Fuzzing

Alright, I finally decided on my practicum subject. Together with my supervisor, we came up with the following exposé. I either wanted to do that or to do something in Mobile (Phone) OS security.

USB is omnipresent and so far, mostly Operating System behaviour has been exploited, i.e. automatically run an application off a CDROM. USB-Stack, USB-Driver or application security has not yet been in the focus of security research, probably because it is infeasible to create many USB test devices.

If various USB behaviour could be implemented easily and cheaply, a great diversity of maliciously acting USB devices could be tested with little effort.

The goal is to implement a USB fuzzing framework using a virtualisation software that allows to automatically test different USB behaviour to stress-test USB-Stacks, drivers and applications.

While hardware approaches would be possible, a virtual approach using virtualisation software will be taken. That allows any guest Operating System, including Windows and Linux, to be tested, as well as cheap and quick creation of tests and reliable reproduction of the obtained results.

Ideally, this results in exploits for each of the three identified vulnerable layers:

  • USB Stack in the Operating System
  • USB Driver for the attached device (i.e. Webcam)
  • Application using data from the USB device

Thus following questions will be addressed:

  • How secure are USB stacks when it comes to weird devices?
  • How resistant are drivers when specially crafted payload is sent?
  • How good are applications that act upon a new USB device and read its data?
Creative Commons Attribution-ShareAlike 3.0 Unported
This work by Muelli is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported.