DOCSLIB.ORG

A Mass-Storage-Based TOCTTOU Attack

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
A Mass-Storage-Based TOCTTOU Attack Read It Twice! A mass-storage-based TOCTTOU attack Collin Mulliner and Benjamin Mich´ele Security in Telecommunications Technische Universit¨at Berlin and Telekom Innovation Laboratories {collin,ben}@sec.t-labs.tu-berlin.de Abstract are mostly not hardened against hacking and modding. Here the effort mostly comes down to figuring out file Consumer electronics and embedded devices often al- and firmware formats or finding the serial console on low the installation of applications and firmware up- the hardware. More costly devices contain more sophis- grades from user-provided mass-storage devices. To ticated security measures. Here firmware upgrades are protect the integrity of these devices and the associ- protected by cryptographic signatures. Attacking the ated electronic markets, the software packages are pro- more costly and thus protected devices comes down to tected by cryptographic signatures. The software instal- finding and exploiting software bugs to achieve code ex- lation code assumes that files on attached mass-storage ecution often requiring a lot of effort. devices cannot change while the storage device is con- Many embedded systems and especially consumer nected. The software installation is therefore not bound electronics (CE) support the installation of software to the file integrity check, thus laying the founda- and firmware upgrades through attached mass-storage tions for a time-of-check-to-time-of-use (TOCTTOU) devices. Most commonly, USB mass-storage devices are attack. This work presents a TOCTTOU attack via ex- used for this, such as flash drives and hard disks. De- ternally attached mass-storage devices. The attack pending on the type of embedded system, Secure Dig- is based on emulating a mass-storage device to ob- ital (SD) and Compact Flash (CF) cards are also pop- serve and alter file access from the consumer device. ular. The TOCTTOU attack is executed by providing dif- In this paper we present a novel time-of-check-to- ferent file content to the check and installation code time-of-use (TOCTTOU) attack that targets file con- of the target device, respectively. The presented at- tent. We attack software installation and firmware up- tack effectively bypasses the file content inspection, grade code that reads files from an external mass- resulting in the execution of rogue code on the de- storage volume. Our attack is based on an emulated vice. mass-storage device that allows to change the content of files while the mass-storage volume is connected to Keywords: race condition, USB, mass-storage, con- the attacked target. sumer electronics, software attestation Our attack method is based on a number of obser- vations that are present on many different consumer electronics devices today. The main observation is that 1. Introduction code for software installation and firmware upgrade is separated into two parts: check and install. If each part Consumer electronics today are heavily targeted by implements its own file access it is potentially prone to the hacking and modding community with the primary a TOCTTOU attack. goal to modify or replace the software running the de- This work demonstrates a practical implementation vices. To fulfill this goal the attacker (the modder) has of such an attack against a Linux-based TV-set. We to execute his own code on the target device. In most show that we are able to install a shared library on the cases the attack further needs to gain system or root system, which is then loaded by the main application privileges on the target device. running on the TV-set. Our code runs with root privi- There are many ways to achieve code execution and leges. Our attack currently is the only method to root a firmware replacement mostly depending on the type specific series of Samsung TV-sets. We further present of device and software running on it. Low cost devices a tool to analyze the behavior of CE devices to deter- mine if a device might be susceptible to mass-storage- an attached mass-storage device will not change dur- based TOCTTOU attacks. ing the installation. In general, an installation consists Similar issues exist in the areas of trusted com- of the following steps: puting and software attestation. One party tries Check the software package or firmware upgrade. to verify or measure the integrity of another party This step verifies version numbers and crypto- (the other partie’s code) before accessing or us- graphic signatures of the packages that are going ing it. If a time window between measurement and to be installed. access exists, the software attestation might be vul- nerable to a TOCTTOU attack. Install the actual software or firmware upgrade. This step copies the files from the external storage de- The contributions of this paper are the following: vice to the internal storage or flashes the firmware. • Read It Twice (RIT) Attack which is a mass- The check and installation phases are not com- storage-based TOCTTOU attack based on the bined in an atomic operation as file contents are condition that software installation and firmware assumed to be immutable while the mass-storage de- upgrade code are separated into two parts: check vice is plugged-in. and install. If each code part individually reads file(s) from an external mass-storage device an ex- Our RIT attack works as follows: ploitable TOCTTOU condition might exist. Our attack also specifically accounts for a possible ex- Given the file-X that is expected by the check-install isting block and file system cache on the target code. We have the benign file-B and the modified ver- device. Our approach is different from traditional sion file-M. We construct a mass-storage device that TOCTTOU attacks as we target the content of can observe the read requests to fileX. For the first ac- files and not their permissions. cess to fileX our mass-storage device serves the benign file-B. This is likely the check code that calculates and • USB-Mass-Storage RIT Attack Implemen- compares the cryptographic hashes or verifies other pa- tation and Evaluation against a Samsung TV- rameters contained in fileX. For the second read access set. Using this attack we were able to gain code to fileX our mass-storage device serves our modified execution and root privileges on our target device. file-M. This is likely the installation phase of software • Mass-Storage File Access Analysis Method install code. and tool for black box investigation of file ac- The attack succeeds if the check code verifies the sig- cess to external mass-storage devices. This anal- nature of the benign file file-B and then the install code ysis method allows to detect possible TOCTTOU uses the modified file file-M. Effectively our attack cir- conditions in firmware upgrade and software in- cumvents the signature check and/or file content in- stallation code of embedded systems that read files spection. from external mass-storage devices. 2.1. Boundary Conditions The rest of this paper is organized as follows. In Sec- tion 2 we introduce our novel Read It Twice attack. In There are two boundary conditions for our RIT at- Section 3 we provide a brief overview of our target, a tack that have to be resolved in real world implemen- TV-set. Section 4 presents our Mass-Storage File Ac- tations. These are: cess Analysis method and tool. Our method is general and can be used for black box analysis of arbitrary de- File size of the benign file and the modified file vices that read files from a USB mass-storage device. likely need to be equal. Further the filesystem us- In Section 5 we present a practical implementation of age must be exactly the same to guarantee that our RIT attack against the software installation sub- both files are located within the same blocks in system of our TV-set. In Section 6 we discuss related each filesystem image. work and in Section 7 we briefly conclude. Block cache. Embedded devices running sophisti- cated operating systems such as Linux, BSD, and 2. The Read It Twice Attack Windows implement a block cache. If the target file fits in the block or filesystem cache the at- Our Read It Twice (RIT) attack is based on the ob- tack has to be adjusted so that the install code servation that software installation and firmware up- will read the file from the attached device rather grade code on embedded devices assumes that files on than from the block cache. 2 Another boundary condition is that the target de- 1 <?xml version="1.0" encoding="utf-8"?> vice does not copy the software package or firmware up- 2 <contentlibrary> grade file to internal memory before checking it. This 3 <contentpack id="tocttou"> is an obvious countermeasure for our attack that we 4 <category>Wellness</category> briefly discuss in Section 5.3. In the remainder of this 5 <title language_id="English">tocttou</title> paper we will discuss these boundary conditions and 6 <startpoint language_id="English"> how we dealt with them to successfully launch our at- 7 tocttou.so</startpoint> tack. 8 <thumbnailpath>tocttou.bmp</thumbnailpath> 9 <totalsize>1</totalsize> 3. The Samsung TV-set 10 </contentpack> 11 </contentlibrary> Our target TV-set is the Samsung LE32B650T2- PXZG [13], a 32 inch version of the Samsung B se- Figure 1. Example clmeta.dat file that we used ries LCD-based television set. We chose this TV-set be- for testing and the RIT attack. cause this series has a very active modding community called SamyGO [15]. Through this community many technical details of this line of Samsung TVs are avail- nels, changing the TV settings, interacting with UPnP able to the general public.
Load more

Recommended publications
  • Chapter 12: Mass-Storage Systems
    Chapter 12: Mass-Storage Systems Overview of Mass Storage Structure Disk Structure Disk Attachment Disk Scheduling Disk Management Swap-Space Management RAID Structure Disk Attachment Stable-Storage Implementation Tertiary Storage Devices Operating System Issues Performance Issues Objectives Describe the physical structure of secondary and tertiary storage devices and the resulting effects on the uses of the devices Explain the performance characteristics of mass-storage devices Discuss operating-system services provided for mass storage, including RAID and HSM Overview of Mass Storage Structure Magnetic disks provide bulk of secondary storage of modern computers Drives rotate at 60 to 200 times per second Transfer rate is rate at which data flow between drive and computer Positioning time (random-access time) is time to move disk arm to desired cylinder (seek time) and time for desired sector to rotate under the disk head (rotational latency) Head crash results from disk head making contact with the disk surface That’s bad Disks can be removable Drive attached to computer via I/O bus Busses vary, including EIDE, ATA, SATA, USB, Fibre Channel, SCSI Host controller in computer uses bus to talk to disk controller built into drive or storage array Moving-head Disk Mechanism Overview of Mass Storage Structure (Cont.) Magnetic tape Was early secondary-storage medium Relatively permanent and holds large quantities of data Access time slow Random access ~1000 times slower than disk Mainly used for backup, storage of infrequently-used data, transfer medium between systems Kept in spool and wound or rewound past read-write head Once data under head, transfer rates comparable to disk 20-200GB typical storage Common technologies are 4mm, 8mm, 19mm, LTO-2 and SDLT Disk Structure Disk drives are addressed as large 1-dimensional arrays of logical blocks, where the logical block is the smallest unit of transfer.
    [Show full text]
  • Use External Storage Devices Like Pen Drives, Cds, and Dvds
    External Intel® Learn Easy Steps Activity Card Storage Devices Using external storage devices like Pen Drives, CDs, and DVDs loading Videos Since the advent of computers, there has been a need to transfer data between devices and/or store them permanently. You may want to look at a file that you have created or an image that you have taken today one year later. For this it has to be stored somewhere securely. Similarly, you may want to give a document you have created or a digital picture you have taken to someone you know. There are many ways of doing this – online and offline. While online data transfer or storage requires the use of Internet, offline storage can be managed with minimum resources. The only requirement in this case would be a storage device. Earlier data storage devices used to mainly be Floppy drives which had a small storage space. However, with the development of computer technology, we today have pen drives, CD/DVD devices and other removable media to store and transfer data. With these, you store/save/copy files and folders containing data, pictures, videos, audio, etc. from your computer and even transfer them to another computer. They are called secondary storage devices. To access the data stored in these devices, you have to attach them to a computer and access the stored data. Some of the examples of external storage devices are- Pen drives, CDs, and DVDs. Introduction to Pen Drive/CD/DVD A pen drive is a small self-powered drive that connects to a computer directly through a USB port.
    [Show full text]
  • Perfect Devices: the Amazing Endurance of Hard Disk Drives Giora J
    T TarnoTek Perfect Devices: The Amazing Endurance of Hard Disk Drives Giora J. Tarnopolsky TARNOTEK & INSIC - Information Storage Industry Consortium www.tarnotek.com [email protected] www.insic.org 2004 - Mass Storage Systems & Technologies Outline z Perfect Inventions z Hard Disk Drives & other consumer products z Hard Disk Drives: Developments 1990 - 2004 z Marketplace z How the technology advances have affected the product offerings z Technology z How market opportunities propelled basic research forward z Disk Drives at the Boundaries z INSIC and Data Storage Systems Research z Closing Remarks: Hard Disk Drive Endurance Giora J. Tarnopolsky HDD - Perfect Devices © 2002-2004\14 April 2004\2 TARNOTEK 2004 - Mass Storage Systems & Technologies PERFECT INVENTIONS Giora J. Tarnopolsky HDD - Perfect Devices © 2002-2004\14 April 2004\3 TARNOTEK 2004 - Mass Storage Systems & Technologies Nearly Perfect Inventions z Certain inventions are created “perfect:” their operation relies on a fundamental principle that cannot be improved, or does not merit improvement z This assures their endurance … z … and defines their domain of development, the limits of applicability of the invention z Examples of perfect inventions are the bicycle, the umbrella, the book, and the disk drive Giora J. Tarnopolsky HDD - Perfect Devices © 2002-2004\14 April 2004\4 TARNOTEK 2004 - Mass Storage Systems & Technologies Bicycle z Gyroscope effect assures stability of the rider z Under torque T, the bike turns but does not fall z Low ratio of vehicle mass to rider mass z ~ 15 % (as compared to ~2,200% for car) z Efficient r T z Rugged r dL z Mass-produced r dt L z Affordable Giora J.
    [Show full text]
  • USB Mass Storage Device (MSD) Bootloader
    Freescale Semiconductor Document Number: AN4379 Application Note Rev. 0, October 2011 Freescale USB Mass Storage Device Bootloader by: Derek Snell Freescale Contents 1 Introduction 1 Introduction................................................................1 Freescale offers a broad selection of microcontrollers that 2 Functional description...............................................2 feature universal serial bus (USB) access. A product with a 3 Using the bootloader.................................................9 USB port allows very easy field updates of the firmware. This application note describes a mass storage device (MSD) USB 4 Porting USB MSD device bootloader to bootloader that has been written to work with several other platforms.........................................................13 Freescale USB families. A device with this bootloader is 5 Developing new applications..................................15 connected to a host computer, and the bootloader enumerates as a new drive. The new firmware is copied onto this drive, 6 Conclusion...............................................................20 and the device reprograms itself. Freescale does offer other bootloaders. For example, application note AN3561, "USB Bootloader for the MC9S08JM60," describes a USB bootloader that was written for the Flexis JM family. The MSD bootloader described in this application note is offered as another option, and has these advantages: • It does not require a driver to be installed on the host. • It does not require an application to run on the host. • Any user can use it with a little training. The only action required is to copy a file onto a drive. • It can be used with many different host operating systems since it requires no host software or driver This bootloader was specifically written for several families of Freescale microcontrollers that share similar USB peripherals. These families include, but are not limited to, the following: • Flexis JM family MCF51JM © 2011 Freescale Semiconductor, Inc.
    [Show full text]
  • CS100: Introduction to Computer Science
    In-class Exercise: CS100: Introduction to n What is a flip-flop? n What are the properties of flip-flops? Computer Science n Draw a simple flip-flop circuit? Lecture 3: Data Storage -- Mass storage & representing information Review: bits, their storage and main memory Mass Storage or Secondary Storage n Bits n Magnetic disks n Boolean operations n CDs n Gates n DVDs n Flip-flops (store a single bit) n Magnetic tapes n Main memory (RAM) n Flash drives q Cell, Byte, Address Mass Storage or Secondary Storage Mass Storage Systems n On-line versus off-line n Magnetic Systems q Online - connected and readily available to the q Hard Disk machine q Floppy Disk q Offline - human intervention required q Tape n Typically larger than main memory n Optical Systems n Typically less volatile than main memory q CD n Typically slower than main memory q DVD n Flash Drives 1 Figure 1.9 A magnetic disk storage Magnetic Disks system n Floppy disk q Low capacity n 3.5 inch diskettes 1.44MB q A single plastic disk n Hard Disk system q High capacity systems q Multiple disks mounted on a spindle, multiple read/write heads move in unison n Cylinder: a set of tracks n Platter : a flat circular disk q Heads do not tough the surface of disks Measuring the Performance of Hard Disk Capacity of Hard Disk Systems Systems n (1) seek time n 5MB (1956 by IBM) q The time to move heads from one track to another n 20MB (1980s) n (2) rotation delay n 1 GB (1990s) q Half the time required for the disk to make a complete rotation n 20 GB – 768 GB (3/4) (2006) n (3) access time
    [Show full text]
  • Fitech Handheld User Manual Contents Introduction and Important Notes
    FiTech Handheld User Manual Contents Introduction and Important Notes ............................................................................................................... 2 Disconnect if Storing Vehicle .................................................................................................................... 2 Connecting to FiTech System ........................................................................................................................ 3 Buttons/Navigating ....................................................................................................................................... 3 Dashboard (View Live Data) .......................................................................................................................... 4 LARGE Gauges (View a Mini-Dash Panel) ..................................................................................................... 4 Showing Actual Dial Gauges! .................................................................................................................... 5 Making changes (Tuning) .............................................................................................................................. 5 PRO Tuning ................................................................................................................................................ 6 Reading and Clearing Faults (Fauld Code menu) .......................................................................................... 6 Writing Calibrations (Write Cal
    [Show full text]
  • Computer Hardware SIG Non-Removable Storage Devices – Feb
    Computer Hardware SIG Non-Removable Storage Devices – Feb. 1, 2012 A hard disk drive (HDD; also hard drive, hard disk, or disk drive) is a device for storing and retrieving digital information, primarily computer data. It consists of one or more rigid (hence "hard") rapidly rotating discs (often referred to as platters), coated with magnetic material and with magnetic heads arranged to write data to the surfaces and read it from them. Hard drives are classified as non-volatile, random access, digital, magnetic, data storage devices. Introduced by IBM in 1956, hard disk drives have decreased in cost and physical size over the years while dramatically increasing in capacity and speed. Hard disk drives have been the dominant device for secondary storage of data in general purpose computers since the early 1960s. They have maintained this position because advances in their recording capacity, cost, reliability, and speed have kept pace with the requirements for secondary storage Types of Hard Drives Parallel ATA (PATA), originally AT Attachment (old term IDE), is an interface standard for the connection of storage devices such as hard disks, solid-state drives, floppy drives, and optical disc drives in computers. The standard is maintained by X3/INCITS committee. It uses the underlying AT Attachment (ATA) and AT Attachment Packet Interface (ATAPI) standards. The Parallel ATA standard is the result of a long history of incremental technical development, which began with the original AT Attachment interface, developed for use in early PC AT equipment. The ATA interface itself evolved in several stages from Western Digital's original Integrated Drive Electronics (IDE) interface.
    [Show full text]
  • Contents the Mission and Introduction
    Westchester Community College Technology Use Policy Version 2 / April 2015 Contents The Mission and Introduction ............................................................................................................................ 2 Ownership .......................................................................................................................................................... 2 Prohibited Uses .................................................................................................................................................. 3 Monitoring & Privacy of Communications ........................................................................................................ 4 Software Licensing/Copyright Agreements ....................................................................................................... 4 PC Software & Auditing .................................................................................................................................... 5 Physical Security ................................................................................................................................................ 5 Unauthorized Access .......................................................................................................................................... 6 Personal Use ....................................................................................................................................................... 7 Legal Names to be used within College Systems
    [Show full text]
  • 1.8In USB to Micro SATA Hard Drive Enclosure
    1.8in USB to Micro SATA Hard Drive Enclosure Product ID: SAT1810U2 The SAT1810U2 external hard drive enclosure lets you turn a 1.8-inch Micro SATA SSD or HDD into a portable, external storage solution, connected through USB 2.0 to a netbook, laptop or desktop computer. This sturdy, yet lightweight HDD enclosure offers a cost-effective way to create an ultra portable storage solution that is completely powered by the USB host connection, eliminating the need for additional power outlets or adapters. www.startech.com 1 800 265 1844 Certifications, Reports Applications and Compatibility • Turn a 1.8in Micro SATA hard drive into a portable USB 2.0 external storage solution • Backup and archive data from a laptop, netbook hard drive • Create a very compact and portable hard drive for use between multiple locations Features • Supports 1.8" form factor hard drives (HDD) and solid state drives (SSD) • Durable and light-weight aluminum side panels • Powered directly from the USB port(s) • Supports 8mm and 5mm height drives • High Speed USB 2.0 compliant host interface, with support for transfer rates up to 480 Mbps • Compatible with SATA revision 1/2/3 (1.5/3.0/6.0 Gbps) drives • Supports USB Mass Storage Class Bulk-Only Transport • Compliant with Serial ATA 1.0a specifications • Supports SATA power saving Partial and Slumber modes • Plug-and-Play and Hot-swap compatible www.startech.com 1 800 265 1844 Warranty 2 Years Hardware Chipset ID Sunplus - SPIF301 Compatible Drive Types Micro SATA Drive Installation Fixed Drive Size 1.8in Fan(s) No Interface
    [Show full text]
  • How to Connect Android Devices to PC with USB Mass Storage Mode?
    How to connect Android devices to PC with USB Mass Storage Mode? For recovering deleted, lost or formatted files (photos, videos, music) from your Android devices with any Photo Recovery software, you must connect your devices with PC in USB mode. However, some Android users don’t know how to do this. Here are some tips to help you connect different version Android devices to PC with USB Mass Storage Mode . To do it, you will need: • For Android 2.1 to 2.3.7 • For Android 4.0 to 4.1.2 • For Android 4.2 or newer How to use USB Mass Storage mode in Android 2.1-2.3.7 If you use Android 2.1-2.3.7 devices like Sony Xperia Samsung Galaxy Note , Samsung Galaxy S/S2 , Motorola Droid RAZR , Droid 4 , LG Optimus L3 , HTC Rezound , HTC Sensation , HTC Desire , Kindle Fire , etc. follow simple instructions to connect your device in the mass storage mode. 1. Turn on USB debugging by click Menu > Setting > Applications > Development > USB debugging 2. Plug the supplied USB cable into your PC and connect it to your device. A USB icon will appear in the status bar when the device has been recognized. 3. In the main screen of your Android device, use your finger to pull down the top status bar. Then touch USB Connected . 1 | P a g e www.diskdoctors.com 4. Touch Connect USB storage. 2 | P a g e www.diskdoctors.com Then tap “ Ok “. When the green Android icon turn orange, the phone is now in USB Mass Storage mode and should now appear as USB disk drives in “Devices with Removable Storage” and be assigned drive letters.
    [Show full text]
  • Files Transmission Using Media Transfer Protocol
    Files Transmission using Media Transfer Protocol Author: Conrad Chung, 2BrightSparks Introduction In this article we will describe what Media Transfer Protocol (MTP) is, as well as its advantages and disadvantages. The MTP protocol seeks to address concerns about the distribution of digital content in the consumer market as an increasing number of organizations create and distribute digital audio/video content. The aim of MTP is to deliver content via a secure, easy-to-use interface, and push it to a range of devices. What is Media Transfer Protocol? The Media Transfer Protocol, introduced by Microsoft, is a protocol designed for intelligent storage devices like smartphones and digital audio players. It is based on, and fully compatible with, the Picture Transfer Protocol (PTP). MTP allows the synchronization of files between portable devices and a personal computer (PC). A Brief History of MTP Standardized in 2000, PTP was originally developed to transfer images from a digital still camera to a PC. PTP is limited to transferring images and is an insufficient solution for media rich portable devices like smartphones and portable media players. Users required a method to transfer different file formats like media files, people contacts or video, which were not supported by PTP. Microsoft therefore introduced the MTP to address the shortcomings in PTP. Advantages of Media Transfer Protocol over USB Mass Storage Class Before the development of MTP, mobile phone manufacturers integrated USB Mass Storage Class (USB MSC) into their products to facilitate file transfers between PC and phones. However, since the standardization of MTP as a Universal Serial Bus (USB) device class in 2008, manufacturers have slowly started moving towards implementing support for MTP in their devices.
    [Show full text]
  • Secondary Storage
    Confirming Pages Secondary Storage Competencies After you have read this chapter, you should be able to: 1 Distinguish between primary and secondary storage. 2 Discuss the important characteristics of secondary storage including media, capacity, storage devices, and access speed. 3 Describe hard disk platters, tracks, sectors, and head crashes. 4 Compare internal and external hard drives. 5 Discuss performance enhancements including disk caching, RAIDs, file compression, and file decompression. 6 Define optical storage including compact, digital versatile, and high-definition discs. 7 Define solid-state storage including solid-state drives, flash memory, and USB drives. 8 Define cloud storage and cloud storage services. 9 Discuss mass storage devices, enterprise storage systems, and storage area networks. At one time, floppy disks were the only way to Some experts predict that the future of distribute software and the only way to share files secondary storage is holographic. Compact discs between personal computers. These disks were use two dimensions to record data, but advances everywhere, and they were essential, but they in optics now make it possible to record data in were also extremely fragile. Today’s compact three dimensions. This holographic data storage discs and USB flash drives are more reliable and could make it possible to inexpensively store hold more information than hundreds of floppy hundreds of today’s DVDs on one disc. Imagine a disks, and there are even more exciting advances single disk that can hold hundreds of movies and yet to come. thousands of songs. 220 oole16805_ch08_220-247.inddle16805_ch08_220-247.indd 222020 112/10/102/10/10 110:310:31 PPMM Confirming Pages chapter 8 221 oole16805_ch08_220-247.inddle16805_ch08_220-247.indd 222121 112/10/102/10/10 110:310:31 PPMM Confirming Pages Introduction Secondary storage devices are used to save, to back up, and even to transport files consisting of data or programs from one location or computer to another.
    [Show full text]