LBM: a Security Framework for Peripherals Within the Linux Kernel

LBM: a Security Framework for Peripherals Within the Linux Kernel

LBM: A Security Framework for Peripherals within the Linux Kernel Dave (Jing) Tian∗, Grant Hernandez∗, Joseph I. Choi∗, Vanessa Frost∗, Peter C. Johnson†, Kevin R. B. Butler∗ ∗University of Florida {daveti, grant.hernandez, choijoseph007, vfrost, butler}@ufl.edu †Middlebury College [email protected] Abstract—Modern computer peripherals are diverse in their However, with this virtually unconstrained functionality capabilities and functionality, ranging from keyboards and print- comes the threat of malicious devices that can compromise ers to smartphones and external GPUs. In recent years, periph- computer systems in myriad ways. The BadUSB attack [62] erals increasingly connect over a small number of standardized communication protocols, including USB, Bluetooth, and NFC. allows attackers to add functionality allowed by the USB pro- The host operating system is responsible for managing these tocol to device firmware with malicious intent. For example, devices; however, malicious peripherals can request additional a BadUSB flash drive presents not only expected behavior functionality from the OS resulting in system compromise, or of a storage device when plugged into a computer, but also can craft data packets to exploit vulnerabilities within OS registers keyboard functionality to allow it to inject malicious software stacks. Defenses against malicious peripherals to date only partially cover the peripheral attack surface and are limited keystrokes with the aim of gaining administrative privilege. to specific protocols (e.g., USB). In this paper, we propose Other examples of malicious USB functionality include charg- Linux (e)BPF Modules (LBM), a general security framework ers that can inject malware into iOS devices [51], or take that provides a unified API for enforcing protection against control of Android devices via AT commands [78]. Bluetooth malicious peripherals within the Linux kernel. LBM leverages peripherals are also vulnerable: the BlueBorne attack [11] the eBPF packet filtering mechanism for performance and extensibility and we provide a high-level language to facilitate the allows remote adversaries to craft Bluetooth packets that will development of powerful filtering functionality. We demonstrate cause a kernel stack overflow and enable privilege escalation, how LBM can provide host protection against malicious USB, while BleedingBit [12] exploits a stack overflow within the Bluetooth, and NFC devices; we also instantiate and unify existing Texas Instruments Bluetooth Low Energy (BLE) stack. We defenses under the LBM framework. Our evaluation shows that observe that malicious peripherals launch attacks in one of two the overhead introduced by LBM is within 1 μs per packet in most cases, application and system overhead is negligible, ways, either by (1) sending unexpected packets (I/O requests and LBM outperforms other state-of-the-art solutions. To our or responses) to activate extra functionality enabled by the knowledge, LBM is the first security framework designed to operating system, or by (2) crafting specially formed packets provide comprehensive protection against malicious peripherals (either legitimate or malformed) to exploit vulnerabilities within the Linux kernel. within the operating system’s protocol software stack. Current defenses against malicious peripherals are not I. INTRODUCTION comprehensive and are limited in scope. USBFILTER [79] Computer peripherals provide critical features to facilitate applies user-defined rules to USB packet filtering within the system use. The broad adoption of computers can be traced Linux kernel, but fails to prevent exploitation from malformed not only to the reduction in cost and size from mainframe packets. USBFirewall [43], on the other hand, provides bit- to microcomputer, but to the interactivity afforded by devices level protection by parsing individual incoming USB packets, such as keyboards and mice. Displays, printers, and scanners but offers limited support for user-defined filtering rules. Apple have become integral parts of the modern office environ- recently added USB restricted mode in iOS 11.4, shutting ment. Nowadays, smartphones and tablets can not only act down USB data connections after the device stays locked for as peripherals to a host computer, but can themselves support an hour [84], but this restriction can be bypassed [2]. Not only peripherals that attach to them. do these defenses lack comprehensive coverage, but they often The scope of functionality that peripherals can contain is focus primarily or solely on USB, providing no protection almost limitless, but the methods of connecting them to host against peripherals using other interfaces. computers have converged to a few select standards, such In this paper, we propose Linux (e)BPF Modules (LBM), as USB [10] for wired connections and Bluetooth [15] for a general security framework that provides a unified API for wireless. As a result, most modern operating systems provide enforcing protection against malicious peripherals within the support for these standards (and the peripherals that use them) Linux kernel. LBM requires only a single hook for incoming by default, implementing the respective software stacks inside and outgoing peripheral data to be placed in each peripheral the kernel and running different device drivers to support subsystem, and modules for filtering specific peripheral packet various classes of peripherals. types (e.g., USB request blocks or Bluetooth socket buffers) can then be developed. Importantly for performance and discusses additional dimensions of our work; Section VII extensibility, we leverage the Extended BSD Packet Filter explains limitations of our work; Section VIII summarizes (eBPF) mechanism [25], which supports loading of filter related work; and Section IX concludes. programs from user space. Unlike previous solutions, LBM is II. BACKGROUND designed to be a general framework suitable for any peripheral protocol. As a result, existing solutions such as USBFIL- A. Peripheral Security TER and USBFirewall can be easily instantiated using LBM. USB. The Universal Serial Bus (USB) has been around since Moreover, new peripherals can be easily supported by adding 1996 with the release of the version 1.0 specification [23]. extensions into the LBM core framework. To demonstrate the USB emerged to provide a single, ubiquitous means to connect generality and flexibility of LBM, we have fully instantiated peripherals that would support a variety of applications with USBFILTER and USBFirewall using the LBM framework, different performance requirements. Since its inception, USB developed hooks for the Bluetooth Host Control Interface has undergone many revisions (1.1, 2.0, 3.0, 3.1, and most (HCI) and Logical Link and Adaptation Protocol (L2CAP) recently 3.2 and Type-C). The set of supported peripheral layers, and demonstrated a hook mechanism for the Near-Field devices expanded with each version, and the current USB Communication (NFC) protocol. Our evaluation shows that the version 3.2 [10] supports a data transfer rate of 20 Gbits per general overhead introduced by LBM is within 1 μs per packet second, much improved over the 12 Mbits per second of v1.0. across different peripherals in most cases; the application and Numerous attacks have been demonstrated by vulnerable system benchmarks demonstrate a negligible overhead from or malicious USB peripherals. BadUSB [62] attacks work LBM; and LBM has a better performance when compared to by altering the firmware of USB devices so they register as other state-of-the-art solutions. deceptive device types when plugged into a machine. For We summarize our contributions1 below: example, a USB mass storage device could masquerade as • Design and implement LBM as a general security frame- a keyboard to gain the ability to inject malicious keystrokes. work to defend against malicious peripherals. The LBM A malicious USB charger can inject malware into iOS de- core is designed as a high-performance packet filtering vices [51] or take full control of Android devices via AT framework based on eBPF. LBM hooks are provided to commands [78]. MouseJack [61] affects wireless mice and extend support for different peripheral subsystems. keyboards that communicate with a computer through a USB • Develop a high-level filter language to facilitate writing dongle. An adversary may inject keystrokes by spoofing either LBM rules. Users can write LBM rules in a high-level, a mouse or keyboard, and in some cases may even pair a fake PCAP-like language to apply different policies to periph- keyboard with a victim’s dongle. eral data packets, to avoid having to write filters in the More vulnerabilities with the USB protocol stack and complex, low-level BPF assembly language. Our user- device drivers have been identified with the help of tools space LBMTOOL utility translates LBM rules into eBPF such as FaceDancer [30] and syzkaller [31]. On one hand, instructions and loads them into the LBM core. these vulnerabilities are mostly implementation bugs within • Develop support for USB, Bluetooth, and NFC in LBM. the software stack. On the other hand, malicious USB We extend LBM to support multiple peripheral protocols devices can exploit these vulnerabilities to compromise the by exposing useful protocol fields to the user space and whole system by sending out specially-crafted USB packets. extending LBMTOOL to recognize LBM rules for differ- For a comprehensive exploration of the variety of available ent peripherals. We demonstrate LBM’s extensibility by USB

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    18 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us