Research on the security test method of USB interface

Source: ivan
Time: 3/21/2020 7:39:23 PM

USB has become one of the essential interfaces between computers and intelligent devices and is widely used in all kinds of social scenarios. In recent years, security incidents involving hardware products of every kind have emerged one after another, and a variety of attack methods against the USB interface have appeared, creating serious security risks for the affected systems. Research on security test methods for the USB interface can effectively evaluate the security strength of a device, reduce the potential security hazards of the system and improve its overall protection capability. By analyzing the attack points of the USB interface, this paper puts forward corresponding security testing methods and protection measures.

0. Introduction

Universal Serial Bus (USB) is a bus interface technology with the advantages of hot plugging, small size, low cost and good expandability. Its applications include mice and keyboards, printers, smartphones, network cards and other devices. After years of development it has been upgraded to version 3.0, with a theoretical speed of up to 5.0 Gb/s.

USB provides a variety of device protocol specifications, including USB MSC, USB HID, USB Power Delivery and USB OTG. The USB interface is cross-platform: every system platform follows the same USB standard, so once it suffers a malicious attack, the normal operation of a large number of devices is affected. The USB interface faces malicious attacks at different levels: some of the sensitive data exchanged during communication is at risk of leakage, and the related protocols and drivers also carry security risks.

1. Data communication over the USB interface

The USB bus interface consists of a USB host, a USB device and the interconnect between them. During USB communication, an application calls a Windows API function; the system I/O manager packages the host request into an I/O request packet (IRP) and passes it to the USB function driver. After receiving the IRP, the USB function driver constructs the corresponding USB request block (URB) according to the operation instruction contained in the data payload, places the URB in a new IRP, and passes that IRP down to the USB bus driver. The USB bus driver performs the operation described by the URB in the IRP and, when it is complete, returns the result to the USB function driver. The USB function driver returns the IRP containing the result data to the I/O manager, which then returns the result of the IRP operation to the application.

Communication between the USB host and the USB device is controlled by USB controllers. The USB controllers on the host side and the device side are called the host controller and the device controller, respectively. The host controller driver and the USB device driver together constitute the USB bus driver: the former controls the USB device inserted into the interface, while the latter controls the communication between the USB device and the host that implements the specific business function.

The USB host driver is composed of the USB core driver (USBD) and the host controller driver (HCD). HCD implements the hardware abstraction of the host controller: downward, it manages and monitors the behavior of the host controller hardware; upward, it accepts calls and management from USBD. Its main functions include initializing the host controller, configuring the root hub device, providing the corresponding interface functions and completing data transfers.

USBD is the core of the USB host driver and the only communication channel between the USB device driver and HCD. On the one hand, USBD receives the non-USB-format data stream from the upper-layer driver, processes it according to the protocol and passes it to HCD; on the other hand, it processes the data coming up from HCD and passes it to the upper-layer device driver.

According to the USB protocol specification, all data transfers on the USB bus are initiated by the USB host. When a USB device is connected to a hub, the hub reports the state change to the USB host, and the USB host then sends commands to the USB device through the root hub to obtain the device's information, including its transfer type, USB speed and device ID.

A USB transaction is the basic unit of data transfer between the USB host and the USB device. Each transaction is carried out as 2 to 3 packets on the USB bus, corresponding to the following steps:

(1) the USB host controller issues the corresponding operation instruction to the USB device;

(2) a read or write data packet passes between the USB host controller and the USB device; its direction depends on whether the instruction in the first step was a read or a write;

(3) the receiver of the data reports to the sender whether the transfer succeeded.
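The transaction structure just described, as an added example (not code from the article): a Python decoder for the three packets of one USB transaction that checks the PID complement, the token's CRC5 and the data field's CRC16 the way a bus analyzer does. The sample transaction is constructed: a SETUP token to address 0 carrying a GET_DESCRIPTOR request, answered with ACK.

```python
# PID low nibble -> name; the high nibble is its bitwise complement (a check)
PIDS = {0x1: "OUT", 0x9: "IN", 0xD: "SETUP", 0x3: "DATA0", 0xB: "DATA1",
        0x2: "ACK", 0xA: "NAK", 0xE: "STALL"}

def _crc(bits, poly, width):
    """USB CRC: register seeded with all ones, data bits fed LSB first,
    remainder complemented (CRC5 poly 0x05, CRC16 poly 0x8005)."""
    crc = mask = (1 << width) - 1
    for b in bits:
        feedback = ((crc >> (width - 1)) & 1) ^ b
        crc = ((crc << 1) ^ (poly if feedback else 0)) & mask
    return crc ^ mask

def _bits(value, n, msb_first=False):
    """Fields go on the wire LSB first; the CRC fields are the exception."""
    bits = [(value >> i) & 1 for i in range(n)]
    return bits[::-1] if msb_first else bits
def _field(bits):                     # bit list in wire order back to an int
    return sum(b << i for i, b in enumerate(bits))
def crc5(addr, endp):                 # over the 11-bit ADDR+ENDP field
    return _crc(_bits(addr, 7) + _bits(endp, 4), 0x05, 5)
def crc16(payload):                   # over the DATA field
    return _crc([b for x in payload for b in _bits(x, 8)], 0x8005, 16)
def _pid_byte(name):
    pid = next(k for k, v in PIDS.items() if v == name)
    return pid | (pid ^ 0xF) << 4

def build_token(name, addr, endp):    # OUT/IN/SETUP: PID, ADDR, ENDP, CRC5
    f = _field(_bits(addr, 7) + _bits(endp, 4) + _bits(crc5(addr, endp), 5, True))
    return bytes([_pid_byte(name), f & 0xFF, f >> 8])
def build_data(name, payload):        # DATA0/DATA1: PID, data, CRC16
    f = _field(_bits(crc16(payload), 16, True))
    return bytes([_pid_byte(name)]) + payload + bytes([f & 0xFF, f >> 8])
def parse_packet(pkt):
    """Return (type, fields); raise ValueError on a bad PID or CRC."""
    pid = pkt[0] & 0xF
    if pkt[0] >> 4 != pid ^ 0xF or pid not in PIDS:
        raise ValueError("bad PID byte 0x%02x" % pkt[0])
    name = PIDS[pid]
    if name in ("OUT", "IN", "SETUP"):
        f = pkt[1] | pkt[2] << 8
        addr, endp = f & 0x7F, f >> 7 & 0xF
        if _field(_bits(f >> 11, 5)[::-1]) != crc5(addr, endp):
            raise ValueError("%s token CRC5 mismatch" % name)
        return name, {"addr": addr, "endp": endp}
    if name in ("DATA0", "DATA1"):
        payload, f = bytes(pkt[1:-2]), pkt[-2] | pkt[-1] << 8
        if _field(_bits(f, 16)[::-1]) != crc16(payload):
            raise ValueError("%s CRC16 mismatch" % name)
        return name, {"payload": payload}
    return name, {}                    # handshakes carry only the PID
# Constructed sample: SETUP token, GET_DESCRIPTOR(DEVICE) request data, ACK
GET_DESCRIPTOR = bytes([0x80, 0x06, 0x00, 0x01, 0x00, 0x00, 0x40, 0x00])
SAMPLE = [build_token("SETUP", 0, 0), build_data("DATA0", GET_DESCRIPTOR), b"\xD2"]
```

A listening tool (section 3.1) that does not verify the CRCs in this way will happily decode a corrupted or injected packet as if it were genuine.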

2. Attack test methods for the USB interface

Through analysis of the communication process of the USB interface, attack tests of the USB interface can be carried out from the generation, distribution and processing of the exchanged data.

2.1 Obtaining sensitive data by monitoring the USB interface

When a USB interface device interacts with the host, an attacker can tap the data stream on the line by listening on the USB interface and then parse the packets according to the USB bus protocol format, thereby obtaining the data exchanged between the USB device and the host. Some devices with an identity authentication function, such as authentication keys and encrypted USB flash drives, require sensitive information such as an account number and password to be entered during use. If this data is not protected during the exchange, key information may be disclosed.

The USB function driver is written by the device developer and implements the basic communication operations between the USB device and the host. In the USB driver hierarchy, the USB function driver sits above HCD and does not touch the actual hardware; instead, it controls the hardware device by sending IRPs containing URBs to USBD.

As the basic carrier and core data structure describing communication with a USB device, a URB sends or receives data as the driver requires. Each endpoint in the USB device processes a queue of URBs. When a URB is created by the USB device driver, it carries the instruction data exchanged between the host and the USB interface product and is queued to a specific endpoint of the USB device.

Therefore, one way to listen on the USB interface is to tap, in software or hardware, the IRP packets that the operating system sends to the driver, and then parse the URB data carried in the IRP while the device is performing a sensitive operation, so as to recover the sensitive data from its context.

2.2 Obtaining sensitive code information by decompiling USB device drivers and other files

Decompilation obtains equivalent high-level code by analyzing and transforming low-level code. By decompiling, the important functions of a USB interface device can be located and analyzed, and sensitive code information obtained.

In the USB driver system, the device function driver is mainly responsible for handling I/O requests. All I/O requests issued from user mode are converted by the operating system into IRP-type data structures, and most requests are processed in the driver's dispatch functions.

The basic properties of an IRP include MajorFunction and MinorFunction, which record the main type and subtype of the IRP, respectively. When a driver receives IRPs of different types, the operating system distributes each IRP to a different dispatch function according to its MajorFunction. In the dispatch function the IRP is processed, and the MinorFunction type to which it belongs can be determined.

For USB interface devices with authentication, encryption and interaction functions, decompilation software can be used to decompile files such as the driver and DLLs. By analyzing the decompiled source code or pseudo-code, information about the target program's sending functions or key processing functions, such as function names, parameter values, processing logic and input and output paths, can be obtained, preparing the ground for subsequent data reading, access control and other operations.

2.3 Tampering with the USB interface's exchanged data through a mounted filter driver

When a USB interface device communicates with the host, intercepting the exchanged packets and tampering with them may break the normal function of the device. Alternatively, by constructing abnormal data and replaying instruction packets, the USB interface product can be made to receive wrong instructions, which may cause it to return sensitive information; in this way the USB interface device is attacked.

An IRP is first passed to the top of the device stack and then progressively down to the drivers below. When the operating system builds the device stack, the I/O manager allows a driver to attach a device object it has created to the device object of another driver. IRPs destined for the driver of the original device object are then also sent to the driver associated with the attached device object; this additional driver is called a filter driver.

A filter driver can be inserted at any level of the device stack, and the key code a filter driver creates is the device class. Its AddDevice function constructs the filter instance and binds the device it creates to the device being filtered through IoAttachDeviceToDeviceStack. Different filtering functions need to intercept different IRPs. In this class, IRP interception is implemented by inserting the filter into the device stack, and a custom completion routine can be used to implement specific functions.

Therefore, a filter driver can be added to the function driver of the USB interface device and used to inspect, modify and complete the IRPs it receives, or to construct its own IRPs, so as to modify the data and carry out an effective attack test of the USB interface product.

2.4 Obtaining device permissions through a USB HID attack

For a host with a USB interface, operating permission can be obtained by controlling the user's keyboard. In a human interface device (HID) attack, a USB interface device is made to emulate a keyboard so that the host identifies it as a keyboard, after which scripted keystrokes can be injected into the host.

HID attacks are physical-level attacks. In the driver model, every HID-defined device provides a self-description packet describing its data type and format; the HID driver on the computer parses this data and dynamically associates data I/O with application functions.

Because hosts generally lack strict checks on HID devices and only identify the device type, the computer cannot distinguish a legitimate user device from a malicious one. An HID attack is carried out by inserting a USB device that carries attack code, which is then loaded and executed. By modifying the information the device reports about itself so that the computer mistakes another device for an HID device, the basic trust between the computer and the user's input peripherals is exploited to carry out the attack and gain control.

3. Security detection methods for the USB interface

Combining the various attack test methods for the USB interface, the corresponding security detection methods can be carried out from the following aspects.

3.1 Detecting whether the USB interface's data transmission is encrypted

To detect whether the data transmission process is encrypted, the interaction between the USB device and the USB host can be captured with USB listening software such as Bus Hound and USBTrace, or with hardware such as a USB protocol analyzer.

When conducting the test, first start the monitoring tool and insert the device under test. When the application on the host enters sensitive information such as an account and password, capture the communication packets from the tool's bypass on the line, then analyze and compare the data. If the bypass data is found to match the input data, the USB device has the hidden danger of transmitting data in plaintext.

3.2 Detecting whether the USB interface device's data storage is encrypted

Whether the storage process is encrypted can be verified by reading and writing the storage space of the USB interface device. First read the data in the product's storage space, then write specific data and read the storage space again. Finally, compare the storage data before and after the write to verify whether the written input can be identified. If matching data is found, the USB interface device has the hidden danger of storing sensitive data in clear text.
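For the transmission check in 3.1 and the storage check in 3.2, an added example (not code from the article): a Python check that looks for the value the tester entered in the captured DATA payloads, or in the bytes that changed between the two reads of the storage space, in the encodings a Windows host commonly uses (ASCII, UTF-16LE wide strings, hex text, Base64). The captures, dumps, password and marker are all constructed.

```python
import base64

# Forms in which an entered value commonly appears in a Windows host's USB
# traffic or in a device's storage: raw ASCII, UTF-16LE (Windows wide
# strings), hex text and Base64
ENCODINGS = {
    "ascii": lambda s: s.encode("ascii"),
    "utf-16le": lambda s: s.encode("utf-16-le"),
    "hex-text": lambda s: s.encode("ascii").hex().encode("ascii"),
    "base64": lambda s: base64.b64encode(s.encode("ascii")),
}

def _offsets(blob, needle):
    """All start offsets of needle in blob."""
    i = blob.find(needle)
    while i != -1:
        yield i
        i = blob.find(needle, i + 1)

def find_plaintext(blob, secret):
    """Every (encoding, offset) at which `secret` is recoverable from blob."""
    return [(name, off) for name, encode in ENCODINGS.items()
            for off in _offsets(blob, encode(secret))]

def transmission_leak(payloads, secret):
    """3.1: scan the DATA payloads captured on the line while the secret was
    entered; returns (payload index, encoding, offset) per hit."""
    return [(i, enc, off) for i, p in enumerate(payloads)
            for enc, off in find_plaintext(p, secret)]

def storage_leak(before, after, marker):
    """3.2: diff the storage read before and after the test write and look for
    the written marker inside the bytes that changed."""
    changed = [i for i, (a, b) in enumerate(zip(before, after)) if a != b]
    if not changed:
        return {"changed_bytes": 0, "hits": []}
    lo, hi = changed[0], changed[-1] + 1
    hits = [(enc, lo + off) for enc, off in find_plaintext(after[lo:hi], marker)]
    return {"changed_bytes": len(changed), "region": (lo, hi), "hits": hits}

# Constructed captures: one device sends the password as UTF-16LE in clear,
# the other sends bytes that cannot be correlated with the input
SECRET = "P@ssw0rd!"
PLAIN_CAPTURE = [b"\x01\x00\x09", SECRET.encode("utf-16-le") + b"\x00\x00"]
ENC_CAPTURE = [b"\x01\x00\x09", bytes.fromhex("9c4ff1a0e37b5d22c8a6f0b1d4e9")]

# Constructed storage dumps: 64 bytes of erased flash (0xFF), then the same
# space after writing an 8-byte marker; the "encrypted" device changes bytes
# in the same place without the marker being recognizable
MARKER = "TESTMARK"
BEFORE = b"\xff" * 64
AFTER_PLAIN = BEFORE[:16] + MARKER.encode("ascii") + BEFORE[24:]
AFTER_ENC = BEFORE[:16] + bytes.fromhex("3e7a1c9d50b6e2f4") + BEFORE[24:]
```

An empty hit list is only evidence of absence for the encodings searched; a device that stores the value under a trivial transform (a fixed XOR, for instance) still fails the test in spirit.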

3.3 Detecting the sensitive file protection measures of USB interface devices

Sensitive file protection can be detected by checking whether the device software uses anti-reverse-engineering technology to prevent an attacker from decompiling and analyzing the device files. During the test, IDA or other decompilation software is used to decompile the driver, DLLs and other files, and the decompiled code is analyzed to see whether sensitive code information such as encryption functions, data storage locations and parameter settings can be obtained. If the files can be decompiled in this way, the USB interface device is vulnerable to sensitive data leakage.

3.4 Detecting how the USB interface device handles erroneous messages

Detect whether the USB interface device correctly handles erroneous instruction data. During the test, the device's communication data is tampered with by means of a mounted filter driver and the device's response is observed. If tampering with the data causes the device to respond abnormally, the device does not handle erroneous information effectively.

3.5 Detecting how the USB interface product handles replayed messages

Detect whether the USB device correctly handles replayed instruction data. Filter driver software is used to capture and replay the device's communication data, and the device's response is observed. If the replayed data causes the USB device to return the same sensitive data again, the USB device does not handle replayed information effectively.

3.6 Detecting whether the USB interface device can recognize a malicious device

Detect whether the USB device can identify and block malicious devices. When an external device is inserted, check whether the device under test records the corresponding event in the system's security event log and identifies the malicious device by analyzing the device name and ID. If the external device's information is not evaluated at all, the USB interface device cannot recognize malicious devices.
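The log-based check in 3.6, as an added example (not code from the article): Python detection logic that parses device-arrival log lines, compares the reported VID/PID against an allowlist of issued devices, and flags a known ID that shows up with a different device class than expected (a device posing as a keyboard, as in 2.4) or one serial presenting several classes. The log lines, the allowlist and every VID/PID value are constructed; the line format mimics a Windows device instance path but is not a copy of any real event format.

```python
import re
from collections import defaultdict

# Constructed allowlist of issued devices: (VID, PID) -> (name, expected class).
# The ID values are made up for the example and belong to no real vendor.
ALLOWLIST = {
    ("1234", "0001"): ("corporate encrypted flash drive", "DiskDrive"),
    ("1234", "0002"): ("corporate authentication key", "SmartCardReader"),
    ("5678", "0100"): ("standard keyboard", "HIDClass"),
}

# Constructed log lines in the shape of a device-arrival event: a timestamp,
# the Windows device instance path USB\VID_xxxx&PID_xxxx\<serial>, and the
# setup class the device presented
LOG = """\
2020-03-21 19:40:01 DeviceArrival USB\\VID_1234&PID_0001\\SN0001 Class=DiskDrive
2020-03-21 19:41:12 DeviceArrival USB\\VID_5678&PID_0100\\SN7781 Class=HIDClass
2020-03-21 19:42:30 DeviceArrival USB\\VID_1234&PID_0001\\SN0002 Class=HIDClass
2020-03-21 19:43:05 DeviceArrival USB\\VID_ABCD&PID_0042\\SN9999 Class=HIDClass
2020-03-21 19:43:06 DeviceArrival USB\\VID_ABCD&PID_0042\\SN9999 Class=DiskDrive
"""

LINE = re.compile(r"^(?P<ts>\S+ \S+) DeviceArrival "
                  r"USB\\VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})"
                  r"\\(?P<serial>\S+) Class=(?P<cls>\S+)$")

def parse_log(text):
    """Device-arrival events as dicts; lines of any other shape are skipped."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]

def classify(events, allowlist=ALLOWLIST):
    """Verdict per event: unknown ID; a known ID showing up with a class
    other than the expected one (a device posing as a keyboard, as in 2.4);
    and one serial presenting several classes (composite device)."""
    seen = defaultdict(set)
    verdicts = []
    for ev in events:
        key = (ev["vid"].upper(), ev["pid"].upper())
        seen[ev["serial"]].add(ev["cls"])
        if key not in allowlist:
            verdict = "ALERT unknown device id"
        elif allowlist[key][1] != ev["cls"]:
            verdict = "ALERT %s presenting as %s" % (allowlist[key][0], ev["cls"])
        else:
            verdict = "ok %s" % allowlist[key][0]
        if len(seen[ev["serial"]]) > 1:
            verdict += "; serial presents multiple classes"
        verdicts.append((ev["ts"], ev["serial"], verdict))
    return verdicts
```

VID/PID and serial are reported by the device itself, so this check catches careless or off-the-shelf devices; it does not replace the physical and policy controls that stop a device that clones a trusted ID.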

4. Security defense methods for the USB interface

USB interface devices that need to transmit sensitive data should encrypt the data during transmission. An authentication protocol or encryption algorithm is used to process the key information to be transmitted, so that sensitive data cannot be recovered from a packet even if the attacker captures it.

USB interface devices that need to store sensitive data should encrypt the data during storage. An encryption algorithm is used to encrypt the sensitive information to be stored, so that the attacker cannot obtain sensitive data by reading the address space.

The relevant code files of USB interface devices that exchange sensitive information should be hardened. The files are protected by packing, obfuscation and other technical means, so that the attacker cannot obtain sensitive code information from the device files through decompilation and unpacking.

USB devices should be able to detect and handle abnormal data. By improving how the USB interface product handles abnormal instructions, the product can respond correctly when the attacker sends abnormal data and avoid entering an abnormal state.

USB devices should be able to recognize and handle replayed data. Packets are protected with a timestamp, sequence number or similar marker, so that when the attacker sends the same packet again, the USB interface product can discard the malicious packet based on that marker.
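The last two defenses (handling abnormal data and rejecting replays), as an added example that is not code from the article: a Python device-side check that binds a sequence number to each command with an HMAC, so that a replayed, truncated or modified packet is refused before it is executed. The packet format and the pre-shared key are constructed assumptions; the key is assumed to be provisioned when host and device are paired.

```python
import hashlib
import hmac
import struct

# Assumed: a secret shared between host and device at pairing time
# (constructed demo value, not a real key)
KEY = b"constructed-demo-key-provisioned-at-pairing"
TAG_LEN = 32                            # HMAC-SHA256 output size

def make_packet(seq, command, key=KEY):
    """Host side: seq (uint32 big-endian) || command || HMAC-SHA256 over both.
    The MAC binds the sequence number to the command, so neither can be
    altered or re-paired with the other without the key."""
    body = struct.pack(">I", seq) + command
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Device:
    """Device side: execute a command only if its MAC verifies and its
    sequence number is above the highest one already executed."""
    def __init__(self, key=KEY):
        self.key = key
        self.last_seq = 0     # a real device must persist this across power cycles
        self.executed = []

    def receive(self, pkt):
        if len(pkt) < 4 + TAG_LEN:                 # abnormal / truncated data
            return ("reject", "malformed packet")
        body, tag = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # verify before trusting seq,
            return ("reject", "bad MAC")           # or forged packets could
        seq = struct.unpack(">I", body[:4])[0]     # advance the counter
        if seq <= self.last_seq:
            return ("reject", "replay of seq %d" % seq)
        self.last_seq = seq
        self.executed.append(body[4:])
        return ("ok", seq)

def demo():
    """Constructed exchange: two genuine commands, then four hostile packets."""
    dev = Device()
    first, second = make_packet(1, b"READ_SECRET"), make_packet(2, b"UNLOCK")
    tampered = bytearray(second)
    tampered[6] ^= 0x20                             # flip one command byte
    return [dev.receive(first), dev.receive(second),
            dev.receive(first),                     # replay of seq 1
            dev.receive(bytes(tampered)),           # modified command
            dev.receive(second[:10]),               # truncated packet
            dev.receive(make_packet(3, b"UNLOCK", key=b"wrong-key"))]  # forged
```

A timestamp can replace the counter only if the device has a trustworthy clock; a monotonic counter stored in non-volatile memory is the simpler choice for a small USB device.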

5. Conclusion

With the wide application of the USB interface, the security situation of the related devices is becoming more and more serious. This paper analyzes a variety of attack methods and principles against the USB interface and puts forward corresponding security testing means and defense methods, which can provide guidance for follow-up research and for the testing of USB interface security testing tools.
