Transcription
Understand USB (in Linux)Krzysztof OpasiakSamsung R&D Institute Poland
AgendaWhat USB is about?Plug and PlayHow BadUSB works?May I have my own USB device?Q&A1
What USB is about?
What Internet is about? It is about providing and using some services! Web pages File transfer Remote shell Mail Any other invented by programmer3
How it is done? Usually it's well known client-server architecture4
What USB is about? It is about providing and using some services! Additional storage Printing Ethernet External camera Any other invented by programmer5
How it is done? In a very different way than Internet6
USB Host vs USB DeviceHOSTDEVICE Can be extended May extend USB HOSTusing some devices Has Type-A connectorwith somefunctionalities Has Type-B connector7
How we connect them?8
Logical vs physical topologyPhysicalLogical9
What is USB device? Piece of Hardware forproviding desiredfunctionality Piece of additionalHardware for USBcommunication USB protocolimplementation Some useful protocolimplementation10
Endpoints Device may have up to 31 endpoints(including ep0) Each of them gets an unique Endpoint address Endpoint 0 may transfer data in both directions All other endpoints may transfer data in onedirection:IN Transfer data from device to hostOUT Transfer data from host to device11
Endpoint types Control Bi-directional endpoint Used for enumeration Can be used for application Interrupt Transfers a small amount of low-latency data Reserves bandwidth on the bus Used for time-sensitive data (HID)12
Endpoint types Bulk Used for large data transfers Used for large, time-insensitive data(Network packets, Mass Storage, etc). Does not reserve bandwidth on bus, uses whatevertime is left over Isochronous Transfers a large amount of time-sensitive data Delivery is not guaranteed (no ACKs are sent) Used for Audio and Video streams Late data is as good as no data Better to drop a frame than to delay and force are-transmission13
USB bus USB is a Host-controlled bus Nothing on the bus happens without the host firstinitiating it. Devices cannot initiate any communication. The USB is a Polled Bus. The Host polls each device, requesting data orsending data.14
What is USB host? Piece of hardware with some OS etc. Piece of USB Host side hardware(ehci, ohci, uhci, xhci) Drivers for USB hardware USB protocol implementation Drivers for some useful devices15
Plug and Play
Step by step Plug in device Detect Connection Set address Get device info Choose a devicedriver Choose configuration Choose drivers forinterfaces Use it ;)17
Detect Connection18
Detect ConnectionWhat with high-speed? We try to communicate using highspeed. If successful the device is HS and FS otherwise.18
Set address On plug-in device use default address 0x00 Only one device is enumerated at once Hosts assigns unique address for new device19
Get device info Each USB world entity is described by datastructure called descriptor Descriptors have different types, sizes andcontent But they all have a common headerFieldbLengthbDescriptorType data Size11bLength - 2ValueDescriptionNumberConstantNASize of the Descriptor in BytesDevice Descriptor (0x01)Payload20
Device mConfigurations1IntegerDescription18 bytesDevice Descriptor (0x01)USB Specification Number whichdevice complies too.Class Code (by USB Org)Subclass Code (by USB Org)Protocol Code (by USB Org)Maximum Packet Size for ZeroEndpoint. Valid Sizes are 8, 16,32, 64Vendor ID (by USB Org)Product ID (by Manufacturer)Device Release NumberIndex of Manufacturer String DescriptorIndex of Product String DescriptorIndex of Serial Number String DescriptorNumber of Possible Configurations21
Configuration Attributes1BitmapbMaxPower1mADescriptionSize of Descriptor in BytesConfiguration Descriptor (0x02)Total length in bytes of data returnedNumber of InterfacesValue to use as an argument to select this configurationIndex of String Descriptor describing this configurationD7 Reserved, set to 1.D6 Self PoweredD5 Remote WakeupD4.0 Reserved, set to 0.Maximum Power Consumptionin 2mA units22
Interface ubClassProtocolIndexDescription9 BytesInterface Descriptor (0x04)Number of InterfaceValue used to select alternativesettingNumber of Endpoints used for thisinterfaceClass Code (By USB Org)Subclass Code (By USB Org)Protocol Code (By USB Org)Index of String Descriptor Describing this interface23
USB BothInterfaceBothInterfaceBothUse class information in the Interface DescriptorsAudioCommunications and CDC ControlHID (Human Interface Device)PhysicalImagePrinterMass StorageHubCDC-DataSmart CardContent SecurityVideoPersonal HealthcareAudio/Video DevicesBillboard Device ClassDiagnostic DeviceWireless ControllerMiscellaneousApplication SpecificVendor Specific24
Device Info Summary Host gets info about new devices from suitableUSB descriptors Most important data at this moment: ceSubClassbInterfaceProtocol25
Set Configuration Which configuration is the most suitable? We have enough power for it (bMaxPower?) It has at least one interface If device has only one config just use it Choose the one which first interface is not Vendorspecific All interfaces of choosen configuration becomesenabled so let's use them26
What USB driver really is? Piece of kernel code Usually provides something to userspace(network interface, tty, etc.) Implementation of some communication protocol27
How to choose a suitable driver? struct usb driver vs struct usb device driver When device needs special handling: Using VID and PID and interface id Driver probe()s for each interface in device that matchvid and pid When driver implements some well defined,standardized protocol Using bInterfaceClass, bInterfaceSubClass etc. Driver probe() for each interface which has suitableidentity No matter what is the VID and PID Driver will not match if interface hasn't suitable class28
Big picture29
What's next? We have the driver which provides something touserspace but what's next? It depends on interface type: Network devices - Network manager should handlenew interface setup Pendrives, disks etc - automount service shouldmount new block device Mouse, keyboard - X11 will start listening for inputevents And many many other things are going to be handledAUTOMATICALLY without any user action 30
How BadUSB works?
USB security summary Between plug in and start using there is no user interactionDrivers are probed automaticallyUserspace starts using new device automaticallyDevice introduce itself as it wantsThere is no relation between physical outfit anddescriptors32
My beautiful tablet33
BadUSB attack scenario User connect hacked device Device looks like pendrive, tablet But sends descriptor taken from some keyboard And implements HID protocol Kernel creates new input source and X11 just starts using them34
How dangerous it is? I just downloaded image and changed the background but what else it can do?There is a version of this attack which spoofsDNS on host and redirects them to USB deviceAny command which doesn't require sudo can beexecutedanything!anything!anything!35
How to protect? Don't connect unknown devices found on a street Limit number of input source to X11 Use device authorization Use interface authorization36
Device/interface authorization Each USB device has authorized attribute in sysfs directoryEach HCD has authorized default entry in sysfsIf we set this to false each new device on this buswill be unauthorized by defaultDrivers will not be able to bind to itThis gives us time to use lsusb to check it37
My tablet (once again)38
May I have my own USBdevice?
Yes, you can!NeedSuitable hardwareImplementation of USBprotocolImplementation of someuseful protocolSolutionGet some board with UDCcontroller (BBB, Odroid etc.)Use one from Linux kernel!A lot of protocols are available out of box in Linux kernel!40
How to do this? That's a very good topic for tutorial! If you would like to learn this, feel free to join mytutorial: Wednesday, 14:00 room: Liffey Hall 241
Q&A
Thank you!Krzysztof OpasiakSamsung R&D Institute Poland 48 605 125 174k.opasiak@samsung.com43
References Tame The USB gadgets Talkative Beast, Krzysztof OpasiakMake your own USB gadget,Andrzej PietrasiewiczUSB and the Real World, Alan OttUSB in a NutshellUSB specificationBadUSB attack44
05h Interface Physical 06h Interface Image 07h Interface Printer 08h Interface MassStorage 09h Device Hub 0Ah Interface CDC-Data 0Bh Interface SmartCard 0Dh Interface ContentSecurity 0Eh Interface Video 0Fh Interface PersonalHealthcare 10h Interface Audio/VideoDevices 11h De