🗊Презентация The baseband bane

Категория: Интернет
Нажмите для полного просмотра!
The baseband bane, слайд №1The baseband bane, слайд №2The baseband bane, слайд №3The baseband bane, слайд №4The baseband bane, слайд №5The baseband bane, слайд №6The baseband bane, слайд №7The baseband bane, слайд №8The baseband bane, слайд №9The baseband bane, слайд №10The baseband bane, слайд №11The baseband bane, слайд №12The baseband bane, слайд №13The baseband bane, слайд №14The baseband bane, слайд №15The baseband bane, слайд №16The baseband bane, слайд №17The baseband bane, слайд №18

Вы можете ознакомиться и скачать презентацию на тему The baseband bane. Доклад-сообщение содержит 18 слайдов. Презентации для любого класса можно скачать бесплатно. Если материал и наш сайт презентаций Mypresentation Вам понравились – поделитесь им с друзьями с помощью социальных кнопок и добавьте в закладки в своем браузере.

Слайды и текст этой презентации


Слайд 1





the baseband bane
Neerad Somanchi
Anjana Guruprasad
Описание слайда:
the baseband bane Neerad Somanchi Anjana Guruprasad

Слайд 2





A Typical Smartphone
How many processors?
The application processor (AP) – The one advertisements talk about
Qualcomm Snapdragon, Samsung Exynos, Apple A series
The communications processor (CP) – The Internet!
Low power ARM CPUs – Protocol Stack Processor
Qualcomm X12, Samsung Shannon S333
How many Operating Systems?
AP – Android, iOS
CP – RTOS to handle time critical operations
Proprietary, closed source
Nulceus OS, ThreadX, Shannon OS
Описание слайда:
A Typical Smartphone How many processors? The application processor (AP) – The one advertisements talk about Qualcomm Snapdragon, Samsung Exynos, Apple A series The communications processor (CP) – The Internet! Low power ARM CPUs – Protocol Stack Processor Qualcomm X12, Samsung Shannon S333 How many Operating Systems? AP – Android, iOS CP – RTOS to handle time critical operations Proprietary, closed source Nulceus OS, ThreadX, Shannon OS

Слайд 3


The baseband bane, слайд №3
Описание слайда:

Слайд 4





Radio access technology
Описание слайда:
Radio access technology

Слайд 5


The baseband bane, слайд №5
Описание слайда:

Слайд 6





GSM PROTOCOL STACK
Описание слайда:
GSM PROTOCOL STACK

Слайд 7





Baseband Protocol stack
Code base created in the 1990s… With a 1990s attitude towards security
Network elements like Base Transceiver Station(BTS) are considered trusted
Very expensive back then
Now - Rogue BTS can be fashioned for as little as 1500 USD
Layer 3 Protocol – Specified in GSM 04.08
Allows for variable length messages
Maximum Length: 255 Bytes (Length Field: One Byte)
Some messages specified to be encoded as variable length messages
…even though the message description implies that it is of fixed length
Potential Exploit!
Описание слайда:
Baseband Protocol stack Code base created in the 1990s… With a 1990s attitude towards security Network elements like Base Transceiver Station(BTS) are considered trusted Very expensive back then Now - Rogue BTS can be fashioned for as little as 1500 USD Layer 3 Protocol – Specified in GSM 04.08 Allows for variable length messages Maximum Length: 255 Bytes (Length Field: One Byte) Some messages specified to be encoded as variable length messages …even though the message description implies that it is of fixed length Potential Exploit!

Слайд 8





Finding Bugs
Fuzzing – Providing invalid, unexpected and random data as protocol messages
Baseband crashes, but no way to glean any information from crash logs
Static Analysis – Analyze code without executing it
No source code publicly available
Exception – Vitelcom TSM30 source code was leaked in 2004
Helped understand the general architecture of the GSM protocol stack code
Conclusion – Reverse engineer binaries
OTA firmware updates contain baseband firmware as well
Описание слайда:
Finding Bugs Fuzzing – Providing invalid, unexpected and random data as protocol messages Baseband crashes, but no way to glean any information from crash logs Static Analysis – Analyze code without executing it No source code publicly available Exception – Vitelcom TSM30 source code was leaked in 2004 Helped understand the general architecture of the GSM protocol stack code Conclusion – Reverse engineer binaries OTA firmware updates contain baseband firmware as well

Слайд 9





Reverse engineering binaries
Tools for identifying interesting code paths – IDA Pro Disassembler and Google BinDiff
Disassembler translates machine language into assembly language – inverse of assembler
BinDiff compares and identifies identical and similar functions in disassembled code
BinDiff generates function “fingerprints”
Run both tools on target binary and a known code base – VSM30 to the rescue!
Helped identify functions like memcpy() and memmov()
Then identify functions that used variable-length memory copies
Check if they employed sufficient length checking for the copied or moved data
Описание слайда:
Reverse engineering binaries Tools for identifying interesting code paths – IDA Pro Disassembler and Google BinDiff Disassembler translates machine language into assembly language – inverse of assembler BinDiff compares and identifies identical and similar functions in disassembled code BinDiff generates function “fingerprints” Run both tools on target binary and a known code base – VSM30 to the rescue! Helped identify functions like memcpy() and memmov() Then identify functions that used variable-length memory copies Check if they employed sufficient length checking for the copied or moved data

Слайд 10





The bugs!
Insufficient length checks, aka, unchecked memory copies
Found in binary once memcpy() et al. are identified
Object/structure lifecycle issues
Generous use of state machines in GSM
Use-after-free bugs, uninitialized variables, unhandled states
Harder to exploit these bugs
Code path pains
Code paths used for 3G (UMTS) can be triggered using GSM messages
Описание слайда:
The bugs! Insufficient length checks, aka, unchecked memory copies Found in binary once memcpy() et al. are identified Object/structure lifecycle issues Generous use of state machines in GSM Use-after-free bugs, uninitialized variables, unhandled states Harder to exploit these bugs Code path pains Code paths used for 3G (UMTS) can be triggered using GSM messages

Слайд 11





Example (Infineon Code base)
TMSI – Temporary Mobile Subscriber Identity
Always a 32 bit value
For some reason, encoded with a length field
Engineer A allocates only 32 bits for the TSMI value
Engineer B trusts the length field and copies the value sent by rogue BTS into location above
Results in a heap overflow
Tricky to exploit in a stable way – leads to a modem crash
Issue identified in iPhone 4 – Fixed in the subsequent point update to the OS
Описание слайда:
Example (Infineon Code base) TMSI – Temporary Mobile Subscriber Identity Always a 32 bit value For some reason, encoded with a length field Engineer A allocates only 32 bits for the TSMI value Engineer B trusts the length field and copies the value sent by rogue BTS into location above Results in a heap overflow Tricky to exploit in a stable way – leads to a modem crash Issue identified in iPhone 4 – Fixed in the subsequent point update to the OS

Слайд 12





Example (Qualcomm code base)
For authentication in GSM, BTS transmits a 16 byte challenge value called RAND
3G (UMTS) uses a variable length message called AUTN, but is specified to also be only 16 bytes long
Qualcomm stack accepts the AUTN challenge even when operating in GSM mode
Apparently a workaround used by Qualcomm for compatibility reasons
Rogue BTS sends AUTN message of length > 16 bytes
Stack overflow as only 16 bytes are provisioned for RAND challenges
Result – Remote code execution (before successful authentication)
Qualcomm fixed it after disclosure
Описание слайда:
Example (Qualcomm code base) For authentication in GSM, BTS transmits a 16 byte challenge value called RAND 3G (UMTS) uses a variable length message called AUTN, but is specified to also be only 16 bytes long Qualcomm stack accepts the AUTN challenge even when operating in GSM mode Apparently a workaround used by Qualcomm for compatibility reasons Rogue BTS sends AUTN message of length > 16 bytes Stack overflow as only 16 bytes are provisioned for RAND challenges Result – Remote code execution (before successful authentication) Qualcomm fixed it after disclosure

Слайд 13





‘AT + s0 = n’ feature exploited
Hayes AT command set – a specific command language developed for modems in 1981
Short text strings combined to produce commands for operations like dialing, hanging up and changing connection parameters
AT + S0 is a Hayes command to turn on auto-answer
Code exists in Infineon and Qualcomm stacks to enable this feature
For instance, *5005*AANS# enables auto answer on the iPhone 4
First, locate the AT command handler function for setting S0 register
Requires examining memory and register contents at runtime
Enter, JTAG
Joint Test Action Group – developed standards for on-chip instrumentation
Processors use JTAG-specified port to provide debugging information
Software Patch allows JTAG access in HTC dream (Qualcomm baseband)
Описание слайда:
‘AT + s0 = n’ feature exploited Hayes AT command set – a specific command language developed for modems in 1981 Short text strings combined to produce commands for operations like dialing, hanging up and changing connection parameters AT + S0 is a Hayes command to turn on auto-answer Code exists in Infineon and Qualcomm stacks to enable this feature For instance, *5005*AANS# enables auto answer on the iPhone 4 First, locate the AT command handler function for setting S0 register Requires examining memory and register contents at runtime Enter, JTAG Joint Test Action Group – developed standards for on-chip instrumentation Processors use JTAG-specified port to provide debugging information Software Patch allows JTAG access in HTC dream (Qualcomm baseband)

Слайд 14


The baseband bane, слайд №14
Описание слайда:

Слайд 15





Target – HTC Dream (Qualcomm)
Rogue BTS - Ettus Research USRPv1, provides RF processing capability
Supports two daughter RF boards, for transmit and receive
OpenBTS, running on a laptop, modified with patches to perform the exploit
Phone tries to authenticate with the rogue BTS
Use the AUTN exploit previously discussed, which causes a stack buffer overflow
Overwrite the program counter and register r0 of the stack frame
PC with the entry point of s0 register handler, r0 with value 1
Overwrite the subsequent stack frame’s PC as well to ensure smooth execution (no crash)
With the rogue AUTN message, less than 100 bytes long, this exploit is possible
Auto answer is enabled without the user being aware
Описание слайда:
Target – HTC Dream (Qualcomm) Rogue BTS - Ettus Research USRPv1, provides RF processing capability Supports two daughter RF boards, for transmit and receive OpenBTS, running on a laptop, modified with patches to perform the exploit Phone tries to authenticate with the rogue BTS Use the AUTN exploit previously discussed, which causes a stack buffer overflow Overwrite the program counter and register r0 of the stack frame PC with the entry point of s0 register handler, r0 with value 1 Overwrite the subsequent stack frame’s PC as well to ensure smooth execution (no crash) With the rogue AUTN message, less than 100 bytes long, this exploit is possible Auto answer is enabled without the user being aware

Слайд 16





Impact
Place Rogue BTS in crowded/sensitive areas
Audio routing on most chipsets is done on baseband CPU
Which means it has access to the built-in mic
Baseband processors have large quantities of RAM available
Record audio, store in ram, piggy back onto the next data connection
Shared memory architecture – AP can also be compromised
Higher layer security features are bypassed
Brick phones permanently
Описание слайда:
Impact Place Rogue BTS in crowded/sensitive areas Audio routing on most chipsets is done on baseband CPU Which means it has access to the built-in mic Baseband processors have large quantities of RAM available Record audio, store in ram, piggy back onto the next data connection Shared memory architecture – AP can also be compromised Higher layer security features are bypassed Brick phones permanently

Слайд 17





Solutions?
Open source baseband stack 
Quicker at identifying bugs
But still hard to patch them as phones need to be carrier certified – long process
Isolation
Cut off baseband access to the mic when not on a call
Stringent quality control by CP manufacturers
Use tools like coverity to check for possible buffer overflows
Problem is worse with 3G
Radio Resource Control protocol specifications almost 1800 pages long
Messy, complicated
LTE is cleaner
Описание слайда:
Solutions? Open source baseband stack Quicker at identifying bugs But still hard to patch them as phones need to be carrier certified – long process Isolation Cut off baseband access to the mic when not on a call Stringent quality control by CP manufacturers Use tools like coverity to check for possible buffer overflows Problem is worse with 3G Radio Resource Control protocol specifications almost 1800 pages long Messy, complicated LTE is cleaner

Слайд 18





References
Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks - Ralf-Philipp Weinmann, University of Luxembourg
Описание слайда:
References Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks - Ralf-Philipp Weinmann, University of Luxembourg



Теги The baseband bane
Похожие презентации
Mypresentation.ru
Загрузить презентацию