Unified RF Fuzzing Under a Common API: Introducing TumbleRF (PowerPoint presentation, Matt Knight and Ryan Speers)



SLIDE 1

River Loop Security

Troopers 2018

Unified RF Fuzzing Under a Common API: Introducing TumbleRF

Matt Knight, Ryan Speers, March 15, 2018

SLIDE 2

whois

Matt Knight

  • Independent software, hardware, and RF engineer
  • Security Researcher at River Loop Security
  • BE in EE from Dartmouth College
  • RF, SDR, PHYs, and embedded systems

Ryan Speers

  • Director of Research at Ionic Security
  • Co-founder at River Loop Security
  • Computer Science from Dartmouth College
  • Cryptography, embedded systems, IEEE 802.15.4

SLIDE 3

Background

“Making and Breaking a Wireless IDS”, Troopers14
“Speaking the Local Dialect”, ACM WiSec

  • Ryan Speers, Sergey Bratus, Javier Vazquez, Ray Jenkins, bx, Travis Goodspeed, and David Dowd
  • Idiosyncrasies in PHY implementations

Mechanisms for automating:

  • RF fuzzing
  • Bug discovery
  • PHY FSM fingerprint generation

SLIDE 4

Agenda

  1. Overview of traditional fuzzing techniques (software and networks)
     • How these do and don’t easily map to RF
  2. RF fuzzing overview and state of the art
  3. Ideal fuzzer design
  4. TumbleRF introduction and overview
  5. TumbleRF usage example

SLIDE 5

Traditional Fuzzing Techniques

SLIDE 6

What is fuzzing?

Measured application of pseudorandom input to a system

Why fuzz?

  • Automates discovery of crashes, corner cases, bugs, etc.
  • Unexpected input → unexpected state

SLIDE 7

What can one fuzz?

Interfaces

  • I/O
  • File format parsers
  • Network interfaces

SLIDE 8

Software Fuzzing State of the Art

Abundant fully-featured software fuzzers

  • AFL / AFL-Unicorn
  • Peach
  • Scapy

Software is easy to instrument and hook at every level

What else can one fuzz?

SLIDE 9

Fuzzing Hardware

Challenges:

  • H/W is often unique, less “standard interfaces” to measure on
  • May not be able to simulate well in a test harness

Some Existing Techniques:

  • AFL-Unicorn: simulate firmware in Unicorn to fuzz
  • Bus Pirate: permutes pinouts and data rates to discover digital buses
  • JTAGulator: permutes pinouts that could match unlocked JTAG

SLIDE 10

Fuzzing RF

WiFuzz

  • MAC-focused 802.11 protocol fuzzer

Marc Newlin’s Mousejack research

  • Injected fuzzed RF packets at nRF24 HID dongles while looking for USB output

isotope:

  • IEEE 802.15.4 PHY fuzzer

SLIDE 11

Existing RF Fuzzing Limitations

  • Fuzzers are siloed / protocol-specific
  • Generally limited to MAC layer and up
  • RF is hard to instrument – what constitutes a crash / bug / etc?
  • Implicit trust in chipset – one can only see what one’s radio tells you is happening

SLIDE 12

Trust and Physical Layer Vulnerabilities

Not all PHY state machines are created equal!

Radio chipsets implement RF state machines differently

  • Differences can be fingerprinted and exploited
  • Initial results on 802.15.4 were profound
  • Specially-crafted PHYs can target certain chipsets while avoiding others

SLIDE 13

RF PHYs: A Primer

SLIDE 14

How Radios Work

Transmitter: digital data (bits) → analog RF energy (discrete → continuous)

Receiver: analog RF energy → digital data (bits) (continuous → discrete)

Receiving comes down to sampling and synchronization!

SLIDE 15

Digitally Modulated Waveforms

https://hackaday.com/2016/11/18/building-a-lora-phy-with-sdr/

SLIDE 16

Digitally Modulated Waveforms

https://hackaday.com/2016/11/18/building-a-lora-phy-with-sdr/

Waveform labels (figure): Preamble | Start of Frame Delimiter (SFD) / Sync Word | Data

SLIDE 17

RF PHY State Machines

Seeking Preamble (Idle) → Seeking SFD (Synchronizing) → (optional) Extract Length from Header → Demodulate N Bits → Check CRC → Present to MAC / Layer 2 Parser

SLIDE 18

RF PHY State Machines


Let’s dig in

SLIDE 19

RF PHY State Machines

  1. Seeking Preamble (Idle): correlator looks for [1,0,1,0,…]
  2. Seeking SFD (Synchronizing): correlator looks for [magic number]

If found, a packet is on-air

Correlation = shift register clocking bits through at symbol rate looking for a pattern

SLIDE 20

Sync Words and Magic Numbers

Turns out not all sync words are created equally

  • 0x00000000 == 802.15.4 Preamble
  • 0xA7 == 802.15.4 Sync Word

The isotope research showed some chipsets correlated on “different” preambles / sync words than others

SLIDE 21

Sync Words and Magic Numbers

Turns out not all sync words are created equally

  • 0x00000000 == 802.15.4 Preamble
  • 0xA7 == 802.15.4 Sync Word

The isotope research showed some chipsets correlated on “different” (strategically malformed) preambles / sync words than others

SLIDE 22

Sync Words and Magic Numbers

Turns out not all sync words are created equally

  • 0xXXXX0000 == 802.15.4 Preamble (Short preamble?)
  • 0xA7 == 802.15.4 Sync Word

The isotope research showed some chipsets correlated on “different” (strategically malformed) preambles / sync words than others

SLIDE 23

Sync Words and Magic Numbers

Turns out not all sync words are created equally

  • 0xXXXX0000 == 802.15.4 Preamble (Short preamble?)
  • 0xAF == 802.15.4 Sync Word (Flipped bits in SFD?)

The isotope research showed some chipsets correlated on “different” (strategically malformed) preambles / sync words than others
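To make the correlator behaviour of slides 17 to 23 concrete, here is an added example (not code from the slides or from the TumbleRF project) that models the PHY receive state machine in Python and runs a short-preamble frame and a bit-flipped-SFD frame (0xAF) through two constructed receiver profiles; the profile names and thresholds are assumptions for illustration, not measurements of any real chipset.

```python
# Added example, not code from the TumbleRF project: a toy model of the PHY
# receive state machine from the slides (preamble correlator -> SFD correlator
# -> length -> payload) over an IEEE 802.15.4-style 4-bit symbol stream.
from dataclasses import dataclass

PREAMBLE_SYMBOL = 0x0   # 802.15.4 preamble 0x00000000 = eight zero symbols
SFD = 0xA7              # standard Start of Frame Delimiter / sync word

@dataclass(frozen=True)
class RxProfile:                # constructed receiver profile, not a real chipset
    name: str
    min_preamble_symbols: int   # zero symbols the correlator wants before an SFD
    sfd_max_bit_errors: int     # Hamming distance from 0xA7 still accepted

def to_symbols(data: bytes) -> list[int]:
    """Split bytes into 4-bit symbols, high nibble first (a layout choice for this model)."""
    out: list[int] = []
    for b in data:
        out += [b >> 4, b & 0xF]
    return out

def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")

def demodulate(stream: bytes, rx: RxProfile):
    """Run the idealised PHY FSM (CRC check omitted); return the payload handed to the MAC, or None."""
    syms = to_symbols(stream)
    run = 0                          # Seeking Preamble: length of zero-symbol run
    for i in range(len(syms) - 1):
        if syms[i] == PREAMBLE_SYMBOL:
            run += 1
            continue
        candidate = (syms[i] << 4) | syms[i + 1]      # Seeking SFD: 2-symbol window
        if run >= rx.min_preamble_symbols and hamming(candidate, SFD) <= rx.sfd_max_bit_errors:
            rest = syms[i + 2:]
            if len(rest) < 2:
                return None
            length = (rest[0] << 4) | rest[1]          # Extract Length from Header
            body = rest[2:2 + 2 * length]              # Demodulate N bits
            if len(body) < 2 * length:
                return None                            # truncated frame never reaches MAC
            return bytes((body[k] << 4) | body[k + 1] for k in range(0, len(body), 2))
        run = 0                          # neither preamble nor SFD: back to idle
    return None

def which_receivers_sync(frame: bytes, profiles: list[RxProfile]) -> list[str]:
    """Names of the profiles that would hand this frame up to their MAC layer."""
    return [p.name for p in profiles if demodulate(frame, p) is not None]
```

A frame that only the lenient profile returns is exactly the kind of PHY-level difference the slides describe as fingerprintable.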

SLIDE 24

Fuzzing Shows the Way

SLIDE 25

Ideal RF Fuzzer Design

SLIDE 26

Ideal Features

  • Extensible: easy to hook up new radios
  • Flexible: modular to enable plugging and playing different engines / interfaces / test cases
  • Reusable: re-use designs from one protocol on another
  • Comprehensive: exposes PHY in addition to MAC

SLIDE 27

TumbleRF

SLIDE 28

TumbleRF

Previously known as unfAPI (Un-Named Fuzzing API)

SLIDE 29

TumbleRF

Software framework enabling fuzzing arbitrary RF protocols

Abstracts key components for easy extension

SLIDE 30

TumbleRF Architecture

Components in the architecture diagram:

  • Test Case Generator
  • TX Interface (PHY or MAC)
  • Harness
  • Test Case Management
  • Command Line Interface
  • Results Logging

SLIDE 31

Interfaces

RF injection/sniffing functions abstracted to generic template

To add a new radio, inherit base class and redefine its functions to map into any driver:

  • [set/get]_channel()
  • [set/get]_sfd()
  • [set/get]_preamble()
  • tx()
  • rx_start()
  • rx_stop()
  • rx_poll()

SLIDE 32

Generators

Rulesets for generating fuzzed input (pythonically)

Extend to interface with software fuzzers of your choice

Implement 2 functions:

  • yield_control_case()
  • yield_test_case()

Three generators currently:

  • Preamble length (isotope)
  • Non-standard symbols in preamble (isotope)
  • Random payloads in message

SLIDE 33

Harnesses

Monitor the device under test to evaluate test case results

Manage device state in between tests

Three handlers currently:

  • Received Frame Check: listen for given frames via an RF interface
  • SSH Process Check: check whether processes on target crashed (beta)
  • Serial Check: watch for specific output via Arduino (beta)

SLIDE 34

Test Cases

Coordinate the generator, interface, and harness. Typically very lightweight.

Extend BaseCase to implement run_test(), or build upon others, e.g.:

Extend AlternatorCase to implement:

  • does_control_case_pass()
  • throw_test_case()

Alternates test cases with known-good control case to ensure interface is still up

SLIDE 35

TumbleRF Architecture: Demo Setup

Components in the demo setup diagram:

  • Test Case Generator
  • TX Interface (PHY or MAC)
  • Harness
  • Test Case Management
  • RX Interface
  • Command Line Interface
  • Results Logging
  • Comparison Logic

SLIDE 36

Example Generated Data: Preamble Length

Frame layout (figure): Preamble: 0x00 0x00 0x00 0x00 | SFD: 0xA7 | Length: 0xLL

Standard IEEE 802.15.4 preamble: 0x00000000
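As an added example that is not TumbleRF's own code, the following Python sketches the generator / case / harness split described on slides 32 to 34 for the preamble-length data shown above: the class and method names mirror those on the slides, but their bodies, the frame builder and the modelled chipset are assumptions constructed for illustration.

```python
# Added example, not TumbleRF's own code: the generator / case / harness split
# from the TumbleRF slides, written against assumed classes that only mirror
# the method names shown there. The device under test is a constructed model.
from typing import Callable, Iterator

SFD = 0xA7
STANDARD_PREAMBLE = bytes(4)            # 0x00000000 for IEEE 802.15.4

def build_frame(preamble_len: int, payload: bytes) -> bytes:
    """Preamble | SFD | Length | payload, per the 'Example Generated Data' slide."""
    return bytes(preamble_len) + bytes([SFD, len(payload)]) + payload

class Dot15d4PreambleLengthGenerator:
    """Generator contract from the slides: yield_control_case / yield_test_case."""
    def __init__(self, payload: bytes, max_len: int = 6):
        self.payload, self.max_len = payload, max_len
    def yield_control_case(self) -> bytes:
        return build_frame(len(STANDARD_PREAMBLE), self.payload)
    def yield_test_case(self) -> Iterator[bytes]:
        for n in range(self.max_len + 1):            # 0 .. max_len preamble bytes
            yield build_frame(n, self.payload)

class ControlCaseFailed(RuntimeError):
    """The known-good frame was not received: the interface or DUT is down."""

class AlternatorCase:
    """Alternates a known-good control case with every test case and tallies receptions."""
    def __init__(self, gen, tx_rx: Callable[[bytes], bool], trials: int = 5):
        self.gen, self.tx_rx, self.trials = gen, tx_rx, trials
    def does_control_case_pass(self) -> bool:
        return self.tx_rx(self.gen.yield_control_case())
    def throw_test_case(self, frame: bytes) -> bool:
        return self.tx_rx(frame)
    def run_test(self) -> list[tuple[int, int, int]]:
        """Returns (case number, valid, invalid) rows, like the Results Dump slide."""
        results = []
        for case_no, frame in enumerate(self.gen.yield_test_case()):
            if not self.does_control_case_pass():
                raise ControlCaseFailed(f"control case failed before case {case_no}")
            valid = sum(self.throw_test_case(frame) for _ in range(self.trials))
            results.append((case_no, valid, self.trials - valid))
        return results

def model_chipset(min_preamble_bytes: int) -> Callable[[bytes], bool]:
    """Constructed DUT: Received Frame Check passes only if >= min_preamble_bytes zero bytes precede the SFD."""
    def tx_rx(frame: bytes) -> bool:
        sfd_at = frame.find(bytes([SFD]))
        return sfd_at >= min_preamble_bytes and frame[:sfd_at] == bytes(sfd_at)
    return tx_rx
```

Running the same generator against two modelled chipsets with different preamble thresholds reproduces the per-case valid/invalid pattern the Results Dump slide shows for real radios.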

SLIDE 37

Example Generated Data: Preamble Length

Arbitrary PHY injection via modified gr-ieee802-15-4 (flowgraph figure; annotation: “bypassed”)

SLIDE 38

Demo

SLIDE 39

Results Dump

Test: preamble_length_apimote.json (using Dot15d4PreambleLengthGenerator)
Case 0: 0 valid, 50 invalid, example case: a70a230800ffff000007fba6
Case 1: 0 valid, 50 invalid, example case: 70aa308220f0ff0f0070d0eafa
Case 2: 45 valid, 5 invalid, example case: 00a70a230804ffff00000757b6
Case 3: 0 valid, 50 invalid, example case: 0070aa308260f0ff0f007010e0fb
Case 4: 50 valid, 0 invalid, example case: 0000a70a230808ffff000007a387
Case 5: 0 valid, 50 invalid, example case: 000070aa3082a0f0ff0f007050fff8
Case 6: 50 valid, 0 invalid, example case: 000000a70a23080cffff0000070f97
Case 7: 0 valid, 50 invalid, example case: 00000070aa3082e0f0ff0f007090f5f9
Case 8: 48 valid, 2 invalid, example case: 00000000a70a230810ffff0000074be4
Case 9: 0 valid, 50 invalid, example case: 0000000070aa308220f1ff0f0070d0c1fe

Test: preamble_length_cc2531.json (using Dot15d4PreambleLengthGenerator)
Case 0: 0 valid, 50 invalid, example case: a70a230800ffff000007fba6
Case 1: 0 valid, 50 invalid, example case: 70aa308220f0ff0f0070d0eafa
Case 2: 13 valid, 37 invalid, example case: 00a70a230804ffff00000757b6
Case 3: 0 valid, 50 invalid, example case: 0070aa308260f0ff0f007010e0fb
Case 4: 48 valid, 2 invalid, example case: 0000a70a230808ffff000007a387
Case 5: 0 valid, 50 invalid, example case: 000070aa3082a0f0ff0f007050fff8
Case 6: 50 valid, 0 invalid, example case: 000000a70a23080cffff0000070f97
Case 7: 0 valid, 50 invalid, example case: 00000070aa3082e0f0ff0f007090f5f9
Case 8: 49 valid, 1 invalid, example case: 00000000a70a230810ffff0000074be4
Case 9: 0 valid, 50 invalid, example case: 0000000070aa308220f1ff0f0070d0c1fe

Test: preamble_length_rzusbstick.json (using Dot15d4PreambleLengthGenerator)
Case 0: 0 valid, 50 invalid, example case: a70a230800ffff000007fba6
Case 1: 0 valid, 50 invalid, example case: 70aa308230f0ff0f007060a8fa
Case 2: 0 valid, 50 invalid, example case: 00a70a230805ffff0000077cb2
Case 3: 0 valid, 50 invalid, example case: 0070aa308270f0ff0f0070a0a2fb
Case 4: 0 valid, 50 invalid, example case: 0000a70a230809ffff0000078883
Case 5: 0 valid, 50 invalid, example case: 000070aa3082b0f0ff0f0070e0bdf8
Case 6: 37 valid, 13 invalid, example case: 000000a70a23080effff000007599f
Case 7: 0 valid, 50 invalid, example case: 00000070aa308200f1ff0f0070b044fe
Case 8: 41 valid, 9 invalid, example case: 00000000a70a230813ffff00000736e8
Case 9: 0 valid, 50 invalid, example case: 0000000070aa308250f1ff0f0070c00cff

SLIDE 40

Why Care?

Those results can allow for WIDS evasion and selective targeting.

SLIDE 41

Get Involved

Contribute something:

  • Generator for some cool new fuzzing idea you have
  • Harness to check the state of a device you care about testing
  • Interface to transmit with your favorite radio

Improve the code:

  • Written carefully to be extensible, but… things can use improvement
  • More dynamic plugin loading
  • Improve plugin CLI parameter registration
  • ...

SLIDE 42

Thank You

Troopers and ERNW Crew: Niki, Enno, Rachelle, et al.

River Loop Security

Ionic Security