Exploiting Buffer Overruns in Software Defined Radio · 2018-09-12 · Software Defined Radio FPGA...
Exploiting Buffer Overruns in Software Defined Radio
Principal Investigator: Michael Fowler
Motivation
11/18/2016 GRCon'16 2
• Increasing proliferation of Software Defined Radios (SDRs)
• Allows for quick prototyping, testing, and deployment of reconfigurable communication systems
• Software implementation creates a new attack vector, exposing the radio to cyber-security attacks
[Diagram: a software defined radio (RF front end → FPGA → demodulation → host) alongside a hardware radio (RF front end → ASIC). Caption: Software implementation possibly vulnerable to attacks.]
Project Goals
1. Find vulnerabilities in software radio waveforms
• MAC/PHY layers
• Not necessarily detected through traditional cyber-security techniques.
2. Demonstrate over-the-air attacks against software vulnerabilities.
• Buffer overflow
3. Exploit the OS
Buffer Overflows
[Diagram: x86 stack frame, higher addresses at the top: previous stack frames, arguments, return address, saved base pointer (EBP), local variables including char *Buffer (ESP). The stack grows toward lower addresses, while a write into Buffer runs toward higher addresses, i.e. toward the saved base pointer and the return address.]
• Buffer Overflows
• Common type of vulnerability caused by fixed-size memory buffers
• Process writes to memory outside of the allocated buffer
• Stack Buffer Overflows
• Stack structure contains local variables, return address, and base pointers.
• Buffer overflow on the stack overwrites return address
• Could allow for arbitrary code execution or memory fault
Shell Code Injection
• A buffer overflow on the stack can allow the return address of the current function to be changed.
• Allows possible code injection and execution remotely:
1. Executable shell code is written to the original buffer
2. The rest of the buffer/stack is overwritten with a NOP sled.
3. A new return address is injected pointing to memory on the sled.
Example Buffer Overflow in Waveform
• MAC layer framing protocol uses header/trailer sequences with a variable payload length (shown below)
• Assumption: Received frames will never exceed the size of the Maximum Transmission Unit (MTU).
• Improper length checking allows overflow
• Overflow results in memory corruption and possible crash (persistent jamming)
[Diagram: receive buffer sized to the MTU, followed in memory by local/class variables; the write direction runs from the buffer toward those variables, and an oversized frame overflows into them.
Normal frame: Header | Length | Checksum | Data | Trailer, with Data up to the maximum payload length.
Attack frame: Header | Length (Max) | Random Data, where the attack length exceeds the maximum payload length and causes the overflow.]
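Added example (not part of the talk): a receive-path parser in C for a constructed Header | Length | Checksum | Data | Trailer frame that performs the length check the slide says was missing, rejecting a frame whose advertised length exceeds the MTU-sized buffer or the bytes actually received. Field widths, the magic bytes 0xA5 0x5A and 0x7E, the XOR checksum and the 64-byte MTU are all assumptions.

```c
#include <stdint.h>
#include <string.h>
/* Constructed frame format modelled on slide 6: Header | Length | Checksum | Data | Trailer.
 * Field widths, magic bytes and the XOR checksum are assumptions, not the talk's waveform. */
#define MAX_PAYLOAD 64u   /* the "MTU": capacity of the fixed receive buffer */
#define HDR_LEN     5u    /* 2 header bytes + 2 length bytes + 1 checksum byte */
#define TRAILER     0x7E

enum parse_status { FRAME_OK = 0, FRAME_TOO_SHORT, FRAME_BAD_HEADER, FRAME_LEN_EXCEEDS_MTU,
                    FRAME_TRUNCATED, FRAME_BAD_CHECKSUM, FRAME_BAD_TRAILER };

struct rx_frame {
    uint8_t payload[MAX_PAYLOAD];  /* fixed-size buffer an overrun would spill past */
    size_t  len;                   /* neighbouring state the overrun would corrupt */
};

/* The flawed parser on the slide copied `len` bytes into payload[] trusting the
 * attacker-controlled length field. This one bounds the field against the buffer and
 * against the bytes actually received before a single byte is copied. */
enum parse_status parse_frame(const uint8_t *raw, size_t raw_len, struct rx_frame *out)
{
    if (raw_len < HDR_LEN + 1) return FRAME_TOO_SHORT;
    if (raw[0] != 0xA5 || raw[1] != 0x5A) return FRAME_BAD_HEADER;
    size_t len = ((size_t)raw[2] << 8) | raw[3];
    if (len > MAX_PAYLOAD) return FRAME_LEN_EXCEEDS_MTU;      /* the check that was missing */
    if (raw_len < HDR_LEN + len + 1) return FRAME_TRUNCATED;  /* claimed vs. received bytes */
    uint8_t sum = 0;
    for (size_t i = 0; i < len; i++) sum ^= raw[HDR_LEN + i];
    if (sum != raw[4]) return FRAME_BAD_CHECKSUM;
    if (raw[HDR_LEN + len] != TRAILER) return FRAME_BAD_TRAILER;
    memcpy(out->payload, raw + HDR_LEN, len);                 /* provably in bounds now */
    out->len = len;
    return FRAME_OK;
}

/* Test driver: builds a frame carrying `actual` bytes of 0x41 filler (capped at the MTU)
 * but advertising `claimed` in the length field, then hands it to the parser. */
enum parse_status receive_frame(uint16_t claimed, size_t actual)
{
    uint8_t raw[HDR_LEN + MAX_PAYLOAD + 1], sum = 0;
    struct rx_frame f;
    if (actual > MAX_PAYLOAD) actual = MAX_PAYLOAD;
    raw[0] = 0xA5; raw[1] = 0x5A;
    raw[2] = (uint8_t)(claimed >> 8); raw[3] = (uint8_t)claimed;
    for (size_t i = 0; i < actual; i++) { raw[HDR_LEN + i] = 0x41; sum ^= 0x41; }
    raw[4] = sum;
    raw[HDR_LEN + actual] = TRAILER;
    return parse_frame(raw, HDR_LEN + actual + 1, &f);
}
```

A frame that fills the buffer exactly (claimed 64, actual 64) parses, while the slide's attack frame (claimed length above the maximum, or 0xFFFF) is refused before any copy takes place.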
Kernel Exploit From a Waveform
• Exploit the underlying operating system through a buffer overflow exploit
• Barriers – Defenses in desktop operating systems (Linux/Windows/macOS) attempt to protect against overflows
• NX Bit/Executable Space Protection – Software-managed hardware feature that prevents execution from specific sections of memory (mainly the data segment/stack/heap)
• Address Space Layout Randomization (ASLR) – Kernel loads system executables to random memory locations
• Real-time and embedded operating systems may not have the same protections.
[Diagram: attacker SDR transmitting to the target's RF front end; on the host, the waveform runs above the standard libraries and the Linux kernel.]
Research Goals
• Exploit the underlying operating system of a software radio system through a vulnerability in the waveform.
• Consider both Linux and embedded/real-time systems (OpenWrt, FreeRTOS, etc.)
• Search for buffer overflows in open-source SDRs
• Demonstrate exploits of found vulnerabilities
• Patch found vulnerabilities
[Roadmap: SDR vulnerability proof-of-concept → demonstrate real-world vulnerabilities → secure software defined radio architectures]
Project Risk Assessment
[Risk matrix: severity (1 to 5) against likelihood (1 to 5). Risk 2 is plotted at severity 4 and risk 1 at severity 3.]
Risk | Description
1 | Limited ability to exploit the kernel of the operating system.
2 | Unable to discover vulnerabilities “in-the-wild” that can be exploited wirelessly
Project Deliverables
• Documentation and Demonstration of any discovered vulnerabilities in open source SDR frameworks.
• Final report documenting the work undertaken
Questions?