Exploiting Buffer Overruns in Software Defined Radio · 2018-09-12 · Software Defined Radio FPGA...

Page 1: Title

Exploiting Buffer Overruns in Software Defined Radio

Principal Investigator: Michael Fowler
www.hume.vt.edu

Page 2: Motivation

11/18/2016 GRCon'16 2

• Increasing proliferation of Software Defined Radios (SDRs)

• Allows for quick prototyping, testing, and deployment of reconfigurable communication systems

• Software implementation creates a new attack vector, exposing the radio itself to cyber-security attacks

[Figure: Software Defined Radio: RF front end → FPGA demodulation → host software; Hardware Radio: RF front end → ASIC. Caption: Software implementation possibly vulnerable to attacks]

Page 3: Project Goals

1. Find vulnerabilities in software radio waveforms

   • MAC/PHY layers

   • Not necessarily detected through traditional cyber-security techniques

2. Demonstrate over-the-air attacks against software vulnerabilities

   • Buffer overflow

3. Exploit the OS

Page 4: Buffer Overflows

[Figure: stack frame layout, higher addresses at the top: Previous Stack Frames, Arguments, Return Address, Saved Base Pointer (EBP), Local char * Buffer (ESP). The stack grows toward lower addresses; a write into the buffer proceeds toward higher addresses, i.e. toward the saved base pointer and return address]

• Buffer Overflows

   • Common type of vulnerability caused by fixed-size memory buffers

   • The process writes to memory outside of the allocated buffer

• Stack Buffer Overflows

   • The stack contains local variables, the return address, and saved base pointers

   • A buffer overflow on the stack overwrites the return address

   • Could allow arbitrary code execution or a memory fault

Page 5: Shell Code Injection

• A buffer overflow on the stack can allow the return address of the current function to be changed.

• This allows possible remote code injection and execution:

1. Executable shell code is written to original buffer

2. Rest of buffer/stack is overwritten with NOP sled.

3. New return address is injected pointing to memory on the sled.

Page 6: Example Buffer Overflow in Waveform

• The MAC layer framing protocol uses header/trailer sequences with a variable payload length (shown below)

• Assumption: received frames will never exceed the size of the Maximum Transmission Unit (MTU).

• Improper checking of the received length field allows the payload to overflow the MTU-sized buffer

• The overflow results in memory corruption and a possible crash (persistent jamming)

[Figure: two frames laid over a buffer of MTU size, write direction left to right. Normal frame: Header | Length | Checksum | Data | Trailer, with the payload at most the maximum length for the payload, so it fits the buffer. Attack frame: Header | Length (Max) | Random Data, with the attack length exceeding the maximum payload length, so the write overflows the buffer contents into the adjacent local/class variables (causes overflow)]
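As an added example (not code from the slides or from any SDR project), here is a bounds-checked receiver in C for the header/length/checksum/data/trailer framing this slide describes, with the length-versus-MTU check whose absence produces the stack/buffer overflow of slides 4 and 6. The byte layout, the MTU value and the XOR checksum are assumptions made for the demo.

```c
/* Added example, not from the slides: a bounds-checked receiver for the
 * header/length/checksum/data/trailer framing of slide 6. Byte layout,
 * MTU value and the XOR checksum are assumptions made for this demo. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MTU 64          /* assumed maximum payload size (bytes)               */
#define OVERHEAD 6      /* header(2) + length(2) + checksum(1) + trailer(1)   */
#define DATA_OFF 5      /* payload begins right after the checksum            */

enum parse_result { FRAME_OK = 0, FRAME_TRUNCATED, FRAME_BAD_HEADER,
                    FRAME_TOO_LONG, FRAME_BAD_CHECKSUM, FRAME_BAD_TRAILER };
struct frame { uint8_t payload[MTU]; size_t payload_len; };

static uint8_t xor_checksum(const uint8_t *p, size_t n) {
    uint8_t c = 0;
    for (size_t i = 0; i < n; i++) c ^= p[i];
    return c;
}

/* Sender side, used here only to construct test input. */
size_t build_frame(uint8_t *buf, size_t buf_len, const uint8_t *data, size_t len) {
    if (len > 0xFFFF || buf_len < OVERHEAD + len) return 0;
    buf[0] = 0xA5; buf[1] = 0x5A;                      /* header marker  */
    buf[2] = (uint8_t)(len >> 8); buf[3] = (uint8_t)len;
    buf[4] = xor_checksum(data, len);
    memcpy(buf + DATA_OFF, data, len);
    buf[DATA_OFF + len] = 0xFF;                        /* trailer marker */
    return OVERHEAD + len;
}

/* The vulnerable receiver trusted the length field and copied `len` bytes
 * into payload[MTU], overwriting adjacent local/class variables when
 * len > MTU. Here len is checked against MTU and the bytes actually received. */
enum parse_result parse_frame(const uint8_t *buf, size_t buf_len, struct frame *out) {
    if (buf_len < OVERHEAD) return FRAME_TRUNCATED;
    if (buf[0] != 0xA5 || buf[1] != 0x5A) return FRAME_BAD_HEADER;
    size_t len = ((size_t)buf[2] << 8) | buf[3];
    if (len > MTU) return FRAME_TOO_LONG;             /* the missing check */
    if (buf_len < OVERHEAD + len) return FRAME_TRUNCATED;
    const uint8_t *data = buf + DATA_OFF;
    if (xor_checksum(data, len) != buf[4]) return FRAME_BAD_CHECKSUM;
    if (data[len] != 0xFF) return FRAME_BAD_TRAILER;
    memcpy(out->payload, data, len);
    out->payload_len = len;
    return FRAME_OK;
}
```

A frame whose length field exceeds MTU is rejected before any copy, so the frame described on this slide produces a dropped packet rather than memory corruption.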

Page 7: Kernel Exploit From a Waveform

• Exploit the underlying operating system through a buffer overflow in the waveform

• Barriers – defenses in desktop operating systems (Linux/Windows/macOS) attempt to protect against overflows

   • NX Bit/Executable Space Protection – a hardware feature, managed by software, that prevents execution from specific sections of memory (mainly the data segment, stack and heap)

   • Address Space Layout Randomization (ASLR) – the kernel loads system executables at random memory locations

• Real-time and embedded operating systems may not have the same protections.

[Figure: an attacker SDR transmits to the RF front end of the target radio; its host runs the waveform on standard libraries on top of the Linux kernel]

Page 8: Research Goals

• Exploit the underlying operating system of a software radio system through a vulnerability in the waveform.

• Consider both Linux and embedded/real-time systems (OpenWrt, FreeRTOS, etc.)

• Search for buffer overflows in open-source SDRs

• Demonstrate exploits of found vulnerabilities

• Patch found vulnerabilities

[Figure: roadmap: SDR Vulnerability Proof-of-Concept → Demonstrate Real World Vulnerabilities → Secure Software Defined Radio Architectures]

Page 9: Project Risk Assessment

[Figure: 5x5 risk matrix, Severity (vertical, 1-5) against Likelihood (horizontal, 1-5); risk 2 is plotted in the severity-4 row and risk 1 in the severity-3 row]

Risk  Description
1     Limited ability to exploit the kernel of the operating system.
2     Unable to discover vulnerabilities “in-the-wild” that can be exploited wirelessly.

Page 10: Project Deliverables

• Documentation and Demonstration of any discovered vulnerabilities in open source SDR frameworks.

• Final report documenting the work undertaken

Page 11:

Questions?