Star 0


This talk is about coverage-guided fuzzing of Linux kernel USB drivers looking for vulnerabilities, that can be exploited externally by a malicious USB device.

USB is one of the most common interfaces supported on modern computers and it exposes a large attack surface for external malicious devices. This includes electrical attacks, attacks on the USB host controller firmware, attacks on the OS kernel USB drivers or BadUSB-style attacks via a malicious keyboard or an Ethernet adapter. One of the ways to find security vulnerabilities in the OS kernel USB drivers is fuzzing. The existing approaches include using specialized hardware (e.g. the FaceDancer boards) plugged into a physical machine or using QEMU to emulate USB devices from the host system to the guest system.

This talk covers another approach to Linux kernel USB drivers fuzzing, that is based on the Linux USB Gadget subsystem. Fuzzing is done by emulating USB devices from user space, as if they would be plugged into a Linux machine externally. This approach doesn't require any external entities such as QEMU or specialized hardware and allows distributed fuzzing within VMs or on physical devices. Our implementation works as an extension to the state of the art Linux kernel fuzzer syzkaller. We use syzkaller template language for USB protocol descriptions and syzkaller fuzzing infrastructure to manage VMs and collect crashes. Our fuzzing extension collects coverage from the Linux USB subsystem, and that allows to perform coverage guided fuzzing, which significantly increases fuzzing efficiency.

Even though Linux is the main focus of this research, we'll show a way to apply the results to fuzzing other OSes. By taking advantage of the Linux USB Gadget subsystem it's possible to execute fuzzing test cases generated by syzkaller with a 5$ Raspberry Pi Zero connected externally to an arbitrary USB port.