27.1.2009 18-00

possible backup topic?
    ssh statistical timing attack
    OS fingerprinting with USB token

how to defend against our attack?
    ask user before modprobe
    disable always during screensaver
    rm drivers that are not used
    fix the drivers
    develop future drivers with better tools
    automated fuzzing?

what should be learned to accomplish our attack?
    setting up dummy_hcd
    gadgetfs userland programming
    kernel debugging in virtual machine
    atmel AVR (usb) programming
    extra: coccinelle semantic patches?
    extra: write usb pretty printer, would benefit reverse-engineering too

presentation
    extra: include video or live demonstration?

22:48:49 <@lindi-> int length = urb->actual_length;
22:48:49 <@lindi-> ...
22:49:00 <@lindi-> memcpy (stv680->scratch[stv680->scratch_next].data, (unsigned char *) urb->transfer_buffer, length);
22:50:03 <@lindi-> where stv680->scratch[i].data = kmalloc (stv680->rawbufsize, GFP_KERNEL);
22:50:15 <@lindi-> and stv680->rawbufsize = bufsize; /* must be ./. by 8 */
22:50:32 <@lindi-> and ... bufsize = (buffer[0] << 24) | (buffer[1] << 16) | (buffer[2] << 8) | (buffer[3]);

Kmalloc Internals: Exploring Linux Kernel Memory Allocation -- http://jikos.jikos.cz/Kmalloc_Internals.html

29.1.2009 16-23

<@lindi-> Bus 001 Device 004: ID 0553:0202 STMicroelectronics Imaging Division (VLSI Vision) Aiptek PenCam 1
<@lindi-> tazle: as long as there is CONFIG_USB_GADGETFS=m and CONFIG_USB_GADGET_DUMMY_HCD=y CONFIG_USB_DUMMY_HCD=m

30.1.2009

<@tazle> found an AT91SAM7S-EK at work

2.2.2009

Linux-USB Gadget API -- http://it.linux-usb.org/gadget/
8-bit AVR Microcontroller with 64/128K bytes of ISP Flash and USB Controller AT90USB1287 -- http://www.atmel.com/dyn/Products/product_card.asp?part_id=3875 -- http://www.atmel.com/dyn/resources/prod_documents/doc7593.pdf
Coccinelle: Semantic Patches for Collateral Evolutions -- http://www.emn.fr/x-info/coccinelle/

linux-2.6.28/drivers/media/video/stv680.c

32-bit kernel 2.6.28 in qemu for gdb support
    make -j3 EXTRAVERSION=usbroot V=1
    make modules_install INSTALL_MOD_PATH=staging
    mkinitramfs -o initrd.img-2.6.28usbroot 2.6.28usbroot

<@lindi-> tazle: I think I'll run a 64-bit kvm on a 64-bit OS and a 32-bit qemu inside it
<@lindi-> tazle: I'm hoping that inner qemu can get access to kvm's usb devices
<@lindi-> tazle: then I can run gdb on another 32-bit machine

sudo mount -t usbfs -o devuid=$UID usbfs /proc/bus/usb

10.2.

Linux Kernel Debugging -- http://www.denx.de/wiki/DULG/DebuggingLinuxKernel

11.2.

found bug in dummy_hcd: it will "goto restart" infinitely if giveback_urb happens to add stuff to the list that causes another giveback_urb. Also NO_HZ might cause problems.
findendpoint failed since we did not define the video data endpoint.
crash also windows with RNDIS

usb widely used serial bus
linux usb drivers typically reverse-engineered, low quality
qemu, gdb
dummy_hcd
gadgetfs
usbfs
libusb

stv680_start_stream sets streaming=1 but can fail allocation after that; it uses kfree and sets the pointer to NULL
stv680_stop_stream uses kfree but does not set stv680->sbuf[i].data to NULL

Qemu gadgetfs needs to use asynchronous IO
    http://docs.openmoko.org/trac/ticket//1103
unplugging with gadgetfs causes panic: "softlockup: blocked tasks"
    https://docs.openmoko.org/trac/ticket/2232
ep_io does wait_event, which does schedule; changing to an interruptible wait does not work. just hitting ctrl-c twice causes a reboot
report dummy_hcd bug; removed goto