USB driver stacks are components that help computers communicate with external devices via the Universal Serial Bus (USB) connection. USB connections – used with devices like external hard drives, keyboards, mice, or cameras – can open up computers to attack if their operating systems contain vulnerabilities.
To help detect such vulnerabilities, EPFL researchers developed a software security tool called a fuzzer, which allows them to test a computer’s ability to thwart an attack by emulating a USB device. The tool, called USBFuzz, delivers bits of random data to a target computer before autonomously observing how well the computer’s software handles the unexpected inputs.
The work was carried out by Mathias Payer, head of the HexHive lab in the School of Computer and Communication Sciences (IC), and HexHive researcher Hui Peng, currently a PhD student at Purdue University.
“Fuzzing is an established approach to test software systems. USBFuzz now extends this approach to testing external peripherals across the software-hardware barrier,” Payer explains. “Peripherals are notoriously hard to test, and USBFuzz provides an automated approach to doing so.”
Solutions already underway
Using this approach, Payer and Peng have already identified 26 new vulnerabilities that could potentially be exploited by malicious actors. Sixteen of these were new, high security-impact memory bugs found in Linux operating systems that had already been subjected to extensive fuzzing tests. Three vulnerabilities were found in the macOS operating system, four in Windows, and one in FreeBSD.
“The discovery of bugs in FreeBSD, Windows, and macOS highlights the power of our cross-pollination efforts and demonstrates the portability of USBFuzz,” the researchers noted in a paper to be presented at the Usenix Security Symposium in August, 2020.
In addition to identifying the vulnerabilities, Payer and Peng have developed software solutions, or patches. The researchers say they are currently working with the security teams of Linux, Android, Microsoft, and Apple to report and fix the discovered vulnerabilities. Thus far, 11 of the new memory bugs have already been resolved.
“We are deeply impressed with the responsiveness and openness of the Linux kernel security community. Our bug reports were well received, and we worked with them to develop patches for the individual drivers,” Payer says.