Academics say they discovered 26 new vulnerabilities in the USB driver stack employed by operating systems such as Linux, MacOS, Windows, and FreeBSD.
The research team, made up by Hui Peng from Purdue University and Mathias Payer from the Swiss Federal Institute of Technology Lausanne, said all the bugs were discovered with a new tool they created, named USBFuzz.
The tool is what security experts call a fuzzer. Fuzzers are applications that let security researchers send large quantities of invalid, unexpected, or random data as inputs to other programs.
Security researchers then analyze how the tested software behaves to discover new bugs, some of which may be exploited in a malicious way.
Academics developed a new portable USB fuzzer
To test USB drivers, Peng and Payer developed USBFuzz, a new fuzzer specifically designed to test the USB driver stack of modern-day operating systems.
"At its core, USBFuzz uses a software-emulated USB device to provide random device data to drivers (when they perform IO operations)," the researchers said.
"As the emulated USB device works at the device level, porting it to other platforms is straight-forward."
This allowed the research team to test USBFuzz not only on Linux, where most fuzzer programs work, but also other operating systems. Researchers said they tested USBFuzz on:
- 9 recent versions of the Linux kernel: v4.14.81, v4.15,v4.16, v4.17, v4.18.19, v4.19, v4.19.1, v4.19.2, and v4.20-rc2 (the latest version at the time of evaluation)
- FreeBSD 12 (the latest release)
- MacOS 10.15 Catalina (the latest release)
- Windows (both version 8 and 10, with most recent security updates installed)
Research team finds 26 new bugs
Following their tests, the research team said that with the help of USBFuzz, they discovered a total of 26 new bugs.
Researchers found one bug in FreeBSD, three in MacOS (two resulting in an unplanned reboot and one freezing the system), and four in Windows 8 and Windows 10 (resulting in Blue Screens of Death).
However, the vast majority of bugs, and the most severe, were found in Linux -- 18 in total.
Sixteen were memory bugs of high-security impact in various Linux subsystems (USB core, USB sound, and net-work), one bug resided in the Linux USB host controller driver, and the last in a USB camera driver.
Peng and Payer said they reported these bugs to the Linux kernel team, along with proposed patches to reduce "the burden on the kernel developers when fixing the reported vulnerabilities."
Of the 18 Linux bugs, the research team said 11 received a patch since their initial reports last year. Ten of these 11 bugs also received a CVE, a unique code that's assigned to major security flaws.
Other patches are also expected in the near future for the seven remaining issues.
"The remaining bugs fall into two classes: those still under embargo/being disclosed and those that were concurrently found and reported by other researchers," researchers said.
USBFuzz to be open-sourced
Payer published yesterday a draft of the research team's white paper describing their work on USBFuzz. Peng and Payer plan to present their research at the Usenix Security Symposium virtual security conference, scheduled for August 2020.
Similar work has been carried out in the past. A Google security engineer used a Google-made fuzzer named syzkaller to discover 79 bugs impacting Linux kernel USB drivers in November 2017.
Peng and Payer said that USBFuzz is superior to previous tools like vUSBf, syzkaller, and usb-fuzzer because their tool grants testers more control over the test data and is also portable across operating systems, unlike all the above, which usually work only on *NIX systems.
USBFuzz is scheduled to be released on GitHub as an open source project following Peng and Payer's Usenix talk. The repo will be available here.