Speaker Name: Binyamin Sharet
Title: Fuzzing USB Hosts with UMAP2
UMAP2 is the 2nd revision of UMAP, a USB host security assessment tool. UMAP2 is partially based on the Facedancer (HW and SW) by Travis Goodspeed and UMAP by Andy Davis from NCC Group. UMAP2 was developed by Cisco STARE and NCC Group, and all source code is released as an open source project in Github ((https://github.com/nccgroup/
When the Facedancer came out, it provided an easy, low-cost open-source and accessible way to emulate a USB device from a PC, and allowed research of USB host behavior and communication. Built on top of it, UMAP provided a way not only to emulate a USB device, but to perform tests, detect supported devices on the host and detect the underlying OS of the host. However, there are a few shortcomings for the Facedancer/UMAP combination:
Hardware-wise, it requires a designated HW (the Facedancer device), the communication is very slow and the USB controller only supports a small number of endpoints.
Software-wise, it is hard to extend, modify and fix the tool, the test cases are specific, limited and mixed with the valid emulation, and it is bound to the Facedancer.
UMAP2 addresses all those issues:
- It supports GadgetFS, allowing high-speed communication, usage of different HW platforms and emulation/fuzzing of more complex USB devices.
- It uses an external fuzzing engine (Kitty) which provides more complex test cases, and decouples the test logic from the emulation code.
- It is installed as a Framework, allowing easy implementation and extension of the functionality.
What should you bring (if you can)
- Laptop (Linux/OSX preferred, but windows is OK) with pip (python 2.7) installed
- Facedancer / Beaglebone black/green board
- USB mini cables
- FTDI cables (if you use BeagleBone)
- Some target (USB host) to test
We will be able to provide a limited amount of Facedancer/BeagleBone boards for the workshop.
About the Speaker
I am a security researcher in Cisco’s STARE center in Haifa, performing black-box evaluation of internal and 3rd party embedded devices. A few months ago we released Kitty – an open-source fuzzing framework that is designed to be flexible enough for building fuzzers for embedded devices and weird protocols/communication channels.