 제 이름은 종혁 송. 이 토크의 첫 번째와 두번째 토크입니다. 사실 첫 번째와 두번째 토크는 지금 CTF를 연구하고 있습니다. 그래서, 첫, 두번째, 두번째 토크는 저에게만 원하실 수 있습니다. 아무튼 오늘의 타이틀은 U.S.V. Fudging, U.S.V. In vehicles to discover the real-world vulnerabilities. 이 토크는 U.S.V. Fudging을 연구하고 있습니다. U.S.V. Fudging을 연구하고 있습니다. 오늘의 타이틀은 저에게만 원하실 수 있습니다. 첫 번째, 제 팀을 연구하고 있습니다. 사실 저희는 레드팀 멤버들입니다. 그리고 우리는 오픈시브 시클리티 리셀터와 아우터크립트입니다. 아우터크립트는 모빌리티 시클리티 기업입니다. 특별히 오토모드 시클리티에 포함되어 있습니다. 그래서 저에게 Fudging, U.S.V. Fudging, U.S.V. Fudging, U.S.V. Fudging을 연구하고 있습니다. 저희는 실제 기업을 연구하고 있습니다. 물론 우리는 U.S.V. Fudging을 연구하고 있습니다. 그래서 어떻게 U.S.V. Fudging을 연구하고 있습니다. 그리고 또 제가 연구하고 있습니다. 그리고 어떻게 연구하고 있습니다. 그래서 우리는 오토모드 시클리티에서 U.S.V. Fudging을 연구하고 있습니다. 3개의 U.S.V. Fudging를 연구하고 있습니다. 첫 번째, 블랙박스 Fudging입니다. OEM은 전체적인 기업을 연구하고 있습니다. 왜냐면 기업의 기업은 전체적인 기업을 연구하고 있습니다. 그래서 우리의 기업을 연구하고 있습니다. 그래서 우리는 Fudging에 의해 안전을 한 수 없게 하는 기업을 연구하고 있습니다. 그리고 우리의 기업은 전체적인 기업을 연구하고 있습니다. 그래서 이 기업을 연구하고 있습니다. 그 이유는 이 기업이 없을 거라고 합니다. 그래서 우리의 기업을 연구하고 있습니다. 이 기업을 연구하고 있습니다. 이 기업을 연구하고 있습니다. 그래서 우리의 기업을 연구하고 있습니다. 두 번째, U.S.V. Fudging은 전체적인 기업을 연구하고 있습니다. U.S.V. Fudging은 전체적인 기업을 연구하고 있습니다. 이 기업은 전체적인 기업을 연구하고 있습니다. 그래서 이 기업은 전체적인 기업을 연구하고 있습니다. 첫 번째, 폰트는 너무 작아졌어요. 첫 번째, 테스터로 말폰드 미디어 파일을 제거합니다. 두 번째, 테스터로 말폰드 파일을 연구하고 있습니다. 세 번째, 테스터로 말폰드 미디어 파일을 연구하고 있습니다. 이 U.S.V. 파일을 연구하고 있습니다. 가장 많은 미디어 파일을 연구하고 있습니다. U.S.V. Fudging은 전체적인 기업을 연구하고 있습니다. 세 번째, 미디어 파일을 연구하고 있습니다. 미디어 파일은 전체적인 기업을 연구하고 있습니다. 테스터로 말폰드 미디어 파일을 연구하고 있습니다. 모든 파일을 연구하고 있습니다. 테스터로 다시 다시 다시 말폰드 미디어 파일을 연구하고 있습니다. 가장 많은 미디어 파일은 전체적인 기업을 연구하고 있습니다. 이 기업은 전체적인 기업을 연구하고 있습니다. 미디어 파일은 전체적인 기업을 연구하고 있습니다. 전체적인 기업은 전체적인 기업을 연구하고 있습니다. 미디어 파일은 전체적인 기업을 연구하고 있습니다. 보통 10분이나 5분을 연구하고 있습니다. 테스터로 다시 다시 말폰드 미디어 파일을 연구하고 있습니다. 이 기업은 전체적인 기업을 연구하고 있습니다. 다른 것이 더 중요합니다. 이 기업은 전체적인 기업을 연구하고 있습니다. 테스터로 연구하고 있습니다. 테스터로. 오케이. 자, 다시 정보해 주자. 첫 번째, Each step requires many, many approach to testers. There are many steps in the test procedure. Testers should generate files, copy files and insert a stick and insert sticks. And every test site, testers should repeat that action again and again. It's very burden to testers. Second, There is a limit number of files that can be tested at the time. This is the main reason that testers should repeat these steps several times. Each media player in the car has the maximum number of files that can be played at the time. Even if you can put millions of files into a USB stick, the media player only takes the hundreds or thousands of files and plays only them. So, when all files on the USB sticks are played, the tester must generate new files again and put them into USB stick again and insert it into the car again. So, as you know, it's a forging test. So we need to test as many files as possible to find vulnerabilities. So testers should repeat those actions several times to test enough files. And third, To detect failures by forging, testers must keep an eye on the car while it's being paused. So testers usually in these tests, testers use media file forger. It's not connected to the car. It just generates map from the files in the PC. So forger cannot detect the failures caused by forging. Therefore, testers should observe the media player while forging is performed. As you know, as I said before, to find vulnerability, testers should test a large number of files. It means that he stay and watch the media player for a long time in the car. It's not that good. First, it's application forging. This method cannot do corner forging. So it's obvious because it's media player forging. But testing only media player is not enough to check all USB attacks. So in this talk, we suggested new automatic USB forging method which is practical and effective. We tried to remove the current limitations that I mentioned just before. So what's the requirements of the new forging method? First, forger should transmit malicious files to the car directly. Second, forger should monitor the car to detect failures caused by forging. So forger should be able to test the corner area. Therefore, in this talk, I would like to introduce automatic USB forging method that satisfies these three requirements. Actually, I'll explain later. Second requirement is difficult to completely satisfy. In some cases, we cannot satisfy the second requirement yet. Because it's black box forging, we cannot monitor the inside of the car. But we tried to suggest the best ways to detect failures in black box forging. So main contribution of the talk is that we did not develop new forging techniques. They are already great USB research. And we show how to apply them to forging cars. And finally, we found some vulnerabilities in several cars. I'm going to show how to do that. So how do we solve the challenges? So first, let's connect forger to the car directly by a USB cable. If forging is possible in this way, forging process becomes very simple. There are only two steps, connect forger and car, and just start forging. If it's possible, forger can automatically transmit my phone files to the car, and forger can monitor the car to detect failures. It means that testers don't have to move the files and don't have to monitor the car during forging. So let's talk about the advantage first. First, it reduces the workload of testers by removing the test steps. Because in the previous method, it requires five steps, and more of the steps should be repeated several times to be tested in a number of files. But if forger can transmit the file to the car by itself, forging process becomes very simple. Second, in this test, forger can detect your failures, so tester doesn't need to monitor all the time. And third, forger can automatically generate my phone files and send them to the car. I don't know why it's moved to the next page. Sorry. Sorry, sorry. Forger automatically generates my phone files and send them to the car. So forging can continue without human interaction. And now we can do corner forging. So how can we do these things? Because of these two things, we can do that. First is Linux USB Gadget. We need to make the car recognize our device as a USB storage. To do that, we need to use Linux USB Gadget. Linux USB Gadget makes a Linux system appears to be a USB device to a host. So it's kind of a way to emulate the storage device. As I know, it's only available in Linux. So we need to prepare Linux device. So in our test, we use Raspberry Pi. So it means that we emulate the USB storage using the Raspberry Pi. So car recognizes a specific folder in the Raspberry Pi as a USB storage. So if we put some files in the folder, the media player will get the files and play them. Second thing is the USB Low Gadget. We also use USB Low Gadget for corner forging. It's a Linux corner module that implements a low-level interface for the Linux USB Gadget subsystem. Using the Low Gadget, USB Low Gadget, we can transmit arbitrary USB requests to the USB host. CISCOLOR already supports the USB forging using this Low Gadget. So we can just use the CISCOLOR to forge USB corner stacks in the car. So we use these two things to conduct USB forging to the real cars. So let's summarize. To USB Gadget mode and Low Gadget, we need a Linux device. In this research, we use the Raspberry Pi 4. And then connect the Raspberry Pi to the car by a USB cable. To transmit data, you should use a USB cable that supports data transmission. Some USB cables only support charging. The kinds of USB cables cannot be used in this forging. And we set up Raspberry Pi for USB forging. To do media player forging, we emulate Raspberry Pi as a USB storage using USB Gadget. And to do corner forging, we use Low Gadget. First, I'm going to tell you about how to do media player forging. This figure shows the overview. All these processes are automatically done by Fuzzer without human interaction, except the start command. First, we need to set up Raspberry Pi as a USB gadget. And second, the Fuzzer generates malformed media files into the folder. And third, Fuzzer mounts the folder as a USB storage. Then fourth, if the folder is mounted, then media player automatically recognizes it. Then media player gets all files in the folder and play them. During the files are playing, Fuzzer monitors Raspberry Pi's corner log, which is the message row for detecting failures caused by fuzzing. After all files are played, Fuzzer mounts the folder and removes all files in the folder, and go back to the step 2 and repeat the step. This is how to do USB fuzzing by directly connecting the fuzzer and the car. We can do this without the USB stick and without the human interaction. So the whole process can be done without the human interaction. So this is the initial setup for USB gadget mode. We do this first step in the previous slide. Because of time limit, I can explain the details in each line. But if you want more, you can find the details on the internet. There are already many good articles, papers explaining how to make a Raspberry Pi USB storage. And let's talk about how to generate malformed media files. To generate the media files, we collect normal media files to use them as seed files. Then we manipulate the seed files using bit flipping techniques. We just randomly choose 1% of bits of the seed files and flip the selected bits. That's all. It's very simple. Actually, you know there are already several file fuzzers. But in our tests, in our experience, they are not very useful to the media player in the car. We cannot figure out why. We cannot figure out the exact reason. But we just guess that most existing file fuzzers. The existing file fuzzer mutates the file signature part. It means that if file signature is mutated, the media player does not play the file. Most media players do not play the files which have incorrect file signature. So when we generate malformed files, we do not mutate the file signature part. That is our first tip in the car fuzzing. Fuzzing automatic media players. Next tip is if the file content is mutated too much, some media players don't play the media file also. Even if the media file has correct file signature. So this is why we just mutate only 1% of the file. I cannot say the 1% is the magic value for all cars, all cases. But maybe each car has different media players, so you should find your values. And there's one more. Each automotive media player supports different media file types. So before you generate malformed media files, you should check the supported file types and generate only those files. Because the media players will only play the files that they support. So you don't need to generate files that are not supported by the media player. Usually media players support many file types. It's just some example of them. Now let's talk about how to detect failures. To detect failures caused by fuzzing, as you can see our fuzzer monitor kernel log which is dmessage. But I think you probably noticed that it is not perfect to detect failures. Because Raspberry Pi dmessage log cannot show the exact state of the target media player or exact state of the car. It's just Raspberry Pi's kernel log. But you know this is black box fuzzing. The only thing we can use is Raspberry Pi dmessage log. That is currently our best option. So we have to identify the target state by only using this log. So let me explain more detail about how our fuzzer detect failures by the dmessage log. There are two cases. First, we found out that some issues are rebooted if the media player is crashed. In that case, USB connection between Raspberry Pi and issue is disconnected because issue is rebooted. After issue is rebooted, Raspberry Pi and issue are connected by USB again. At that time, USB connection log is created at dmessage. So fuzzer can detect failures, fuzzer can know or there is something wrong using the dmessage log. And there is a second case. Some issue is just shut down and not rebooted again. In this case, there is no USB reconnection log in the dmessage. Because issue is not rebooted. So fuzzer cannot know the failures. So the fuzzer just try to mount the next folder that contains new files. But the mount will be failed because issue is shut down. So at that time fuzzer can detect failures. Of course, it's not real-time detection, but it's the best option we can do now. Let's look at these figures. Left figure shows the fuzzer's log and right figure shows the dmessage log. At this time, we conducted fuzzing using 100 files at each trial. As I mentioned before, our fuzzer repeats mount and amount folder several times. So there will be USB reconnection log as many as the number of mounts. In this figure, in this log, we mount test folder three times. But there are four USB connection logs in dmessage. And the last log is a little bit different from other logs. So fuzzer can notice that there is something wrong in the media player or issue. So in this way, the fuzzer can detect failures. Actually, of course, there is a limitation of our methods. We are doing black box fuzzing. fuzzer in Raspberry Pi cannot know exactly which file is currently playing in the media player. fuzzer generates hundreds or thousands files in the folder and mounts the folder. Then media player gets all files and play them. So when a crash is detected, fuzzer cannot know which file caused the crash. fuzzer should find the file causing the crash by replaying the files again one by one. To solve this limitation, we tried two things. First, we can just put only one file in the folder and mount the folder and play just only one file. If we do fuzzing like this, when crash is occurred, we can exactly know which file is causing the crash because there is only one file. But in this case, mount and amount is required for the number of files. Mount and amount is our very slow operation. So we have to test the large number of files. So we need to reduce the number of mount and amount. So in our experience, playing only one file at once is not a good idea. So we need to find appropriate number of files each one cycle. This is why we generated and played only 100 files at each trial in the previous slide. We can play more files, but we don't. Because if there are too many files played at once, it's difficult to find the file cause the crash. I cannot say 100 number is the ideal number for all fuzzing. It's very different for each cases, so you should find the basic number of files for your own test. And actually, there is one more limitation. In some cases, some issue is not rebooted and shut down, even if the media player is crashed. In this case, USB is not disconnected, even if the media player is crashed and stopped. So fuzzer cannot detect failures. Test have to monitor car again. It's one of our limitation and it's one of our future work to solve this one. We found these cases in GM Volvo cars. What they are in common is that they use Android Automotive OS. So we just guess Android Automotive OS is not good cases for our fuzzing. So until now, I'll talk about how to fuzz automotive media player by USB. But to test or text over USB port, media player fuzzing is not enough. Let's test automotive kernel by USB. You know, there is already great research project about fuzzing USB kernel stack. In this project, this also implements low gadget for USB kernel fuzzing. And he also implements USB fuzzer using the low gadget and this fuzzer integrated into CISCOLOR. You know CISCOLOR is the best fuzzer for kernel fuzzing. So we just use CISCOLOR to fuzz USB kernel stack in the car. But let's think about it. CISCOLOR is the coverage guided fuzzer and it requires kernel build for fuzzing. But we are doing black box fuzzing now. We don't have source code of the car. So it's difficult to use CISCOLOR as it is. So how can you generate the fuzzing inputs for USB kernel stack in the car? But we can do fuzzing using CISCOLOR. Actually, CISCOLOR for USB already found about 300 or more bugs in this kernel USB stack. That bugs are reported to the CISCOLOR appspot.com. In the reports, there are codes to replace the bug. So we can use the reproduction codes for our fuzzing input. We just collect the reproduction codes and just execute the code by using CISCOLOR programs. CISCOLOR provides a way to reproduce the bug with a specific input. So you can reproduce the bug founded by CISCOLOR using those two programs. I think many of you guys in here already know how to use CISCOLOR. Anyway, this is the example code. This is an example command to replace the bug founded by CISCOLOR. In this case, the name of the reproduction code is crash01.law. And the figure in the bottom shows one of the reproduction codes in the CISCOLOR appspot.com. This figure shows that the bug list reported in the CISCOLOR appspot.com. Actually, there are a lot of bugs on this site except the USB bugs. So you should filter only the USB bugs. The link in the bottom will show the only USB bugs. And there is one more thing. Actually, all reported bugs don't contain the reproduction code. So you can only find the reproduction codes in the articles if CISCOLOR is written in the profile. So you don't need to collect all the bugs. So this is the overview of the fuzzing USB kernel stack in the car. It's very simple. Fuzzer, just collect the reproduction codes from the CISCOLOR appspot.com. And then just replace the codes. Of course, we can also mutate the data part of the reproduction code. But actually, we can find the vulnerability using just the original code. So in the kernel fuzzing, we also monitor the message log to detect failures caused by fuzzing. All cars we tested were rebooted if a kernel crashes. So fuzzer can detect all failures by using this method. So now let's talk about testing with real cars. Actually, this is the most challenging part in the car hacking. Because we don't have enough test cars. So even if we have a very good idea, it's very difficult to prove using the real cars. Luckily, our fuzzing test can be performed without disassembling the car. And it does not cause the serious damage to the car. So we can test using the rental car. So we rented the cars for a day or just a few hours and tested them. There were not many different types of cars that we could rent. But we rented as many and impossible and tested them. These are the summary of the vulnerabilities we found. We found vulnerabilities from Reynolds and Chevrolet and Volkswagen. And we also found a vulnerability in Agile. Actually, Agile is tested on the Raspberry Pi. And actually, number 7 vulnerability is not reported because we found number 6 and 7 vulnerability in the same version. And we just only reported number 6 first. And Volkswagen passed the vulnerability very quickly before we reported number 7. And number 7 vulnerability is not working on the patched version. So we cannot report that. We should report number 6 and 7 at the same time. It's our miss because we're quite busy at that time. We just forgot to report number 7. Anyway, I'm going to show our demo video. So media player lost the player again. There is Raspberry Pi here. Pitch just controlled Raspberry Pi. And it's just shut down. This is the media player frozen case. And this issue is shut down and not rebooted again. So Tesla tried to turn off the car and turn on the car again. Interestingly, car is back working on normally. But the head union is still not working on. So we have to hard reset the head union issue. Yes, this is the first demo. So we can crash the head union issue by the media player crash. In this test, we tested while driving. You can see the head union issue is rebooted. This is the rebooted case. And it's also media player pausing. There is Raspberry Pi over there. So you can see that issue is rebooted by crash even if the car is moving. Third video show the corner frozen demo. It's also moving. There is Raspberry Pi. And issue is rebooted even if the car is moving. The last demo is also corner frozen. OK, these are our demo video. So let's conclude my talk. The current USB fuzzing using the automotive industry has many limitations. It's complicated. It requires huge workload to test us. This limitation can be addressed by directly connecting fuzzer and car via USB cable. And USB gadget and low gadget makes it possible. So we can significantly reduce the workload of the testers. And also we can test the USB corner stack. And also we can find real-world vulnerabilities. OK, it's end of my talk. Thank you.