New fuzzing tool picks up insecure USB driver code

Two researchers say they have found a new approach to hunting for potentially serious bugs in the hardware drivers for the Universal Serial Bus interface, by emulating the peripherals in software.

Matthias Payer at the federal polytechnic school in Lausanne, Switzerland, and Hui Peng at Purdue University, United States, said [pdf] that they leveraged open-source components such as QEMU processor emulator to design a tool that's low-cost and hardware independent, called USBFuzz.

USBFuzz is designed to be portable across operating systems, and minimal knowledge of the complex USB standard is required to use it.

Fuzzing is a technique used by security researchers to supply random data to programs and devices, to see how well they handle unexpected input.

USBFuzz emulates USB devices, feeding random data to their hardware device drivers.

The researchers said that as device drivers run directly in the kernel of operating systems, or in privileged processes, bugs in these are security critical.

However, USB peripherals are legion and the drivers for them are not exhaustively tested due to the difficulty in providing unexpected inputs from the device side, the researchers aid.

In their paper, the researchers say USBFuzz helped unmask a total of 26 new bugs in a USB Microsoft LifeCam VX-800 webcam driver.

Of these, 16 memory bugs were high impact security flaws in the Linux USB Core, USB Sound and network subsystems.

The researchers also found three driver bugs in Apple's macOS, with two of the flaws unexpectedly rebooting the test system running in a virtual machine, and one freezing it completly.

They were also able to cause Blue Screens of Death (BSoD) faults in Windows 8 and Windows 10, and a single bug in a USB dongle driver for the most popular UNIX-like operating system in the world, FreeBSD.

USBFuzz build on prior efforts such as the hardware-based FaceDancer dumb fuzzer, and the Linux-only usb-fuzzer, and the researchers suggested that the emulator approach could be extended for testing other hardware device drivers as well.