Security Research

Presented here are some of my recent public projects related to computer security.

What IoT device manufacturers should learn from the “IoT worm”


The research paper “IoT Goes Nuclear: Creating a ZigBee Chain Reaction” by Ronen, O’Flynn, Shamir, and Weingarten garnered moderate media attention (here, here, here, etc.) in early November 2016. As I have worked extensively in ZigBee offensive and defensive security, but never specifically on the ZigBee Light Link (ZLL) profile, I was interested to dig in and see what the main techniques and issues were, and what lessons other device manufacturers should take away from this disclosure.


WESS 2012: Perimeter-Crossing Buses: a New Attack Surface for Embedded Systems


At the 7th Workshop on Embedded Systems Security (WESS 2012), we presented a paper co-authored by myself and researchers at the Dartmouth Trust Lab. You can read a copy of the paper here. Our abstract probably gives a better summary than anything I would write for this page:

Any channel crossing the perimeter of a system provides an attack surface to the adversary. Standard network interfaces, such as TCP/IP stacks, constitute one such channel, and security researchers and exploit developers have invested much effort into exploring the attack surfaces and defenses there. However, channels such as USB have been overlooked, even though such code is at least as complexly layered as a network stack, and handles even more complex structures; drivers are notorious as a breeding ground of bugs copy-pasted from boilerplate sample code.

This paper maps out the bus-facing attack surface of a modern operating system, and demonstrates that effective and efficient injection of traffic into the buses is real and easily affordable. Further, it presents a simple and inexpensive hardware tool for the job, outlining the architectural and computation-theoretic challenges to creating a defensive OS/driver architecture comparable to that which has been achieved for network stacks.

S. Bratus, T. Goodspeed, P. Johnson, S.W. Smith, R. Speers. “Perimeter-Crossing Buses: a New Attack Surface for Embedded Systems.” 7th Workshop on Embedded Systems Security (WESS 2012). October 2012. To appear.

Api-Mote (IEEE 802.15.4/ZigBee Radio Interface)


I’m pleased to announce the progress of the Api-Mote Base. This platform was designed with a number of thoughts (enumerated below) in mind, as well as experience from both lab research and field assessments. A test run of 15 boards has been received and most are populated. An initial firmware version based on the GoodFET project is completed, thanks to a quick port by Travis. KillerBee support will be provided.

So why a new device? Almost three years after beginning to work with IEEE 802.15.4 and ZigBee research and security assessments, I’ve gotten tired of the hardware available to interact with these protocols. There are a number of tools out there — but none that I’ve worked with support a few core criteria.


Scapy Support for USB Protocol on Facedancer Boards, MAX2420, etc.


Immediately following the public release of the Facedancer10 PCBs by neighbors Travis Goodspeed and Sergey Bratus at REcon 2012, I began to develop a Scapy layer to support interacting with the MAX2420 chip used.

The initial code released in the GoodFET repository by Travis has some great examples, one of which uses the Facedancer to emulate a device following the USB HID (human interface device) specification. However, when looking at modifying the code to extend it, or using it for fuzzing, a major issue is determining the meaning of fields and the legitimate (and illegitimate) values for them, as well as the relationships between fields. This information is crucial to both specification-compliant use and fuzzing.


USENIX WOOT ’11 Paper: Packets-in-Packets


“Packets in Packets: Orson Welles’ In-Band Signaling Attacks for Modern Radios” marks my first paper in a truly peer-reviewed publication. This was written thanks to some great collaboration with Travis Goodspeed as well as Sergey Bratus, Ricky Melgares, and Rebecca Shapiro in the Dartmouth Trust Lab.


GoodFET Development on Tmote Sky/TelosB (CC2420 Radio)


As part of my thesis research on 802.15.4 wireless sensor networks, I have recently become a developer on the GoodFET project. This project was started by Travis Goodspeed and “is an open-source JTAG adapter, loosely based upon the TI MSP430 FET UIF and EZ430U boards.” However, as you will see, it has grown into so much more. I started working on the GoodFET CCSPI (ChipCon SPI Flash) client and firmware which Travis had started to support the Tmote Sky and TelosB branded sensor boards.


Journal Article Published


Last winter, I wrote a research paper with my classmate Evan Tice ’09 studying the security of computing resources at Dartmouth College. It was very interesting to write, and thanks to Computing Services, we were able to study security logs and do some of our own analysis on the systems to supplement the publicly available information.

A sanitized form of our paper has been published in the Fall 2009 issue of the Dartmouth Undergraduate Journal of Science, and you can read it online here. For ease of reading, I have also posted it in the original PDF format.
