
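English Translation

JIANGSU UNIVERSITY

Major: Electronic Information Engineering

Class: 2009 Electronic Information Engineering, Class 1

Name: 王雪

Supervisor: 汪洋

Supervisor's title: Professor

March 2013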

2010 European Conference on Computer Network Defense

USB Device Drivers: A Stepping Stone into your Kernel

Moritz Jodeit

n.runs AG

Nassauer Str. 60, D-61440 Oberursel

moritz.jodeit@https://www.doczj.com/doc/009436069.html,

Martin Johns

SAP Research

Vincenz-Priessnitz-Str. 1, D-76131 Karlsruhe

martin.johns@https://www.doczj.com/doc/009436069.html,

Abstract—The widely–used Universal Serial Bus (USB) exposes a physical attack vector which has received comparatively little attention in the past. While most research on device driver vulnerabilities concentrated on wireless protocols, we show that USB device drivers provide the same potential for vulnerabilities but offer a larger attack surface resulting from the universal nature of the USB protocol. To demonstrate the effectiveness of fuzzing USB device drivers, we present our prototypical implementation of a mutation–based, man–in–the–middle USB fuzzing framework based on an emulated environment. We practically applied our framework to fuzz the communication between an Apple iPod device and a Windows XP system. This way, we found several potential vulnerabilities. This supports our claim that the USB architecture exposes real attack vectors and should be considered when assessing the physical security of computer systems in the future.

I. INTRODUCTION

The Universal Serial Bus (USB) is a widely–used serial cable bus for connecting various peripherals to a host computer. Because of the widespread use and the ubiquitous nature of USB it provides a compelling attack surface. In this paper we are concentrating on attacks against device drivers and the USB stack itself.

The fact that device drivers provide the potential for exploitable vulnerabilities was already shown in [6] and [10]. But compared to 802.11 wireless device drivers, USB has the property of being a universal transport medium for further protocols. Hence, potential attacks are not limited to the USB related code inside the kernel but extend over a large number of different kernel sub-systems and device drivers reachable by USB devices which would not be associated with USB at a first glance. The USB protocol allows to reach those parts of the kernel which could otherwise not easily be attacked remotely.

This paper proposes a mutation–based USB fuzzing framework. Our approach is based on fuzzing in an emulated environment inspired by the work of Keil and Kolbitsch [9] for 802.11 wireless fuzzing. Instead of emulating USB devices in software we are attaching physically connected USB devices to the guest operating system running inside a virtual machine and fuzz the communication between the physical device and the virtual host.

Relying on a mutation–based approach gives us the flexibility to fuzz test a broad range of different device drivers without the need to emulate every single device which would be very time consuming. Doing the fuzzing in an emulated environment comes with various advantages. Besides the good target monitoring capabilities, virtual machine snapshots allow us to do exact matching between a specific USB device attachment and a potential crash.

II. TECHNICAL BACKGROUND

The USB architecture can be divided into three separate parts. These are the USB devices, the USB host and the USB interconnect, which connects all USB devices with a single USB host.

USB devices are either hubs or functions. A USB hub is a special device that provides one or more attachment points to the bus, while a function provides a specific capability. Examples are a USB mouse device which usually provides a HID (Human Device Interface) function while an external hard disk drive provides a mass storage function. Each USB host controller provides a root hub, which is the attachment point for all connected devices.

The USB host is the central point in the USB architecture. It interacts through the host controller with the rest of the USB system. Only a single USB host per bus is allowed. Tasks of the host include the management of all transfers, detection of device attachment and removal and configuration of new devices. It is important to note that the host plays the active part in the whole communication. All transfers are initiated by the host and USB devices only answer to requests sent by the host¹.

Figure 1 shows the logical connection between a USB device and the host. Communication takes place using so–called pipes. Pipes are unidirectional or bidirectional communication channels between the host and a USB device. The end of each pipe connects to an endpoint.

Endpoints are comparable with IP sockets. They are the source or sink of a communication flow on the bus. Each endpoint has an associated direction which is either IN or OUT. IN endpoints transfer data from the device to the host, while OUT endpoints transfer data from the host to the device. Each USB device provides at least the endpoint 0 which is connected with the default control pipe. The main purpose of the default control pipe is to configure the device once it is attached. Depending on the purpose of the device multiple other endpoints may be provided.

¹ One exception is the USB OTG supplement [15] to the USB specification [7].

978-0-7695-4311-6/10 $26.00 © 2010 IEEE

DOI 10.1109/EC2ND.2010.16

Multiple pipes can be grouped into interfaces where each interface provides a specific functionality and is handled by a single USB device driver on the host. One interface may provide a mass storage device while a second interface may provide a USB printer.

Configurations group multiple interfaces and are mainly used to provide the same functionality with different settings. Only a single configuration can be active at a time.

Figure 1. Logical connection between a USB device and a host

A. Device Enumeration

When a new USB device is connected to the bus through a hub the device enumeration process starts. Each hub provides an IN endpoint, which is used to inform the host about newly attached devices. The host continually polls on this endpoint to receive device attachment and removal events from the hub.

Once a new device was attached and the hub notified the host about this event, the USB bus driver of the host enables the attached device and starts requesting information from the device. This is done with standard USB requests which are sent through the default control pipe to endpoint zero of the device. Information is requested in terms of descriptors. USB descriptors are data structures that are provided by devices to describe all of their attributes. This includes e.g. the product/vendor ID, any device class affiliation, and strings describing the product and vendor. Additionally information about all available endpoints is provided. After the host read all the necessary information from the device it tries to find a matching device driver. The details of this process are dependent on the used operating system. For lack of space we are describing the process for Microsoft Windows only but similar concepts apply to other operating systems.

B. Device Driver Loading

After the first descriptors were read from the attached USB device, the host uses the vendor and product ID from the device descriptor to find a matching device driver. Windows first tries to find the product/vendor ID combination in the registry. If the device was successfully enumerated in the past, a match is found in the registry which indicates the associated device driver to be loaded. When no match in the registry is found, Windows does a lookup in its database of available device drivers which consists of a set of INF files. Each INF file describes a set of devices for which device drivers are available.

If neither the registry nor the INF files resulted in a match for the product/vendor ID combination, Windows tries to find a matching USB class driver. Class drivers are not specific to a single device but can handle a broad range of different devices which behave according to a class specification. Most operating systems provide a set of USB class drivers which allows some classes of USB devices to be connected without the need to install a separate device driver. The latest version of Windows comes with class drivers for many of the defined USB classes [14], such as the mass storage, audio or printer class.

To find a matching class driver, Windows uses the class, subclass and protocol values read from the descriptors. The same lookups as detailed above for the product/vendor ID combination are performed.

After a matching device driver was found and loaded, it’s the task of the device driver to select one of the provided device configurations. The device driver selects one of the configurations based on its own capabilities and the available bandwidth on the bus and activates this configuration on the attached device. At this point, all interfaces and their endpoints of the selected configuration are set up and the device is ready for use.
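The descriptors read during enumeration, and the fields used for driver matching (vendor/product ID and the class, subclass and protocol values), can be made concrete with a strict parser. The following is an added example, not code from the paper or its framework: it parses the standard USB 2.0 device and configuration descriptors and rejects inconsistent length fields, the kind of device-supplied value a host-side parser has to validate. All names and the sample bytes (including the vendor/product IDs) are constructed for illustration.

```python
import struct
from dataclasses import dataclass, field

DT_DEVICE, DT_CONFIG, DT_INTERFACE, DT_ENDPOINT = 1, 2, 4, 5


class DescriptorError(ValueError):
    """A descriptor broke one of the length/type rules checked below."""


@dataclass
class Interface:
    number: int
    class_triple: tuple      # (class, subclass, protocol), used for class-driver matching
    declared_endpoints: int  # bNumEndpoints as claimed by the device
    endpoints: list = field(default_factory=list)  # (number, "IN"/"OUT", max packet)


def parse_device(buf: bytes) -> dict:
    """Parse the 18-byte standard device descriptor."""
    if len(buf) < 18 or buf[0] != 18 or buf[1] != DT_DEVICE:
        raise DescriptorError("bad device descriptor header")
    (_, _, _, dev_class, dev_sub, dev_proto, max_packet0,
     vid, pid, _, _, _, _, num_cfg) = struct.unpack_from("<BBHBBBBHHHBBBB", buf)
    if max_packet0 not in (8, 16, 32, 64):
        raise DescriptorError("bMaxPacketSize0 invalid for USB 2.0")
    if num_cfg == 0:
        raise DescriptorError("device reports no configurations")
    return {"vid": vid, "pid": pid, "class_triple": (dev_class, dev_sub, dev_proto),
            "num_configurations": num_cfg}


def parse_configuration(buf: bytes) -> list:
    """Walk a configuration descriptor blob, bounds-checking every length field."""
    if len(buf) < 9 or buf[0] != 9 or buf[1] != DT_CONFIG:
        raise DescriptorError("bad configuration descriptor header")
    total_len, num_ifaces = struct.unpack_from("<HB", buf, 2)
    if total_len != len(buf):
        raise DescriptorError("wTotalLength does not match bytes received")
    interfaces, offset = [], 9
    while offset < len(buf):
        if len(buf) - offset < 2:
            raise DescriptorError("truncated descriptor header")
        b_len, b_type = buf[offset], buf[offset + 1]
        # bLength < 2 would stall a naive walker; too large would read out of bounds.
        if b_len < 2 or offset + b_len > len(buf):
            raise DescriptorError(f"bLength {b_len} invalid at offset {offset}")
        if b_type == DT_INTERFACE:
            if b_len < 9:
                raise DescriptorError("short interface descriptor")
            num, _alt, n_ep, cls, sub, proto = struct.unpack_from("<6B", buf, offset + 2)
            interfaces.append(Interface(num, (cls, sub, proto), n_ep))
        elif b_type == DT_ENDPOINT:
            if b_len < 7 or not interfaces:
                raise DescriptorError("endpoint descriptor short or before any interface")
            addr, _attrs, max_pkt = struct.unpack_from("<BBH", buf, offset + 2)
            if addr & 0x0F == 0:
                raise DescriptorError("endpoint 0 must not have a descriptor")
            direction = "IN" if addr & 0x80 else "OUT"
            interfaces[-1].endpoints.append((addr & 0x0F, direction, max_pkt & 0x7FF))
        # Other descriptor types (class-specific ones, for example) are skipped by length.
        offset += b_len
    for iface in interfaces:
        if len(iface.endpoints) != iface.declared_endpoints:
            raise DescriptorError("bNumEndpoints does not match endpoint descriptors")
    if len({i.number for i in interfaces}) != num_ifaces:
        raise DescriptorError("bNumInterfaces does not match interface descriptors")
    return interfaces


def is_rejected(buf: bytes) -> bool:
    """True if parse_configuration refuses the blob."""
    try:
        parse_configuration(buf)
    except DescriptorError:
        return True
    return False


# Constructed sample data: a device with placeholder IDs 0x1234/0x5678 and one
# mass storage interface (class 0x08, subclass 0x06, protocol 0x50), two bulk endpoints.
SAMPLE_DEVICE = struct.pack("<BBHBBBBHHHBBBB", 18, DT_DEVICE, 0x0200, 0, 0, 0, 64,
                            0x1234, 0x5678, 0x0100, 1, 2, 3, 1)
SAMPLE_CONFIG = bytes([
    9, DT_CONFIG, 32, 0, 1, 1, 0, 0x80, 50,           # configuration, wTotalLength = 32
    9, DT_INTERFACE, 0, 0, 2, 0x08, 0x06, 0x50, 0,    # interface 0, two endpoints
    7, DT_ENDPOINT, 0x81, 0x02, 0x00, 0x02, 0,        # endpoint 1 IN, bulk, 512 bytes
    7, DT_ENDPOINT, 0x02, 0x02, 0x00, 0x02, 0,        # endpoint 2 OUT, bulk, 512 bytes
])

if __name__ == "__main__":
    print(parse_device(SAMPLE_DEVICE))
    for iface in parse_configuration(SAMPLE_CONFIG):
        print(iface)
    corrupted = bytearray(SAMPLE_CONFIG)
    corrupted[9] = 0  # interface bLength of zero
    print("corrupted blob rejected:", is_rejected(bytes(corrupted)))
```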

III. ATTACK SCENARIOS

In the case of the USB 2.0 standard [7], an attacker needs physical access to a system. Although nearly every system can be broken into with enough physical access, USB ports represent a special case. Often the system itself together with human interface devices, such as keyboards and mice, is protected against unauthorized access. However, USB ports are often considered safe to be provided to the user. In some cases, USB ports must even be provided to the user to accomplish the task of the respective system. USB-based hardware security tokens are one example.

If the attacker is an employee of a company he is trying to attack, he has lots of possibilities to unobtrusively attach malicious USB devices. But even if the attacker isn’t associated with the company to be attacked, there are lots of cases, where the attacker himself doesn’t need direct physical access but can get his malicious USB device attached to the USB port of a system by other means.

People with legitimate physical access to a system could be paid or bribed to act in the interest of the attacker. An example could be any employee or facility staff member that might have a financial interest.

Instead of bribery, people with legitimate physical access could also be tricked to attach an attacker–supplied device. When it comes to physical access, social engineering works very well. An attacker can either just place a few attractive or interesting looking USB devices in front of a company or just send them directly by mail to the victim. Depending on how much money the attacker has available for the attack, the USB device can be in original package and could have diverse appearances, ranging from a simple USB flash drive up to an exclusive mobile phone with USB connectivity.

Another example where an attacker could trick other people to attach a malicious USB device to a system of interest is digital voting systems using so–called digital voting pens [2]. This is a system to speed up vote counting where each voter does his votes using a digital pen which records the coordinates of the vote using a small camera inside the pen. After the voter finished voting, the pen is given back to the election supervisor, who in turn attaches the pen to a USB docking station that is connected to the computer system used to store all votes. An attacker could either replace or modify the voting pen given to him, which would then get attached to the host system storing all the votes. A successful attack might then be used for election fraud.

Finally, the requirement of physical access might change with the Certified Wireless USB (CWUSB) extension [1] that introduces wireless USB.

IV. ATTACK VECTORS

An enabled USB port provides various attack vectors for a connected device. Potential attacks can go far beyond USB stack and device driver attacks. Figure 2 gives a simplified overview of the different components of a typical USB host architecture. At the bottom, we have the electrical layer. Its purpose is to encode and decode the electrical signals on the wire. The electrical layer connects directly to the USB stack, which is responsible for handling protocol details of the USB protocol. Each device driver registers itself at the USB stack. The only way a USB device driver can communicate with an attached device is through the USB stack. Consequently, the first attack target is the USB stack itself.

The name "Universal Serial Bus" already suggests that a wide range of different classes of devices can be connected through USB. To provide their service to an attached device, in many cases USB device drivers don’t run in isolation but communicate with various other kernel subsystem components. For example, a USB network card driver makes use of the network subsystem, while a mass storage device driver utilizes the I/O and SCSI subsystem of the kernel. Even when receivers for other protocols, such as IrDA, 802.11 or Bluetooth, are disabled, a connected USB device can still pretend to be of the respective communications class and, thus, get access to the protocol stacks otherwise not reachable for external attacks.

Figure 2. Relation between components of the USB host architecture

Finally, USB devices are not exclusively connected to kernel subsystems. Applications running in user–mode can communicate with USB devices, e.g., to provide the interaction with a user. Hence, data coming from a malicious USB device can reach applications running in user–mode which increases the attack surface even further.

V. IMPLEMENTATION

To practically find potential vulnerabilities in the components listed in the previous section, we built a USB fuzzing framework. This section discusses our design decisions and implementation.

A. System Design

The first consideration when building a USB fuzzer is the decision between a generation–based and mutation–based fuzzer [13]. The effort to build a complete generation–based fuzzer is comparable with the development of a new USB device driver and, thus, could get very time–consuming. Sticking to a mutation–based fuzzer releases us from the task of emulating a USB device to get a specific device driver loaded and fuzzed. We just attach the corresponding device and modify the USB packets in transit. Consequently, a mutation–based fuzzer is the preferred choice for quickly getting first results.

To implement a mutation–based fuzzer we need a way to intercept the communication between an attached device and the USB host. The first option is to do the fuzzing on the target host itself. A small kernel component could be developed which would intercept the USB packets just before they are delivered to the respective device driver to be tested. Although this may be quickly implemented it has the disadvantage that it is platform-specific. The other problem is that the fuzzing happens on the host we are trying to crash.

With the requirement that fuzzing should happen before the USB packets reach the target host, there are two possibilities. The first option is to utilize a hardware–based approach which enables us to physically connect the USB fuzzer to the target host. This would allow us to fuzz–test any device as long as a USB port is provided. The disadvantage is that it requires special–purpose hardware.

To overcome this limitation we chose the second option and perform the fuzzing in an emulated environment inspired by the work of Keil and Kolbitsch [9] for 802.11 wireless fuzzing. The use of an emulated environment allows us to do the fuzzing before the USB packets reach the host but still gives us the freedom to build a software–only solution. Additionally, we get all the benefits of fuzzing in an emulated environment.

Besides the good automation and target monitoring capabilities of emulated environments one of the most useful features for our task are virtual machine snapshots. These allow us to store a snapshot of the current CPU, memory and disk state which can be restored at a later point in time. When fuzzing USB device drivers some systems were found to disable the USB port after repeatedly attaching malformed USB devices. To continue fuzzing in such a case, a reboot of the target system would normally be required. Virtual machine snapshots allow us to just restore to a known good state and continue fuzzing.

Another problem with repeatedly attaching fuzzed USB devices is the fact, that some memory corruption may not result in an immediate crash of the target host. A crash could happen at a later point in time triggered by some unrelated event. This complicates the linking of encountered crashes to a specific device attachment. To link each crash to one specific attachment, virtual machine snapshots can be used to restore a known good state after each attachment.

B. Architecture

To modify the USB communication between a USB device and the host we propose the man–in–the–middle components:

1) Receiving Component

2) Processing Component

3) Device Emulation Component

The receiving component is responsible for acquiring the USB packets from an attached USB device. It either talks directly to the connected device or reads in a stored flow of communication, which was recorded beforehand. All USB packets are just forwarded between the USB device and the processing component.

The processing component conducts the optional modification or analysis of the USB communication. This is where the actual fuzzing or analysis of the raw USB packets can be implemented. The processing component can also record a flow of communication and store it for replaying at a later point in time. The processing component passes all the USB communication between the receiving component and the device emulation component.

The device emulation component forwards the USB communication it received from the processing component to a connected host system. From the perspective of the host, it acts like the real USB device.

Figure 3. Man–in–the–middle architecture

Our implementation is based on the QEMU machine emulator [4]. QEMU can emulate a complete PCI UHCI USB controller. Besides USB devices which are emulated directly by QEMU, it also allows to pass–through physically connected USB devices to the guest operating system. We utilize this functionality and implement the receiving component and the device emulation component directly into QEMU as a set of patches. The final architecture is shown in Fig. 4.

The receiving component passes on all USB packets between a physical USB device and the processing component. To get access to the physical USB device our implementation makes use of QEMU which in turn uses the USB device file system. This is a Linux file system that provides all the needed hardware details of attached USB devices to user–mode applications. To retrieve the descriptors of an attached USB device, the corresponding device files inside the mounted USB device file system can be read. Communication with a device takes place using ioctl() calls on the desired device file.

The dependence on QEMU for the receiving component instead of using the USB device file system directly is basically due to the fact that our current implementation is heavily based around QEMU. To fully take advantage of the modular design, future versions will make use of the USB device file system directly.

Figure 4. Design of the mutation–based fuzzing framework

The processing component is implemented externally as a Python library which is connected to the receiving component and the device emulation component using a set of named pipes. All USB packets exchanged between a USB device and the host are passed through the processing component. The processing component doesn’t implement any functionality itself but just provides simple Python bindings for easy access to the raw USB packets. Those bindings can be utilized by third–party extensions to easily create custom fuzzers or analysis tools.

VI. EVALUATION

To evaluate our implementation we created a simple fuzzer based on our framework which just randomly replaces bytes in the USB packets exchanged between the device and host. All IN packets are randomly selected for fuzzing while OUT packets are ignored. For each selected packet, a random number of bytes of the packet are replaced with random values while the most significant bit of each byte is set more frequently in the hope to trigger signedness issues.
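The mutation step described above can be sketched as follows. This is an added example, not the authors' fuzzer or their Python bindings: the packet type, the probabilities and the recorded flow are assumptions constructed here. It uses a per-attachment seed and a mutation log so that a crash seen during driver testing can be tied to the exact bytes changed and replayed against the recorded flow.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class UsbPacket:
    direction: str  # "IN" (device to host) or "OUT" (host to device)
    endpoint: int
    data: bytes


def mutate_in_packets(flow, seed, select_prob=0.3, msb_prob=0.75, max_frac=0.25):
    """Return (mutated_flow, log); IN packets may be mutated, OUT packets pass through.

    select_prob, msb_prob and max_frac are assumed tuning values, not taken from
    the paper. log holds (packet_index, byte_offset, old, new) tuples.
    """
    rng = random.Random(seed)  # one seed per device attachment keeps runs reproducible
    mutated, log = [], []
    for idx, pkt in enumerate(flow):
        if pkt.direction != "IN" or not pkt.data or rng.random() >= select_prob:
            mutated.append(pkt)
            continue
        data = bytearray(pkt.data)
        limit = max(1, int(len(data) * max_frac))
        count = rng.randint(1, limit)  # random number of bytes to replace
        for off in sorted(rng.sample(range(len(data)), count)):
            new = rng.randrange(256)
            if rng.random() < msb_prob:
                new |= 0x80  # set the most significant bit more often (signedness issues)
            log.append((idx, off, data[off], new))
            data[off] = new
        mutated.append(UsbPacket(pkt.direction, pkt.endpoint, bytes(data)))
    return mutated, log


def replay(flow, log):
    """Re-apply a mutation log to the recorded flow to reproduce one attachment."""
    buffers = [bytearray(p.data) for p in flow]
    for idx, off, _old, new in log:
        buffers[idx][off] = new
    return [UsbPacket(p.direction, p.endpoint, bytes(b)) for p, b in zip(flow, buffers)]


# Constructed sample flow: a control request and mass-storage-sized transfers whose
# payloads are placeholder bytes, not captured traffic.
RECORDED_FLOW = [
    UsbPacket("OUT", 0, bytes.fromhex("8006000100001200")),  # GET_DESCRIPTOR (device)
    UsbPacket("IN", 0, bytes(range(18))),                    # 18-byte descriptor reply
    UsbPacket("OUT", 2, bytes(31)),                          # 31-byte command block
    UsbPacket("IN", 1, bytes(range(36))),                    # 36-byte data phase
    UsbPacket("IN", 1, bytes(13)),                           # 13-byte status block
]

if __name__ == "__main__":
    fuzzed, changes = mutate_in_packets(RECORDED_FLOW, seed=2010)
    for idx, off, old, new in changes:
        print(f"packet {idx} offset {off}: {old:#04x} -> {new:#04x}")
    print("replay matches:", replay(RECORDED_FLOW, changes) == fuzzed)
```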

As a fuzzing target we chose an Apple iPod Shuffle device connected to a host system running Windows XP SP2 without additional patches. The only software additionally installed was the latest release of Apple’s iTunes software². The iPod Shuffle identifies itself as a mass storage device and, thus, is handled by the USB mass storage class driver of Windows XP. The reason we chose this device instead of some usual USB flash drive is because of the massive communication taking place just after it is attached. After the mass storage device is detected by the system the iTunes software is launched by a service running in the background which is installed as part of the iTunes application. The loaded iTunes application then reads various information from the device’s file system leading to multiple USB packets being exchanged. Fuzzing those packets gives us a good chance to reach various kernel components as well as the iTunes service responsible for the detection of attached iPods and the iTunes application running in user–mode.

The fuzz test consisted of repeatedly attaching the device, letting the host talk to the device for some time and then detaching it again. While doing this the state of the host was monitored to detect any anomalies or crashes. All these actions were performed using the Python API provided by our fuzzing framework. During the tests multiple bug checks were triggered leading to a kernel crash. The crashes encountered were triggered at various locations. While two of the kernel crashes happened inside the USB host controller driver, one crash was triggered in the USB mass storage driver and another one was triggered in the file system code responsible for reading the partition table from the attached device. Additionally a crash in the user–mode iPod service binary was triggered. Although no deep analysis of the found crashes was performed, at least one of them was caused by memory corruption, making it

APPLE IPOD FUZZING RESULTS

² Apple iTunes 8.1.1.10 was used.

VII. RELATED WORK

The dominant focus of attention in respect to exploiting memory corruption vulnerabilities in device drivers has been on the realm of wireless communication. Several publications, such as [6] or [10], detail the complexity of 802.11 wireless device drivers and the resulting potential for vulnerabilities. Much effort has been put into the development of IEEE 802.11 wireless fuzzers [5] to practically find those vulnerabilities. While most publications concentrate on device drivers for wireless protocols, Barrall and Dewey showed in [3] that USB stacks and device drivers also provide the potential for vulnerabilities. They demonstrate their point with a vulnerability in USB related code of the Windows operating system. No details were made public though. Rafael Dominguez Vega continued research in that direction and demonstrated the exploitation of a Linux USB device driver bug in [17] using a custom-built USB device. Details about the actual vulnerability being exploited were not disclosed. He also described some first USB fuzzing techniques.

The idea to use an emulated environment for fuzzing 802.11 wireless device drivers was first demonstrated by Keil and Kolbitsch in [9]. They utilize the emulated environment to circumvent the hard timing constraints when fuzzing 802.11 device drivers. The implementation of our USB fuzzing framework is based on this idea.

Furthermore, first approaches towards exploiting drivers outside the wireless realm have been made: Ilja van Sprundel showed in [16] how to utilize fuzzing to uncover vulnerabilities in filesystem drivers. As the USB protocol grants a malicious device direct access to the system’s filesystem, van Sprundel’s work is of high relevance in the context of this paper.

Finally, instead of exploiting implementation flaws in device drivers, Maximillian Dornseif demonstrated in [8] how the use of DMA in FireWire empowers an attacker to read and write arbitrary physical memory of the host. Dornseif’s work was refined by Piegdon and Pimenidis in [12] towards arbitrary code execution. Such attacks require the device to be the controlling instance on the bus which is in general not the case with USB. In the USB protocol the host controls all communication on the bus. However, David Maynor showed in [11] that DMA attacks against USB are nevertheless possible by utilizing the USB OTG extension [15] which allows USB devices to provide limited USB host functionality to communicate directly with other USB devices which would not be possible otherwise.

VIII. CONCLUSION AND FUTURE WORK

In this paper we discussed security implications of the Universal Serial Bus. After raising the awareness by listing potential attack scenarios, we explored the large attack surface provided by enabled USB ports. Subsequently, we described our implementation of a mutation–based USB using a fuzzer together with an iPod Shuffle device we demonstrated that USB device drivers not only provide the potential for vulnerabilities but can also be used as a stepping stone to trigger vulnerabilities in other kernel components not directly related to USB and even in user–mode applications communicating with attached devices. To find those vulnerabilities we used a simple random–based fuzzer without any knowledge of the underlying protocols being fuzzed. It is to be expected that the development of more intelligent fuzzers will result in even better results. We paved the way for the development of such fuzzers with our fuzzing framework.

Although we exclusively focused on attacks against the USB host in this paper, the presented framework can also be applied in reverse direction to fuzz test physical USB devices, such as smartphones or PDAs. This might provide a potential area for future research.

Despite the fact that fuzzing in an emulated environment provides various benefits, the actual exploitation of a vulnerability in a real–world scenario requires the use of hardware which emulates a physical USB device. Further research into the creation of a separate hardware–based device emulation component is required.

Another area of interest for future research is the Certified Wireless USB (CWUSB) extension [1]. One of the design goals of the wireless USB specification is to keep the current software infrastructure including all the USB device drivers intact.

Wireless USB provides a wireless transport mechanism for the USB protocol and, thus, makes attacks against USB even more interesting since physical access is no longer required. In this context, CWUSB’s mechanisms used for authentication and encryption should be analyzed for their effectiveness.

REFERENCES

[1] Agere, Hewlett-Packard, Intel, Microsoft, NEC, Philips, and Samsung. Wireless Universal Serial Bus Specification 1.0, May 2005.

[2] Joerg Arzt-Mergemeier, Willi Beiss, and Thomas Steffens. The Digital Voting Pen at the Hamburg Elections 2008: Electronic Voting Closest to Conventional Voting. In E-Voting and Identity, volume 4896/2007 of LNCS. Springer, 2007.

[3] Darrin Barrall and David Dewey. "Plug and Root," the USB Key to the Kingdom. Presentation at Black Hat USA, July 2005.

[4] Fabrice Bellard. QEMU, a Fast and Portable Dynamic Translator. In ATEC’05: Proceedings of the USENIX Annual Technical Conference 2005, page 41. USENIX Association, 2005.

[5] Laurent Butti. Wi-Fi Advanced Fuzzing. Presentation at Black Hat Europe, 2007.

[6] Johnny Cache and David Maynor. Device Drivers: Don’t build a house on a shaky foundation. Presentation at Black Hat USA, August 2006.

[7] Compaq, Hewlett-Packard, Intel, Lucent, Microsoft, NEC, and Philips. Universal Serial Bus Specification 2.0, 2000.

[8] Maximillian Dornseif. 0wned by an iPod. Presentation at PacSec, November 2004.

[9] Sylvester Keil and Clemens Kolbitsch. Stateful Fuzzing of Wireless Device Drivers in an Emulated Environment. White Paper, Secure Systems Lab, https://www.doczj.com/doc/009436069.html,/papers/fuzz qemu.pdf (2009/05/17), September 2007.

[10] David Maynor. Device Drivers 2.0. Presentation at Black Hat DC, February 2007.

[11] David Maynor. 0wn3d by everything else: USB/PCMCIA Issues. Presentation at CanSecWest, May 2005.

[12] David R. Piegdon and Lexi Pimenidis. Targeting Physically Addressable Memory. In Robin Sommer Bernhard M. Haemmerli, editor, Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2007), volume 4579 of LNCS. Springer, July 2007.

[13] Michael Sutton, Adam Greene, and Pedram Amini. Fuzzing: Brute Force Vulnerability Discovery. Addison-Wesley, 2007.

[14] USB Implementers Forum, Inc. Approved Class Specification Documents. https://www.doczj.com/doc/009436069.html,/developers/devclass docs (2008/05/22).

[15] USB Implementers Forum, Inc. On-The-Go Supplement to the USB 2.0 Specification, 2006.

[16] Ilja van Sprundel. Fuzzing: Breaking Software in an Automated Fashion. Talk at the 22th Chaos Communication Congress (22C3), https://www.doczj.com/doc/009436069.html,c.de/congress/2005 /fahrplan/ attachments/582-paper fuzzing.pdf, December 2005.

[17] Rafael Dominguez Vega. USB Attacks: Fun with Plug and 0wn. Presentation at Defcon 17, August 2009.

USB Device Drivers: A Stepping Stone into the Kernel

Moritz Jodeit

n.runs AG

Nassauer Str. 60, D-61440 Oberursel

moritz.jodeit@https://www.doczj.com/doc/009436069.html,

Martin Johns

SAP Research

Vincenz-Priessnitz-Str. 1, D-76131 Karlsruhe

martin.johns@https://www.doczj.com/doc/009436069.html,

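Abstract: The widely used Universal Serial Bus (USB) exposes a physical attack vector that has received relatively little attention in the past. While most research on device driver vulnerabilities has concentrated on wireless protocols, we show that USB device drivers offer the same potential for vulnerabilities while providing a larger attack surface resulting from the universal nature of the USB protocol. To demonstrate the effectiveness of USB fuzzing, we present our mutation-based prototype implementation. We practically applied our framework to fuzz the communication between an Apple iPod and a Windows XP system. In this way, we found several potential vulnerabilities. This supports our conclusion that the USB architecture exposes attack vectors that need to be considered when assessing the physical security of computer systems in the future.

I. INTRODUCTION

The Universal Serial Bus (USB) is a widely used serial cable bus that connects various peripherals to a host. Because of the widespread use and ubiquitous nature of USB, it provides a compelling attack surface. In this paper we concentrate on attacks against device drivers and the USB stack itself.

The fact that device drivers provide potential, exploitable vulnerabilities has already been mentioned in [6] and [10]. But compared with 802.11 wireless device drivers, USB has the property of serving as a transport medium for further protocols. Hence, potential attacks are not limited to the USB-related code in the kernel, but extend through USB to a large number of different kernel subsystems and device drivers that at first glance are not associated with USB. The USB protocol allows reaching those parts of the kernel that cannot easily be attacked remotely.

This paper proposes a mutation-based USB fuzzing framework. Our approach is based on fuzzing in an emulated environment, inspired by the work of Keil and Kolbitsch [9] on 802.11 wireless fuzzing.

Instead of emulating USB devices in software, we attach physically connected USB devices to a guest operating system running inside a virtual machine and fuzz the communication between the physical device and the virtual host.

Relying on a mutation-based approach gives us the flexibility to fuzz test a wide range of different device drivers without spending a great deal of time emulating every single device. Fuzzing in an emulated environment has many advantages. Besides good target monitoring capabilities, virtual machine snapshots allow us to make an exact match between a specific USB device attachment and a potential crash.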

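II. TECHNICAL BACKGROUND

The USB architecture can be divided into three separate parts. These are the USB devices, the USB host and the USB interconnect, which connects all USB devices with a single USB host.

USB devices are either hubs or functions. A USB hub is a special device that provides one or more attachment points to the bus, while a function provides a specific capability. For example, a USB mouse device usually provides a HID (Human Device Interface) function, while an external hard disk drive provides a mass storage function. Each USB host controller provides a root hub, which is the attachment point for all connected devices.

The USB host is the central point in the USB architecture; it interacts with the rest of the USB system through the host controller. Only one USB host is allowed per bus. The tasks of the host include managing all transfers, detecting device attachment and removal, and configuring new devices. It is important to note that the host plays the active role in the whole communication. All transfers are initiated by the host, and USB devices can only reply to requests sent by the host. Figure 1 shows the logical connection between a USB device and the host. Communication takes place using so-called pipes. Pipes are unidirectional or bidirectional communication channels between the host and a USB device.

Endpoints are comparable with IP sockets. They are the source or sink of a communication flow on the bus. Each endpoint has an associated direction, either IN or OUT. IN endpoints transfer data from the device to the host; OUT endpoints transfer data from the host to the device. Every USB device provides at least endpoint 0, which is connected to the default control pipe. The main purpose of the default control pipe is to configure the device once it is attached. Depending on the purpose of the device, multiple other endpoints may be provided. Multiple pipes can be grouped into interfaces; each interface provides a specific functionality and is handled by a single USB device driver on the host. One interface may provide a mass storage device while another interface may provide a USB printer. Configurations group multiple interfaces and are mainly used to provide the same functionality with different settings. Only a single configuration can be active at a time.

Figure 1. Logical connection between a USB device and the host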

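A. Device Enumeration

When a new USB device is connected to the bus through a hub, the enumeration process starts. Each hub provides an IN endpoint, which is used to inform the host about newly attached devices. The host continually polls this endpoint to receive device attachment and removal events from the hub. Once a new device is attached and the hub has notified the host of this event, the host's USB bus driver enables the attached device and starts requesting information from the device. This is done with standard USB requests, which are sent through the default control pipe to endpoint 0 of the device. Information is requested in terms of descriptors. USB descriptors are data structures provided by devices to describe all of their attributes. This includes, for example, the product/vendor ID, any device class affiliation, and strings describing the product and vendor. In addition, information about all available endpoints is provided.

After the host has read all the necessary information from the device, it tries to find a matching device driver. The details of this process depend on the operating system used. For lack of space, we describe the process for Microsoft Windows only, but similar concepts apply to other operating systems.

B. Device Driver Loading

After the first descriptors have been read from the attached USB device, the host uses the vendor and product ID from the device descriptor to find a matching device driver. Windows first tries to find the product/vendor ID combination in the registry. If the device was successfully enumerated in the past, a match found in the registry indicates the associated device driver to be loaded. If no match is found in the registry, Windows does a lookup in its database of available device drivers, which consists of a set of INF files. Each INF file describes a set of devices for which device drivers are available.

If neither the registry nor the INF files yield a match for the product/vendor ID combination, Windows tries to find a matching USB class driver. Class drivers are not specific to a single device but can handle a wide range of different devices that behave according to a class specification. Most operating systems provide a set of USB class drivers that allow some classes of USB devices to be connected without installing a separate device driver. The latest version of Windows comes with class drivers for many of the defined USB classes [14], such as the mass storage, audio or printer class.

To find a matching class driver, Windows uses the class, subclass and protocol values read from the descriptors. The same lookups as detailed above for the product/vendor ID combination are performed.

After a matching device driver has been found and loaded, it is the task of the device driver to select one of the provided device configurations. The device driver selects a configuration based on its own capabilities and the available bandwidth on the bus, and activates this configuration on the attached device. At this point, all interfaces of the selected configuration and their endpoints are set up and the device is ready for use.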

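III. ATTACK SCENARIOS

With the USB 2.0 standard [7], an attacker needs physical access to the system. Although almost every system can be compromised given sufficient physical access, USB ports represent a special case. Typically the system itself, together with human interface devices such as keyboard and mouse, is protected against unauthorized access. USB ports, however, are often considered safe to expose to users. In some cases USB ports even have to be made available to users for the system to fulfil its purpose. USB-based hardware security tokens are one example.

If the attacker is an employee of the company he is trying to attack, he can most likely attach a malicious USB device unnoticed. But there are many scenarios in which an attacker who has no affiliation with the targeted company, and no direct physical access of his own, can still get a malicious USB device attached to a USB port of the system by other means.

A person with legitimate physical access to the system can be paid or bribed to act in the attacker's interest. This could be any employee or facility staff member who might have a financial interest.

Instead of being bribed, a person with legitimate physical access can also be tricked into attaching a device supplied by the attacker. Where physical access is concerned, social engineering works very well. The attacker could leave some attractive or interesting-looking USB devices in front of the company building, or simply mail them directly to the victims. Depending on the attacker's funds, the USB devices can come in original packaging and may vary in appearance from a simple USB flash drive to an external device such as a mobile phone with a USB connection.

Another example in which an attacker can trick other people into attaching a malicious USB device to the system of interest is a digital voting system that uses a so-called digital voting pen [2]. This is a system for speeding up the vote count: every voter uses a digital pen to cast the vote, and a small camera inside the pen records the coordinates. After the voter has finished, the pen is returned to the election supervisor, who connects it to a USB extension so that a computer system can store all the votes. An attacker could replace or modify the voting pen, which is then attached to the host system that stores all the votes. A successful attack could be used to commit election fraud.

Finally, the requirement of physical access may change with the introduction of the Certified Wireless USB (WUSB) extension.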

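IV. ATTACK VECTORS

An enabled USB port offers a connected device a variety of attack vectors. Potential attacks go far beyond attacks on the USB stack and the device drivers. Figure 2 gives a brief overview of the different components of a typical USB host architecture. At the bottom is the electrical layer, whose purpose is to encode and decode the electrical signals on the wire. The electrical layer is connected directly to the USB stack, which is responsible for handling the details of the USB protocol. Every device driver registers itself with the USB stack. The only way a USB device driver can communicate with an attached device is through the USB stack. The first target for attacks is therefore the USB stack itself.

As the name "Universal Serial Bus" already suggests, devices of all kinds can be connected over USB.

Figure 2. Relationship between the components of the USB host architecture

Depending on the service a connected device provides, USB device drivers in many cases do not operate on their own but together with various other kernel subsystems. For example, a USB network card driver uses the network subsystem, while a mass storage device driver makes use of the I/O and SCSI subsystems of the kernel. Even if the receivers for other protocols such as IrDA, 802.11 or Bluetooth are disabled, an attached USB device can still pretend to belong to the respective communication class and thereby gain access to protocol stacks that an external attacker could otherwise not reach.

Finally, USB devices are not connected to kernel subsystems only. Applications running in user mode can communicate with USB devices, for example to provide interaction with the user. Data originating from a malicious USB device can therefore reach applications running in user mode, which further increases the attack surface.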

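V. IMPLEMENTATION

To actually find potential vulnerabilities in the components listed in the previous section, we built a USB fuzzing framework. This section discusses our design decisions and the implementation.

A. System Design

When building a USB fuzzer, the first thing to decide is whether it should be generation-based or mutation-based [13]. The effort of building a complete generation-based fuzzer is comparable to developing a new USB device driver and can therefore become very time-consuming.

Building a mutation-based fuzzer instead frees us from the task of emulating the USB device just to get the driver for a specific device loaded and fuzzed. We simply attach the corresponding device and modify the USB packets in transit. A mutation-based fuzzer is therefore the best choice for obtaining results quickly.

To implement a mutation-based fuzzer we need a way to intercept the communication between the attached device and the USB host. The first option is to do the fuzzing on the target host: a small kernel component would be developed that intercepts USB packets before they are delivered to the device driver under test. Although this could be implemented quickly, it has the disadvantage of being platform-specific. Another problem is that the fuzzing would take place on the very host we are trying to crash. If the fuzzing is to happen before the USB packets reach the target host, there are two possibilities. The first is a hardware-based approach, which would allow us to fuzz any device as long as a USB port is provided. Its drawback is that it requires dedicated hardware.

To overcome this limitation we chose the second option and perform the fuzzing in an emulated environment, inspired by the work of Keil and Kolbitsch [9] on 802.11 wireless fuzzing. Using an emulated environment lets us do the fuzzing before the USB packets reach the host while still leaving us free to build a pure software solution. In addition, we gain all the advantages of fuzzing in an emulated environment.

Besides good automation and the ability to monitor the target inside the emulated environment, one of the most useful features for our task is the virtual machine snapshot. Snapshots let us store the current state of CPU, memory and disk and restore it at a later point in time. While fuzzing USB device drivers we found that some systems disable the USB port after a malformed USB device has been attached repeatedly. In that case a reboot of the target system would normally be required to continue fuzzing. Virtual machine snapshots let us revert to a known good state and continue fuzzing.

Another problem with repeatedly attaching fuzzed USB devices is that some memory corruption may not crash the target host immediately. A crash may be triggered at a later point in time by some unrelated event, which makes it difficult to tie an observed crash to a specific device attachment. To link each crash to a specific attachment, virtual machine snapshots can be used to restore a known good state after every attachment.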

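B. Architecture

To modify the USB communication between a USB device and the host, we propose the man-in-the-middle architecture shown in Figure 3. It is based on three main components:

1) Receiving component

2) Processing component

3) Device emulation component

The receiving component obtains USB packets from the attached USB device. It can either communicate directly with the attached device or read stored communication traffic that was recorded beforehand. All USB packets are forwarded between the USB device and the processing component.

The processing component performs optional mutation or analysis of the USB communication. This is where the actual fuzzer, or the analysis of raw USB packets, is implemented. The processing component can also record the communication stream and store it for replay at a later point in time. It passes all USB communication between the receiving component and the device emulation component.

The device emulation component forwards the USB communication received from the processing component to the connected host system. From the host's point of view it looks like a real USB device.

Figure 3. Man-in-the-middle system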

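Our implementation is based on the QEMU machine emulator [4]. QEMU can emulate a complete PCI UHCI USB controller. Besides USB devices emulated directly by QEMU, it can also pass physically attached USB devices through to the guest operating system. We make use of this feature and implement the receiving component and the device emulation component directly in QEMU as a series of patches. Figure 4 shows the resulting architecture.

The receiving component passes all USB packets between the physical USB device and the processing component. To get access to the physical USB device, our implementation uses QEMU, which in turn uses the USB device filesystem. This is a Linux filesystem that gives user-mode applications access to attached USB devices together with all the required hardware details. To retrieve the descriptors of an attached USB device, the corresponding device file inside the mounted USB device filesystem is read. Communication with the device takes place through ioctl() calls on the respective device file.

That the receiving component relies on QEMU instead of using the USB device filesystem directly is essentially due to the fact that our current implementation is largely built around QEMU. To take full advantage of the modular design, future versions will use the USB device filesystem directly.

The processing component is implemented externally as a Python library and is connected to the receiving component and the device emulation component through a set of named pipes. All USB packets exchanged between a USB device and the host pass through it. The processing component does not implement any functionality itself; it merely provides simple Python bindings for convenient access to the raw USB packets. Third-party extensions can use these bindings to easily create custom fuzzers or analysis tools.

Figure 4. Design of the mutation-based fuzzing framework

VI. EVALUATION

To evaluate our implementation we created a simple fuzzer on top of our framework that just randomly replaces bytes in the packets exchanged between the USB device and the host. IN packets are selected for fuzzing at random, while all OUT packets are ignored. In each selected packet a random number of bytes is replaced by random values, with the most significant bit of each byte being set more frequently in the hope of triggering signedness issues.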
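The mutation strategy described above, as an added example (not the authors' fuzzer and not the framework's Python bindings, whose API the paper does not show). The class and function names and the three tuning values are assumptions; the seeded generator and the per-packet change log are added so that a crash can be tied back to the exact bytes that were changed, and the trace is constructed.

```python
import random


class InPacketMutator:
    """Replaces random bytes in IN (device-to-host) payloads; OUT passes through."""

    def __init__(self, seed, select_prob=0.2, msb_bias=0.75, max_fraction=0.25):
        # select_prob, msb_bias and max_fraction are assumed tuning values;
        # the paper does not give numbers for them.
        self.rng = random.Random(seed)  # seeded, so a run can be replayed exactly
        self.select_prob = select_prob
        self.msb_bias = msb_bias
        self.max_fraction = max_fraction
        self.seen = 0                   # running packet index
        self.log = []                   # (packet index, [(offset, old, new), ...])

    def process(self, direction, payload):
        index, self.seen = self.seen, self.seen + 1
        if direction != "IN" or not payload:
            return bytes(payload)       # OUT packets are ignored
        if self.rng.random() >= self.select_prob:
            return bytes(payload)       # this IN packet was not selected
        data = bytearray(payload)
        limit = max(1, int(len(data) * self.max_fraction))
        count = self.rng.randint(1, limit)
        changes = []
        for pos in sorted(self.rng.sample(range(len(data)), count)):
            value = self.rng.randrange(256)
            if self.rng.random() < self.msb_bias:
                value |= 0x80           # >= 0x80 is negative when read as signed char
            changes.append((pos, data[pos], value))
            data[pos] = value
        self.log.append((index, changes))
        return bytes(data)


def run_trace(seed, trace, **tuning):
    """Feed a recorded (direction, payload) trace through a fresh mutator."""
    mutator = InPacketMutator(seed, **tuning)
    return [mutator.process(d, p) for d, p in trace], mutator.log


# Constructed trace: GET_DESCRIPTOR setup data (host to device, treated as OUT),
# an 18-byte device descriptor reply (IN, placeholder IDs), a 32-byte IN payload.
TRACE = [
    ("OUT", bytes.fromhex("8006000100001200")),
    ("IN", bytes.fromhex("120100020000004034127856000101020301")),
    ("IN", bytes(range(32))),
]

if __name__ == "__main__":
    mutated, log = run_trace(seed=1, trace=TRACE, select_prob=1.0)
    for index, changes in log:
        print("packet", index, [(pos, hex(old), hex(new)) for pos, old, new in changes])
```

Running the same seed over the same trace reproduces the same mutations, so a logged seed plus packet index is enough to replay the input that preceded a crash.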

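As a fuzzing target we chose an Apple iPod Shuffle mobile device attached to a host system running Windows XP SP2 without additional patches. The only additionally installed software was the latest release of Apple's iTunes software. The iPod Shuffle identifies itself as a mass storage device and is therefore handled by the Windows XP USB mass storage class driver. The reason we chose this device rather than some common USB flash drive is the large amount of communication that takes place after attachment. Once the mass storage device has been detected by the system, the iTunes software is launched by a service that is installed as part of the iTunes application and runs in the background. The launched iTunes application then reads the file system of the device, which causes many USB packets carrying various information to be exchanged. Fuzzing these packets gives us a good opportunity to reach different kernel components as well as the parts responsible for detecting the attached iPod and iTunes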
