avatar 2 a multi target orchestration platform
play

Avatar 2 : A Multi-target Orchestration Platform Marius Muench, - PowerPoint PPT Presentation

Sep 17, 2022 •2.53k likes •2.94k views

Avatar 2 : A Multi-target Orchestration Platform Marius Muench, Dario Nisi, Aur elien Francillon & Davide Balzarotti Workshop on Binary Analysis Research 2018 Introduction Dynamic B inaryA nalysis 1 Motivation Having a huge

  1. Avatar 2 : A Multi-target Orchestration Platform Marius Muench, Dario Nisi, Aur´ elien Francillon & Davide Balzarotti Workshop on Binary Analysis Research 2018

  2. Introduction Dynamic B inaryA nalysis 1

  3. Motivation • Having a huge variety of tools is awesome • But analysis state is mostly local to the single tools • A lot of effort to integrate specific tools into other 2

  4. Being able to interconnect debuggers, emulators and analysis frameworks greatly benefits dynamic binary analysis 2

  5. A link to the past 2014: The avatar framework: • Connects S 2 E and OpenOCD/GDB • Targets ARM firmware • Partial emulation together with real hardware Zaddach, Jonas, et al. ”AVATAR: A Framework to Support Dynamic Security Analysis of Embedded Systems’ Firmwares.” NDSS 2014. 3

  6. A link to the past 2014: The avatar framework: • Connects S 2 E and OpenOCD/GDB • Targets ARM firmware • Partial emulation together with real hardware • Tightly coupled to S 2 E and OpenOCD/GDB Zaddach, Jonas, et al. ”AVATAR: A Framework to Support Dynamic Security Analysis of Embedded Systems’ Firmwares.” NDSS 2014. 3

  7. Imagine a tool that ... 4

  8. Imagine a tool that ... 4

  9. Imagine a tool that ... 4

  10. Imagine a tool that ... 4

  11. Imagine a tool that ... 4

  12. Imagine a tool that ... 4

  13. Imagine a tool that ... 4

  14. Imagine a tool that ... 4

  15. Imagine a tool that ... 4

  16. One framework to orchestrate them all? • Capable of interconnecting a variety of tools • Expose a consistent API to the analyst • Easy scriptability • Operate in an highly asynchronous environment � Careful crafted architecture required 5

  17. Avatar 2 - The architecture Avatar 2 . . . T arget 0 T arget n Execution Memory Register . . . Execution Memory Register Protocol Protocol Protocol Protocol Protocol Protocol . . . Endpoint 0 Endpoint n 6

  18. Additional features • Architecture independent design • Internal memory layout representation • Legacy python support • Peripheral modeling • Plugin System • Assembler/Disassembler • Orchestrator • Instruction Forwarder 7

  19. Examples Example I: Example II: Facilitating replication Symbolic Execution & reproduction & Complex Software Example III: Record & Replay for Firmware 8

  20. Example I - Replicating Harvey • Proof of concept implementation of HARVEY [1] • Malware for a COTS PLC • The plc utilizes multiple boards • Code injection via JTAG [1] Garcia, Luis, et al. ”Hey, My Malware Knows Physics Attacking PLCs with Physical Model Aware Rootkit.” NDSS 2016. 9

  21. Figure 1: Harvey’s modifications to the GPIO-output ISR 1 1Taken from [1]. Original title: ”Figure 5. Original GPIO-output update ISR assembly code compared to 10 modified subroutine with branch to malicious code.”

  22. 1 from avatar2 import Avatar, ARMV7M, OpenOCDTarget 2 3 output_hook = ’’’mov r5,0xfffffffd mov r4, r5 4 mov r5, 0 5 b 0x2000233E’’’ 6 7 8 avatar = Avatar(arch=ARMV7M) 9 avatar.load_plugin(’assembler’) 10 11 t = avatar.add_target(OpenOCDTarget, openocd_script=’harvey.cfg’, gdb_executable=’arm-none-eabi-gdb’) 12 13 14 t.init() 15 t.set_breakpoint(0xd270) 16 t.cont() 17 t.wait() 18 19 t.inject_asm(’b 0x20002514’,addr=0x20002338) 20 t.inject_asm(output_hook,addr=0x20002514) 21 22 t.cont() 11

  23. Example I - Results • Implementation of PoC in approx. 30 lines of Python • All of this could –and has – been done without avatar 2 • Unified and centralized interface • Easy to exchange scripts • Modifications can easily be integrated 12

  24. Example II - Symbolic Execution of Firefox • Firefox with inserted bug • Executed concretely inside gdb until function of interest • Automated memory layout extraction from gdb • Transfer of layout into angr • Memory contents copied-on-read • Symbolic function arguments • Analysis of only one thread 13

  25. Example II - Results • Implementation in approx. 60 lines of Python • Execution statistics: • Approximatly 10 minutes of runtime 2 • 36 executed basic blocks • 21 uniquely accessed pages • Found the bug • angr alone was not able to find the bug • Could be achieved by tedious population of state without avatar 2 • Demonstrates State Transfer and Orchestration capabilities 2 Hardware: VM with four Intel Xeon E5-2650L cores and 16GB of RAM 14

  26. Example III - Recording Firmware Execution • Dynamic binary analysis of firmware often requires the device • PANDA [2] allows to record and replay execution • Allows exchange of executions for further analysis without the device [2] Whelan, Ryan J., et al. ”Repeatable Reverse Engineering with the Platform for Architecture-Neutral Dynamic Analysis.” MIT Lincoln Laboratory Lexington 2015. 15

  27. 1 from avatar2 import ARMV7M, Avatar, OpenOCDTarget, PandaTarget 2 3 avatar = Avatar(arch=ARMV7M) 4 avatar.load_plugin(’orchestrator’) 5 6 nucleo = avatar.add_target(OpenOCDTarget, [...]) 7 panda = avatar.add_target(PandaTarget, [...]) 8 9 rom = avatar.add_memory_range(0x08000000, 0x1000000, file=firmware) 10 11 ram = avatar.add_memory_range(0x20000000, 0x14000) 12 mmio= avatar.add_memory_range(0x40000000, 0x1000000, forwarded=True, forwarded_to=nucleo) 13 14 15 avatar.init_targets() 16 [...] 17 panda.begin_record(’panda_record’) 18 avatar.resume_orchestration(blocking=False) 19 [...] 20 avatar.stop_orchestration() 21 panda.end_record() 16

  28. Example III - Results • Implementation in approx. 30 lines of Python • Successful recording of firmware’s execution • Replayable without presence of hardware • Without avatar 2 , cumbersome implementation of peripherals required • Demonstration of separation between execution and memory 17

  29. Discussion • So far, only five targets implemented • Achieving genericity is difficult • Overhead for implementing new targets varies • Unsolved challenges for analysis of embedded devices • Interrupts • Debug access 18

  30. Conclusion • Multi-target orchestration is not limited to firmware • We are just at the beginning ... • More tomorrow morning! • ”What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices.” • Session 1A: IoT, Kon Tiki Ballroom, 12.20pm 19

  31. Artifacts? • The full framework is open source: https://github.com/avatartwo/avatar2 • Presented examples at: https://github.com/avatartwo/bar18_avatar2 • Pre-built vagrant box: avatar/2bar18 avatar2 20

  32. Backup slide #1: Changes to QEMU Avatar 2 provides a costomized QEMU • All located in a single subfolder: hw/avatar • New board: Configurable Machine • Already present in the first avatar • Allows flexible configuration of emulated hardware • New peripheral: remote memory • Communicates with avatar 2 via posix message queues • Utilizes custom remote-memory protocol 21

  33. Backup Slide #2: Event handling in avatar 2 • Targets are emitting events • Events are registered by protocols forwarded to the avatar 2 core • Fast queue for execution state updates • Enables callbacks and inspection mechanisms 22

Recommend

Avatar - Enhancing Binary Firmware Security Analysis with Dynamic Multi-Target Orchestration

Avatar - Enhancing Binary Firmware Security Analysis with Dynamic Multi-Target Orchestration

CRYPTACUS Workshop Nijmegen, 16 - 18 November 2017 Avatar - Enhancing Binary Firmware Security Analysis with Dynamic Multi-Target Orchestration Marius Muench <marius.muench@eurecom.fr> PART I Avatar - Enhancing Binary Firmware

1.04k views • 26 slides
Senior school home page SEM and EM photographs of various microbes and all pack artwork available

Senior school home page SEM and EM photographs of various microbes and all pack artwork available

Students could create their own avatar to guide them through the various sections of Create your own the website, this avatar could potentially remind them of areas they have yet to visit, avatar give them updates on how they can earn more

440 views • 3 slides
Embedded Multi-Target Tracking System CN052 Wang Shuhui, Wang Qiaoyuan, Wei Longping Lu Xiaofeng

Embedded Multi-Target Tracking System CN052 Wang Shuhui, Wang Qiaoyuan, Wei Longping Lu Xiaofeng

Embedded Multi-Target Tracking System CN052 Wang Shuhui, Wang Qiaoyuan, Wei Longping Lu Xiaofeng Outline 1. Introduction 2. System Platform 3. Hardware Architecture of Multi-target Detection 4. Hardware Architecture of Multi-target Tracking

383 views • 11 slides
Distributed multi-tenant cloud/fog and heterogeneous SDN/NFV orchestration for 5G services Ricard

Distributed multi-tenant cloud/fog and heterogeneous SDN/NFV orchestration for 5G services Ricard

Distributed multi-tenant cloud/fog and heterogeneous SDN/NFV orchestration for 5G services Ricard Vilalta, A. Mayoral, Raul Muoz, Ramon Casellas, Ricardo Martnez The need for generic control functions and a Transport API The NBI of the

679 views • 15 slides
A multi- -layer layer A multi A multi-layer research and training platform research and

A multi- -layer layer A multi A multi-layer research and training platform research and

Final Workshop of CDC 2002-2007 Tallinn, Brotherhood of the Blackheads, 21 22 January 2008 A multi- -layer layer A multi A multi-layer research and training platform research and training platform research and training platform for

769 views • 35 slides
Playing with AVATAR How to play with AVATAR Giles Reger, Martin Suda and Andrei Voronkov School

Playing with AVATAR How to play with AVATAR Giles Reger, Martin Suda and Andrei Voronkov School

Playing with AVATAR How to play with AVATAR Giles Reger, Martin Suda and Andrei Voronkov School of Computer Science, University of Manchester The 1st Vampire Workshop Reger,G How to play with AVATAR 1 / 26 Overview Introduction 1

1.1k views • 43 slides
Unicorn: Unified Resource Orchestration for Multi- Domain, Geo-Distributed Data Analytics Qiao

Unicorn: Unified Resource Orchestration for Multi- Domain, Geo-Distributed Data Analytics Qiao

Unicorn: Unified Resource Orchestration for Multi- Domain, Geo-Distributed Data Analytics Qiao Xiang 12 , Jace Liu 1 , Harvey Newman 3 , Tony Wang 12 , Y. Richard Yang 12 , Jensen Zhang 1 1 Tongji University, 2 Yale University, 3 California

885 views • 33 slides
Project Avatar Dr Geraldine Paterson 1 Avatar Funded by Network Innovation Allowance October

Project Avatar Dr Geraldine Paterson 1 Avatar Funded by Network Innovation Allowance October

Project Avatar Dr Geraldine Paterson 1 Avatar Funded by Network Innovation Allowance October 2016 December 2019 Colleague Exploratory Analysis, Concept Publish final Literature Research engagement research refinements Go live

650 views • 9 slides
IVA Interactive Video Avatar (Toolkit for an interactive video for creating Avatar, simulator

IVA Interactive Video Avatar (Toolkit for an interactive video for creating Avatar, simulator

IBM - CVUT Student Research Projects IVA Interactive Video Avatar (Toolkit for an interactive video for creating Avatar, simulator etc.) Frantiek Kafka (kafkaf1@fel.cvut.cz) Lud k Krejzar (krejzl1@fel.cvut.cz) The aim of project the

732 views • 6 slides
Building A Better Airline What Makes Avatar Different ? Building A Better Airline

Building A Better Airline What Makes Avatar Different ? Building A Better Airline

Building A Better Airline What Makes Avatar Different ? Building A Better Airline Contribute to Lower Fares Passenger Revenue Branding Food & Beverage Avatar Vacations In-flight Entertainment TIcket

375 views • 35 slides
Drawing Parallels between Multi-label Classification and Multi-target Regression Grigorios

Drawing Parallels between Multi-label Classification and Multi-target Regression Grigorios

Drawing Parallels between Multi-label Classification and Multi-target Regression Grigorios Tsoumakas, Eleftherios Spyromitros-Xioufis, and Ioannis Vlahavas Machine Learning and Knowledge Discovery (MLKD) group Department of Informatics,

1.19k views • 34 slides
AI Driven Orchestration, Challenges & Opportunities Openstack Summit 2018 Sana Tariq (Ph.D.)

AI Driven Orchestration, Challenges & Opportunities Openstack Summit 2018 Sana Tariq (Ph.D.)

AI Driven Orchestration, Challenges & Opportunities Openstack Summit 2018 Sana Tariq (Ph.D.) TELUS Communication Agenda Service Orchestration Journey Service Orchestration Operational Challenges Closed Loop Orchestration and Dynamic

222 views • 19 slides
Multi-Target Regression via Random Linear Target Combinations Grigorios Tsoumakas, Eleftherios

Multi-Target Regression via Random Linear Target Combinations Grigorios Tsoumakas, Eleftherios

Multi-Target Regression via Random Linear Target Combinations Grigorios Tsoumakas, Eleftherios Spyromitros-Xioufis Aikaterini Vrekou, Ioannis Vlahavas Department of Informatics Aristotle University of Thessaloniki Thessaloniki 54124, Greece

349 views • 20 slides
Cooperative Localization via DSRC and Multi-Sensor Multi-Target Track Association Presenter:

Cooperative Localization via DSRC and Multi-Sensor Multi-Target Track Association Presenter:

Cooperative Localization via DSRC and Multi-Sensor Multi-Target Track Association Presenter: Preeti Pillai Authors: Ahmed Hamdi Sakr and Gaurav Bansal Toyota InfoTechnology Center, Mountain View, California, U.S.A. PPNIV workshop, IEEE ITSC 2016

638 views • 20 slides
Heterogeneous Multi-Computer System A New Platform for Multi-Paradigm Scientific Simulation

Heterogeneous Multi-Computer System A New Platform for Multi-Paradigm Scientific Simulation

Heterogeneous Multi-Computer System A New Platform for Multi-Paradigm Scientific Simulation Taisuke Boku, Hajime Susa, Masayuki Umemura, Akira Ukawa Center for Computational Physics, University of Tsukuba Junichiro Makino, Toshiyuki

531 views • 29 slides
Search-based Testing of Procedural Programs: Iterative Single-Target or Multi-Target Approach?

Search-based Testing of Procedural Programs: Iterative Single-Target or Multi-Target Approach?

Search-based Testing of Procedural Programs: Iterative Single-Target or Multi-Target Approach? Simone Scalabrino Giovanni Grano Dario Di Nucci Rocco Oliveto Andrea De Lucia The overall cost of testing has been estimated at being at

568 views • 39 slides
The Avatar project: Improving embedded security with SE, KLEE and Qemu

The Avatar project: Improving embedded security with SE, KLEE and Qemu

The Avatar project: Improving embedded security with SE, KLEE and Qemu http://www.s3.eurecom.fr/tools/avatar/ Luca Bruno <lucab@debian.org>, J. Zaddach, A. Francillon, D. Balzarotti About us Eurecom, a consortium of European

740 views • 29 slides
Smart Space Orchestration Orchestration The Internet of Things Cyber-Physical Systems Pervasive

Smart Space Orchestration Orchestration The Internet of Things Cyber-Physical Systems Pervasive

System Smart Space Orchestration Orchestration The Internet of Things Cyber-Physical Systems Pervasive Computing 2pace Marc-Oliver Pahl Distributed Smart ds2os.org/ System Overview Orchestration Part I: Flavours of Computing 2pace

380 views • 20 slides
Online Multi-Target Tracking Using Recurrent Neural Networks Anton Milan, S. Hamid Rezatofighi ,

Online Multi-Target Tracking Using Recurrent Neural Networks Anton Milan, S. Hamid Rezatofighi ,

Online Multi-Target Tracking Using Recurrent Neural Networks Anton Milan, S. Hamid Rezatofighi , Anthony Dick, Ian Reid, Konrad Schindler Outline Some applications of multi-target tracking The challenges Existing approaches Our

826 views • 48 slides
Performance Measures and the DukeMTMC Benchmark for Multi-Target Multi-Camera Tracking Ergys

Performance Measures and the DukeMTMC Benchmark for Multi-Target Multi-Camera Tracking Ergys

Performance Measures and the DukeMTMC Benchmark for Multi-Target Multi-Camera Tracking Ergys Ristani In collaboration with: Francesco Solera Roger Zou Rita Cucchiara Carlo Tomasi Outline Problem Definition Performance Measures

1.42k views • 123 slides
Swing Orchestration: Structural and sectional devices in big band swing Splanky, Count Basie

Swing Orchestration: Structural and sectional devices in big band swing Splanky, Count Basie

Swing Orchestration: Structural and sectional devices in big band swing Splanky, Count Basie Orchestra Comp. and Arr. Neil Hefti What is orchestration? Orchestration refers to the assignment of instruments to the various required elements of

123 views • 11 slides
Mobile Multi-Service Smart Room Client: Initial Study for Multi-Platform Development Andrey S.

Mobile Multi-Service Smart Room Client: Initial Study for Multi-Platform Development Andrey S.

Mobile Multi-Service Smart Room Client: Initial Study for Multi-Platform Development Andrey S. Vdovenko, Sergey A. Marchenkov, Dmitry G. Korzun Petrozavodsk State University Department of Computer Science This project is supported by grant

448 views • 15 slides
orchestration in 5G networks Diego R. Lpez Telefnica I+D IEEE 5G Berlin Summit 2 November

orchestration in 5G networks Diego R. Lpez Telefnica I+D IEEE 5G Berlin Summit 2 November

http://www.5gex.eu Supporting multi-domain resource orchestration in 5G networks Diego R. Lpez Telefnica I+D IEEE 5G Berlin Summit 2 November 2016 One 5G Network Multiple Industries to a network factory where resources and

303 views • 14 slides
Playtechs Turnkey Solution Multi Product Open Platform Multi Channel IMS

Playtechs Turnkey Solution Multi Product Open Platform Multi Channel IMS

July 2013 Playtechs Turnkey Solution Multi Product Open Platform Multi Channel IMS Full Player Lifecycle PTTS Case Study A pioneering full turnkey solution for the digital betting & gaming offering: Full

988 views • 33 slides

More recommend