AVATAR: A Framework for Dynamic Security Analysis of Embedded Systems' Firmwares - PowerPoint PPT Presentation


  1. AVATAR: A Framework for Dynamic Security Analysis of Embedded Systems’ Firmwares Jonas Zaddach (zaddach@eurecom.fr) Luca Bruno, Aurélien Francillon, Davide Balzarotti

  2. Outline • Introduction • AVATAR overview • Framework components • Use cases • Conclusion 2/24/14 2

3. Software is everywhere • Embedded devices are diverse – but all of them run software

4. Reasons for embedded security • Embedded devices are ubiquitous – Even if invisible, they are essential to your life • Can operate for many years – Legacy systems, no (security) updates • Have a large attack surface – Networking, forgotten debug interfaces, etc.

5. Third-party security evaluation • No source code available • No toolchain available • No documentation available • Distinct tools (to flash and debug) for each manufacturer

6. Wishlist for security evaluation • Typical PC security toolbox – Advanced debugging techniques • Tracing • Fuzzing • Tainting • Symbolic Execution – Integrated tools • IDA Pro • GDB [Figure: a symbolic execution tree with nodes A to E whose edges carry the branch conditions ≤ 0 / > 0 and < 8 / ≥ 8, so that one path collects the constraint 0 < x < 8]

7. Challenges • Advanced dynamic analysis needs emulation • Full emulation – Unknown peripherals – Firmware fails if peripherals are missing • Integration – Support multiple vendors and platforms


9. AVATAR • Orchestrate execution between emulator and device • Forward peripheral accesses to the device under analysis • Do not attempt to emulate peripherals – No documentation – Reverse engineering is difficult

10. Avatar overview (slides 10-13) [Figure, built up over four slides: the Device (memory, registers, CPU state, with an in-memory stub) and the Emulator (running the firmware code mov r2, r0 / mov r3, r1 / add r3, r3, #1 / ldr r2, [r2, #0] / cmp r2, r3, with analysis plugins) are linked through Avatar, which carries its own plugins and the analysis script; on the last slide an IRQ raised on the device is passed through to the emulator]


15. Emulator [Figure: the emulator is S2E (QEMU, LLVM and KLEE) with its configuration, a QEMU GDB interface, remote memory and analysis plugins; Avatar sees the emulated memory, registers and CPU state]

16. Avatar core [Figure: Avatar sits between device and emulator with a configuration interface, a GDB interface towards each side, a remote memory interface, plugins, analysis plugins and the analysis script]

17. Embedded target [Figure: the device is reached either through an in-memory stub or through a JTAG server, giving Avatar access to its memory, registers and CPU state]

18. Target communication • Either a debugging interface – JTAG – Debug Serial Interface • Or code injection and a communication channel – Custom GDB Stub + Serial Port
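The "Custom GDB Stub + Serial Port" channel above speaks GDB's Remote Serial Protocol (RSP), so the injected stub only has to implement packet framing plus a handful of commands. The following Python is an added example, not Avatar's own stub or code: it implements RSP framing (`$payload#checksum`, `+`/`-` acknowledgements) and the `?`, `g`, `m` (read memory) and `M` (write memory) packets that memory forwarding needs. The memory image, the register file and the transport (a direct method call standing in for the serial line) are constructed here; a real stub would also escape `#`, `$` and `}` inside binary payloads, which the hex-only replies below never contain.

```python
"""Minimal GDB Remote Serial Protocol framing and memory commands, as exchanged
between Avatar and an in-memory stub.  Added example; memory, registers and the
in-process transport are constructed."""
import re


def rsp_checksum(payload: bytes) -> int:
    # RSP checksum: sum of the payload bytes modulo 256, sent as two hex digits
    return sum(payload) & 0xFF


def rsp_encode(payload: bytes) -> bytes:
    return b"$" + payload + b"#" + b"%02x" % rsp_checksum(payload)


def rsp_decode(packet: bytes) -> bytes:
    """Parse '$...#xx'; raise on bad framing or checksum (the stub then answers '-')."""
    m = re.fullmatch(rb"\$(.*)#([0-9a-fA-F]{2})", packet, re.DOTALL)
    if not m:
        raise ValueError("malformed packet")
    payload, csum = m.group(1), int(m.group(2), 16)
    if csum != rsp_checksum(payload):
        raise ValueError("checksum mismatch")
    return payload


class TargetStub:
    """Simulated in-memory stub serving '?', 'g', 'm addr,len' and 'M addr,len:hex'."""

    def __init__(self, memory: bytearray, base: int, regs):
        self.mem, self.base, self.regs = memory, base, list(regs)

    def _offset(self, addr, length):
        off = addr - self.base
        return off if 0 <= off and off + length <= len(self.mem) else None

    def handle(self, packet: bytes) -> bytes:
        try:
            cmd = rsp_decode(packet)
        except ValueError:
            return b"-"                      # NAK: the host retransmits
        if cmd == b"?":
            reply = b"S05"                   # stopped with SIGTRAP
        elif cmd == b"g":
            # registers as little-endian 32-bit words, hex-encoded
            reply = b"".join(r.to_bytes(4, "little").hex().encode() for r in self.regs)
        elif cmd.startswith(b"m"):
            addr, length = (int(x, 16) for x in cmd[1:].split(b","))
            off = self._offset(addr, length)
            reply = b"E01" if off is None else self.mem[off:off + length].hex().encode()
        elif cmd.startswith(b"M"):
            hdr, data = cmd[1:].split(b":")
            addr, length = (int(x, 16) for x in hdr.split(b","))
            off = self._offset(addr, length)
            if off is None or len(data) != 2 * length:
                reply = b"E01"
            else:
                self.mem[off:off + length] = bytes.fromhex(data.decode())
                reply = b"OK"
        else:
            reply = b""                      # unsupported command: empty reply, per RSP
        return b"+" + rsp_encode(reply)      # ACK the request, then answer


def host_read(stub, addr, length) -> bytes:
    """Host side of a forwarded memory read: build 'm', parse the hex reply."""
    resp = stub.handle(rsp_encode(b"m%x,%x" % (addr, length)))
    return bytes.fromhex(rsp_decode(resp[1:]).decode())


def host_write(stub, addr, data: bytes) -> bool:
    """Host side of a forwarded memory write: build 'M', expect 'OK'."""
    resp = stub.handle(rsp_encode(b"M%x,%x:" % (addr, len(data)) + data.hex().encode()))
    return rsp_decode(resp[1:]) == b"OK"


if __name__ == "__main__":
    stub = TargetStub(bytearray(64), 0x20000000, [0] * 16)   # constructed RAM + registers
    host_write(stub, 0x20000010, b"\xde\xad\xbe\xef")
    print(host_read(stub, 0x20000010, 4).hex())
```

Because this is the same framing GDB itself uses, a stub built this way can be exercised with GDB's `target remote` over the serial port before Avatar is pointed at it; the bounds check in `_offset` is what keeps a mistyped address from faulting the device instead of returning `E01`.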

19. Bottlenecks • Emulated execution is much slower than execution on the real device – Memory access forwarding through a low-bandwidth channel is the bottleneck – In one case down to ~10 memory accesses/sec. • Interrupts can saturate the debug connection

20. Improving performance • Transfer execution/state – From the device to the emulator – From the emulator to the device • Migrate memory and code snippets – Keep memory regions in the emulator – Execute IO-intensive pieces of code on the device

21. Full separation mode [Figure: the emulator executes the code while register and memory state remain on the device, with Avatar forwarding every access]

22. Memory access optimization [Figure: memory state is copied into the emulator and only IO memory is still forwarded to the device]

23. Execute code snippets on the device (slides 23-24) [Figure: state and the code snippet are transferred from the emulator to the device, where the snippet executes]
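The orchestration on slides 9-13 and the two optimizations on slides 20-24 (keep memory regions in the emulator, transfer state in both directions) can be shown together in one small model. This is an added example, not Avatar's own code: the device stub, the memory map (RAM at RAM_BASE, peripheral registers STATUS and DATA), the register values and the firmware loop are all constructed so that it runs offline. The device stub counts every call as one round trip on the debug link, which is what makes the "full separation" and "RAM kept locally" configurations comparable; the numbers are properties of this model, not measurements.

```python
"""Avatar-style orchestration between an emulator and a device.  Added example,
not Avatar's own code: device stub, memory map, registers and firmware are constructed."""

RAM_BASE, RAM_SIZE = 0x20000000, 0x100     # assumed device RAM
STATUS, DATA = 0x40000000, 0x40000004      # assumed peripheral registers


class DeviceStub:
    """Stands in for the target behind JTAG or a serial GDB stub.  Memory is a map of
    32-bit words; every method call is one round trip on the slow debug link."""

    def __init__(self, io_regs):
        self.words = dict(io_regs)          # RAM and peripheral registers, addr -> word
        self.regs = {"r0": 0, "r1": 0, "sp": RAM_BASE + RAM_SIZE, "pc": 0x08000100}
        self.round_trips = 0

    def read32(self, addr):
        self.round_trips += 1
        return self.words.get(addr, 0)

    def write32(self, addr, value):
        self.round_trips += 1
        self.words[addr] = value & 0xFFFFFFFF

    def get_regs(self):                     # like a GDB 'g' packet
        self.round_trips += 1
        return dict(self.regs)

    def set_regs(self, regs):               # like a GDB 'G' packet
        self.round_trips += 1
        self.regs = dict(regs)

    def dump_ram(self):                     # one bulk read of the whole RAM region
        self.round_trips += 1
        return {a: self.words.get(a, 0) for a in range(RAM_BASE, RAM_BASE + RAM_SIZE, 4)}

    def load_ram(self, image):              # one bulk write back
        self.round_trips += 1
        self.words.update(image)


class Avatar:
    """Routes each emulator memory access: forwarded regions go to the device,
    local regions are served from the emulator's own copy."""

    def __init__(self, device, regions):
        self.device = device
        self.regions = regions              # list of (start, size, forward_to_device)
        self.local = {}                     # addr -> word for local regions
        self.regs = {}
        self.ram_local = not self._forwarded(RAM_BASE)

    def _forwarded(self, addr):
        for start, size, forward in self.regions:
            if start <= addr < start + size:
                return forward
        raise ValueError(f"unmapped address {addr:#x}")

    def read32(self, addr):
        if self._forwarded(addr):
            return self.device.read32(addr)
        return self.local.get(addr, 0)

    def write32(self, addr, value):
        if self._forwarded(addr):
            self.device.write32(addr, value)
        else:
            self.local[addr] = value & 0xFFFFFFFF

    def transfer_to_emulator(self):
        """Device -> emulator: registers always, the RAM image once if kept locally."""
        self.regs = self.device.get_regs()
        if self.ram_local:
            self.local.update(self.device.dump_ram())

    def transfer_to_device(self):
        """Emulator -> device: push registers and, if local, the RAM image back."""
        self.device.set_regs(self.regs)
        if self.ram_local:
            self.device.load_ram(self.local)


def firmware(av, nwords=8):
    """Constructed I/O-heavy firmware: poll a status register, copy words from a data
    register into a RAM buffer, then checksum the buffer (RAM accesses only)."""
    buf = RAM_BASE + 0x40
    for i in range(nwords):
        while (av.read32(STATUS) & 1) == 0:  # wait for 'data ready'
            pass
        av.write32(buf + 4 * i, av.read32(DATA))
    total = 0
    for i in range(nwords):
        total = (total + av.read32(buf + 4 * i)) & 0xFFFFFFFF
    av.write32(RAM_BASE, total)
    av.regs["r0"] = total                   # emulated CPU state that must go back too
    return total


def run(ram_local):
    """Full separation (ram_local=False) versus RAM kept in the emulator (True).
    Returns (checksum, round trips on the debug link, device)."""
    dev = DeviceStub({STATUS: 1, DATA: 0x41})
    regions = [(RAM_BASE, RAM_SIZE, not ram_local),      # RAM: local or forwarded
               (0x40000000, 0x1000, True)]               # peripherals: always forwarded
    av = Avatar(dev, regions)
    av.transfer_to_emulator()
    total = firmware(av)
    av.transfer_to_device()
    return total, dev.round_trips, dev


if __name__ == "__main__":
    for mode in (False, True):
        total, trips, _ = run(mode)
        print(f"ram_local={mode}: checksum={total:#x}, debug-link round trips={trips}")
```

In this model the same firmware costs 35 round trips in full separation mode and 20 with RAM held in the emulator, and the difference grows with every RAM-only instruction the firmware executes; what does not change is the peripheral traffic, which is why slide 20 moves IO-intensive snippets onto the device instead. The bulk copy in `load_ram` is also where slide 31's DMA caveat bites: a DMA engine writing RAM behind the emulator's back would be overwritten by the stale local image.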


26. Use case: Hard Disk • Recover bootloader protocol with symbolic execution – Inject GDB stub – Instrument flash loading – Inject symbolic values for data read from serial port – Keep track of which input leads into which code flow http://www.s3.eurecom.fr/docs/ndss14_zaddach.pdf

27. Use case: GSM Phone • Search for vulnerabilities in the SMS decoding routine – Connect through JTAG – Execute on device until SMS decoding – Replace SMS payload with symbolic values – Check for symbolic values in • program counter • load/store address

28. Use case: Econotag • Find proof-of-concept bug in user application – Connect through JTAG – Execute on device until a Zigbee packet arrives – Replace payload with symbolic values – Check for symbolic values in • program counter • load/store address
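The check used in the GSM and Econotag use cases, "does a symbolic value reach the program counter or a load/store address", can be demonstrated on a toy ARM-like instruction set. This is an added example, not code from Avatar or S2E, and it substitutes taint tracking for symbolic execution: registers and memory bytes only record whether they depend on the marked payload, which is enough to reproduce the check itself. The instruction set, the memory layout (PAYLOAD_BASE, TABLE_BASE), the handler table and the two sample programs are constructed.

```python
"""Flag input-dependent load/store addresses and branch targets on a toy ISA.
Added example (taint tracking, not symbolic execution); everything is constructed."""
from collections import namedtuple

Finding = namedtuple("Finding", "pc kind register")
MASK = 0xFFFFFFFF
PAYLOAD_BASE, TABLE_BASE = 0x100, 0x200   # constructed memory layout


class TaintCPU:
    """Toy ARM-like interpreter.  Registers and memory bytes carry a flag meaning
    'depends on the payload'; a flagged register used as a load/store base or as a
    branch target is the condition the use cases check for."""

    def __init__(self, mem, tainted_bytes):
        self.mem = bytearray(mem)
        self.tainted = set(tainted_bytes)       # addresses holding payload-derived bytes
        self.regs = {f"r{i}": 0 for i in range(8)}
        self.rtaint = set()                     # registers holding payload-derived values
        self.findings = []

    def _set(self, rd, value, tainted):
        self.regs[rd] = value & MASK
        (self.rtaint.add if tainted else self.rtaint.discard)(rd)

    def _address(self, pc, rn, off, size, kind):
        addr = (self.regs[rn] + off) & MASK
        if rn in self.rtaint:
            self.findings.append(Finding(pc, f"symbolic {kind} address", rn))
        if addr + size > len(self.mem):
            raise IndexError(f"{kind} outside memory at {addr:#x} (pc={pc})")
        return addr

    def step(self, pc, ins):
        op = ins[0]
        if op == "mov":                          # mov rd, #imm
            self._set(ins[1], ins[2], False)
        elif op == "add":                        # add rd, rn, rm
            _, rd, rn, rm = ins
            self._set(rd, self.regs[rn] + self.regs[rm], rn in self.rtaint or rm in self.rtaint)
        elif op in ("ldrb", "ldr"):              # ldr{b} rd, [rn, #off]
            _, rd, rn, off = ins
            size = 1 if op == "ldrb" else 4
            addr = self._address(pc, rn, off, size, "load")
            # a value fetched through a symbolic address is itself symbolic, as is
            # one fetched from payload bytes
            tainted = rn in self.rtaint or any(a in self.tainted for a in range(addr, addr + size))
            self._set(rd, int.from_bytes(self.mem[addr:addr + size], "little"), tainted)
        elif op in ("strb", "str"):              # str{b} rt, [rn, #off]
            _, rt, rn, off = ins
            size = 1 if op == "strb" else 4
            addr = self._address(pc, rn, off, size, "store")
            self.mem[addr:addr + size] = (self.regs[rt] & ((1 << 8 * size) - 1)).to_bytes(size, "little")
            for a in range(addr, addr + size):
                (self.tainted.add if rt in self.rtaint else self.tainted.discard)(a)
        elif op == "bx":                         # bx rn: jump to the instruction index in rn
            if ins[1] in self.rtaint:
                self.findings.append(Finding(pc, "symbolic program counter", ins[1]))
            return self.regs[ins[1]]
        else:
            raise ValueError(f"unknown instruction {op}")
        return pc + 1

    def run(self, program, max_steps=1000):
        pc = 0
        for _ in range(max_steps):
            if not 0 <= pc < len(program):
                break                            # fell off the end: done
            pc = self.step(pc, program[pc])
        return self.findings


def analyze(program, payload):
    """Place the payload in memory, mark its bytes symbolic and run the program."""
    mem = bytearray(0x300)
    mem[PAYLOAD_BASE:PAYLOAD_BASE + len(payload)] = payload
    mem[TABLE_BASE + 4:TABLE_BASE + 8] = (8).to_bytes(4, "little")   # handler table entry
    cpu = TaintCPU(mem, range(PAYLOAD_BASE, PAYLOAD_BASE + len(payload)))
    return cpu.run(program)


# Constructed decoder that trusts the first payload byte as a table index and an offset
UNCHECKED_DECODER = [
    ("mov", "r0", PAYLOAD_BASE),   # r0 = payload (concrete)
    ("ldrb", "r1", "r0", 0),       # r1 = payload[0], the message type: symbolic
    ("mov", "r2", TABLE_BASE),     # r2 = handler table (concrete)
    ("add", "r3", "r2", "r1"),     # r3 = table + type: symbolic
    ("ldr", "r4", "r3", 0),        # load through a symbolic address  -> finding
    ("add", "r5", "r0", "r1"),     # r5 = payload + type: symbolic
    ("strb", "r1", "r5", 0),       # store through a symbolic address -> finding
    ("bx", "r4"),                  # branch to a symbolic target       -> finding
    ("mov", "r7", 1),              # index 8: the handler reached for type 4
]

# Constructed decoder that only copies the byte to a fixed location: no finding
SAFE_COPY = [
    ("mov", "r0", PAYLOAD_BASE),
    ("ldrb", "r1", "r0", 0),
    ("mov", "r2", PAYLOAD_BASE + 0x80),
    ("strb", "r1", "r2", 0),
]

if __name__ == "__main__":
    for f in analyze(UNCHECKED_DECODER, b"\x04ABC"):
        print(f"pc={f.pc}: {f.kind} via {f.register}")
```

Taint only answers the dependency question. With symbolic execution the same check comes with a path constraint: a bounds check on the type byte before the table lookup becomes a constraint on the symbolic address, and a solver can decide whether an out-of-range value is still feasible on that path, which plain taint cannot distinguish.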

29. We are adding more devices


31. Future work • Enhance state consistency – DMA memory changes not tracked • Automatically emulate peripherals • Improve symbolic execution – Coherency between HW and SW – Improve bug-finding strategies

32. Conclusion • AVATAR is a modular open-source tool to – Enable dynamic analysis – And perform symbolic execution – On embedded devices – Where only binary code is available → A first step towards better analysis tools for embedded systems!

33. Questions? • Thank you for listening! • Open source on github: https://github.com/eurecom-s3/avatar-python • Project page: http://s3.eurecom.fr/tools/avatar/ Thanks to Pascal Sachs and Luka Malisa who built an earlier prototype of the system, and Lucian Cojocar for applying and extending AVATAR

34. References • AVATAR web page: http://www.s3.eurecom.fr/tools/avatar/ • AVATAR: A Framework to Support Dynamic Security Analysis of Embedded Systems' Firmwares, Jonas Zaddach, Luca Bruno, Aurélien Francillon, Davide Balzarotti • Howard: a dynamic excavator for reverse engineering data structures, Asia Slowinska, Traian Stancescu, Herbert Bos • KLEE webpage: http://ccadar.github.io/klee/ • S2E webpage: https://s2e.epfl.ch/ • S2E: A Platform for In-Vivo Multi-Path Analysis of Software Systems, Vitaly Chipounov, Volodymyr Kuznetsov, George Candea • The S2E Platform: Design, Implementation, and Applications, Vitaly Chipounov, Volodymyr Kuznetsov, George Candea • QEMU webpage: http://qemu.org • Dowsing for Overflows: A Guided Fuzzer to Find Buffer Boundary Violations, Istvan Haller, Asia Slowinska, Matthias Neugschwandtner, Herbert Bos

35. Injecting a debugger • Requires writing and executing memory – Debug menus allow this sometimes – A code execution vulnerability can be used • Requires a communication channel – Serial port, GPIO, Power consumption, … • Requires an unused memory location in the firmware – Stub is about 3k of code


38. Transfer execution from emulator to device (slides 38-39) [Figure: Avatar copies register and memory state from the emulator to the device, which then continues execution]

40. Transfer execution from device to emulator (slides 40-41) [Figure: Avatar copies register and memory state from the device to the emulator, which then continues execution]

42. Software interrupts • Software Interrupts – Are issued by an interrupt instruction in the code • Can be entirely emulated – Qemu manages calling of software interrupt handlers http://home.netcom.com/~swansont/interrupt.jpg

43. Task completion interrupts • Triggered by application requests – Responses aligned with firmware execution speed – E.g., signal that a requested DMA transfer has finished • Can be forwarded from the device to the emulator – A stub on the device traps interrupts and forwards them

44. External event interrupts • Signals an external event – Events aligned to wall-clock instead of execution time – E.g., that a time span has elapsed • Solution depends – Controllable interrupts can be forwarded – Uncontrollable interrupts need to be synthesized • Original interrupts are suppressed • Emulated interrupts are inserted according to emulated execution speed
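The three interrupt classes on slides 42-44 can be handled by one broker sitting between the on-device stub and the emulator. This is an added example, not Avatar's code: the interrupt names, the device's 10 ms hardware timer, the emulated instruction rate and the timeline in `scenario()` are constructed. Software interrupts stay inside the emulator, DMA-completion interrupts trapped by the stub are forwarded in arrival order, and the device's wall-clock timer interrupts are suppressed and re-synthesized every `period_insns` emulated instructions, so the number of ticks the firmware sees follows emulated progress rather than the wall clock.

```python
"""Interrupt delivery between device and emulator.  Added example, not Avatar's
own code: interrupt sources, the device timer and the timeline are constructed."""
from collections import deque

SWI, DMA_DONE, TIMER = "swi", "dma_done", "timer"   # constructed interrupt sources


class InterruptBroker:
    def __init__(self, timer_period_insns, forwarded=(DMA_DONE,), synthesized=(TIMER,)):
        self.period = timer_period_insns       # emulated instructions per synthetic tick
        self.forwarded, self.synthesized = set(forwarded), set(synthesized)
        self.pending = deque()                 # IRQs to inject into the emulator, in order
        self.insns = 0                         # emulated instructions executed so far
        self.suppressed = 0                    # device timer IRQs dropped

    def from_device(self, irq):
        """Called for every interrupt the on-device stub traps."""
        if irq in self.forwarded:              # aligned with firmware progress: forward it
            self.pending.append(irq)
        elif irq in self.synthesized:          # aligned with the wall clock: suppress it
            self.suppressed += 1
        else:
            raise ValueError(f"unexpected device interrupt {irq!r}")

    def from_emulator(self, irq):
        """Software interrupt raised by an instruction in the emulated code; the
        device is never involved."""
        self.pending.append(irq)

    def executed(self, n=1):
        """Account n emulated instructions; synthesize timer ticks at emulated speed."""
        ticks_before = self.insns // self.period
        self.insns += n
        self.pending.extend([TIMER] * (self.insns // self.period - ticks_before))

    def drain(self):
        """Hand the pending interrupts to the emulator in arrival order."""
        out = list(self.pending)
        self.pending.clear()
        return out


def scenario(insns_per_ms, wall_ms=100, period_insns=50, timer_ms=10, dma_at_ms=30, swi_at_ms=1):
    """Constructed timeline: the device's hardware timer fires every timer_ms of wall
    clock, a DMA transfer completes at dma_at_ms, the emulated code issues a software
    interrupt at swi_at_ms, and the emulator executes insns_per_ms instructions per ms."""
    broker = InterruptBroker(period_insns)
    delivered = []
    for ms in range(1, wall_ms + 1):
        if ms % timer_ms == 0:
            broker.from_device(TIMER)
        if ms == dma_at_ms:
            broker.from_device(DMA_DONE)
        broker.executed(insns_per_ms)
        if ms == swi_at_ms:
            broker.from_emulator(SWI)
        delivered.extend(broker.drain())
    return delivered, broker.suppressed


if __name__ == "__main__":
    for rate in (1, 10):
        seq, dropped = scenario(rate)
        print(f"{rate} insn/ms: {len(seq)} IRQs delivered ({seq.count(TIMER)} synthetic "
              f"timer ticks), {dropped} device timer IRQs suppressed")
```

Running `scenario(1)` and `scenario(10)` makes the point of slide 44: the device fires 10 timer interrupts in both runs, but the emulator receives 2 synthetic ticks at 1 instruction/ms and 20 at 10 instructions/ms, each matching the emulated progress, while the DMA completion and the software interrupt are delivered exactly once in both. Invoking the handler itself (the vector lookup QEMU performs) is outside this model.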
