contents
play

Contents 1. Binary firmware analysis 2. Tooling landscape 3. The - PowerPoint PPT Presentation

Nov 08, 2023 •2.73k likes •3.29k views

avatar 2 Marius Muench 34c3 - December 29, 2017 Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples 5. Conclusion 1 Binary Firmware Analysis Motivation Amount of embedded devices steadily

  1. avatar 2 Marius Muench 34c3 - December 29, 2017

  2. Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples 5. Conclusion 1

  3. Binary Firmware Analysis

  4. Motivation • Amount of embedded devices steadily increasing • Misconfigurations, bugs, and vulnerabilities are common • A lot of reported vulnerabilities are ”low-hanging fruits” • Discovery of more complex bugs benefits from sophisticated tooling 2

  5. Major Challenges • Variety of platforms • Memory layout • Peripherals • Often no OS-level abstractions • Many devices use monolithic firmware • Hardware interactions are embedded in firmware code • Memory Mapped I/O • Interrupts • Variety of architectures 3

  6. https://en.wikipedia.org/wiki/List of ARM microarchitectures#Designed by ARM 3

  7. Further Challenges • Instrumentation • Emulation • Fault detection • Interrupt handling • Microarchitecture dependent instructions 4

  8. Tooling Landscape

  9. Binary Analysis Tools for Firmware • A lot of binary analysis tools for desktop software • Way less for embedded devices software • Especially when considering open source tools • Often, challenges for embedded devices exceed capabilities of static analysis tools • Assumuption about environment may not hold true • Difficult to infer peripheral behaviour and interrupts 5

  10. FiE • Based on KLEE • Targets MSP430 firmware • Symbolic Execution • Uses explicit analysis, memory and interrupt specifications Davidson, Drew, et al. ”FIE on Firmware: Finding Vulnerabilities in Embedded Systems Using Symbolic Execution.” USENIX Security Symposium 2013. 6

  11. FiE • Based on KLEE • Targets MSP430 firmware • Symbolic Execution • Uses explicit analysis, memory and interrupt specifications • Requires source code of firmware Davidson, Drew, et al. ”FIE on Firmware: Finding Vulnerabilities in Embedded Systems Using Symbolic Execution.” USENIX Security Symposium 2013. 6

  12. Firmadyne • Based on Qemu • Targets ARM & MIPS firmware • Instrumented Linux kernel • Automated analysis of web pages and SNMP implementations • Automated testing with known exploits Chen, Daming D., et al. ”Towards Automated Dynamic Analysis for Linux-based Embedded Firmware.” NDSS 2016. 7

  13. Firmadyne • Based on Qemu • Targets ARM & MIPS firmware • Instrumented Linux kernel • Automated analysis of web pages and SNMP implementations • Automated testing with known exploits • Works only for Linux based firmware with no too specific kernel modules Chen, Daming D., et al. ”Towards Automated Dynamic Analysis for Linux-based Embedded Firmware.” NDSS 2016. 7

  14. LuaQemu • Based on instrumented QEMU • Work in progress • Example targets BCM4358 firmware • Prototyping of Boards with LUA • Instrumentation capabilities https://github.com/Comsecuris/luaqemu 8

  15. LuaQemu • Based on instrumented QEMU • Work in progress • Example targets BCM4358 firmware • Prototyping of Boards with LUA • Instrumentation capabilities • Requires a significant amount of modeling and trial & error https://github.com/Comsecuris/luaqemu 8

  16. Avatar • Based on S 2 E (QEMU+KLEE) and OpenOCD/GDB • Targets ARM firmware • Partial emulation together with real hardware • I/O forwarding • Orchestration • Symbolic Execution Zaddach, Jonas, et al. ”AVATAR: A Framework to Support Dynamic Security Analysis of Embedded Systems’ Firmwares.” NDSS 2014. 9

  17. Avatar • Based on S 2 E (QEMU+KLEE) and OpenOCD/GDB • Targets ARM firmware • Partial emulation together with real hardware • I/O forwarding • Orchestration • Symbolic Execution • Heavily tied to the S 2 E infrastructure • Requires the presence of the physical device Zaddach, Jonas, et al. ”AVATAR: A Framework to Support Dynamic Security Analysis of Embedded Systems’ Firmwares.” NDSS 2014. 9

  18. Observations • A lot of focus on ARM • QEMU’s emulation capabilities are a common building block • Frameworks are heavily bound to underlying components 10

  19. The avatar 2 framework

  20. The big picture • Dynamic Multi-Target Orchestration and Instrumentation Framework • Focus on firmware analysis • Python based framework • Re-designed and re-implemented from scratch • Open source: https://github.com/avatartwo • Research project • Released in June 2017 11

  21. Who? • Developed by the Software and System Security Group at Eurecom • Specifically: • Marius Muench • Dario Nisi • Aur´ elien Francillon • Davide Balzarotti http://s3.eurecom.fr/ 12

  22. main goals • Target orchestration • Abstraction of debuggers, emulators and other frameworks • Easy addition of new targets • Separation of execution and memory • Enables I/O forwarding/remote memory • State transfer and synchronization • Don’t keep the state of analysed software local to single targets 13

  23. avatar 2 - components • avatar 2 core • Targets • Endpoints • Protocols 14

  24. avatar 2 - architecture overview Avatar 2 . . . T arget 0 T arget n . . . Execution Memory Register Execution Memory Register Protocol Protocol Protocol Protocol Protocol Protocol . . . Endpoint n Endpoint 0 15

  25. Implemented Targets 16

  26. Implemented Targets GDB 16

  27. Implemented Targets GDB QEMU 16

  28. Implemented Targets GDB PANDA QEMU 16

  29. Implemented Targets GDB PANDA QEMU angr 1 1 Still under development 16

  30. Changes to QEMU Avatar 2 provides a costomized QEMU • All located in a single subfolder: hw/avatar • New board: Configurable Machine • Already present in the first avatar • Allows flexible configuration of emulated hardware • New peripheral: avatar-peripheral • Communicates with avatar 2 via posix message queues • Utilizes custom remote-memory protocol 17

  31. Additional features • Architecture independent design • Internal memory layout representation • Legacy python support • Peripheral modeling • Plugin System • Assembler/Disassembler • Orchestrator • Instruction Forwarder 18

  32. Examples

  33. avatar 2 -scripting: High-Level Overview An avatar 2 scripts needs to: 1. Create the Avatar-object 2. Define a set of targets 3. Optionally define memory layout 4. Specify an execution plan 19

  34. Hello World Demo 20

  35. Binary Instrumentation • Let’s move on to a real target! • Proof of concept implementation of HARVEY 2 • Malware for a COTS PLC • The plc utilizes multiple boards • Code injection via JTAG 2 Garcia, Luis, et al. ”Hey, My Malware Knows Physics Attacking PLCs with Physical Model Aware Rootkit.” NDSS 2016. 21

  36. Binary Instrumentation (Fragile) Demo 22

  37. Demo backup ;) 23

  38. Improving Fault Detection • Part of WYCINWYC 3 • Joint work with SIEMENS • Investigates challenges specific to fuzz testing embedded devices • Fault detection • Instrumentation • Scalability • Evaluates different strategies to aid fuzz-testing • Uses avatar 2 for partial and full emulation of the firmware 3 Muench, Marius, et.al. ”What you corrupt is not what you crash: Challenges in Fuzzing Embedded Devices” To be presented at NDSS 2018 24

  39. The setup • Two Targets • STM32l152re • PANDA • Target Software • expat, a popular XML-parser • Artificially inserted vulnerabilities • Orchestration • Board initilization on physical device • Emulation of main-loop inside PANDA • Analysis • 5 PANDA plugins to detect different types of vulnerabilities • Mimicry of existing techniques for desktop software • Doesn’t require modification of the firmware 25

  40. Evaluation • 100 Fuzzing sessions in different setups • Native • Partial emulation with I/O forwarding • Partial emulation with avatar 2 -peripherals • Full emulation • Plugins could detect previously undetected faults • Full emulation provided better performance than native fuzzing • More details in the paper: http://s3.eurecom.fr/docs/ndss18 muench.pdf 26

  41. Record & Replay • Dynamic binary analysis of firmware requires often the device • PANDA allows to record and replay execution • Allows exchange of executions fur further analysis without the device 27

  42. Record & Replay Demo 28

  43. Symbolic Execution and Complex Software (WIP) • Firefox with inserted bug • Executed concretely inside gdb until function of interest • Analysis of only one thread • Automated memory layout extraction from gdb • Transfer of layout into angr • Copy-On-Read • Symbolic function arguments 29

  44. Symbolic Execution and Complex Software (WIP) Preliminary Results: • Approximatly 10 minutes of runtime • 36 executed basic blocks • 21 uniquely accessed pages • Found the bug 30

  45. Examples: Recap 5 Examples: • Dynamic Instrumentation of GDB • Dynamic Instrumentation of a plc • Fault Detection with an development board and PANDA • Record and Replay with an development board and PANDA • Symbolic Execution with firefox and gdb 31

  46. Conclusion

  47. Conclusion • Dynamic firmware analysis is still a challenging topic • Avatar 2 aims to tackle some of the challenges • Multi-target orchestration is not limited to firmware 32

  48. Plans for 2018 • Move main development to github • Introduce proper versioning • More, exciting targets 33

Recommend

Contents Contents Fluid

Contents Contents Fluid

Physics-based Fluid Simulations for Computer Graphics Ryoichi Ando Contents Contents Fluid Solver Contents Fluid Solver Surface Tracker Contents Fluid Solver Surface

2.14k views • 175 slides
Contents Contents.....2 Butter

Contents Contents.....2 Butter

4/8/2019 Milkfat Ingredients, from Cream to AMF 2019 ADPI Dairy 360 Contents Contents.....2 Butter Definition..12 Churning Process..13 Farm Separated

582 views • 9 slides
17 www.scad.ae Table of Contents Table of Contents

17 www.scad.ae Table of Contents Table of Contents

Statistical Report Writing and Data Presentation Guide Methodology and Quality Guides - No. (17) 17 www.scad.ae Table of Contents Table of Contents

1.03k views • 41 slides
Level 1, V2.0 Level 1, V2.0 1 Course Contents Course Contents Course Contents Course

Level 1, V2.0 Level 1, V2.0 1 Course Contents Course Contents Course Contents Course

August 2008 Training Manual: Training Manual: KI7400 & 7800 Series Sources KI7400 & 7800 Series Sources Level 1, V2.0 Level 1, V2.0 1 Course Contents Course Contents Course Contents Course Contents 1 1. General features

590 views • 19 slides
Trigger and DAQ at LHC Trigger and DAQ at LHC C.Schwick Contents Contents INTRODUCTION The

Trigger and DAQ at LHC Trigger and DAQ at LHC C.Schwick Contents Contents INTRODUCTION The

Trigger and DAQ at LHC Trigger and DAQ at LHC C.Schwick Contents Contents INTRODUCTION The context: LHC & experiments PART1: Trigger at LHC Requirements & Concepts Muon and Calorimeter triggers (CMS and ATLAS) Specific solutions

972 views • 66 slides
Trigger and DAQ at LHC Trigger and DAQ at LHC C.Schwick Contents Contents INTRODUCTION The

Trigger and DAQ at LHC Trigger and DAQ at LHC C.Schwick Contents Contents INTRODUCTION The

Trigger and DAQ at LHC Trigger and DAQ at LHC C.Schwick Contents Contents INTRODUCTION The context: LHC & experiments PART1: Trigger at LHC Requirements & Concepts Muon and Calorimeter triggers (CMS and ATLAS) Specific solutions

1.19k views • 90 slides
CONTENTS CONTENTS 1 6 INTRODUCTION APPLICATION 2 ORGANIZATION 7 DISTRIBUTION

CONTENTS CONTENTS 1 6 INTRODUCTION APPLICATION 2 ORGANIZATION 7 DISTRIBUTION

CONTENTS CONTENTS 1 6 INTRODUCTION APPLICATION 2 ORGANIZATION 7 DISTRIBUTION PROCESS 3 8 BUSINESS SCOPE APPROVAL 4 9 FACILITY REFERENCE 5 10 PRODUCT SUMMARY CERTIFICATE 1. INTRODUCTION 1.

818 views • 19 slides
Introduction To Tcl/Tk Introduction To Tcl/Tk - Contents - Contents Whats Tcl/Tk? 3

Introduction To Tcl/Tk Introduction To Tcl/Tk - Contents - Contents Whats Tcl/Tk? 3

Introduction To Tcl/Tk Introduction To Tcl/Tk - Contents - Contents Whats Tcl/Tk? 3 Getting Started 4 Tcl Scripting 5 Basics 5 Variable Substitution 6 Command Substitution 6 Controlling Word Structure 7 Comment 7 Command Line

1.87k views • 18 slides
September 2019 02 CONTENTS 02 VILLA GUASTAVILLANI 03 CONTENTS 04 WHO WE ARE 05 PURPOSE

September 2019 02 CONTENTS 02 VILLA GUASTAVILLANI 03 CONTENTS 04 WHO WE ARE 05 PURPOSE

September 2019 02 CONTENTS 02 VILLA GUASTAVILLANI 03 CONTENTS 04 WHO WE ARE 05 PURPOSE 06 GENERATIVE EDUCATION 07 WHAT WE DO 08 KEY FACTS 09 OUR PROGRAMS 10 DIGITAL TRANSFORMATON 11 SUSTAINABILITY 12 ALUMNI 03 WHO WE ARE

502 views • 18 slides
Oasys Post-Processing: Did you know?... Back to Contents Slide 1 Contents Shortcuts

Oasys Post-Processing: Did you know?... Back to Contents Slide 1 Contents Shortcuts

Oasys Post-Processing: Did you know?... Back to Contents Slide 1 Contents Shortcuts Quick Find Integration with PRIMER Undocking Menus User Defined Components Material Extra Data FAST-TCF Curve Table

1.58k views • 81 slides
Contents Contents Tables i i Figures v v 1.0 1.0 Introduction 1 1 2.0 2.0 Me

Contents Contents Tables i i Figures v v 1.0 1.0 Introduction 1 1 2.0 2.0 Me

i Contents Contents Tables i i Figures v v 1.0 1.0 Introduction 1 1 2.0 2.0 Me Methodology thodology 3 3 3.0 3.0 Knowsley 5 5 3.1 3.1 Drug Drug Te Testing sting Data Data 5 5 3.2 3.2 Assessments (DIR) 7 7 3.3 3.3

1.06k views • 68 slides
Engagement with the Commonwealth 1 PRESENTATION CONTENTS Contents Economic Impact Study

Engagement with the Commonwealth 1 PRESENTATION CONTENTS Contents Economic Impact Study

Engagement with the Commonwealth 1 PRESENTATION CONTENTS Contents Economic Impact Study UVAs Role in Economic Development Industry Attraction and Retention Addressing Workforce Needs Innovation, Entrepreneurship, and

416 views • 39 slides
MOCK-UP Table of Contents

MOCK-UP Table of Contents

Cr par Laura Belloni Introduction to the Canadian Securities Administrators MOCK-UP Table of Contents _______________________________________________________________________________________ 2 Table of Contents Message from the Chair

510 views • 30 slides
WELCOME TO THE EXTRAORDINARY GENERAL MEETING 21 NOVEMBER 2017 CONTENTS CONTENTS THE

WELCOME TO THE EXTRAORDINARY GENERAL MEETING 21 NOVEMBER 2017 CONTENTS CONTENTS THE

Local Property Overseas Property Purpose Built Student Construction Dormitory Development Development Accommodation WELCOME TO THE EXTRAORDINARY GENERAL MEETING 21 NOVEMBER 2017 CONTENTS CONTENTS THE RESOLUTIONS WHY THIS EGM IS

229 views • 18 slides
Contents Contents 1. Establishment of a Big Data Roadmap of the Korean Government 2.

Contents Contents 1. Establishment of a Big Data Roadmap of the Korean Government 2.

April 2013 Ki-bong Park Pilot Project MSIS2013(2013.4.23~ 25, Bangkok) Contents Contents 1. Establishment of a Big Data Roadmap of the Korean Government 2. Beginning of Big Data Use 3.

495 views • 7 slides
HANDOUTS 1 Slide 2 Handout contents Page 2-3 Handout contents 4 Introduction 5 - 6 Paying

HANDOUTS 1 Slide 2 Handout contents Page 2-3 Handout contents 4 Introduction 5 - 6 Paying

Slide 1 Civil Service Pensions Thinking about retirement HANDOUTS 1 Slide 2 Handout contents Page 2-3 Handout contents 4 Introduction 5 - 6 Paying your pension from HR to Capita Hartshead 7 - 8 Benefit Overview ( classic,

668 views • 38 slides
TO THE AA Investor presentation H1 17 Interims CONTENTS, IR CONTACTS AND DEFINITIONS CONTENTS

TO THE AA Investor presentation H1 17 Interims CONTENTS, IR CONTACTS AND DEFINITIONS CONTENTS

INTRODUCTION TO THE AA Investor presentation H1 17 Interims CONTENTS, IR CONTACTS AND DEFINITIONS CONTENTS IR CONTACTS DEFININTIONS THAT APPLY THROUGHOUT Jill Sherratt Trading Revenue: Revenue excluding Head of Investor Relations

834 views • 64 slides
Annual Results 2019 CONTENTS Presenters Contents Paul Williams Introduction and overview 01

Annual Results 2019 CONTENTS Presenters Contents Paul Williams Introduction and overview 01

Annual Results 2019 CONTENTS Presenters Contents Paul Williams Introduction and overview 01 Damian Wisniewski Results and fjnancial review 14 Nigel George Valuation and portfolio analysis 25 David Silverman Leasing, asset management and

1.36k views • 104 slides
Organizing My I.B. Portfolio Table of Contents The table of contents displays the order of

Organizing My I.B. Portfolio Table of Contents The table of contents displays the order of

Organizing My I.B. Portfolio Table of Contents The table of contents displays the order of the portfolio dividers & work samples . In what place order should the Identities & relationships divider be placed? (select a choice

1.29k views • 50 slides
2014 Investment Statement: Managing the Crowns B l Balance Sheet Sh t Contents Contents

2014 Investment Statement: Managing the Crowns B l Balance Sheet Sh t Contents Contents

2014 Investment Statement: Managing the Crowns B l Balance Sheet Sh t Contents Contents I t Introduction d ti O Overarching themes hi th Ri ht Right assets t Managed risks Fiscal sustainability Areas of focus Introduction

585 views • 39 slides
K K N bar N

K K N bar N

K K N bar N bar Nara Women's University Contents Contents Properties of (1405) state Meson exchange K bar N potential

594 views • 55 slides
31 December 2016 CONTENTS CONTENTS OVERVIEW MARKET REVIEW OPERATIONAL REVIEW FINANCIAL REVIEW

31 December 2016 CONTENTS CONTENTS OVERVIEW MARKET REVIEW OPERATIONAL REVIEW FINANCIAL REVIEW

Audited Annual Results for the year ended 31 December 2016 CONTENTS CONTENTS OVERVIEW MARKET REVIEW OPERATIONAL REVIEW FINANCIAL REVIEW OUTLOOK Disclaimer The information presented in this presentation is of a general nature and the

491 views • 34 slides
ICII ROBOTS ICII ROBOTS Ing. Frantiek Ducho Ing. Marian Kik Contents Contents

ICII ROBOTS ICII ROBOTS Ing. Frantiek Ducho Ing. Marian Kik Contents Contents

Institute of Control and Industrial Informatics Faculty of Electrical Engineering and Information T echnology Slovak University of T echnology ICII ROBOTS ICII ROBOTS Ing. Frantiek Ducho Ing. Marian Kik Contents Contents

415 views • 24 slides
DERWENT LONDON PLC CONTENTS Presenters Contents John Burns Introduction and overview 01 Simon

DERWENT LONDON PLC CONTENTS Presenters Contents John Burns Introduction and overview 01 Simon

INTERIM RESULTS 2018 DERWENT LONDON PLC CONTENTS Presenters Contents John Burns Introduction and overview 01 Simon Silver Results and financial review 08 Damian Wisniewski Valuation and portfolio analysis 19 Nigel George Developing a

1.19k views • 85 slides

More recommend