embedded devices security firmware reverse engineering
play

Embedded Devices Security Firmware Reverse Engineering Jonas - PowerPoint PPT Presentation

Oct 24, 2022 •403 likes •1.19k views

Embedded Devices Security Firmware Reverse Engineering Jonas Zaddach Andrei Costin Andrei Costin/Jonas Zaddach www.firmware.re 1/78 Administratrivia Please fill-in the BH13US Feedback Form - Thanks! The views of the authors are their

  1. Embedded Devices Security Firmware Reverse Engineering Jonas Zaddach Andrei Costin Andrei Costin/Jonas Zaddach www.firmware.re 1/78

  2. Administratrivia • Please fill-in the BH13US Feedback Form - Thanks! • The views of the authors are their own and do not represent the position of their employers or research labs • By attending this workshop, you agree to use the tools and knowledge acquired only for legal purposes and for activities you have explicit authorization for Andrei Costin/Jonas Zaddach www.firmware.re 2/78

  3. About – Jonas Zaddach • PhD. candidate on "Development of novel binary analysis techniques for security applications" at EURECOM • Co-founder of FIRMWARE.RE • jonas@firmware.re • jonas.zaddach@eurecom.fr Andrei Costin/Jonas Zaddach www.firmware.re 3/78

  4. About – Andrei Costin • PhD. candidate on "Software security in embedded systems" at EURECOM • Co-founder of FIRMWARE.RE • Author of MFCUK and BT5-RFID (RFID security) • Researcher on security of: printers, ADS-B • andrei@firmware.re • andrei.costin@eurecom.fr Andrei Costin/Jonas Zaddach www.firmware.re 4/78

  5. About – EURECOM Andrei Costin/Jonas Zaddach www.firmware.re 5/78

  6. About – EURECOM Table: Eurecom Research Results – Publications Year Total No. of publ. Cosigned with Ext. Labs Cosigned with Intl. Labs Conf. Journals/Papers Books/Chapters Scientific Reports Patents H-number/Avg. Top 10 2012 276 152 113 173 45 3 17 1 18,00 / 26,20 2011 240 156 108 160 35 19 14 0 16,00 / 23,40 2010 267 141 100 179 39 10 15 0 15,04 / 22,60 Andrei Costin/Jonas Zaddach www.firmware.re 6/78

  7. Introduction Introduction Andrei Costin/Jonas Zaddach www.firmware.re 7/78

  8. Workshop Roadmap • 1st part (14:15 – 15:15) • Little bit of theory • Overview of state of the art • 2nd part (15:30 – 16:30) • Encountered formats, tools • Unpacking end-to-end • 3rd part (17:00 – 18:00) • Emulation introduction • Awesome exercises – find your own 0day! Andrei Costin/Jonas Zaddach www.firmware.re 8/78

  9. What is a Firmware? (Ascher Opler) • Ascher Opler coined the term "firmware" in a 1967 Datamation article • Currently, in short: it’s the set of software that makes an embedded system functional Andrei Costin/Jonas Zaddach www.firmware.re 9/78

  10. What is firmware? (IEEE) • IEEE Standard Glossary of Software Engineering Terminology, Std 610.12-1990, defines firmware as follows: • ¨ The combination of a hardware device and computer instructions and data that reside as read-only software on that device. • Notes: (1) This term is sometimes used to refer only to the hardware device or only to the computer instructions or data, but these meanings are deprecated. • Notes: (2) The confusion surrounding this term has led some to suggest that it be avoided altogether˙ " Andrei Costin/Jonas Zaddach www.firmware.re 10/78

  11. Common Embedded Device Classes • Networking – Routers, Switches, NAS, VoIP phones • Surveillance – Alarms, Cameras, CCTV, DVRs, NVRs • Industry Automation – PLCs, Power Plants, Industrial Process Monitoring and Automation • Home Automation – Sensoring, Smart Homes, Z-Waves, Philips Hue • Whiteware – Washing Machine, Fridge, Dryer • Entertainment gear – TV, DVRs, Receiver, Stereo, Game Console, MP3 Player, Camera, Mobile Phone, Toys • Other Devices - Hard Drives, Printers • Cars • Medical Devices Andrei Costin/Jonas Zaddach www.firmware.re 11/78

  12. Common Processor Architectures • ARM (ARM7, ARM9, Cortex) • Intel ATOM • MIPS • 8051 • Atmel AVR • Motorola 6800/68000 (68k) • Ambarella • Axis CRIS Andrei Costin/Jonas Zaddach www.firmware.re 12/78

  13. Common Buses • Serial buses - SPI, I2C, 1-Wire, UART • PCI, PCIExpress • AMBA Andrei Costin/Jonas Zaddach www.firmware.re 13/78

  14. Common Communication Lines • Ethernet - RJ45 • RS485 • CAN/FlexRay • Bluetooth • WIFI • Infrared • Zigbee • Other radios (ISM-Band, etc/) • GPRS/UMTS • USB Andrei Costin/Jonas Zaddach www.firmware.re 14/78

  15. Common Directly Addressable Memory • DRAM • SRAM • ROM • Memory-Mapped NOR Flash Andrei Costin/Jonas Zaddach www.firmware.re 15/78

  16. Common Storage • NAND Flash • SD Card • Hard Drive Andrei Costin/Jonas Zaddach www.firmware.re 16/78

  17. Common Operating Systems • Linux • Perhaps most favourite and most encoutered • VxWorks • Cisco IOS • Windows CE/NT • L4 • eCos • DOS • Symbian • JunOS • Ambarella • etc. Andrei Costin/Jonas Zaddach www.firmware.re 17/78

  18. Common Bootloaders • U-Boot • Perhaps most favourite and most encoutered • RedBoot • BareBox • Ubicom bootloader Andrei Costin/Jonas Zaddach www.firmware.re 18/78

  19. Common Libraries and Dev Envs • busybox + uClibc • Perhaps most favourite and most encoutered • buildroot • openembedded • crosstool • crossdev Andrei Costin/Jonas Zaddach www.firmware.re 19/78

  20. What Challenges Do Firmwares Bring? • Non-standard formats • Encrypted chunks • Non-standard update channels • Firmwares come and go, vendors quickly withdraw them from support/ftp sites • Non-standard update procedures • Printer’s updates via vendor-specific PJL hacks • Gazillion of other hacks Andrei Costin/Jonas Zaddach www.firmware.re 20/78

  21. Updating to a New Firmware • Firmware Update built-in functionality • Web-based upload • Socket-based upload • USB-based upload • Firmware Update function in the bootloader • USB-boot recovery • Rescue partition, e.g.: • New firmware is written to a safe space and integrity-checked before it is activated • Old firmware is not overwritten before new one is active • JTAG/ISP/Parallel programming Andrei Costin/Jonas Zaddach www.firmware.re 21/78

  22. Updating to a New Firmware – Pitfalls • TOCTOU attacks • Non-mutual-authenticating update protocols • Non-signed packages • Non-verified signatures • Incorectly/inconsistently verified signatures • Leaking signature keys Andrei Costin/Jonas Zaddach www.firmware.re 22/78

  23. Why Are Most Firmwares Outdated? Vendor-view • Profit and fast time-to-market first • Support and security comes (if at all!) as an after-thought • Great platform variety raises compilation and maintenance effort • Verification process is cumbersome, takes a lot of time and effort • E.g. for medical devices depends on national standards which require strict verification procedure, sometimes even by the state. Andrei Costin/Jonas Zaddach www.firmware.re 23/78

  24. Why Are Most Firmwares Outdated? Customer-view • ”If it works, don’t touch it!” • High effort for customers to install firmwares • High probability something goes wrong during firmware upgrades • ”Where do I put this upgrade CD into a printer – it has no keyboard nor a monitor nor an optical drive?!” Andrei Costin/Jonas Zaddach www.firmware.re 24/78

  25. Firmware Formats Firmware Formats Andrei Costin/Jonas Zaddach www.firmware.re 25/78

  26. Firmware Formats – Typical Objects Inside • Bootloader (1st/2nd stage) • Kernel • File-system images • User-land binaries • Resources and support files • Web-server/web-interface Andrei Costin/Jonas Zaddach www.firmware.re 26/78

  27. Firmware Formats – Components Category View • Full-blown (full-OS/kernel + bootloader + libs + apps) • Integrated (apps + OS-as-a-lib) • Partial updates (apps or libs or resources or support) Andrei Costin/Jonas Zaddach www.firmware.re 27/78

  28. Firmware Formats – Packing Category View • Pure archives (CPIO/Ar/Tar/GZip/BZip/LZxxx/RPM) • Pure filesystems (YAFFS, JFFS2, extNfs) • Pure binary formats (SREC, iHEX, ELF) • Hybrids (any breed of above) Andrei Costin/Jonas Zaddach www.firmware.re 28/78

  29. Firmware Formats – Flavors • Ar • YAFFS • JFFS2 • SquashFS • CramFS • ROMFS • UbiFS • xFAT • NTFS • extNfs • iHEX • SREC/S19 • PJL • CPIO/Ar/Tar/GZip/BZip/LZxxx/RPM Andrei Costin/Jonas Zaddach www.firmware.re 29/78

  30. Firmware Analysis Firmware Analysis Andrei Costin/Jonas Zaddach www.firmware.re 30/78

  31. Firmware Analysis – Overview • Get the firmware • Reconnaissance • Unpacking • Reuse engineering (check code.google.com and sourceforge.net) • Localize point of interest • Decompile/compile/tweak/fuzz/pentest/fun! Andrei Costin/Jonas Zaddach www.firmware.re 31/78

  32. Firmware Analysis – Getting the Firmware Many times not as easy as it sounds! In order of increasing complexity of getting the firmware image • Present on the product CD/DVD • Download from manufacturer FTP/HTTP site • Many times need to register for manufacturer spam :( • Google Dorks • FTP index sites (mmnt.net, ftpfiles.net) • Wireshark traces (manufacturer firmware download tool or device communication itself) • Device memory dump Andrei Costin/Jonas Zaddach www.firmware.re 32/78

  33. Firmware Analysis – Reconnaissance • strings on the firmware image/blob • Fuzzy string matching on a wide embedded product DB • Find and read the specs and datasheets of device Andrei Costin/Jonas Zaddach www.firmware.re 33/78

  34. Firmware Analysis – Unpacking • Did anyone pay attention to the previous section?! Andrei Costin/Jonas Zaddach www.firmware.re 34/78

Recommend

Embedded Devices Security Firmware Reverse Engineering Jonas Zaddach Andrei Costin August 11,

Embedded Devices Security Firmware Reverse Engineering Jonas Zaddach Andrei Costin August 11,

Embedded Devices Security Firmware Reverse Engineering Jonas Zaddach Andrei Costin August 11, 2013 Andrei Costin/Jonas Zaddach www.firmware.re 1/104 About Jonas Zaddach PhD. candidate on "Development of novel binary analysis

1.25k views • 104 slides
Breaking Through Another Side Bypassing Firmware Security Boundaries from Embedded Controller

Breaking Through Another Side Bypassing Firmware Security Boundaries from Embedded Controller

Breaking Through Another Side Bypassing Firmware Security Boundaries from Embedded Controller Alex Matrosov Alexandre Gazet Actually 5 months of passionate reverse-engineering nights Disclaimer All the details given about BIOS Guard

968 views • 77 slides
Towards Automated Classification of Firmware Images and Identification of Embedded Devices Andrei

Towards Automated Classification of Firmware Images and Identification of Embedded Devices Andrei

IFIP SEC '17 (Rome, Italy) Towards Automated Classification of Firmware Images and Identification of Embedded Devices Andrei Costin (University of Jyvaskyla) Apostolis Zarras (TUM) Aurelien Francillon (EURECOM) Agenda Introduction

577 views • 34 slides
Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team

Next-Generation Debuggers For Reverse Engineering For Reverse Engineering The ERESI team eresi@asgardlabs.org This presentation is about .. The Embedded ERESI debugger : e2dbg The Embedded ERESI tracer : etrace The ERESI reverse

849 views • 47 slides
CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom

CS 166: Information Security Reverse Engineering & Digital Rights Management Prof. Tom Austin San Jos State University SRE Software Reverse Engineering Also known as Reverse Code Engineering (RCE) Or simply reversing

1.04k views • 80 slides
Secure Firmware Updates in the IoT COMPETENCE CENTRE FOR IT-SECURITY, MASTER STUDIES IT-SECURITY

Secure Firmware Updates in the IoT COMPETENCE CENTRE FOR IT-SECURITY, MASTER STUDIES IT-SECURITY

Secure Firmware Updates in the IoT COMPETENCE CENTRE FOR IT-SECURITY, MASTER STUDIES IT-SECURITY Silvie Schmidt Competence Centre for IT- Security at FH Campus Wien Project ELVIS Embedded Lab Vienna for IoT & Security Agenda

811 views • 37 slides
Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil

Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil

Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Math ematiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 1

1.72k views • 143 slides
Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples

Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples

avatar 2 Marius Muench 34c3 - December 29, 2017 Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples 5. Conclusion 1 Binary Firmware Analysis Motivation Amount of embedded devices steadily

3.29k views • 51 slides
Reverse Engineering USB Devices Drew Fisher December 28, 2011 whoami Drew Fisher (zarvox) I

Reverse Engineering USB Devices Drew Fisher December 28, 2011 whoami Drew Fisher (zarvox) I

Reverse Engineering USB Devices Drew Fisher December 28, 2011 whoami Drew Fisher (zarvox) I maintain libfreenect, a set of reverse-engineered Kinect drivers. http://github.com/OpenKinect/libfreenect What well cover Introduction

437 views • 26 slides
Component Firmware http://outflux.net/slides/2014/lss/firmware.pdf Linux Security Summit, Chicago

Component Firmware http://outflux.net/slides/2014/lss/firmware.pdf Linux Security Summit, Chicago

Component Firmware http://outflux.net/slides/2014/lss/firmware.pdf Linux Security Summit, Chicago 2014 Kees Cook <keescook@chromium.org> (pronounced Case) Overview Wait, which firmware? Threats Update methods

311 views • 20 slides
Computer and Information Security Fall 2019 Reverse Engineering Tyler Bletsch Duke University

Computer and Information Security Fall 2019 Reverse Engineering Tyler Bletsch Duke University

ECE590 Computer and Information Security Fall 2019 Reverse Engineering Tyler Bletsch Duke University With additional content by Jiaming Li, NC State University, 2015 What is software reverse engineering? Determine and possibly change

629 views • 35 slides
ECE590 Computer and Information Security Fall 2018 Reverse Engineering Tyler Bletsch Duke

ECE590 Computer and Information Security Fall 2018 Reverse Engineering Tyler Bletsch Duke

ECE590 Computer and Information Security Fall 2018 Reverse Engineering Tyler Bletsch Duke University With additional content by Jiaming Li, NC State University, 2015 What is software reverse engineering? Determine and possibly change

643 views • 35 slides
Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a

Reverse Engineering CS 166 Armen Boursalian 30 Apr 2018 Reverse Engineering Take a product, understand how it works Usually limited to certain aspects, not full systems Need to know a little bit about a lot of topics to gain

636 views • 11 slides
Detecting Reverse Engineering with Canaries Collin Mulliner Security Engineer @ Cruise

Detecting Reverse Engineering with Canaries Collin Mulliner Security Engineer @ Cruise

Detecting Reverse Engineering with Canaries Collin Mulliner Security Engineer @ Cruise Automation Twitter: @ collinrm CanSecWest March 2018 About Me Security since ~1994 (hard to tell) BS, MS, PhD in computer science (all focused on

1.29k views • 80 slides
Reverse engineering: obfuscation Srdjan Matic < srdjan@security.di.unimi.it > Aristide

Reverse engineering: obfuscation Srdjan Matic < srdjan@security.di.unimi.it > Aristide

Universit` a degli Studi di Milano Facolt` a di Scienze e Tecnologie Dipartimento di Informatica Reverse engineering: obfuscation Srdjan Matic < srdjan@security.di.unimi.it > Aristide Fattori < joystick@security.di.unimi.it > A.A.

413 views • 9 slides
Embedded systems and the role of programmable logic devices in embedded systems Embedded system :

Embedded systems and the role of programmable logic devices in embedded systems Embedded system :

Embedded systems and the role of programmable logic devices in embedded systems Embedded system : a combination of computer hardware and software, and perhaps additional mechanical or other parts, designed to perform a dedicated function. In some

414 views • 20 slides
Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs

Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs

Reverse engineering basics @KirilsSolovjovs on twitter Mg.sc.comp. Kirils Solovjovs http://kirils.org for more Possible Security Reverse engineering? www.indiamart.com Contents Hardware architecture Processors and machine language

536 views • 25 slides
Toward the Analysis of Embedded Firmware through Automated Re-hosting Eric Gustafson , Marius

Toward the Analysis of Embedded Firmware through Automated Re-hosting Eric Gustafson , Marius

Toward the Analysis of Embedded Firmware through Automated Re-hosting Eric Gustafson , Marius Muench, Chad Spensky, Nilo Redini, Aravind Machiry, Aurelien Francillon, Davide Balzarotti, Yung Ryn Choe, Christopher Kruegel, Giovanni Vigna Sandia

963 views • 71 slides
Effective Scripting in Embedded Devices Steve Bennett 1 What is Embedded? ELC 2010 2

Effective Scripting in Embedded Devices Steve Bennett 1 What is Embedded? ELC 2010 2

ELC 2010 Effective Scripting in Embedded Devices Steve Bennett 1 What is Embedded? ELC 2010 2 Creating an Embedded Product Time to market Linux kernel Quality uClibc Features Busybox Cost Other open source

494 views • 35 slides
Reverse engineering Reverse engineer Did anyone analyze f1 something similar A binary file f2

Reverse engineering Reverse engineer Did anyone analyze f1 something similar A binary file f2

Asm2Vec : Boosting Static Representation Robustness for Binary Clone Search against Code Obfuscation and Compiler Optimization Steven H. H. Ding Benjamin C. M. Fung Philippe Charland Data Mining and Security Lab Mission Critical Cyber Security

625 views • 23 slides
Continuing to secure the Internet of Things Connected embedded devices Everything in our

Continuing to secure the Internet of Things Connected embedded devices Everything in our

Safety & Security for the Connected World Continuing to secure the Internet of Things Connected embedded devices Everything in our embedded world is becoming connected to The Internet Other connected devices Personal devices

248 views • 11 slides
LoRa Reverse Engineering and AES EM Side-Channel Attacks using SDR Pieter Robyns About me

LoRa Reverse Engineering and AES EM Side-Channel Attacks using SDR Pieter Robyns About me

LoRa Reverse Engineering and AES EM Side-Channel Attacks using SDR Pieter Robyns About me PhD student at Hasselt University since 2014 Since 2016 on FWO SBO research grant Researching wireless security Protocol security,

803 views • 57 slides
Hacking the Internet of Things Andrei Costin andrei@firmware.re @costinandrei What I do?

Hacking the Internet of Things Andrei Costin andrei@firmware.re @costinandrei What I do?

Hacking the Internet of Things Andrei Costin andrei@firmware.re @costinandrei What I do? Embedded Security Research 2009 RFID MiFare Classic (MFCUK) Click to edit Master text styles https://github.com/nfc-tools/mfcuk Second

1.12k views • 71 slides
CS-527 Software Security Reverse Engineering Asst. Prof. Mathias Payer Department of Computer

CS-527 Software Security Reverse Engineering Asst. Prof. Mathias Payer Department of Computer

CS-527 Software Security Reverse Engineering Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017 Assembly code and binary formats (ELF)

630 views • 23 slides

More recommend