inception system wide security testing of real
play

Inception: System-Wide Security Testing of Real- World Embedded - PowerPoint PPT Presentation

Sep 11, 2023 •250 likes •911 views

Inception: System-Wide Security Testing of Real- World Embedded Systems Software Nassim Corteggiani (Maxim Integrated / EURECOM) Giovanni Camurati (EURECOM) Aurlien Francillon (EURECOM) 08/15/18 Embedded Systems Are Everywhere [1]

  1. Inception: System-Wide Security Testing of Real- World Embedded Systems Software Nassim Corteggiani (Maxim Integrated / EURECOM) Giovanni Camurati (EURECOM) Aurélien Francillon (EURECOM) 08/15/18

  2. Embedded Systems Are Everywhere [1] https://community.arm.com/processors/b/bl og/posts/arm-cortex-m3-processor-the-core- of-the-iot 2 | Maxim Integrated | EURECOM

  3. Embedded Systems Are Everywhere [1] Low Power https://community.arm.com/processors/b/bl Micro-controllers og/posts/arm-cortex-m3-processor-the-core- of-the-iot 3 | Maxim Integrated | EURECOM

  4. Embedded Systems Are Everywhere Over 32 billions of ARM Cortex M3 shipped in 2018 [1] Cover a wide range of fields [1] Low Power https://community.arm.com/processors/b/bl Micro-controllers og/posts/arm-cortex-m3-processor-the-core- of-the-iot 4 | Maxim Integrated | EURECOM

  5. Why the Security of Such Systems Matters? 5 | Maxim Integrated | EURECOM

  6. Why the Security of Such Systems Matters? • Highly connected -> large scale attacks 6 | Maxim Integrated | EURECOM

  7. Why the Security of Such Systems Matters? • Highly connected -> large scale attacks • Difficulty to patch the code > Mask ROM → mask applied on the chip during the fabrication > Off-line devices 7 | Maxim Integrated | EURECOM

  8. Why the Security of Such Systems Matters? • Highly connected -> large scale attacks • Difficulty to patch the code > Mask ROM → mask applied on the chip during the fabrication > Off-line devices • Store sensitive data > Bitcoin wallet > Payment terminal 8 | Maxim Integrated | EURECOM

  9. Why the Security of Such Systems Matters? • Highly connected -> large scale attacks • Difficulty to patch the code > Mask ROM → mask applied on the chip during the fabrication > Off-line devices • Store sensitive data > Bitcoin wallet > Payment terminal • Drive sensitive hardware system > Physical damage > Production line outage > Signaling systems (red light) 9 | Maxim Integrated | EURECOM

  10. Exemple of Recent Security Issues Recent attacks 10 | Maxim Integrated | EURECOM

  11. Exemple of Recent Security Issues Recent attacks • Nintendo Switch Tegra X1 bootrom exploit 2018 > buffer overflow in the USB stack embedded in the mask ROM > Cannot be patched > Give access to the entire software stack 11 | Maxim Integrated | EURECOM

  12. How Can We Test Such Firmware Programs? • Symbolic Execution > High path coverage > Return test case for bugs 12 | Maxim Integrated | EURECOM

  13. Symbolic Execution Example i = symb_i Int buffer[2] i = < input > int buffer [ 2 ] = {0, 1}; 13 | Maxim Integrated | EURECOM

  14. Symbolic Execution Example i = symb_i Int buffer[2] FALSE TRUE i = < input > buffer[i] int buffer [ 2 ] = {0, 1}; 𝟏 ≤ 𝒋 < 𝟑 ¬(𝟏 ≤ 𝒋 < 𝟑) if( buffer [ i ] == 0 ) { Out of bounds access 14 | Maxim Integrated | EURECOM

  15. Symbolic Execution Example i = symb_i Int buffer[2] FALSE TRUE i = < input > buffer[i] int buffer [ 2 ] = {0, 1}; 𝟏 ≤ 𝒋 < 𝟑 ¬(𝟏 ≤ 𝒋 < 𝟑) if( buffer [ i ] == 0 ) { buffer [ i ] = 0xDEADBEEF ; } FALSE TRUE buffer[i] == 0 Out of bounds 𝒋 = 𝟏 ¬(𝒋 = 𝟏) access buffer[i] == 0xDEADBEAF 15 | Maxim Integrated | EURECOM

  16. Building A Symbolic Executor For Firmware Programs Klee as a basis • Inception is based on Klee a symbolic virtual machine: 16 | Maxim Integrated | EURECOM

  17. Building A Symbolic Executor For Firmware Programs Klee as a basis • Inception is based on Klee a symbolic virtual machine: > Widely deployed, efficient and based on the LLVM framework. 17 | Maxim Integrated | EURECOM

  18. Building A Symbolic Executor For Firmware Programs Klee as a basis • Inception is based on Klee a symbolic virtual machine: > Widely deployed, efficient and based on the LLVM framework. > Find memory safety violations 18 | Maxim Integrated | EURECOM

  19. Building A Symbolic Executor For Firmware Programs Klee as a basis • Inception is based on Klee a symbolic virtual machine: > Widely deployed, efficient and based on the LLVM framework. > Find memory safety violations > High code coverage 19 | Maxim Integrated | EURECOM

  20. Building A Symbolic Executor For Firmware Programs Klee as a basis C/C++ source • Inception is based on Klee a symbolic virtual machine: code > Widely deployed, efficient and based on the LLVM framework. > Find memory safety violations > High code coverage 20 | Maxim Integrated | EURECOM

  21. Building A Symbolic Executor For Firmware Programs Klee as a basis C/C++ source • Inception is based on Klee a symbolic virtual machine: code > Widely deployed, efficient and based on the LLVM framework. > Find memory safety violations > High code coverage Clang 21 | Maxim Integrated | EURECOM

  22. Building A Symbolic Executor For Firmware Programs Klee as a basis C/C++ source • Inception is based on Klee a symbolic virtual machine: code > Widely deployed, efficient and based on the LLVM framework. > Find memory safety violations > High code coverage Clang LLVM bit-code 22 | Maxim Integrated | EURECOM

  23. Building A Symbolic Executor For Firmware Programs Klee as a basis C/C++ source • Inception is based on Klee a symbolic virtual machine: code > Widely deployed, efficient and based on the LLVM framework. > Find memory safety violations > High code coverage Clang LLVM bit-code Klee 23 | Maxim Integrated | EURECOM

  24. Why testing source code instead of binary code ? Source VS Binary 24 | Maxim Integrated | EURECOM

  25. Why testing source code instead of binary code ? Source VS Binary b1 : .space 2 char b1 [ 2 ]; b2 : .space 2 char b2 [ 2 ]; getElement (int): char getElement ( int index ) ldr r2 , .L3 { add r3 , r2 , r0 return b1 [ index ]; ldrb r0 , [ r3 ] } bx lr .L3 : .word b1 25 | Maxim Integrated | EURECOM

  26. Why testing source code instead of binary code ? Source VS Binary b1 : .space 2 char b1 [ 2 ]; b2 : .space 2 char b2 [ 2 ]; getElement (int): char getElement ( int index ) ldr r2 , .L3 { add r3 , r2 , r0 return b1 [ index ]; ldrb r0 , [ r3 ] } bx lr .L3 : .word b1 26 | Maxim Integrated | EURECOM

  27. Why testing source code instead of binary code ? Source ( Klee/Clang …) VS Binary (SE2, angr, BAP) b1 : .space 2 char b1 [ 2 ]; b2 : .space 2 char b2 [ 2 ]; getElement (int): char getElement ( int index ) ldr r2 , .L3 { add r3 , r2 , r0 return b1 [ index ]; ldrb r0 , [ r3 ] } bx lr .L3 : .word b1 define i8 @getElement ( i32 index) { define i8 @getElement ( i32 %index ){ entry: entry: store i32 %index , i32 * @R0 %0 = load i32 * %index .addr store i32 268436792, i32 * @R2 %1 = getelementptr inbounds %R2_1 = load i32 * @R2 [2 x i8 ]* @b1 , i32 0, i32 %0 %R0_1 = load i32 * @R0 %2 = load i8 * %1 %R2_2 = add i32 %R2_1 , %R0_1 ret i8 %2 %R3_0 = inttoptr i32 %R2_2 to i32 * } %R3_1 = bitcast i32 * %R3_0 to i8 * %R3_2 = load i8 * %R3_1 27 | Maxim Integrated | EURECOM %R3_3 = zext i8 %R3_2 to i32

  28. Why testing source code instead of binary code ? Source ( Klee/Clang …) VS Binary (SE2, angr, BAP) b1 : .space 2 char b1 [ 2 ]; b2 : .space 2 char b2 [ 2 ]; getElement (int): char getElement ( int index ) ldr r2 , .L3 { add r3 , r2 , r0 return b1 [ index ]; ldrb r0 , [ r3 ] } bx lr .L3 : .word b1 define i8 @getElement ( i32 index) { define i8 @getElement ( i32 %index ){ entry: entry: store i32 %index , i32 * @R0 %0 = load i32 * %index .addr store i32 268436792, i32 * @R2 %1 = getelementptr inbounds %R2_1 = load i32 * @R2 [2 x i8 ]* @b1 , i32 0, i32 %0 %R0_1 = load i32 * @R0 %2 = load i8 * %1 %R2_2 = add i32 %R2_1 , %R0_1 ret i8 %2 %R3_0 = inttoptr i32 %R2_2 to i32 * } %R3_1 = bitcast i32 * %R3_0 to i8 * %R3_2 = load i8 * %R3_1 28 | Maxim Integrated | EURECOM %R3_3 = zext i8 %R3_2 to i32

  29. Source vs Binary • When source available testing binary is possible however: > Types are lost > Corruption will be detected later if at all > Worse on embedded systems • See: Muench et. al. What you corrupt is not what you crash, NDSS 2018 • Goal of Inception: improve testing for firmware during development > Limit requirements on code 29 | Maxim Integrated | EURECOM

  30. Major Challenges For Symbolic Execution of Firmware Programs Is C/C++ Support Enough To Test Real World Firmware ? 1000 100 108 10 98 80 22 1 STM32(demos) FreeRTOS(STM32) Mbed OS ChibiOS Functions2 • Number of functions including assembly instructions in real world embedded software 30 | Maxim Integrated | EURECOM

  31. Major Challenges For Symbolic Execution of Firmware Programs Is C/C++ Support Enough To Test Real World Firmware ? 1000 • Assembly code : > Multithreading > Optimizations 100 > Side channel counter-measures > Hardware features e.g. ultra low power mode 108 10 98 80 22 1 STM32(demos) FreeRTOS(STM32) Mbed OS ChibiOS Functions2 • Number of functions including assembly instructions in real world embedded software 31 | Maxim Integrated | EURECOM

Recommend

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
OS Security Thierry Sans Security is a wide topic CSCD27 Computer and Network Security covers

OS Security Thierry Sans Security is a wide topic CSCD27 Computer and Network Security covers

OS Security Thierry Sans Security is a wide topic CSCD27 Computer and Network Security covers Cryptography Network security System security Web security (recap) Protection File systems implement a protection system Who

800 views • 30 slides
Security Testing - Where Automation Fails Today How does security testing of web

Security Testing - Where Automation Fails Today How does security testing of web

Security Testing - Where Automation Fails Today How does security testing of web applications work What does the tooling landscape look like How does automated security testing fail What can we do Image courtesy of

583 views • 56 slides
Testing temperature measuring system for security and gas self-extinguishing for MPD detector

Testing temperature measuring system for security and gas self-extinguishing for MPD detector

Master rack fire protection HFC-236fa refrigerant Measurement stand Received data Testing temperature measuring system for security and gas self-extinguishing for MPD detector Author: Patryk Marcola Supervised by: mgr in. Marek Peryt

245 views • 9 slides
Embedded analy+cs delivers system-wide visibility for debug, safety, security and more... Design

Embedded analy+cs delivers system-wide visibility for debug, safety, security and more... Design

Embedded analy+cs delivers system-wide visibility for debug, safety, security and more... Design and Reuse IP-SoC Days Shanghai 2017 Agenda Some obvious statements Some problems with exis4ng approaches Key requirements The

323 views • 18 slides
SHAC PRESENTATION SEPTEMBER 2011 Members: Maura ORahilly - SAC system wide Kathy Carney

SHAC PRESENTATION SEPTEMBER 2011 Members: Maura ORahilly - SAC system wide Kathy Carney

SHAC PRESENTATION SEPTEMBER 2011 Members: Maura ORahilly - SAC system wide Kathy Carney Nurse Leader system wide Mark Talbot Administrator system wide Anne Ward School Committee rep Friend Weiler- SRO system wide Shannon Jones

501 views • 17 slides
Combinatorial Security Testing: Combinatorial Testing Meets Information Security Dimitris E.

Combinatorial Security Testing: Combinatorial Testing Meets Information Security Dimitris E.

Combinatorial Security Testing: Combinatorial Testing Meets Information Security Dimitris E. Simos SBA Research Applied &amp; Computational Mathematics Division Seminar Series National Institute of Standards and Technology (NIST) Gaithersburg,

675 views • 50 slides
Testing Terminology System testing Types of errors Function testing Structure

Testing Terminology System testing Types of errors Function testing Structure

Outline Testing Terminology System testing Types of errors Function testing Structure Testing Dealing with errors Performance testing Quality assurance vs Acceptance testing Testing Installation testing

396 views • 11 slides
Real-Time Systems: Testing Your System in Linux Jiangnan Liu CSE 520S Spring 02/13/2020 With

Real-Time Systems: Testing Your System in Linux Jiangnan Liu CSE 520S Spring 02/13/2020 With

Real-Time Systems: Testing Your System in Linux Jiangnan Liu CSE 520S Spring 02/13/2020 With adaptions from Haoran Li What is meant by Time? Absolute time since some fixed past event, e.g.: q Seconds since start of the Unix Epoch (00:00:00

1.01k views • 34 slides
The Non-Virtual Reality of Testing or What's Feasible in Real World Testing Contents 1.

The Non-Virtual Reality of Testing or What's Feasible in Real World Testing Contents 1.

TER-10 The Non-Virtual Reality of Testing or What's Feasible in Real World Testing Contents 1. Introduction 2. Seven myths about testing and their demystification 3. A kind of conclusion Karol Frhauf, INFOGEM AG , CH-5400 Baden,

527 views • 23 slides
About us Since its inception in 1999, 9 EXPRESSION has created a place for itself by providing time

About us Since its inception in 1999, 9 EXPRESSION has created a place for itself by providing time

About us Since its inception in 1999, 9 EXPRESSION has created a place for itself by providing time bound services while consistently maintaining highest standards of quality. We have successfully catered to wide range of requirements in outdoor

268 views • 11 slides
Security Testing TDDC90 Software Security Ulf Kargn Department of Computer and Information

Security Testing TDDC90 Software Security Ulf Kargn Department of Computer and Information

Security Testing TDDC90 Software Security Ulf Kargn Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT) Security testing vs regular testing Regular testing aims to

1.06k views • 54 slides
Automate Security Testing and System Compliance Agenda Introduction to SCAP Introduction

Automate Security Testing and System Compliance Agenda Introduction to SCAP Introduction

Automate Security Testing and System Compliance Agenda Introduction to SCAP Introduction to STIG SUSE STIG Automation Demo Time Whats next? What is SCAP? The Security Content Automation Protocol is a multi-purpose

684 views • 37 slides
Real Tim e TRON TRON TRON Testing using UPPAAL W ith Mariius Mikucionis, Brian Nielsen, Arne

Real Tim e TRON TRON TRON Testing using UPPAAL W ith Mariius Mikucionis, Brian Nielsen, Arne

Real Tim e TRON TRON TRON Testing using UPPAAL W ith Mariius Mikucionis, Brian Nielsen, Arne Skou, Anders Hessel, Paul Pettersson Overview Introduction Informationsteknologi Conformance for Real-Time System Off-line Test

985 views • 80 slides
Testing Dr. Patrick McDaniel Meghan Riegel Fall 2015 What is Penetration Testing? Attacking

Testing Dr. Patrick McDaniel Meghan Riegel Fall 2015 What is Penetration Testing? Attacking

Introduction to Penetration Testing Dr. Patrick McDaniel Meghan Riegel Fall 2015 What is Penetration Testing? Attacking a system to find security vulnerabilities in order to fix them before a malicious party attacks the system Legal if

455 views • 9 slides
Real Tim e TRON TRON TRON TRON Testing Testing using UPPAAL W ith W ith Mariius

Real Tim e TRON TRON TRON TRON Testing Testing using UPPAAL W ith W ith Mariius

Real Tim e TRON TRON TRON TRON Testing Testing using UPPAAL W ith W ith Mariius Mikucionis, Brian Nielsen, Arne Skou, Anders Hessel, Paul Pettersson, Jacob I llum Rasm ussen Overview Introduction gi knolog Off-line Test

1.44k views • 61 slides
System Testing Steven J Zeil April 9, 2013 System Testing Outline Test Coverage 1

System Testing Steven J Zeil April 9, 2013 System Testing Outline Test Coverage 1

System Testing System Testing Steven J Zeil April 9, 2013 System Testing Outline Test Coverage 1 Coverage Measures C/C++ - gcov Java Oracles 2 expect *Unit GUI systems Web systems Selenium System Testing Test

886 views • 65 slides
since inception of new system Lessons for all parties Appeals against refusal of planning

since inception of new system Lessons for all parties Appeals against refusal of planning

Summary of the Commissions guidance on costs awards Data and commentary on costs decisions issued since inception of new system Lessons for all parties Appeals against refusal of planning permission Appeals in default of a

492 views • 23 slides
Automatic intrusion recovery with system-wide history Taesoo Kim MIT CSAIL Current focus of

Automatic intrusion recovery with system-wide history Taesoo Kim MIT CSAIL Current focus of

Automatic intrusion recovery with system-wide history Taesoo Kim MIT CSAIL Current focus of system security: preventing attacks System hardening tools/techniques (e.g.,) Firewall, AntiVirus 2 My work on preventing attacks

1.76k views • 116 slides
Inception Graduation Dispersion Dispersion Inception Origins Filling a need PhD

Inception Graduation Dispersion Dispersion Inception Origins Filling a need PhD

Thesis focus Inception Graduation Dispersion Dispersion Inception Origins Filling a need PhD student Case study of the community organic life cycle Adversity Germination of a grassroots Adversity Germination peer

216 views • 5 slides
Real-time Network Intrusion Detection System with Supporting Cyber Security Regulations for

Real-time Network Intrusion Detection System with Supporting Cyber Security Regulations for

Transactions of the Korean Nuclear Society Virtual Spring Meeting July 9-10, 2020 Real-time Network Intrusion Detection System with Supporting Cyber Security Regulations for Nuclear Power Plants Jae-Hee Roh a , Seok-Ki Lee a , Choul-Woong Son

362 views • 4 slides
Continuous Application Security Testing Presented by:

Continuous Application Security Testing Presented by:

W14 Security Testing Wednesday, October 23rd, 2019 3:00 PM Continuous Application Security Testing Presented by: Josh Gibbs

306 views • 4 slides
Chapter 10: Case Studies So what happens in a real operating system? Operating systems in the real

Chapter 10: Case Studies So what happens in a real operating system? Operating systems in the real

Chapter 10: Case Studies So what happens in a real operating system? Operating systems in the real world Studied mechanisms used by operating systems Processes &amp; scheduling Memory management File systems Security How are

408 views • 22 slides
Linux System Security Tunables Linux System Security Tunables Linux System Security Tunables

Linux System Security Tunables Linux System Security Tunables Linux System Security Tunables

Linux System Security Tunables Linux System Security Tunables Linux System Security Tunables http://outflux.net/slides/2013/drupal/tunables.pdf R0Ng DrupalCon Portland 2013 Kees Cook &lt;keescook@google.com&gt; (pronounced Case) Who is

474 views • 33 slides

More recommend