
The Avatar project: Improving embedded security with S²E, KLEE and Qemu (PowerPoint presentation)



  1. The Avatar project: Improving embedded security with S²E, KLEE and Qemu
     http://www.s3.eurecom.fr/tools/avatar/
     Luca Bruno <lucab@debian.org>, J. Zaddach, A. Francillon, D. Balzarotti

  2. About us
    • Eurecom, a consortium of European universities on the French Riviera
    • Security research group
      – 9 people
    • Applied system security
      – Embedded systems
      – Networking devices
      – Critical infrastructures
  02/02/2014

  3. Outline
    • Embedded security
    • Avatar overview
    • Framework components
    • Field testing
    • Conclusions

  4. Software everywhere
    • Embedded devices are diverse
      – but all of them run software

  5. Reasons for embedded security
    • Embedded devices are ubiquitous
      – Even if not visible, your life depends on them
    • Can operate for many years
      – Legacy systems, no (security) updates
    • Have large attack surfaces
      – Networking, forgotten debug interfaces, etc.
    • Sometimes too easy to take over/backdoor

  6. Challenges in embedded security
    • No source code available
      – Often monolithic, binary-only firmware
    • No toolchain available
    • No documentation available
    • Unique tools (to flash and debug) for each manufacturer

  7. Wishlist for security evaluation
    • Typical PC-security toolbox
      – Advanced debugging techniques
        • Tracing
        • Fuzzing
        • Symbolic execution
        • Tainting
      – Integrated tools
        • IDA Pro
        • GDB
        • Netzob
    [Figure: symbolic execution tree with nodes A–E; branch conditions x ≤ 0 / x > 0 and x < 8 / x ≥ 8, leaf path condition 0 < x < 8]

  8. Outline
    • Embedded security
    • Avatar overview
    • Framework components
    • Field testing
    • Conclusions

  9. Why Avatar
    • Provide a framework for
      – In-vivo analysis of any kind of device
      – Advanced debugging
      – Easy prototyping
    • Integrated workbench
      – To use all techniques together on a live system
    • Not only focused on security
      – Debugging/profiling/tracing is hard in embedded environments

  10. Avatar: basics
    • Emulate embedded devices' firmware
    • Forward peripheral accesses to the device under analysis
    • Do NOT attempt to emulate peripherals
      – No documentation
      – Reverse engineering is difficult

  11. Avatar overview
    [Diagram: the Avatar core sits between an Emulator backend and a Target backend (proxy). Memory read/write requests, the returned values and interrupts flow in both directions between the emulator, which executes the firmware (sample: mov r2, r0; mov r3, r1; add r3, r3, #1; add r2, ip, r2; ldr r2, [r2], #0; cmp r2, r3), and the proxy running on the embedded device. Analysis plugins attach to the Avatar core.]

  12. Avoid NIH syndrome
    • S²E (Qemu+KLEE) – for emulation and symbolic execution
    • GDB and OpenOCD – to attach components and devices
    • Your own tools for analysis
      – IDA Pro, Capstone, Netzob...

  13. Outline
    • Embedded security
    • Avatar overview
    • Framework components
    • Field testing
    • Conclusions

  14. LLVM under the hood
    • S²E combines existing tools to achieve symbolic execution of x86/ARM binary code
      – Qemu translates binary code to an intermediate representation (TCG)
      – QEMU-LLVM translates TCG to LLVM bitcode
      – KLEE executes the LLVM bitcode symbolically

  15. S²E in a nutshell
    [Diagram: inside the emulator, Qemu (TCG frontend, LLVM executer, Qemu config, GDB interface) and KLEE are combined by S²E. S²E hooks and the RemoteMem plugin expose the VM state (registers, CPU state, memory, symbolic states) to Avatar over QMP/Lua and GDB.]

  16. Python3 framework
    [Diagram: an analysis script drives the Avatar core. The Emulator backend talks to the emulator through a config writer, a GDB/MI adapter and a QMP/Lua adapter; the Target backend talks to the device through a GDB adapter, a BinProto interface adapter and a Telnet interface adapter. A memory forwarder connects the two backends, and analysis plugins attach to the core.]

  17. Analysis platform
    • Avatar provides analysis glue
      – Orchestrate execution
      – Bridge between emulator ⟷ device
      – Intercept/manipulate memory accesses
      – External integration, exposing GDB or JSON interfaces

  18. Embedded target
    [Diagram: Avatar reaches the target device either over UART, through an in-memory stub, or over JTAG, through OpenOCD. Either path exposes the target state: registers, CPU state and memory.]

  19. Target communication
    • Either a debugging interface
      – JTAG
      – Debug Serial Interface
    • Or code injection and a communication channel
      – GDB stub + serial port

  20. Outline
    • Embedded security
    • Avatar overview
    • Framework components
    • Field testing
    • Conclusions

  21. Use cases
    • Check for hidden backdoors in HDD firmware
    • Fuzzing/symbolic execution of SMS decoding on a feature phone
    • Vulnerability checks on programmable wireless sensors

  22. Bottlenecks
    • Emulated execution is much slower than execution on the real device
      – Memory access forwarding through a low-bandwidth channel is the bottleneck
      – In one case down to ~10 instr./sec.
    • Interrupts are tricky, can overwhelm emulation

  23. Improving performance
    • Point of interest is often far down in the firmware
      – Trap execution on the device and transfer state to the emulator
    • A large part of forwarded accesses are to non-IO memory
      – Detect and drop forwarding for non-IO memory regions (stack, heap and code in the emulator)
    • High-periodicity interrupts can be synthesized to avoid saturation
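The region-based forwarding policy from slide 23, as an added example in Python (the framework's language); this is not Avatar's own code. The memory map, the device-side proxy and the access trace are constructed for illustration: only addresses inside IO regions cross the slow channel, everything else is served by the emulator.

```python
from dataclasses import dataclass

@dataclass
class Region:
    name: str
    start: int      # inclusive
    end: int        # exclusive
    forward: bool   # True: peripheral/IO space, must be served by the real device

class FakeTarget:
    """Constructed stand-in for the device-side proxy; records forwarded accesses."""
    def __init__(self):
        self.mmio, self.log = {0x40021000: 0x11}, []   # constructed status register
    def access(self, addr, value=None):
        self.log.append((addr, value))
        if value is None:
            return self.mmio.get(addr, 0)
        self.mmio[addr] = value

class Forwarder:
    """Stack, heap and code stay in the emulator; only IO regions cross the channel."""
    def __init__(self, regions, target):
        self.regions, self.target, self.local = regions, target, {}
        self.stats = {"local": 0, "forwarded": 0}
    def _forwarded(self, addr):
        for r in self.regions:
            if r.start <= addr < r.end:
                return r.forward
        raise ValueError(f"unmapped access at {addr:#x}")
    def access(self, addr, value=None):
        # value=None reads one word, otherwise the word is written; reads return it
        if self._forwarded(addr):
            self.stats["forwarded"] += 1
            return self.target.access(addr, value)
        self.stats["local"] += 1
        if value is None:
            return self.local.get(addr, 0)
        self.local[addr] = value

# Constructed memory map in the style of an ARM microcontroller (assumption).
LAYOUT = [Region("flash", 0x08000000, 0x08100000, forward=False),
          Region("sram", 0x20000000, 0x20010000, forward=False),
          Region("periph", 0x40000000, 0x60000000, forward=True)]

def demo():
    """Replay a short access trace; return (stats, accesses the device saw)."""
    fwd = Forwarder(LAYOUT, FakeTarget())
    fwd.access(0x20000100, 0xABCD)             # stack variable write: local
    fwd.access(0x20000100)                     # read back: local
    fwd.access(0x08001000)                     # code fetch from flash: local
    status = fwd.access(0x40021000)            # peripheral status: forwarded
    fwd.access(0x40021004, status | 1)         # peripheral control: forwarded
    return fwd.stats, fwd.target.log
```

Of the five accesses only the two peripheral ones reach the device; an access outside the map raises instead of being silently forwarded.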

  24. Outline
    • Embedded security
    • Avatar overview
    • Framework components
    • Field testing
    • Conclusions

  25. Limitations
    • State consistency
      – DMA memory changes not tracked
    • Timing consistency
      – Emulated execution time much slower than real execution time
    • Symbolic execution
      – Coherency between HW and SW
    • Bug-finding strategies to be improved

  26. Recap
    • Avatar is a tool to
      – Enable dynamic analysis
      – And perform symbolic execution
      – On embedded devices
      – Where only binary code is available

  27. Questions?
    Thank you for listening!
    Thanks to Pascal Sachs and Luka Malisa, who built an earlier prototype of the system, and to Lucian Cojocar for contributions

  28. References
    • AVATAR web page: http://www.s3.eurecom.fr/tools/avatar/
    • AVATAR: A Framework to Support Dynamic Security Analysis of Embedded Systems' Firmwares, Jonas Zaddach, Luca Bruno, Aurelien Francillon, Davide Balzarotti
    • Howard: A Dynamic Excavator for Reverse Engineering Data Structures, Asia Slowinska, Traian Stancescu, Herbert Bos
    • KLEE web page: http://ccadar.github.io/klee/
    • S2E web page: https://s2e.epfl.ch/
    • S2E: A Platform for In-Vivo Multi-Path Analysis of Software Systems, Vitaly Chipounov, Volodymyr Kuznetsov, George Candea
    • The S2E Platform: Design, Implementation, and Applications, Vitaly Chipounov, Volodymyr Kuznetsov, George Candea
    • QEMU web page: http://qemu.org
    • Dowsing for Overflows: A Guided Fuzzer to Find Buffer Boundary Violations, Istvan Haller, Asia Slowinska, Matthias Neugschwandtner, Herbert Bos

  29. Extra: GDB stub
    • GDB can connect to targets using a serial interface and a simple protocol
    • There is a stub implementation in the source code tree, but not for ARM and it's bloated (for our purposes)
    • 6 primitives are enough to give debugging support with software breakpoints: read bytes, write bytes, read registers, write registers, continue and get signal
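The six primitives of slide 29 on the wire, as an added example that is not Avatar's or GDB's own code: GDB remote serial protocol framing ('$' payload '#' two-hex-digit checksum) plus a stub that answers the ?, g, G, m, M and c commands for a constructed target with 16 32-bit registers and a small RAM. The target's "continue" behaviour (advance the pc and trap) is invented for the demonstration.

```python
def checksum(payload: bytes) -> int:
    return sum(payload) & 0xFF

def encode_packet(payload: str) -> bytes:
    """Frame as '$<payload>#<checksum>' (GDB remote serial protocol)."""
    body = payload.encode()
    return b"$" + body + b"#" + f"{checksum(body):02x}".encode()

def decode_packet(raw: bytes) -> str:
    """Strip the framing and reject a corrupted packet."""
    if not raw.startswith(b"$") or raw[-3:-2] != b"#":
        raise ValueError("bad framing")
    body = raw[1:-3]
    if checksum(body) != int(raw[-2:], 16):
        raise ValueError("checksum mismatch")
    return body.decode()

class MiniStub:
    """Constructed target: 16 32-bit registers (r15 = pc) and a small RAM."""
    def __init__(self, ram_size=256):
        self.ram, self.regs, self.last_signal = bytearray(ram_size), [0] * 16, 5
    def handle(self, cmd: str) -> str:
        if cmd == "?":                      # get signal: why did the target stop?
            return f"S{self.last_signal:02x}"
        if cmd == "g":                      # read registers, each little-endian hex
            return "".join(r.to_bytes(4, "little").hex() for r in self.regs)
        if cmd.startswith("G"):             # write registers
            data = bytes.fromhex(cmd[1:])
            self.regs = [int.from_bytes(data[i:i + 4], "little")
                         for i in range(0, len(data), 4)]
            return "OK"
        if cmd.startswith("m"):             # read bytes: m<addr>,<len>
            addr, length = (int(x, 16) for x in cmd[1:].split(","))
            return self.ram[addr:addr + length].hex()
        if cmd.startswith("M"):             # write bytes: M<addr>,<len>:<hex>
            spec, hexdata = cmd[1:].split(":")
            addr = int(spec.split(",")[0], 16)
            data = bytes.fromhex(hexdata)
            self.ram[addr:addr + len(data)] = data
            return "OK"
        if cmd == "c":                      # continue: constructed target advances pc
            self.regs[15] += 4              # and immediately hits a software breakpoint
            return f"S{self.last_signal:02x}"   # SIGTRAP
        return ""                           # unsupported command: empty reply

def roundtrip(stub: MiniStub, cmd: str) -> str:
    """Frame a command, let the stub answer it, unframe the reply."""
    reply = stub.handle(decode_packet(encode_packet(cmd)))
    return decode_packet(encode_packet(reply))
```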
