the avatar project improving embedded security with s e
play

The Avatar project: Improving embedded security with SE, KLEE and - PowerPoint PPT Presentation

May 31, 2023 •429 likes •740 views

The Avatar project: Improving embedded security with SE, KLEE and Qemu http://www.s3.eurecom.fr/tools/avatar/ Luca Bruno <lucab@debian.org>, J. Zaddach, A. Francillon, D. Balzarotti About us Eurecom, a consortium of European

  1. The Avatar project: Improving embedded security with S²E, KLEE and Qemu http://www.s3.eurecom.fr/tools/avatar/ Luca Bruno <lucab@debian.org>, J. Zaddach, A. Francillon, D. Balzarotti

  2. About us • Eurecom, a consortium of European universities in French riviera • Security research group – 9 people • Applied system security – Embedded systems – Networking devices – Critical infrastructures 02/02/2014 2

  3. Outline • Embedded security • Avatar overview • Framework components • Field testing • Conclusions 02/02/2014 3

  4. Software everywhere • Embedded devices are diverse – but all of them run software 02/02/2014 4

  5. Reasons for embedded security • Embedded devices are ubiquitous – Even if not visible, your lives depend on the m • Can operate for many years – Legacy systems, no (security) updates • Have large attack surfaces – Networking, forgotten debug interfaces, etc. • Sometime too easy to take-over/backdoor 02/02/2014 5

  6. Challenges in embedded security • No source code available – Often monolithic binary-only firmwares • No toolchain available • No documentation available • Unique tools (to flash and debug) for each manufacturer 02/02/2014 6

  7. Wishlist for security evaluation • Typical PC-security toolbox A – Advanced debugging techniques ≤0 >0 • Tracing B C • Fuzzing <8 ≥8 • Symbolic Execution • Tainting D E 0<x<8 – Integrated tools • IDA Pro • GDB • Netzob 02/02/2014 7

  8. Outline • Embedded security • Avatar overview • Framework components • Field testing • Conclusions 02/02/2014 8

  9. Why Avatar • Provide a framework for – In-vivo analysis of any kind of device – Advanced debugging – Easy prototyping • Integrated workbench – To use all techniques together on a live system • Not only focused on security – Debugging/profiling/tracing is hard in embedded environments 02/02/2014 9

  10. Avatar: basics • Emulate embedded devices’ firmwares • Forward peripheral accesses to the device under analysis • Do NOT attempt to emulate peripherals – No documentation – Reverse engineering is difficult 02/02/2014 10

  11. Avatar overview Avatar Target Emulator Emulator Proxy Backend Backend read/write memory read/write memory . . . mov r2, r0 mov r3, r1 value value add r3, r3, #1 add r2, ip, r2 interrupt ldr r2, [r2], #0 interrupt cmp r2, r3 . . . Firmware Embedded Plugins device 02/02/2014 11

  12. Avoid NIH syndrome • S²E (Qemu+Klee) – for emulation and symbolic execution • GDB and OpenOCD – to attach components and devices • Your own tools for analysis – IDA Pro, Capstone, Netzob... 02/02/2014 12

  13. Outline • Embedded security • Avatar overview • Framework components • Field testing • Conclusions 02/02/2014 13

  14. LLVM under the hood • S²E combines existing tools to achieve symbolic execution of x86/ARM binary code – Qemu translates binary code to an intermediate representation (TCG) – QEMU-LLVM translates TCG to LLVM bytecode – KLEE executes LLVM bytecode symbolically 02/02/2014 14

  15. S²E in a nutshell Emulator Avatar TCG Qemu Qemu config frontend Qemu Qemu GDB LLVM executer KLEE S²E S²E hooks QMP/Lua VM state Registers ● Symbolic RemoteMem CPU state ● states plugin Memory ● 02/02/2014 15

  16. Python3 framework Analysis script Avatar Emulator Target Config GDB/MI writer adapter GDB BinProto interface Target adapter Emulator backend backend QMP/Lua Telnet interface adapter Memory GDB forwarder adapter Analysis Plugins 02/02/2014 16

  17. Analysis platform • Avatar provides analysis glue – Orchestrate execution ⟷ – Bridge between emulator device – Intercept/manipulate memory accesses – External integration, exposing GDB or JSON interfaces 02/02/2014 17

  18. Embedded target Avatar Target device UART In-memory stub Open Target state OCD Registers ● CPU state ● Memory ● JTAG 02/02/2014 18

  19. Target communication • Either a debugging interface – JTAG – Debug Serial Interface • Or code injection and a communication channel – GDB Stub + Serial Port 02/02/2014 19

  20. Outline • Embedded security • Avatar overview • Framework components • Field testing • Conclusions 02/02/2014 20

  21. Usecases • Check for hidden backdoors in HDD firmware • Fuzzing/symbolic execution of SMS decoding on feature phone • Vulnerabilities check on programmable wireless sensors 02/02/2014 21

  22. Bottlenecks • Emulated execution is much slower than execution on the real device – Memory access forwarding through low- bandwidth channel is the bottleneck – In one case down to ~10 instr./sec. • Interrupts are tricky, can overwhelm emulation 02/02/2014 22

  23. Improving performance • Point of Interest is often far down in the firmware – Trap execution on device and transfer state to the emulator ● A large part of forwarded accesses are to non-IO memory – Detect and drop forwarding for non-IO memory regions (stack, heap and code in the emulator) ● High-periodicity interrupts can be synthesized to avoid saturation 02/02/2014 23

  24. Outline • Embedded security • Avatar overview • Framework components • Field testing • Conclusions 02/02/2014 24

  25. Limitations • State consistency – DMA memory changes not tracked • Timing consistency – Emulated execution time much slower than real execution time • Symbolic execution – Coherency between HW and SW • Bug-finding strategies to be improved 02/02/2014 25

  26. Recap • Avatar is a tool to – Enable dynamic analysis – And perform symbolic execution – On embedded devices – Where only binary code is available 02/02/2014 26

  27. Questions? Thank you for listening! Thanks to Pascal Sachs and Luka Malisa who built an earlier prototype of the system, and Lucian Cojocar for contributions 02/02/2014 27

  28. References • AVATAR web page: http://www.s3.eurecom.fr/tools/avatar/ • AVATAR: A Framework to Support Dynamic Security Analysis of Embedded Systems' Firmwares , Jonas Zaddach, Luca Bruno, Aurelien Francillon, Davide Balzarotti • Howard: a dynamic excavator for reverse engineering data structures, Asia Slowinska, Traian Stancescu, Herbert Bos • KLEE webpage: http://ccadar.github.io/klee/ • S2E webpage: https://s2e.epfl.ch/ • S2E: A Platform for In-Vivo Multi-Path Analysis of Software Systems, Vitaly Chipounov, Volodymyr Kuznetsov, George Candea • The S2E Platform: Design, Implementation, and Applications, Vitaly Chipounov, Volodymyr Kuznetsov, George Candea • QEMU webpage: http://qemu.org • Dowsing for Overflows: A Guided Fuzzer to Find Buffer Boundary Violations, Istvan Haller, Asia Slowinska, Matthias Neugschwandtner, Herbert Bos 02/02/2014 28

  29. Extra: GDB stub • GDB can connect to targets using a serial interface and a simple protocol • There is a stub implementation in the source code tree, but not for ARM and it’s bloated (for our purposes) • 6 primitives are enough to give debugging support with software breakpoints: Read bytes, write bytes, read registers, write registers, continue and get signal 02/02/2014 29

Recommend

AVATAR: A Framework for Dynamic Security Analysis of Embedded Systems Firmwares Jonas Zaddach

AVATAR: A Framework for Dynamic Security Analysis of Embedded Systems Firmwares Jonas Zaddach

AVATAR: A Framework for Dynamic Security Analysis of Embedded Systems Firmwares Jonas Zaddach (zaddach@eurecom.fr) Luca Bruno, Aurlien Francillon, Davide Balzarotti Outline Introduction AVATAR overview Framework components

1.09k views • 44 slides
Project Avatar Dr Geraldine Paterson 1 Avatar Funded by Network Innovation Allowance October

Project Avatar Dr Geraldine Paterson 1 Avatar Funded by Network Innovation Allowance October

Project Avatar Dr Geraldine Paterson 1 Avatar Funded by Network Innovation Allowance October 2016 December 2019 Colleague Exploratory Analysis, Concept Publish final Literature Research engagement research refinements Go live

650 views • 9 slides
Improving Security of Autonomous UAVs Fleets by Using New Specific Embedded Secure Elements A

Improving Security of Autonomous UAVs Fleets by Using New Specific Embedded Secure Elements A

Improving Security of Autonomous UAVs Fleets by Using New Specific Embedded Secure Elements A Position Paper Raja Naeem Akram 1 , Pierre-Franois Bonnefoi 2 , Serge Chaumette 3 , Konstantinos Markantonakis 4 and Damien Sauveron 2 1 Department of

589 views • 24 slides
CSE 504: Project Proposal Jennifer Niederlnder 01/13/2016 Improving Security Testing

CSE 504: Project Proposal Jennifer Niederlnder 01/13/2016 Improving Security Testing

CSE 504: Project Proposal Jennifer Niederlnder 01/13/2016 Improving Security Testing Improving Security Testing or Collect security errors Derive Patterns Improving Performance Improving Performance 1. Take the code 2. Point out

423 views • 9 slides
Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples

Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples

avatar 2 Marius Muench 34c3 - December 29, 2017 Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples 5. Conclusion 1 Binary Firmware Analysis Motivation Amount of embedded devices steadily

3.29k views • 51 slides
IVA Interactive Video Avatar (Toolkit for an interactive video for creating Avatar, simulator

IVA Interactive Video Avatar (Toolkit for an interactive video for creating Avatar, simulator

IBM - CVUT Student Research Projects IVA Interactive Video Avatar (Toolkit for an interactive video for creating Avatar, simulator etc.) Frantiek Kafka (kafkaf1@fel.cvut.cz) Lud k Krejzar (krejzl1@fel.cvut.cz) The aim of project the

732 views • 6 slides
Senior school home page SEM and EM photographs of various microbes and all pack artwork available

Senior school home page SEM and EM photographs of various microbes and all pack artwork available

Students could create their own avatar to guide them through the various sections of Create your own the website, this avatar could potentially remind them of areas they have yet to visit, avatar give them updates on how they can earn more

440 views • 3 slides
Avatar - Enhancing Binary Firmware Security Analysis with Dynamic Multi-Target Orchestration

Avatar - Enhancing Binary Firmware Security Analysis with Dynamic Multi-Target Orchestration

CRYPTACUS Workshop Nijmegen, 16 - 18 November 2017 Avatar - Enhancing Binary Firmware Security Analysis with Dynamic Multi-Target Orchestration Marius Muench &lt;marius.muench@eurecom.fr&gt; PART I Avatar - Enhancing Binary Firmware

1.04k views • 26 slides
embedded security October 2015 The Old Model (simplified view) Embedded Security Benedikt

embedded security October 2015 The Old Model (simplified view) Embedded Security Benedikt

embedded security October 2015 The Old Model (simplified view) Embedded Security Benedikt Gierlichs KU Leuven, COSIC IACR Summer school 2015 Chia Laguna, Italy Attack on channel between communicating parties Encryption and

412 views • 6 slides
Playing with AVATAR How to play with AVATAR Giles Reger, Martin Suda and Andrei Voronkov School

Playing with AVATAR How to play with AVATAR Giles Reger, Martin Suda and Andrei Voronkov School

Playing with AVATAR How to play with AVATAR Giles Reger, Martin Suda and Andrei Voronkov School of Computer Science, University of Manchester The 1st Vampire Workshop Reger,G How to play with AVATAR 1 / 26 Overview Introduction 1

1.1k views • 43 slides
Improving TCP/IP security through randomization without sacrificing interoperability Michael

Improving TCP/IP security through randomization without sacrificing interoperability Michael

Improving TCP/IP security through randomization without sacrificing interoperability Michael James Silbersack The FreeBSD Project Introduction Over the years, many security problems have been found in the TCP and IP protocols. This is not

539 views • 17 slides
Improving the Security of Edge Computing Services Update status of the support for AMD and Intel

Improving the Security of Edge Computing Services Update status of the support for AMD and Intel

Improving the Security of Edge Computing Services Update status of the support for AMD and Intel processors FOSDEM 2020 Piotr Krl 1 / 13 Who am I Piotr Krl Founder &amp; Embedded Systems Consultant open-source firmware @pietrushnic

142 views • 13 slides
Building A Better Airline What Makes Avatar Different ? Building A Better Airline

Building A Better Airline What Makes Avatar Different ? Building A Better Airline

Building A Better Airline What Makes Avatar Different ? Building A Better Airline Contribute to Lower Fares Passenger Revenue Branding Food &amp; Beverage Avatar Vacations In-flight Entertainment TIcket

375 views • 35 slides
Security Skins: Embedded, Unspoofable Security Indicators Rachna Dhamija Center for Research on

Security Skins: Embedded, Unspoofable Security Indicators Rachna Dhamija Center for Research on

Security Skins: Embedded, Unspoofable Security Indicators Rachna Dhamija Center for Research on Computation and Society Harvard University Talk Outline Why Phishing Works Dynamic Security Skins Embedded Security Indicators Talk

731 views • 57 slides
CS 315: Computer Security Team/Term Project Fengwei Zhang SUSTech CS 315 Computer Security 1

CS 315: Computer Security Team/Term Project Fengwei Zhang SUSTech CS 315 Computer Security 1

CS 315: Computer Security Team/Term Project Fengwei Zhang SUSTech CS 315 Computer Security 1 General Information A research project with 2-5 individuals Building a new system Improving an existing technique Performing a large

647 views • 9 slides
A Large Scale Analysis of the Security of Embedded Firmwares A. Costin , J. Zaddach, A.

A Large Scale Analysis of the Security of Embedded Firmwares A. Costin , J. Zaddach, A.

A Large Scale Analysis of the Security of Embedded Firmwares A. Costin , J. Zaddach, A. Francillon, D. Balzarotti EURECOM, France 20th August 2014 USENIX Security '14 San Diego, USA Embedded Systems Are Everywhere Andrei Costin 2 By

1.03k views • 72 slides
Securing the connected world Flexible and scalable embedded security IP Pieter Willems

Securing the connected world Flexible and scalable embedded security IP Pieter Willems

Securing the connected world Flexible and scalable embedded security IP Pieter Willems pieter.willems@silexinsight.com V2.0 2019 Overview Silex Insight Introduction Embedded security markets and applications Security

590 views • 15 slides
Who we are Eshard - Embedded Security Company Software &amp; Hardware Security What do we

Who we are Eshard - Embedded Security Company Software &amp; Hardware Security What do we

Who we are Eshard - Embedded Security Company Software &amp; Hardware Security What do we do: @eshardNews Tools: Side Channel / Code Analysis Consultancy https://www.eshard.com Audit contact@eshard.com Training

752 views • 54 slides
Security Bugs in Embedded Interpreters Haogang Chen, Cody Cutler, Taesoo Kim, Yandong Mao, Xi

Security Bugs in Embedded Interpreters Haogang Chen, Cody Cutler, Taesoo Kim, Yandong Mao, Xi

Security Bugs in Embedded Interpreters Haogang Chen, Cody Cutler, Taesoo Kim, Yandong Mao, Xi Wang, Nickolai Zeldovich and M. Frans Kaashoek MIT CSAIL Embedded interpreters Host system Bytecode Embedded Output interpreter Input

1.39k views • 94 slides
Project Kick-off Meeting Belgrade, Dec. 20, 2017 B. Weckel IMPROVING ACADEMIC AND PROFESSIONAL

Project Kick-off Meeting Belgrade, Dec. 20, 2017 B. Weckel IMPROVING ACADEMIC AND PROFESSIONAL

Impr Improving Ac Acad ademic and and Prof rofessio ional Educ ducatio ion Cap Capacity in n Se Serbia in n the Area rea of of Saf Safety &amp; Sec Security (b (by y Means of of St Strategic Par artnership ip wit ith the EU)

343 views • 9 slides
Embedded Security Appliances (How we break really expensive boxes) About The Speakers Mark

Embedded Security Appliances (How we break really expensive boxes) About The Speakers Mark

Methodologies For Hacking Embedded Security Appliances (How we break really expensive boxes) About The Speakers Mark Carey is the Chief Scientist for Peak Security. Over 22 years of experience in engineering and security. - Keeper of

1.06k views • 103 slides
Systems Security: Hardware, embedded system and IoT security Stjepan Picek s.picek@tudelft.nl

Systems Security: Hardware, embedded system and IoT security Stjepan Picek s.picek@tudelft.nl

Systems Security: Hardware, embedded system and IoT security Stjepan Picek s.picek@tudelft.nl Delft University of Technology, The Netherlands April 23, 2018 Outline 1 General Information 2 Lightweight Cryptography 3 Random Number Generators 4

1.35k views • 64 slides
for hardware or embedded security Erik Poll Digital Security Radboud University Nijmegen 1

for hardware or embedded security Erik Poll Digital Security Radboud University Nijmegen 1

Attacker Models for hardware or embedded security Erik Poll Digital Security Radboud University Nijmegen 1 Security-sensitive hardware: examples 2 Naive attacker model Attacks on communication channels exploiting lousy crypto or insecure

904 views • 45 slides
EMSEC: Embedded Security and Cryptography Responsables: Gildas Avoine, Pierre-Alain Fouque

EMSEC: Embedded Security and Cryptography Responsables: Gildas Avoine, Pierre-Alain Fouque

EMSEC: Embedded Security and Cryptography Responsables: Gildas Avoine, Pierre-Alain Fouque Prsentation: Stphanie Delaune (CNRS) EMSEC team Embedded Security &amp; Cryptography 7 permanent researchers, 12 PhD students, and 2 post-docs

308 views • 11 slides

More recommend