toward the analysis of embedded firmware through
play

Toward the Analysis of Embedded Firmware through Automated - PowerPoint PPT Presentation

Jan 02, 2023 •242 likes •963 views

Toward the Analysis of Embedded Firmware through Automated Re-hosting Eric Gustafson , Marius Muench, Chad Spensky, Nilo Redini, Aravind Machiry, Aurelien Francillon, Davide Balzarotti, Yung Ryn Choe, Christopher Kruegel, Giovanni Vigna Sandia

  1. Toward the Analysis of Embedded Firmware through Automated Re-hosting Eric Gustafson , Marius Muench, Chad Spensky, Nilo Redini, Aravind Machiry, Aurelien Francillon, Davide Balzarotti, Yung Ryn Choe, Christopher Kruegel, Giovanni Vigna Sandia National Laboratories is a multimission laboratory managed and operated by National Technology & Engineering Solutions of Sandia, LLC, a wholly owned subsidiary of Honeywell International Inc., for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-NA0003525.

  2. Let’s secure the IoT! 2 Pretender

  3. ....but there’s all this crazy hardware... 3 Pretender

  4. Our Analysis Goals: ● Fuzzing ○ Feed the program with lots of inputs until something bad happens ○ Make lots of copies of the code and its environment to make it feasible ● Symbolic Execution ○ Used to understand how data affects program behavior, and detect possible invalid behaviors ○ Needs a strong model of the code’s environment (software and hardware) to be tractable. 4 Pretender

  5. What if... 5 Pretender

  6. What if... 01010101 01010100 10101000 Extract! 6 Pretender

  7. What if... 01010101 01010100 Virtualize! 10101000 QEMU 7 Pretender

  8. What if... 01010101 01010101 01010100 Fuzz all the 01010101 01010100 10101000 QEMU 01010101 01010100 10101000 QEMU things!!! 01010101 01010100 10101000 QEMU 01010101 01010100 10101000 QEMU 01010101 01010100 10101000 QEMU 01010101 01010100 10101000 QEMU 01010101 01010100 10101000 QEMU 01010101 01010100 10101000 QEMU 01010101 01010100 10101000 QEMU 01010101 01010100 10101000 QEMU 01010101 01010100 10101000 QEMU 01010101 01010100 10101000 QEMU 01010101 01010100 10101000 QEMU 01010101 01010100 10101000 QEMU 01010100 10101000 QEMU 10101000 QEMU 8 Pretender

  9. Re-hosting to the Rescue? “ Re-hosting” : the act of transferring a piece of software from one execution environment into another, such as from a hardware device to a software emulator 9 Pretender

  10. ....but there’s all this crazy hardware... 10 Pretender

  11. Uh oh... 11 Pretender

  12. Firmware is hard! Device-specific code S Y S C Device-specific code A L L S Operating System Libraries (HALs, libc) M M M M I I O O Hardware Peripherals Hardware Peripherals OS-based firmware Blobs 12 Pretender

  13. Peripherals are Hard! FLASH MEMORY RAM M E M O R CPU Y B On-chip U Peripherals S (MMIO) 13 Pretender

  14. Peripherals are Hard! FLASH On- Off- chip MEMORY chip RAM M E M O R CPU Timers Y I2C I2C Bus Interface B U Power Cfg S Serial USART / UART interface 14 Pretender

  15. Peripherals are Hard! 15 Pretender

  16. Peripherals are Hard! 16 Pretender

  17. Peripherals are Hard! Offset Register Name Offset Register Name 0x0 Control 1 0x0 Status 0x4 Control 2 0x4 Data (RX and TX) 0x8 Control 3 0x8 Baud Rate 0xC Baud Rate 0xC Control 1 0x10 GTPR 0x10 Control 2 0x14 RTOR 0x14 Control 3 … ... … … ... 0x18 GTPR 0x20 Data RX 0x24 Data TX STM32L152 Serial port STM32F072 Serial port 17 Pretender

  18. Peripherals are Hard! ● Obtained a dataset of Cortex-M memory layouts as used by debuggers (SVD files) ● Data self-published by vendors (and is therefore extremely incomplete) ● 463 distinct chip models, 13 vendors, 1592 unique peripherals ● Mainline QEMU supports 3 Cortex-M CPUs, and zero of the above dataset! 18 Pretender

  19. Emulation is Hard! ● Hardware-in-the-loop isn’t sufficient ○ One thread per device ○ One device reboot per execution ● Replay is not sufficient! ○ Can’t do fuzzing without input 19 Pretender

  20. Four Attributes of Ideal Re-Hosting ● Virtual ○ Does not require hardware at the time of emulation 20 Pretender

  21. Four Attributes of Ideal Re-Hosting ● Virtual ○ Does not require hardware at the time of emulation ● Abstraction-less ○ Does not rely on any aspect of the program 21 Pretender

  22. Four Attributes of Ideal Re-Hosting ● Virtual ○ Does not require hardware at the time of emulation ● Abstraction-less ○ Does not rely on any aspect of the program ● Interactive ○ Responds to stimulus as the original hardware would 22 Pretender

  23. Four Attributes of Ideal Re-Hosting ● Virtual ○ Does not require hardware at the time of emulation ● Abstraction-less ○ Does not rely on any aspect of the program ● Interactive ○ Responds to stimulus as the original hardware would ● Automatic ○ Requires a minimum of human intervention 23 Pretender

  24. Re-hosting is hard! But are we doomed? Not yet.

  25. Can we observe the real hardware, to build models for an emulator?

  26. Pretender 26 Pretender

  27. Recording Inside the Device-specific code CPU Libraries (HALs, libc) M We want to record this, M but it’s inside the CPU! I O B Internal Peripherals u s s External Peripherals e s 27 Pretender

  28. Recording Now we just Inside the record here. CPU Device-specific code Problem solved? Libraries (HALs, libc) M M MMIO I B O Internal Peripherals QEMU u s R s P External Peripherals e AVATAR C s 28 Pretender

  29. Interrupts ● The current version of Avatar does not handle interrupts at all, but almost every firmware requires them ● Previous approaches leverage chip-specific hardware to observe interrupts ● Timing, masking, ordering, …. Cause extreme complications 29 Pretender

  30. Interrupt Recording QEMU Hardware RUNNING RUNNING Normal code Normal code MMIO… MMIO… MMIO... 30 Pretender

  31. Interrupt Recording QEMU Hardware INTERRUPT 0x2F!!! RUNNING STOPPED Normal code Interrupt Routine 31 Pretender

  32. Interrupt Recording Hardware QEMU STOPPED RUNNING Fake Interrupt Normal code Routine 32 Pretender

  33. Interrupt Recording Hardware QEMU RUNNING RUNNING Fake Interrupt Interrupt Routine Routine OK! Taking Interrupt 0x2F!! 33 Pretender

  34. Interrupt Recording Hardware QEMU RUNNING RUNNING Fake Interrupt Interrupt Routine Routine 34 Pretender

  35. Interrupt Recording QEMU Hardware RUNNING RUNNING Normal Code Normal Code OK! Done with Interrupt 0x2F!! 35 Pretender

  36. Modeling 1. Figure out which groups of memory locations are distinct “peripherals” 2. Figure out which interrupts those peripherals fire, and under which conditions 3. Assign a model to each location within the peripheral 36 Pretender

  37. Grouping Peripherals Op. Address Value READ 0x40000004 0x1000 WRITE 0x40010024 0x0 READ 0x40002000 0x8000 WRITE 0x40020004 0x1 READ 0x40000008 0x8 READ 0x40003000 0x10 … … … … … … ... 37 Pretender

  38. Grouping Peripherals 0x40000000 Op. Address Value READ 0x40000004 0x1000 WRITE 0x40010024 0x0 READ 0x40002000 0x8000 WRITE 0x40020004 0x1 READ 0x40000008 0x8 READ 0x40003000 0x10 … … … … … … ... 0x50000000 38 Pretender

  39. Grouping Peripherals 0x40000000 Op. Address Value READ 0x40000004 0x1000 WRITE 0x40010024 0x0 READ 0x40002000 0x8000 WRITE 0x40020004 0x1 Clustering: READ 0x40000008 0x8 READ 0x40003000 0x10 … … … … … … ... 0x50000000 39 Pretender

  40. Associating Interrupts Offset Value 0x0 ???????? 0x4 ???????? 0x8 ???????? 0xC ???????? 0x10 ???????? 40 Pretender

  41. Associating Interrupts Offset Value 0x0 ???????? 0x4 0xDEADBEEF 0x8 ???????? 0xC ???????? 0x10 ???????? 41 Pretender

  42. Associating Interrupts Offset Value Interrupt 0x2F! 0x0 ???????? Interrupt 0x2F! Interrupt 0x2F! 0x4 0xDEADBEEF Interrupt 0x2F! 0x8 ???????? 0xC ???????? 0x10 ???????? 42 Pretender

  43. Associating Interrupts ISR ENTER 0x2F READ Peripheral 1 WRITE Peripheral 4 READ Peripheral 4 WRITE Peripheral 1 READ Peripheral 4 READ Peripheral 4 READ Peripheral 4 WRITE Peripheral 4 WRITE Peripheral 1 ISR EXIT 0x2F 43 Pretender

  44. Associating Interrupts ISR ENTER 0x2F READ Peripheral 1 WRITE Peripheral 4 READ Peripheral 4 WRITE Peripheral 1 READ Peripheral 4 READ Peripheral 4 READ Peripheral 4 WRITE Peripheral 4 WRITE Peripheral 1 ISR EXIT 0x2F 44 Pretender

  45. Associating Interrupts ISR ENTER 0x2F READ Peripheral 1 WRITE Peripheral 4 Peripheral 4 READ Peripheral 4 generates Interrupt 0x2F! WRITE Peripheral 1 READ Peripheral 4 READ Peripheral 4 READ Peripheral 4 WRITE Peripheral 4 WRITE Peripheral 1 ISR EXIT 0x2F 45 Pretender

  46. Interrupt Trigger Inference Op. Offset Value WRITE 0x4 0xDEADBEEF ... ... … … ... ENTER 0x2F 46 Pretender

  47. Interrupt Trigger Inference Op. Offset Value WRITE 0x4 0xFACEBEEF WRITE 0x4 0xDEADBEEF … ... ... … … ... ... ... … … ... ISR ENTER 0x2F ISR ENTER 0x2F WRITE 0x4 0x0000BEEF ISR EXIT 0x2F … ... ... … … ... … ... ... … … ... ISR ENTER 0x2F WRITE 0x4 0xDEAD0000 47 Pretender

Recommend

Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples

Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples

avatar 2 Marius Muench 34c3 - December 29, 2017 Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples 5. Conclusion 1 Binary Firmware Analysis Motivation Amount of embedded devices steadily

3.29k views • 51 slides
Towards Automated Dynamic Analysis for Linux-based Embedded Firmware Dominic Chen 1 , Manuel Egele

Towards Automated Dynamic Analysis for Linux-based Embedded Firmware Dominic Chen 1 , Manuel Egele

Towards Automated Dynamic Analysis for Linux-based Embedded Firmware Dominic Chen 1 , Manuel Egele 2 , Maverick Woo 1 , David Brumley 1 1 Carnegie Mellon University, 2 Boston University {ddchen, pooh, dbrumley}@cmu.edu, megele@bu.edu 2 FIRMADYNE

404 views • 22 slides
Embedded Devices Security Firmware Reverse Engineering Jonas Zaddach Andrei Costin August 11,

Embedded Devices Security Firmware Reverse Engineering Jonas Zaddach Andrei Costin August 11,

Embedded Devices Security Firmware Reverse Engineering Jonas Zaddach Andrei Costin August 11, 2013 Andrei Costin/Jonas Zaddach www.firmware.re 1/104 About Jonas Zaddach PhD. candidate on "Development of novel binary analysis

1.25k views • 104 slides
Breaking Through Another Side Bypassing Firmware Security Boundaries from Embedded Controller

Breaking Through Another Side Bypassing Firmware Security Boundaries from Embedded Controller

Breaking Through Another Side Bypassing Firmware Security Boundaries from Embedded Controller Alex Matrosov Alexandre Gazet Actually 5 months of passionate reverse-engineering nights Disclaimer All the details given about BIOS Guard

968 views • 77 slides
Towards Automated Classification of Firmware Images and Identification of Embedded Devices Andrei

Towards Automated Classification of Firmware Images and Identification of Embedded Devices Andrei

IFIP SEC '17 (Rome, Italy) Towards Automated Classification of Firmware Images and Identification of Embedded Devices Andrei Costin (University of Jyvaskyla) Apostolis Zarras (TUM) Aurelien Francillon (EURECOM) Agenda Introduction

577 views • 34 slides
Embedded Devices Security Firmware Reverse Engineering Jonas Zaddach Andrei Costin Andrei

Embedded Devices Security Firmware Reverse Engineering Jonas Zaddach Andrei Costin Andrei

Embedded Devices Security Firmware Reverse Engineering Jonas Zaddach Andrei Costin Andrei Costin/Jonas Zaddach www.firmware.re 1/78 Administratrivia Please fill-in the BH13US Feedback Form - Thanks! The views of the authors are their

1.19k views • 78 slides
TPM2.0 practical usage Using a firmware TPM 2.0 on an embedded device Davide Guerri -

TPM2.0 practical usage Using a firmware TPM 2.0 on an embedded device Davide Guerri -

TPM2.0 practical usage Using a firmware TPM 2.0 on an embedded device Davide Guerri - dguerri@fb.com Production Engineer - Facebook London Agenda Trusted Platform Module 2.0: a practical example what is a TPM? using TPM2.0 (on a

612 views • 23 slides
Effective Validation of Firmware Enabling firmware development and validation to keep pace with

Effective Validation of Firmware Enabling firmware development and validation to keep pace with

Effective Validation of Firmware Enabling firmware development and validation to keep pace with hardware innovations. Tom Melham University of Oxford Problem Firmware today facing greater complexity and shorter schedules coded at low

478 views • 14 slides
development upgrades Michael Brown NGM Firmware Lead Technologist Dell EMC Embedded Linux

development upgrades Michael Brown NGM Firmware Lead Technologist Dell EMC Embedded Linux

Reducing the pain of Yocto development upgrades Michael Brown NGM Firmware Lead Technologist Dell EMC Embedded Linux Conference 2017 Outline Easier Yocto upgrades in development - Introduction - Problem Statement - Dell EMC

167 views • 15 slides
Front-end Firmware Transition and Documentation Status/Plans/Proposals Kurtis Nishimura

Front-end Firmware Transition and Documentation Status/Plans/Proposals Kurtis Nishimura

Front-end Firmware Transition and Documentation Status/Plans/Proposals Kurtis Nishimura University of Hawaii December 14, 2012 US Firmware Meeting 1 v2 Firmware Version 2 firmware is largely done: New interface to the DAQ

273 views • 5 slides
Avatar - Enhancing Binary Firmware Security Analysis with Dynamic Multi-Target Orchestration

Avatar - Enhancing Binary Firmware Security Analysis with Dynamic Multi-Target Orchestration

CRYPTACUS Workshop Nijmegen, 16 - 18 November 2017 Avatar - Enhancing Binary Firmware Security Analysis with Dynamic Multi-Target Orchestration Marius Muench <marius.muench@eurecom.fr> PART I Avatar - Enhancing Binary Firmware

1.04k views • 26 slides
Component Firmware http://outflux.net/slides/2014/lss/firmware.pdf Linux Security Summit, Chicago

Component Firmware http://outflux.net/slides/2014/lss/firmware.pdf Linux Security Summit, Chicago

Component Firmware http://outflux.net/slides/2014/lss/firmware.pdf Linux Security Summit, Chicago 2014 Kees Cook <keescook@chromium.org> (pronounced Case) Overview Wait, which firmware? Threats Update methods

311 views • 20 slides
Embedded Firmware Diversity for Smart Electric Meters Stephen McLaughlin , Dmitry Podkuiko, Adam

Embedded Firmware Diversity for Smart Electric Meters Stephen McLaughlin , Dmitry Podkuiko, Adam

301 views • 18 slides
DUNE DAQ Firmware David Cussans Firmware Meeting 16/Jan/20 You Inst Logo You Inst Logo Goal

DUNE DAQ Firmware David Cussans Firmware Meeting 16/Jan/20 You Inst Logo You Inst Logo Goal

DUNE DAQ Firmware David Cussans Firmware Meeting 16/Jan/20 You Inst Logo You Inst Logo Goal Demonstrate upstream DAQ functions in firmware before design review - Have implementation ready before May 2020 10-second buffer Hit

466 views • 13 slides
Cochlear Implant Systems todays challenges in embedded firmware design December 7, 2009 Ren

Cochlear Implant Systems todays challenges in embedded firmware design December 7, 2009 Ren

Cochlear Implant Systems todays challenges in embedded firmware design December 7, 2009 Ren Roos Cochlear Implant Systems? Cochlear and CTC Cochlear Implant Systems for hearing impaired people First Cochlear implant, 1978,

590 views • 19 slides
Hacking the Internet of Things Andrei Costin andrei@firmware.re @costinandrei What I do?

Hacking the Internet of Things Andrei Costin andrei@firmware.re @costinandrei What I do?

Hacking the Internet of Things Andrei Costin andrei@firmware.re @costinandrei What I do? Embedded Security Research 2009 RFID MiFare Classic (MFCUK) Click to edit Master text styles https://github.com/nfc-tools/mfcuk Second

1.12k views • 71 slides
Reversing and Exploiting an Apple Firmware Update K. Chen Black Hat USA, July 30th, 2009 K.

Reversing and Exploiting an Apple Firmware Update K. Chen Black Hat USA, July 30th, 2009 K.

Introduction Firmware Update Analysis Exploitation Reversing and Exploiting an Apple Firmware Update K. Chen Black Hat USA, July 30th, 2009 K. Chen Reversing and Exploiting an Apple Firmware Update Introduction Motivation Firmware Update

2.09k views • 190 slides
WIB Firmware and Software Requirements Josh Klein CE Review March 10, 2020 Background

WIB Firmware and Software Requirements Josh Klein CE Review March 10, 2020 Background

WIB Firmware and Software Requirements Josh Klein CE Review March 10, 2020 Background ProtoDUNE WIB operated (and continuing) successfully FPGA was an Altera Aria V All-firmware design, included different firmware sets for

843 views • 47 slides
Reversing firmware using radare2 [H2HC] A. Kochkov October, 2014 Motives Implement FOSS

Reversing firmware using radare2 [H2HC] A. Kochkov October, 2014 Motives Implement FOSS

Reversing firmware using radare2 [H2HC] A. Kochkov October, 2014 Motives Implement FOSS alternative (coreboot, OpenEC) Figure out possible attack vectors via firmware trojans We will take only case of modern PC/Laptop/Server firmware(s).

747 views • 46 slides
OpenPower Jeremy Kerr Firmware developer IBM Linux Technology Center jk@ozlabs.org Firmware

OpenPower Jeremy Kerr Firmware developer IBM Linux Technology Center jk@ozlabs.org Firmware

OpenPower Jeremy Kerr Firmware developer IBM Linux Technology Center jk@ozlabs.org Firmware OpenPower System architecture Development collaboration Linux platform openpowerfoundation.org POWER8 Machine State Register (MSR) PR PR=1

496 views • 36 slides
Secure Firmware Updates in the IoT COMPETENCE CENTRE FOR IT-SECURITY, MASTER STUDIES IT-SECURITY

Secure Firmware Updates in the IoT COMPETENCE CENTRE FOR IT-SECURITY, MASTER STUDIES IT-SECURITY

Secure Firmware Updates in the IoT COMPETENCE CENTRE FOR IT-SECURITY, MASTER STUDIES IT-SECURITY Silvie Schmidt Competence Centre for IT- Security at FH Campus Wien Project ELVIS Embedded Lab Vienna for IoT & Security Agenda

811 views • 37 slides
How the analysis of electrical current consumption of embedded systems could lead to code

How the analysis of electrical current consumption of embedded systems could lead to code

How the analysis of electrical current consumption of embedded systems could lead to code reversing ? Code extraction via Power analysis Focus on Embedded systems Yann ALLAIN / Julien MOINARD AGENDA Who we are Research

979 views • 71 slides
FirmFuzz: Automated IoT Firmware Introspection and Analysis Prashast Srivastava, Hui Peng, Jiahao

FirmFuzz: Automated IoT Firmware Introspection and Analysis Prashast Srivastava, Hui Peng, Jiahao

FirmFuzz: Automated IoT Firmware Introspection and Analysis Prashast Srivastava, Hui Peng, Jiahao Li, Hamed Okhravi, Howard Shrobe, Mathias Payer Internet of Things 2 Internet of Things 3 Internet of Things - 233 CVEs assigned from Jan

922 views • 34 slides
OsmocomBB Free Software GSM baseband firmware for security analysis Harald Welte gnumonks.org

OsmocomBB Free Software GSM baseband firmware for security analysis Harald Welte gnumonks.org

GSM/3G Network Security Introduction Security Problems and the Baseband OsmocomBB Project Summary OsmocomBB Free Software GSM baseband firmware for security analysis Harald Welte gnumonks.org gpl-violations.org OpenBSC airprobe.org

830 views • 37 slides

More recommend