analyzing embedded software technologies on risc v64
play

Analyzing embedded software technologies on RISC-V64 using Ghidra - PowerPoint PPT Presentation

Aug 30, 2022 •149 likes •524 views

Presented by: Joris Jonkers Both & Patrick Spaans Supervisor: Alexandru Geana Analyzing embedded software technologies on RISC-V64 using Ghidra driving your security forward 1 Introduction RISC-V64 - Like ARM but open source - One

  1. Presented by: Joris Jonkers Both & Patrick Spaans Supervisor: Alexandru Geana Analyzing embedded software technologies on RISC-V64 using Ghidra driving your security forward 1

  2. Introduction RISC-V64 - Like ARM but open source - One base image - Extendable with extensions (e.g. M for multiplications) - 2

  3. Introduction RISC-V64 - Like ARM but open source - One base image - Extendable with extensions (e.g. M for multiplications) - Security of embedded systems 3

  4. Introduction RISC-V64 - Like ARM but open source - One base image - Extendable with extensions (e.g. M for multiplications) - Security of embedded systems Ghidra SRE Framework 4

  5. Introduction RISC-V64 - Like ARM but open source - One base image - Extendable with extensions (e.g. M for multiplications) - Security of embedded systems Ghidra SRE Framework Kendryte K210 SoC - System on a Chip - Maix-bit - AI capable IoT device 5

  6. Related Work Ghidra only recently open source Analyzing security using reverse engineering is not a new concept - Udupa et al. in 2005 - Zaddach and Costin in 2013 6

  7. RISC-V64 Supported extensions { I → base integer instruction set M → standard integer multiplication & division extension G A → standard atomic instruction extension F → single-precision floating-point extension D → standard double-precision floating-point extension C → standard extension for compressed instructions Q → standard extension for quad-precision floating-point 7

  8. RISC-V64 Supported extensions { I → base integer instruction set M → standard integer multiplication & division extension G A → standard atomic instruction extension F → single-precision floating-point extension D → standard double-precision floating-point extension C → standard extension for compressed instructions Q → standard extension for quad-precision floating-point So, Risc-V64GC == Risc-V64IMAFDC... 8

  9. Research Question In what ways can a disassembly and decompile tool be used to analyze and enhance the working of embedded technologies? 9

  10. Research Subquestions - What are the possibilities of implementing a Ghidra plugin for RISC-V? - What are the possibilities of using reverse-engineering to enable hidden features on the Kendryte K210? 10

  11. Methodology Creating a Ghidra Plugin for RISC-V64GC Reverse engineering the Kendryte K210 bootrom Research into writing to the Kendryte K210 OTP in order to implement secure boot 11

  12. Creating a Ghidra Plugin for RISC-V64GC - Add support for architectures - Specifies register layouts and hardware specs - Must contain all instructions specifications to allow successful decompilation 12 confidential

  13. Creating a Ghidra Plugin Plugin structure .ldefs file (language definition) 13

  14. Creating a Ghidra Plugin Plugin structure .ldefs file (language definition) .sla file Example: (Instruction definitions) 14

  15. Creating a Ghidra Plugin Plugin structure .ldefs file (language definition) .sla file (Instruction definitions) .pspec file (Processor specification) 15

  16. Creating a Ghidra Plugin Plugin structure .ldefs file (language definition) .sla file (Instruction definitions) .pspec file (Processor specification) .cspec file (Compiler specification) 16 ...

  17. Creating a Ghidra Plugin Plugin structure .ldefs file (language definition) .sla file (Instruction definitions) .pspec file (Processor specification) .cspec file (Compiler specification) 17

  18. Reverse engineering the Kendryte K210 bootrom Using the plugin … 18

  19. Reverse engineering the Kendryte K210 bootrom Using the plugin … Can be: “f3 01 e7 00” or “f3 01” Neither are in the documentation … 19

  20. Reverse engineering the Kendryte K210 bootrom Using an alternative reverse engineering tool An alternative to Ghidra could be used to find out more about these functions. 20

  21. Reverse engineering the Kendryte K210 bootrom Using an alternative reverse engineering tool An alternative to Ghidra could be used to find out more about these functions. Ghidra Radare2 21

  22. Reverse engineering the Kendryte K210 bootrom Using the complete bootrom 22

  23. Reverse engineering the Kendryte K210 bootrom Using the complete bootrom There are still some unrecognized instructions 23

  24. Reverse engineering the Kendryte K210 bootrom Debugging Using J-Link and OpenOCD (on-chip-debugger) 24

  25. Reverse engineering the Kendryte K210 bootrom Debugging It turns out that all instructions left were no actual instructions 25

  26. Research into writing to the Kendryte K210 OTP Implementing secure boot 26

  27. Research into writing to the Kendryte K210 OTP Implementing secure boot 27

  28. Research into writing to the Kendryte K210 OTP Implementing secure boot 28

  29. Research into writing to the Kendryte K210 OTP Implementing secure boot 29

  30. Research into writing to the Kendryte K210 OTP Implementing secure boot 30

  31. Research into writing to the Kendryte K210 OTP Implementing secure boot 31

  32. Research into writing to the Kendryte K210 OTP Trying to write to the OTP We used the Ghidra plugin to find the OTP write function 32

  33. Research into writing to the Kendryte K210 OTP Trying to write to the OTP We used the Ghidra plugin to find the OTP write function While being the correct function, it is yet unable to write 33

  34. Research into writing to the Kendryte K210 OTP What is this return value? In the function, the following is specified: 34

  35. Research into writing to the Kendryte K210 OTP What is this return value? In the function, the following is specified: So what is this _DAT_50420060? 35

  36. The Ghidra Plugin works, and is Conclusion able to completely reverse engineer the Kendryte K210 Bootrom However, it is not possible to enable any features that require writing to the OTP if the write disabling bit has been set. 36

  37. Test the write function on a Future Work Kendryte K210 chip with an unwritten OTP Use the Ghidra Plugin as a means to analyze the security of embedded SoC’s Enable other features of the Kendryte K210 using reverse engineering Create a plugin for other RISC-V types or extensions 37

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Adventures with RISC-V Vectors and LLVM Robin Kruppe Roger Espasa Chief Architect Embedded

Adventures with RISC-V Vectors and LLVM Robin Kruppe Roger Espasa Chief Architect Embedded

Adventures with RISC-V Vectors and LLVM Robin Kruppe Roger Espasa Chief Architect Embedded Systems and Applications Group 1 Background RISC-V is a new open-source ISA rapidly gaining momentum Definition controlled by the RISC-V

530 views • 23 slides
Page 1 Brief ARM History ARM=RISC, ColdFire=CISC? 1978 Acorn started Make

Page 1 Brief ARM History ARM=RISC, ColdFire=CISC? 1978 Acorn started Make

Ripped From The Headlines Last Time OpenBTS: A software-based GSM access point, allowing Embedded systems introduction standard GSM-compatible mobile phones to Definition of embedded system make telephone calls without

303 views • 7 slides
HERO: Open-Source Heterogeneous Embedded Research Platform for Exploring RISC-V Manycore

HERO: Open-Source Heterogeneous Embedded Research Platform for Exploring RISC-V Manycore

HERO: Open-Source Heterogeneous Embedded Research Platform for Exploring RISC-V Manycore Architectures on FPGA First Workshop on Computer Architecture Research with RISC-V (CARRV) @ MICRO 50 2017-10-14 Andreas Kurth Pirmin Vogel Alessandro

216 views • 21 slides
A Comparison of Linux Software Update Technologies Matt Porter, Konsulko Group Embedded Linux

A Comparison of Linux Software Update Technologies Matt Porter, Konsulko Group Embedded Linux

A Comparison of Linux Software Update Technologies Matt Porter, Konsulko Group Embedded Linux Conference Europe 2016 Overview Background of Linux software update Linux software update strategies Detailed look at each FOSS project

400 views • 26 slides
Software Engineering for Embedded Systems Software Engineering for Embedded Systems Dr.-Ing.

Software Engineering for Embedded Systems Software Engineering for Embedded Systems Dr.-Ing.

Software Engineering for Embedded Systems Software Engineering for Embedded Systems Dr.-Ing. Mohammad. Abdullah Al Faruque Dipl.-Inform. Sebastian Kobbe CES - C hair for E mbedded S ystems (Prof. Dr. Jrg Henkel) Department of Computer Science

847 views • 72 slides
Cloud meets GRID Wolfgang Hennerbichler (wolfgang.hennerbichler@risc-software.at) RISC Software

Cloud meets GRID Wolfgang Hennerbichler (wolfgang.hennerbichler@risc-software.at) RISC Software

Cloud meets GRID Wolfgang Hennerbichler (wolfgang.hennerbichler@risc-software.at) RISC Software GmbH Sep 21, 2012 Sep 21, 2012 Cloud meets GRID 1 Table of Contents IBM CloudBurst 1 Hardware Specs Networking Infrastructure IBM Tivoli

512 views • 22 slides
Embien Technologies Corporate Presentation Overview About Us Expertise Matrix

Embien Technologies Corporate Presentation Overview About Us Expertise Matrix

Embien Technologies Corporate Presentation Overview About Us Expertise Matrix Embedded Software Services Embedded Hardware Services Solution Offerings Alliances and Technologies About Us Technology Service Provider for

206 views • 9 slides
HW/SW Codesign w/ FPGAsGeneral Purpose Embedded Cores ECE 495/595 The RISC Pipeline (A Practical

HW/SW Codesign w/ FPGAsGeneral Purpose Embedded Cores ECE 495/595 The RISC Pipeline (A Practical

HW/SW Codesign w/ FPGAsGeneral Purpose Embedded Cores ECE 495/595 The RISC Pipeline (A Practical Intro. to HW/SW Codesign, P. Schaumont) Here we cover the internal architecture of a very common type of microprocessor, the Reduced Instruction Set

450 views • 20 slides
RISC-V: Emulation and Rich, Non-Intrusive Analytics Address Verification Complexity Embedded

RISC-V: Emulation and Rich, Non-Intrusive Analytics Address Verification Complexity Embedded

RISC-V: Emulation and Rich, Non-Intrusive Analytics Address Verification Complexity Embedded World | 27 Feb 2018 UltraSoC: Corporate Overview Tier-1 VC-funded start-up Automotive Recently completed round D ($6M) ARMv8 Founded 2009

557 views • 32 slides
1 How are embedded systems different Timing and Concurrency than traditional software? Fire

1 How are embedded systems different Timing and Concurrency than traditional software? Fire

What is an Embedded System? Definition of an embedded computer system: Embedded Systems is a digital system. Introduction uses a microprocessor (usually). runs software for some or all of its functions. frequently used as a

158 views • 3 slides
ARM Cortex-M4 Programming Model ARM = Advanced RISC Machines, Ltd. ARM licenses IP to other

ARM Cortex-M4 Programming Model ARM = Advanced RISC Machines, Ltd. ARM licenses IP to other

ARM Cortex-M4 Programming Model ARM = Advanced RISC Machines, Ltd. ARM licenses IP to other companies (ARM does not fabricate chips) 2005: ARM had 75% of embedded RISC market, with 2.5 billion processors ARM available as microcontrollers, IP

611 views • 29 slides
Page 1 ARM=RISC, ColdFire=CISC ARM Family Members ARM7 (1995) However ARM is not all that

Page 1 ARM=RISC, ColdFire=CISC ARM Family Members ARM7 (1995) However ARM is not all that

Reminders Last Time Get on the mailing list if youre not already Course perspective Looks like about 6 people need to do this Embedded systems introduction Definition of embedded system Lab after class today

472 views • 6 slides
Embedded Software TI2726-B 8. Debugging techniques Koen Langendoen Embedded Software Group

Embedded Software TI2726-B 8. Debugging techniques Koen Langendoen Embedded Software Group

Embedded Software TI2726-B 8. Debugging techniques Koen Langendoen Embedded Software Group Grace Hopper 1947 2 Overview Debugging techniques Debugging a distributed system Preparation for the exam Debugging Write good code!

733 views • 45 slides
Software for Embedded Systems Galyna Tabunshchyk Prof. Software Tools Department ZNTU, Ukraine

Software for Embedded Systems Galyna Tabunshchyk Prof. Software Tools Department ZNTU, Ukraine

Development of Embedded System Courses with implementation of Innovative Virtual approaches for integration of Research, Education and Production in UA, GE, AM Pilot Teaching Implementation Software for Embedded Systems Galyna Tabunshchyk

397 views • 14 slides
Embedded Software R&D at ETRI: Qplus, Esto, and Nano Qplus Heung-Nam Kim Embedded S/W

Embedded Software R&D at ETRI: Qplus, Esto, and Nano Qplus Heung-Nam Kim Embedded S/W

Embedded Software R&D at ETRI: Qplus, Esto, and Nano Qplus Heung-Nam Kim Embedded S/W Research Division Electronics and Telecommunications Research Institute, KOREA hnkim@etri.re.kr Abstract It is said that embedded software technology

339 views • 4 slides
Why RISC-V Is Not Nearly Boring Enough Al Stone Principal Software Engineer Platform Enablement

Why RISC-V Is Not Nearly Boring Enough Al Stone Principal Software Engineer Platform Enablement

Why RISC-V Is Not Nearly Boring Enough Al Stone Principal Software Engineer Platform Enablement Red Hat When RISC-V Grows Up... The ISA is only a small part of a product What we need is to be dead boring To get there, we need:

300 views • 13 slides
Case Management and Contacts Jane Scott July 25, 2017 1 Applications Division Incentive

Case Management and Contacts Jane Scott July 25, 2017 1 Applications Division Incentive

Case Management and Contacts Jane Scott July 25, 2017 1 Applications Division Incentive Rate-setting Major Applications and Regulatory Jane Scott Accounting Dan Gapic - Case Managers; COS & CIR - Case Managers; IRM - Subject Matter

1.96k views • 182 slides
Everything in its Place: Investigating the affordances of integrated data display in

Everything in its Place: Investigating the affordances of integrated data display in

Everything in its Place: Investigating the affordances of integrated data display in analysing neighbourhood experiences of crime and disorder Graham Hughes QUIC Conference 2011 University of Surrey 5 th May 2011 n.hughes@surrey.ac.uk

663 views • 25 slides
Smarter Balanced Assessment 2017 Report to the Ridgefield Board of Education presented by

Smarter Balanced Assessment 2017 Report to the Ridgefield Board of Education presented by

Smarter Balanced Assessment 2017 Report to the Ridgefield Board of Education presented by Kimberly Beck Assistant Superintendent & District Test Coordinator Dr. Alison Villanueva K-12 Humanities Supervisor November 27, 2017 A Quick

610 views • 28 slides
Business Office 2018-2019 Contacts Budget & Risk o AMS Info Advantage Reports o AMS

Business Office 2018-2019 Contacts Budget & Risk o AMS Info Advantage Reports o AMS

Business Office 2018-2019 Contacts Budget & Risk o AMS Info Advantage Reports o AMS Finance Transaction Detail: Payroll o Payroll Procedures o Payroll Schedule Procurement o Purchasing and Procurement o Requisition Form o

625 views • 35 slides
USB for Embedded Devices Mohit Maheshwari 200601008 Prashant Garg 200601144 USB : An

USB for Embedded Devices Mohit Maheshwari 200601008 Prashant Garg 200601144 USB : An

USB for Embedded Devices Mohit Maheshwari 200601008 Prashant Garg 200601144 USB : An Introduction The Universal Serial Bus (USB) is a specification developed by Compaq, Intel, Microsoft and NEC, joined later by Hewlett-Packard, Lucent

607 views • 27 slides
TOMOYO Linux News! A Lightweight and Manageable Security System for PC and Embedded Linux

TOMOYO Linux News! A Lightweight and Manageable Security System for PC and Embedded Linux

TOMOYO Linux News! A Lightweight and Manageable Security System for PC and Embedded Linux PDF version of ELC2007 slide is available: CE Linux Forum Wiki TomoyoLinux http://tree.celinuxforum.org/CelfPubWiki/TomoyoLinux (bookmark and

890 views • 48 slides
Plugin frameworks About me About this talk Plugin 3 approaches to designing plugin APIs

Plugin frameworks About me About this talk Plugin 3 approaches to designing plugin APIs

Plugin frameworks noufal Introduction Plugin frameworks About me About this talk Plugin 3 approaches to designing plugin APIs frameworks Case #1 : Trac Trac Component architecture Noufal Ibrahim Writing a plugin Example

550 views • 23 slides
veraPDF: industry supported, open source PDF/A validation for digital preservationists PREFORMA

veraPDF: industry supported, open source PDF/A validation for digital preservationists PREFORMA

veraPDF: industry supported, open source PDF/A validation for digital preservationists PREFORMA Experience Workshop, Berlin 23 November Why veraPDF? PDF/A, and the standards on which PDF/A is based, are complex; agreement on meaning

345 views • 18 slides

More recommend