avatar 2 a multi target orchestration platform
play

Avatar 2 : A Multi-target Orchestration Platform Marius Muench, - PowerPoint PPT Presentation

Sep 17, 2022 •2.53k likes •2.94k views

Avatar 2 : A Multi-target Orchestration Platform Marius Muench, Dario Nisi, Aur elien Francillon & Davide Balzarotti Workshop on Binary Analysis Research 2018 Introduction Dynamic B inaryA nalysis 1 Motivation Having a huge

  1. Avatar 2 : A Multi-target Orchestration Platform Marius Muench, Dario Nisi, Aur´ elien Francillon & Davide Balzarotti Workshop on Binary Analysis Research 2018

  2. Introduction Dynamic B inaryA nalysis 1

  3. Motivation • Having a huge variety of tools is awesome • But analysis state is mostly local to the single tools • A lot of effort to integrate specific tools into other 2

  4. Being able to interconnect debuggers, emulators and analysis frameworks greatly benefits dynamic binary analysis 2

  5. A link to the past 2014: The avatar framework: • Connects S 2 E and OpenOCD/GDB • Targets ARM firmware • Partial emulation together with real hardware Zaddach, Jonas, et al. ”AVATAR: A Framework to Support Dynamic Security Analysis of Embedded Systems’ Firmwares.” NDSS 2014. 3

  6. A link to the past 2014: The avatar framework: • Connects S 2 E and OpenOCD/GDB • Targets ARM firmware • Partial emulation together with real hardware • Tightly coupled to S 2 E and OpenOCD/GDB Zaddach, Jonas, et al. ”AVATAR: A Framework to Support Dynamic Security Analysis of Embedded Systems’ Firmwares.” NDSS 2014. 3

  7. Imagine a tool that ... 4

  8. Imagine a tool that ... 4

  9. Imagine a tool that ... 4

  10. Imagine a tool that ... 4

  11. Imagine a tool that ... 4

  12. Imagine a tool that ... 4

  13. Imagine a tool that ... 4

  14. Imagine a tool that ... 4

  15. Imagine a tool that ... 4

  16. One framework to orchestrate them all? • Capable of interconnecting a variety of tools • Expose a consistent API to the analyst • Easy scriptability • Operate in an highly asynchronous environment � Careful crafted architecture required 5

  17. Avatar 2 - The architecture Avatar 2 . . . T arget 0 T arget n Execution Memory Register . . . Execution Memory Register Protocol Protocol Protocol Protocol Protocol Protocol . . . Endpoint 0 Endpoint n 6

  18. Additional features • Architecture independent design • Internal memory layout representation • Legacy python support • Peripheral modeling • Plugin System • Assembler/Disassembler • Orchestrator • Instruction Forwarder 7

  19. Examples Example I: Example II: Facilitating replication Symbolic Execution & reproduction & Complex Software Example III: Record & Replay for Firmware 8

  20. Example I - Replicating Harvey • Proof of concept implementation of HARVEY [1] • Malware for a COTS PLC • The plc utilizes multiple boards • Code injection via JTAG [1] Garcia, Luis, et al. ”Hey, My Malware Knows Physics Attacking PLCs with Physical Model Aware Rootkit.” NDSS 2016. 9

  21. Figure 1: Harvey’s modifications to the GPIO-output ISR 1 1Taken from [1]. Original title: ”Figure 5. Original GPIO-output update ISR assembly code compared to 10 modified subroutine with branch to malicious code.”

  22. 1 from avatar2 import Avatar, ARMV7M, OpenOCDTarget 2 3 output_hook = ’’’mov r5,0xfffffffd mov r4, r5 4 mov r5, 0 5 b 0x2000233E’’’ 6 7 8 avatar = Avatar(arch=ARMV7M) 9 avatar.load_plugin(’assembler’) 10 11 t = avatar.add_target(OpenOCDTarget, openocd_script=’harvey.cfg’, gdb_executable=’arm-none-eabi-gdb’) 12 13 14 t.init() 15 t.set_breakpoint(0xd270) 16 t.cont() 17 t.wait() 18 19 t.inject_asm(’b 0x20002514’,addr=0x20002338) 20 t.inject_asm(output_hook,addr=0x20002514) 21 22 t.cont() 11

  23. Example I - Results • Implementation of PoC in approx. 30 lines of Python • All of this could –and has – been done without avatar 2 • Unified and centralized interface • Easy to exchange scripts • Modifications can easily be integrated 12

  24. Example II - Symbolic Execution of Firefox • Firefox with inserted bug • Executed concretely inside gdb until function of interest • Automated memory layout extraction from gdb • Transfer of layout into angr • Memory contents copied-on-read • Symbolic function arguments • Analysis of only one thread 13

  25. Example II - Results • Implementation in approx. 60 lines of Python • Execution statistics: • Approximatly 10 minutes of runtime 2 • 36 executed basic blocks • 21 uniquely accessed pages • Found the bug • angr alone was not able to find the bug • Could be achieved by tedious population of state without avatar 2 • Demonstrates State Transfer and Orchestration capabilities 2 Hardware: VM with four Intel Xeon E5-2650L cores and 16GB of RAM 14

  26. Example III - Recording Firmware Execution • Dynamic binary analysis of firmware often requires the device • PANDA [2] allows to record and replay execution • Allows exchange of executions for further analysis without the device [2] Whelan, Ryan J., et al. ”Repeatable Reverse Engineering with the Platform for Architecture-Neutral Dynamic Analysis.” MIT Lincoln Laboratory Lexington 2015. 15

  27. 1 from avatar2 import ARMV7M, Avatar, OpenOCDTarget, PandaTarget 2 3 avatar = Avatar(arch=ARMV7M) 4 avatar.load_plugin(’orchestrator’) 5 6 nucleo = avatar.add_target(OpenOCDTarget, [...]) 7 panda = avatar.add_target(PandaTarget, [...]) 8 9 rom = avatar.add_memory_range(0x08000000, 0x1000000, file=firmware) 10 11 ram = avatar.add_memory_range(0x20000000, 0x14000) 12 mmio= avatar.add_memory_range(0x40000000, 0x1000000, forwarded=True, forwarded_to=nucleo) 13 14 15 avatar.init_targets() 16 [...] 17 panda.begin_record(’panda_record’) 18 avatar.resume_orchestration(blocking=False) 19 [...] 20 avatar.stop_orchestration() 21 panda.end_record() 16

  28. Example III - Results • Implementation in approx. 30 lines of Python • Successful recording of firmware’s execution • Replayable without presence of hardware • Without avatar 2 , cumbersome implementation of peripherals required • Demonstration of separation between execution and memory 17

  29. Discussion • So far, only five targets implemented • Achieving genericity is difficult • Overhead for implementing new targets varies • Unsolved challenges for analysis of embedded devices • Interrupts • Debug access 18

  30. Conclusion • Multi-target orchestration is not limited to firmware • We are just at the beginning ... • More tomorrow morning! • ”What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices.” • Session 1A: IoT, Kon Tiki Ballroom, 12.20pm 19

  31. Artifacts? • The full framework is open source: https://github.com/avatartwo/avatar2 • Presented examples at: https://github.com/avatartwo/bar18_avatar2 • Pre-built vagrant box: avatar/2bar18 avatar2 20

  32. Backup slide #1: Changes to QEMU Avatar 2 provides a costomized QEMU • All located in a single subfolder: hw/avatar • New board: Configurable Machine • Already present in the first avatar • Allows flexible configuration of emulated hardware • New peripheral: remote memory • Communicates with avatar 2 via posix message queues • Utilizes custom remote-memory protocol 21

  33. Backup Slide #2: Event handling in avatar 2 • Targets are emitting events • Events are registered by protocols forwarded to the avatar 2 core • Fast queue for execution state updates • Enables callbacks and inspection mechanisms 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Avatar - Enhancing Binary Firmware Security Analysis with Dynamic Multi-Target Orchestration

Avatar - Enhancing Binary Firmware Security Analysis with Dynamic Multi-Target Orchestration

CRYPTACUS Workshop Nijmegen, 16 - 18 November 2017 Avatar - Enhancing Binary Firmware Security Analysis with Dynamic Multi-Target Orchestration Marius Muench <marius.muench@eurecom.fr> PART I Avatar - Enhancing Binary Firmware

1.04k views • 26 slides
Senior school home page SEM and EM photographs of various microbes and all pack artwork available

Senior school home page SEM and EM photographs of various microbes and all pack artwork available

Students could create their own avatar to guide them through the various sections of Create your own the website, this avatar could potentially remind them of areas they have yet to visit, avatar give them updates on how they can earn more

440 views • 3 slides
Embedded Multi-Target Tracking System CN052 Wang Shuhui, Wang Qiaoyuan, Wei Longping Lu Xiaofeng

Embedded Multi-Target Tracking System CN052 Wang Shuhui, Wang Qiaoyuan, Wei Longping Lu Xiaofeng

Embedded Multi-Target Tracking System CN052 Wang Shuhui, Wang Qiaoyuan, Wei Longping Lu Xiaofeng Outline 1. Introduction 2. System Platform 3. Hardware Architecture of Multi-target Detection 4. Hardware Architecture of Multi-target Tracking

383 views • 11 slides
Distributed multi-tenant cloud/fog and heterogeneous SDN/NFV orchestration for 5G services Ricard

Distributed multi-tenant cloud/fog and heterogeneous SDN/NFV orchestration for 5G services Ricard

Distributed multi-tenant cloud/fog and heterogeneous SDN/NFV orchestration for 5G services Ricard Vilalta, A. Mayoral, Raul Muoz, Ramon Casellas, Ricardo Martnez The need for generic control functions and a Transport API The NBI of the

679 views • 15 slides
A multi- -layer layer A multi A multi-layer research and training platform research and

A multi- -layer layer A multi A multi-layer research and training platform research and

Final Workshop of CDC 2002-2007 Tallinn, Brotherhood of the Blackheads, 21 22 January 2008 A multi- -layer layer A multi A multi-layer research and training platform research and training platform research and training platform for

769 views • 35 slides
Playing with AVATAR How to play with AVATAR Giles Reger, Martin Suda and Andrei Voronkov School

Playing with AVATAR How to play with AVATAR Giles Reger, Martin Suda and Andrei Voronkov School

Playing with AVATAR How to play with AVATAR Giles Reger, Martin Suda and Andrei Voronkov School of Computer Science, University of Manchester The 1st Vampire Workshop Reger,G How to play with AVATAR 1 / 26 Overview Introduction 1

1.1k views • 43 slides
Unicorn: Unified Resource Orchestration for Multi- Domain, Geo-Distributed Data Analytics Qiao

Unicorn: Unified Resource Orchestration for Multi- Domain, Geo-Distributed Data Analytics Qiao

Unicorn: Unified Resource Orchestration for Multi- Domain, Geo-Distributed Data Analytics Qiao Xiang 12 , Jace Liu 1 , Harvey Newman 3 , Tony Wang 12 , Y. Richard Yang 12 , Jensen Zhang 1 1 Tongji University, 2 Yale University, 3 California

885 views • 33 slides
Project Avatar Dr Geraldine Paterson 1 Avatar Funded by Network Innovation Allowance October

Project Avatar Dr Geraldine Paterson 1 Avatar Funded by Network Innovation Allowance October

Project Avatar Dr Geraldine Paterson 1 Avatar Funded by Network Innovation Allowance October 2016 December 2019 Colleague Exploratory Analysis, Concept Publish final Literature Research engagement research refinements Go live

650 views • 9 slides
IVA Interactive Video Avatar (Toolkit for an interactive video for creating Avatar, simulator

IVA Interactive Video Avatar (Toolkit for an interactive video for creating Avatar, simulator

IBM - CVUT Student Research Projects IVA Interactive Video Avatar (Toolkit for an interactive video for creating Avatar, simulator etc.) Frantiek Kafka (kafkaf1@fel.cvut.cz) Lud k Krejzar (krejzl1@fel.cvut.cz) The aim of project the

732 views • 6 slides
Building A Better Airline What Makes Avatar Different ? Building A Better Airline

Building A Better Airline What Makes Avatar Different ? Building A Better Airline

Building A Better Airline What Makes Avatar Different ? Building A Better Airline Contribute to Lower Fares Passenger Revenue Branding Food & Beverage Avatar Vacations In-flight Entertainment TIcket

375 views • 35 slides
Drawing Parallels between Multi-label Classification and Multi-target Regression Grigorios

Drawing Parallels between Multi-label Classification and Multi-target Regression Grigorios

Drawing Parallels between Multi-label Classification and Multi-target Regression Grigorios Tsoumakas, Eleftherios Spyromitros-Xioufis, and Ioannis Vlahavas Machine Learning and Knowledge Discovery (MLKD) group Department of Informatics,

1.19k views • 34 slides
AI Driven Orchestration, Challenges & Opportunities Openstack Summit 2018 Sana Tariq (Ph.D.)

AI Driven Orchestration, Challenges & Opportunities Openstack Summit 2018 Sana Tariq (Ph.D.)

AI Driven Orchestration, Challenges & Opportunities Openstack Summit 2018 Sana Tariq (Ph.D.) TELUS Communication Agenda Service Orchestration Journey Service Orchestration Operational Challenges Closed Loop Orchestration and Dynamic

222 views • 19 slides
Multi-Target Regression via Random Linear Target Combinations Grigorios Tsoumakas, Eleftherios

Multi-Target Regression via Random Linear Target Combinations Grigorios Tsoumakas, Eleftherios

Multi-Target Regression via Random Linear Target Combinations Grigorios Tsoumakas, Eleftherios Spyromitros-Xioufis Aikaterini Vrekou, Ioannis Vlahavas Department of Informatics Aristotle University of Thessaloniki Thessaloniki 54124, Greece

349 views • 20 slides
Cooperative Localization via DSRC and Multi-Sensor Multi-Target Track Association Presenter:

Cooperative Localization via DSRC and Multi-Sensor Multi-Target Track Association Presenter:

Cooperative Localization via DSRC and Multi-Sensor Multi-Target Track Association Presenter: Preeti Pillai Authors: Ahmed Hamdi Sakr and Gaurav Bansal Toyota InfoTechnology Center, Mountain View, California, U.S.A. PPNIV workshop, IEEE ITSC 2016

638 views • 20 slides
Heterogeneous Multi-Computer System A New Platform for Multi-Paradigm Scientific Simulation

Heterogeneous Multi-Computer System A New Platform for Multi-Paradigm Scientific Simulation

Heterogeneous Multi-Computer System A New Platform for Multi-Paradigm Scientific Simulation Taisuke Boku, Hajime Susa, Masayuki Umemura, Akira Ukawa Center for Computational Physics, University of Tsukuba Junichiro Makino, Toshiyuki

531 views • 29 slides
Search-based Testing of Procedural Programs: Iterative Single-Target or Multi-Target Approach?

Search-based Testing of Procedural Programs: Iterative Single-Target or Multi-Target Approach?

Search-based Testing of Procedural Programs: Iterative Single-Target or Multi-Target Approach? Simone Scalabrino Giovanni Grano Dario Di Nucci Rocco Oliveto Andrea De Lucia The overall cost of testing has been estimated at being at

568 views • 39 slides
C Programming Basics GCC 8.2.0 & GDB 8.1.1 nike.cs.uga.edu brew macOS gcc-8

C Programming Basics GCC 8.2.0 & GDB 8.1.1 nike.cs.uga.edu brew macOS gcc-8

8/21/18 C Programming Basics GCC 8.2.0 & GDB 8.1.1 nike.cs.uga.edu brew macOS gcc-8 brew install gcc, or brew upgrade gcc Also need Xcode CLT xcode-select install Brew info gcc brew install gdb

399 views • 15 slides
CS527 Software Security Reverse Engineering Mathias Payer Purdue University, Spring 2018

CS527 Software Security Reverse Engineering Mathias Payer Purdue University, Spring 2018

CS527 Software Security Reverse Engineering Mathias Payer Purdue University, Spring 2018 Mathias Payer CS527 Software Security Basics: encodings Code is data is code is data Learn to read hex numbers: 0x38 == 0011'1000 Python:

710 views • 49 slides
Introduction to a microkernel microkernel maybe self supporting initially they are built on a host

Introduction to a microkernel microkernel maybe self supporting initially they are built on a host

slide 1 gaius Introduction to a microkernel microkernel maybe self supporting initially they are built on a host and downloaded to a target during Operating systems we will be developing a microkernel which has been written in: Modula-2, C and

526 views • 28 slides
On Failure Diagnosis of the Storage Stack Duo Zhang , Om Rameshwar Gatla, Runzhou Han, Mai Zheng

On Failure Diagnosis of the Storage Stack Duo Zhang , Om Rameshwar Gatla, Runzhou Han, Mai Zheng

Data Storage Lab On Failure Diagnosis of the Storage Stack Duo Zhang , Om Rameshwar Gatla, Runzhou Han, Mai Zheng Iowa State University Storage System Failures Are Troublesome 2 Data Storage Lab Existing Efforts Are Not Enough Mostly

498 views • 23 slides
Segmentation Faults Otherwise known as segfaults. Occur when you try to access memory that

Segmentation Faults Otherwise known as segfaults. Occur when you try to access memory that

Segmentation Faults Otherwise known as segfaults. Occur when you try to access memory that you don't have permission to. Results in one of the least-informative error messages when using gcc. It is often more useful to be told the

678 views • 20 slides
Checkpoint-Restart for a Network of Virtual Machines Rohan Garg, Komal Sodha, Zhengping Jin, Gene

Checkpoint-Restart for a Network of Virtual Machines Rohan Garg, Komal Sodha, Zhengping Jin, Gene

Checkpoint-Restart for a Network of Virtual Machines Rohan Garg, Komal Sodha, Zhengping Jin, Gene Cooperman College of Computer and Information Science Northeastern University, Boston Boston, Massachusetts 02115 { rohgarg, komal, jinzp, gene }

668 views • 34 slides
Hacking PostgreSQL with Eclipse Metin Dl metin@citusdata.com PGCONF.EU 2017 1

Hacking PostgreSQL with Eclipse Metin Dl metin@citusdata.com PGCONF.EU 2017 1

Hacking PostgreSQL with Eclipse Metin Dl metin@citusdata.com PGCONF.EU 2017 1 Motivation Postgres cant do everything You can extend it Eclipse makes it easy 2 Extensions postGIS - Spatial and Geographic objects pg_cron - Run

376 views • 19 slides
TOS Arno Puder 1 Objectives Explain the TOS testing system Explain some debugging

TOS Arno Puder 1 Objectives Explain the TOS testing system Explain some debugging

TOS Arno Puder 1 Objectives Explain the TOS testing system Explain some debugging techniques when a program error typically crashes the whole system Explain symbolic debugging of TOS 2 Test Cases TOS comes with many test cases

483 views • 22 slides

More recommend