AVATAR: A Framework for Dynamic Security Analysis of Embedded - PowerPoint PPT Presentation



  1. AVATAR: A Framework for Dynamic Security Analysis of Embedded Systems’ Firmwares
  Jonas Zaddach (zaddach@eurecom.fr), Luca Bruno, Aurélien Francillon, Davide Balzarotti

  2. Outline
  • Introduction
  • AVATAR overview
  • Framework components
  • Use cases
  • Conclusion
  2/24/14 2

  3. Software is everywhere
  • Embedded devices are diverse – but all of them run software

  4. Reasons for embedded security
  • Embedded devices are ubiquitous
    – Even if invisible, they are essential to your life
  • Can operate for many years
    – Legacy systems, no (security) updates
  • Have a large attack surface
    – Networking, forgotten debug interfaces, etc.

  5. Third-party security evaluation
  • No source code available
  • No toolchain available
  • No documentation available
  • Distinct tools (to flash and debug) for each manufacturer

  6. Wishlist for security evaluation
  • Typical PC security toolbox
    – Advanced debugging techniques
      • Tracing
      • Fuzzing
      • Tainting
      • Symbolic execution
    – Integrated tools
      • IDA Pro
      • GDB
  (figure: symbolic execution tree – node A branches on ≤ 0 / > 0 into B and C; C branches on < 8 / ≥ 8 into D and E; the path A → C → D carries the constraint 0 < x < 8)

  7. Challenges
  • Advanced dynamic analysis needs emulation
  • Full emulation
    – Unknown peripherals
    – Firmware fails if peripherals are missing
  • Integration
    – Support multiple vendors and platforms

  8. Outline: Introduction • AVATAR overview • Framework components • Use cases • Conclusion

  9. AVATAR
  • Orchestrate execution between emulator and device
  • Forward peripheral accesses to the device under analysis
  • Do not attempt to emulate peripherals
    – No documentation
    – Reverse engineering is difficult

  10.–13. Avatar overview (diagram, built up over four slides)
  • Three boxes: Device, Avatar, Emulator
  • Device: in-memory stub, memory, registers, CPU state
  • Avatar: plugins and an analysis script, mediating between device and emulator
  • Emulator: analysis plugins, executing the firmware code, e.g.
      mov r2, r0
      mov r3, r1
      add r3, r3, #1
      ldr r2, [r2, #0]
      cmp r2, r3
  • Slide 13 adds an IRQ arriving from the device while the emulator runs the firmware

  14. Outline: Introduction • AVATAR overview • Framework components • Use cases • Conclusion

  15. Emulator (diagram)
  • The emulator is S2E, built from Qemu, LLVM and Klee, with a GDB interface
  • Avatar side: configuration, remote memory, analysis plugins
  • State exchanged: memory, registers, CPU state

  16. Avatar core (diagram)
  • Avatar sits between device and emulator, with a GDB interface towards each
  • Configuration interface, remote memory, plugins and the analysis script live in Avatar; analysis plugins also run in the emulator

  17. Embedded target (diagram)
  • Device side: an in-memory stub or a JTAG server gives Avatar access to memory, registers and CPU state

  18. Target communication
  • Either a debugging interface
    – JTAG
    – Debug serial interface
  • Or code injection and a communication channel
    – Custom GDB stub + serial port
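The "custom GDB stub + serial port" option of slide 18, as an added example that is not AVATAR's own stub: the GDB remote serial protocol framing ($payload#checksum, '+' acknowledgement) and the three requests a memory-forwarding host needs most (m read, M write, g registers). The device memory image, the flash base address 0x08000000, the register values and the in-process "serial link" are all constructed for this example; a real stub would serve the device's actual memory over a UART.

```python
import re

FIRMWARE_BASE = 0x0800_0000   # assumption: memory window the stub serves
# Constructed memory image: four Thumb NOPs, a string, and scratch space (32 bytes)
DEVICE_MEM = bytearray(b"\x00\xbf" * 4 + b"AVATAR\x00" + bytes(17))


def rsp_checksum(payload: bytes) -> int:
    """GDB RSP checksum: sum of the payload bytes modulo 256."""
    return sum(payload) & 0xFF


def rsp_frame(payload: bytes) -> bytes:
    """Wrap a payload as $<payload>#<two hex digits>."""
    return b"$" + payload + b"#" + b"%02x" % rsp_checksum(payload)


def rsp_unframe(raw: bytes) -> bytes:
    """Strip one framed packet and verify its checksum; raise on a corrupted frame."""
    m = re.fullmatch(rb"\$(.*)#([0-9a-fA-F]{2})", raw, re.DOTALL)
    if not m or int(m.group(2), 16) != rsp_checksum(m.group(1)):
        raise ValueError("malformed or corrupted RSP packet: %r" % raw)
    return m.group(1)


class SerialStub:
    """Device-side stub: answers memory and register queries over the link."""

    def __init__(self, base: int, mem: bytearray):
        self.base, self.mem = base, mem
        # r0-r12, sp, lr, pc, cpsr as an ARM stub reports them (constructed values)
        self.regs = [0] * 13 + [0x2000_1000, 0xFFFF_FFFF, base, 0x6000_0013]

    def _offset(self, addr: int, length: int):
        off = addr - self.base
        return off if 0 <= off and off + length <= len(self.mem) else None

    def handle(self, req: bytes) -> bytes:
        if req == b"?":                       # why did the target stop?
            return b"S05"                     # SIGTRAP
        if req == b"g":                       # all registers, in target byte order
            return b"".join(r.to_bytes(4, "little").hex().encode() for r in self.regs)
        if req.startswith(b"m"):              # m<addr>,<len>
            addr, length = (int(x, 16) for x in req[1:].split(b","))
            off = self._offset(addr, length)
            return b"E01" if off is None else self.mem[off:off + length].hex().encode()
        if req.startswith(b"M"):              # M<addr>,<len>:<hex data>
            head, data = req[1:].split(b":")
            addr, length = (int(x, 16) for x in head.split(b","))
            off = self._offset(addr, length)
            if off is None or len(data) != 2 * length:
                return b"E01"
            self.mem[off:off + length] = bytes.fromhex(data.decode())
            return b"OK"
        return b""                            # unsupported command: empty reply


def exchange(stub: SerialStub, command: bytes) -> bytes:
    """One host -> stub -> host round trip as it would travel over the serial port."""
    wire_out = rsp_frame(command)             # host sends $cmd#cs
    reply = stub.handle(rsp_unframe(wire_out))
    wire_in = b"+" + rsp_frame(reply)         # stub acknowledges with '+' and answers
    assert wire_in[:1] == b"+", "stub NAKed the packet"
    return rsp_unframe(wire_in[1:])


if __name__ == "__main__":
    stub = SerialStub(FIRMWARE_BASE, DEVICE_MEM)
    print(exchange(stub, b"m%x,7" % (FIRMWARE_BASE + 8)))       # b'41564154415200'
    print(exchange(stub, b"M%x,2:4142" % (FIRMWARE_BASE + 8)))  # b'OK'
    print(exchange(stub, b"m%x,7" % (FIRMWARE_BASE + 8)))       # b'41424154415200'
```

Every forwarded memory access costs one such round trip, which is why slide 19 measures the link in accesses per second rather than bytes per second.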

  19. Bottlenecks
  • Emulated execution is much slower than execution on the real device
    – Memory access forwarding through a low-bandwidth channel is the bottleneck
    – In one case down to ~10 memory accesses/sec
  • Interrupts can saturate the debug connection

  20. Improving performance
  • Transfer execution/state
    – From the device to the emulator
    – From the emulator to the device
  • Migrate memory and code snippets
    – Keep memory regions in the emulator
    – Execute IO-intensive pieces of code on the device

  21. Full separation mode (diagram): device and emulator each hold their own state; every register and memory access is relayed through Avatar
  22. Memory access optimization (diagram): as above, but only IO memory accesses are forwarded to the device; other memory stays in the emulator
  23.–24. Execute code snippets on the device (diagram): code and state are moved from the emulator to the device, which runs the snippet directly
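Slides 19–22 in code, as an added example (not avatar-python's memory model): an emulator-side router that serves some regions from a local copy and forwards the rest over the debug link, with a stand-in device that counts round trips. The memory map (SRAM at 0x20000000, peripherals at 0x40000000, a status register and a counter word), the polling-loop workload and the FakeDevice class are all constructed for this example.

```python
from dataclasses import dataclass

# Constructed memory map for the example (not a real board's)
RAM_BASE, RAM_SIZE = 0x2000_0000, 0x100
PERIPH_BASE, PERIPH_SIZE = 0x4000_0000, 0x1000
STATUS_REG = PERIPH_BASE            # "ready" flag the firmware polls
COUNTER = RAM_BASE + 0x10           # a word in SRAM the firmware updates


@dataclass(frozen=True)
class Region:
    name: str
    start: int
    size: int
    forward: bool   # True: every access crosses the debug link; False: served in the emulator

    def contains(self, addr: int, n: int) -> bool:
        return self.start <= addr and addr + n <= self.start + self.size


class FakeDevice:
    """Stand-in for the JTAG/serial link to the board: each call is one slow round trip."""

    def __init__(self):
        self.ram = bytearray(RAM_SIZE)
        self.periph = {STATUS_REG: 1}      # the peripheral always reports "ready"
        self.round_trips = 0

    def read(self, addr: int, n: int) -> int:
        self.round_trips += 1
        if PERIPH_BASE <= addr < PERIPH_BASE + PERIPH_SIZE:
            return self.periph.get(addr, 0)
        off = addr - RAM_BASE
        return int.from_bytes(self.ram[off:off + n], "little")

    def write(self, addr: int, n: int, value: int) -> None:
        self.round_trips += 1
        if PERIPH_BASE <= addr < PERIPH_BASE + PERIPH_SIZE:
            self.periph[addr] = value
        else:
            off = addr - RAM_BASE
            self.ram[off:off + n] = value.to_bytes(n, "little")

    def read_block(self, addr: int, size: int) -> bytes:
        self.round_trips += 1              # one bulk transfer
        off = addr - RAM_BASE
        return bytes(self.ram[off:off + size])


class MemoryRouter:
    """Emulator-side memory: local regions come from a copy, forwarded regions hit the device."""

    def __init__(self, regions, device):
        self.regions, self.device = list(regions), device
        self.local = {}                    # addr -> byte, for regions kept in the emulator

    def _region(self, addr: int, n: int) -> Region:
        for r in self.regions:
            if r.contains(addr, n):
                return r
        raise MemoryError(f"unmapped access at {addr:#x}")

    def pull(self, region: Region) -> None:
        """Copy a region from the device once, so later accesses never leave the emulator."""
        for i, b in enumerate(self.device.read_block(region.start, region.size)):
            self.local[region.start + i] = b

    def read(self, addr: int, n: int = 4) -> int:
        if self._region(addr, n).forward:
            return self.device.read(addr, n)
        return int.from_bytes(bytes(self.local.get(addr + i, 0) for i in range(n)), "little")

    def write(self, addr: int, value: int, n: int = 4) -> None:
        if self._region(addr, n).forward:
            self.device.write(addr, n, value)
            return
        for i, b in enumerate(value.to_bytes(n, "little")):
            self.local[addr + i] = b


def firmware_loop(mem: MemoryRouter, iterations: int) -> int:
    """Constructed stand-in for firmware: poll the status register, then bump a counter in SRAM."""
    for _ in range(iterations):
        while mem.read(STATUS_REG) & 1 == 0:
            pass
        mem.write(COUNTER, mem.read(COUNTER) + 1)
    return mem.read(COUNTER)


def round_trips_per_mode(iterations: int = 100):
    """Round trips with everything forwarded (slide 21) vs. SRAM kept locally (slide 22)."""
    io = Region("periph", PERIPH_BASE, PERIPH_SIZE, forward=True)
    dev = FakeDevice()
    firmware_loop(MemoryRouter([Region("sram", RAM_BASE, RAM_SIZE, True), io], dev), iterations)
    all_forwarded = dev.round_trips
    dev = FakeDevice()
    sram = Region("sram", RAM_BASE, RAM_SIZE, forward=False)
    router = MemoryRouter([sram, io], dev)
    router.pull(sram)                      # one bulk copy, then SRAM lives in the emulator
    firmware_loop(router, iterations)
    return all_forwarded, dev.round_trips


if __name__ == "__main__":
    print("round trips, all forwarded vs. SRAM local:", round_trips_per_mode(100))
```

With the constructed workload the split is 301 round trips against 101: only the peripheral poll still crosses the link. The price is the consistency problem slide 31 names: a DMA engine writing SRAM behind the emulator's back would not be reflected in the local copy.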

  25. Outline: Introduction • AVATAR overview • Framework components • Use cases • Conclusion

  26. Use case: Hard disk
  • Recover bootloader protocol with symbolic execution
    – Inject GDB stub
    – Instrument flash loading
    – Inject symbolic values for data read from serial port
    – Keep track of which input leads into which code flow
  http://www.s3.eurecom.fr/docs/ndss14_zaddach.pdf

  27. Use case: GSM phone
  • Search for vulnerabilities in the SMS decoding routine
    – Connect through JTAG
    – Execute on device until SMS decoding
    – Replace SMS payload with symbolic values
    – Check for symbolic values in
      • program counter
      • load/store address

  28. Use case: Econotag
  • Find proof-of-concept bug in user application
    – Connect through JTAG
    – Execute on device until ZigBee packet arrives
    – Replace payload with symbolic values
    – Check for symbolic values in
      • program counter
      • load/store address
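The check shared by slides 27 and 28 ("symbolic values in the program counter or in a load/store address"), as an added example that is not S2E/KLEE and not AVATAR's plugin code: a tiny value-set interpreter in which each register holds every value it can take for some input, so an input-dependent address or branch target shows up as a multi-valued set. The SMS buffer at 0x1000, the handler table at 0x2000, the handler addresses and the two dispatcher programs are constructed. Value sets over-approximate; S2E carries path constraints and only flags feasible states.

```python
SYM = frozenset(range(256))   # one attacker-controlled input byte: it may take any value

# Constructed layout standing in for a baseband's SMS buffer and its handler table
PAYLOAD = 0x1000                               # where the received message is stored
TABLE = 0x2000                                 # handler table, indexed by the message-type byte
HANDLERS = (0x8000, 0x8040, 0x8080, 0x80C0)    # the only legitimate branch targets


class ValueSetVM:
    """Each register or memory cell holds the set of values it can take for some input.
    A multi-valued load/store address or branch target is the 'symbolic address' /
    'symbolic program counter' condition the use cases look for."""

    def __init__(self):
        self.mem = {PAYLOAD: SYM, PAYLOAD + 1: SYM}            # message bytes come from the attacker
        self.mem.update({TABLE + i: frozenset([h]) for i, h in enumerate(HANDLERS)})
        self.code = frozenset(HANDLERS)
        self.regs = {}
        self.findings = []                                     # (pc, what, how bad)

    def val(self, x):
        return self.regs[x] if isinstance(x, str) else frozenset([x])

    def _check_addr(self, kind, pc, addrs):
        if len(addrs) > 1:                                     # address depends on the input
            how = "bounded" if addrs <= frozenset(self.mem) else "out-of-bounds"
            self.findings.append((pc, kind, how))

    def run(self, prog):
        for pc, (op, *a) in enumerate(prog):
            if op == "mov":                                    # mov rd, imm/rs
                self.regs[a[0]] = self.val(a[1])
            elif op in ("add", "and"):                         # op rd, ra, rb/imm
                f = (lambda x, y: x + y) if op == "add" else (lambda x, y: x & y)
                self.regs[a[0]] = frozenset(f(x, y) for x in self.val(a[1]) for y in self.val(a[2]))
            elif op == "ldr":                                  # ldr rd, [rs]
                addrs = self.val(a[1])
                self._check_addr("load", pc, addrs)
                # a cell we know nothing about may hold anything
                self.regs[a[0]] = frozenset().union(*(self.mem.get(ad, SYM) for ad in addrs))
            elif op == "str":                                  # str rs, [rd]
                addrs = self.val(a[1])
                self._check_addr("store", pc, addrs)
                for ad in addrs:                               # weak update: the cell may or may not be hit
                    self.mem[ad] = self.mem.get(ad, frozenset()) | self.val(a[0])
            elif op == "bx":                                   # indirect branch ends the trace
                targets = self.val(a[0])
                if len(targets) > 1:
                    how = "bounded" if targets <= self.code else "input-controlled"
                    self.findings.append((pc, "pc", how))
                break
            else:
                raise ValueError(f"unknown op {op!r}")
        return self.findings


# Constructed dispatcher: type byte -> handler, first without and then with a bounds mask
VULNERABLE = [
    ("mov", "r0", PAYLOAD),
    ("ldr", "r1", "r0"),              # r1 = message-type byte (attacker-controlled)
    ("mov", "r2", TABLE),
    ("add", "r3", "r2", "r1"),        # r3 = &handlers[type], no range check
    ("ldr", "r4", "r3"),              # load address depends on the input and leaves the table
    ("bx", "r4"),                     # jump to whatever was loaded
]
HARDENED = VULNERABLE[:2] + [("and", "r1", "r1", len(HANDLERS) - 1)] + VULNERABLE[2:]


def analyze(prog):
    return ValueSetVM().run(prog)


if __name__ == "__main__":
    print("vulnerable:", analyze(VULNERABLE))
    print("hardened:  ", analyze(HARDENED))
```

The unmasked dispatcher reports an out-of-bounds load followed by an input-controlled program counter; with the mask, both the load address and the branch target are still input-dependent but stay inside the table, which is the distinction an analyst has to make by hand when the raw "symbolic PC" alert fires.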

  29. We are adding more devices

  30. Outline: Introduction • AVATAR overview • Framework components • Use cases • Conclusion

  31. Future work
  • Enhance state consistency
    – DMA memory changes are not tracked
  • Automatically emulate peripherals
  • Improve symbolic execution
    – Coherency between HW and SW
    – Improve bug-finding strategies

  32. Conclusion
  • AVATAR is a modular open-source tool to
    – enable dynamic analysis
    – and perform symbolic execution
    – on embedded devices
    – where only binary code is available
  → A first step towards better analysis tools for embedded systems!

  33. Questions?
  • Thank you for listening!
  • Open source on GitHub: https://github.com/eurecom-s3/avatar-python
  • Project page: http://s3.eurecom.fr/tools/avatar/
  Thanks to Pascal Sachs and Luka Malisa, who built an earlier prototype of the system, and to Lucian Cojocar for applying and extending AVATAR

  34. References
  • AVATAR web page: http://www.s3.eurecom.fr/tools/avatar/
  • AVATAR: A Framework to Support Dynamic Security Analysis of Embedded Systems' Firmwares. Jonas Zaddach, Luca Bruno, Aurélien Francillon, Davide Balzarotti
  • Howard: A Dynamic Excavator for Reverse Engineering Data Structures. Asia Slowinska, Traian Stancescu, Herbert Bos
  • KLEE web page: http://ccadar.github.io/klee/
  • S2E web page: https://s2e.epfl.ch/
  • S2E: A Platform for In-Vivo Multi-Path Analysis of Software Systems. Vitaly Chipounov, Volodymyr Kuznetsov, George Candea
  • The S2E Platform: Design, Implementation, and Applications. Vitaly Chipounov, Volodymyr Kuznetsov, George Candea
  • QEMU web page: http://qemu.org
  • Dowsing for Overflows: A Guided Fuzzer to Find Buffer Boundary Violations. Istvan Haller, Asia Slowinska, Matthias Neugschwandtner, Herbert Bos

  35. Injecting a debugger
  • Requires writing and executing memory
    – Debug menus sometimes allow this
    – A code execution vulnerability can be used
  • Requires a communication channel
    – Serial port, GPIO, power consumption, …
  • Requires an unused memory location in the firmware
    – The stub is roughly 3 KB of code

  36. Full separation mode (diagram, repeated from slide 21)
  37. Memory access optimization (diagram, repeated from slide 22)
  38.–39. Transfer execution from emulator to device (diagram): register and memory state are copied through Avatar into the device, which then continues execution
  40.–41. Transfer execution from device to emulator (diagram): the device's register and memory state are read back through Avatar into the emulator, which then continues execution

  42. Software interrupts
  • Software interrupts are issued by an interrupt instruction in the code
  • Can be entirely emulated
    – Qemu manages calling of software interrupt handlers
  (image: http://home.netcom.com/~swansont/interrupt.jpg)

  43. Task completion interrupts
  • Triggered by application requests
    – Responses aligned with firmware execution speed
    – E.g., signal that a requested DMA transfer has finished
  • Can be forwarded from the device to the emulator
    – A stub on the device traps interrupts and forwards them

  44. External event interrupts
  • Signal an external event
    – Events aligned to wall-clock instead of execution time
    – E.g., that a time span has elapsed
  • Solution depends on the interrupt
    – Controllable interrupts can be forwarded
    – Uncontrollable interrupts need to be synthesized
      • Original interrupts are suppressed
      • Emulated interrupts are inserted according to emulated execution speed
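The two policies of slides 43 and 44 side by side, as an added example that is not AVATAR's interrupt handling: a broker that forwards task-completion interrupts from the device to the emulator but suppresses wall-clock ones and re-synthesizes them on the emulator's own instruction count. The line names ("DMA_DONE", "SYSTICK"), the 1000-instruction tick period and the scenario are constructed.

```python
from collections import deque


class InterruptBroker:
    """Per interrupt line, decide whether an IRQ raised on the device is forwarded to the
    emulator (task-completion interrupts) or suppressed and re-synthesized on the emulator's
    own instruction count (wall-clock interrupts such as a periodic timer)."""

    def __init__(self, forwarded_lines, synthesized_periods):
        self.forwarded = frozenset(forwarded_lines)      # e.g. "DMA_DONE": follows firmware progress
        self.periods = dict(synthesized_periods)         # e.g. "SYSTICK": every N emulated instructions
        self.pending = deque()                           # forwarded IRQs awaiting the next instruction boundary
        self.delivered = []                              # (emulated instruction count, line)
        self.instr = 0
        self.suppressed = 0

    def device_irq(self, line):
        """Called by the on-device stub when the real hardware raises an interrupt."""
        if line in self.forwarded:
            self.pending.append(line)
        elif line in self.periods:
            self.suppressed += 1            # arrives at hardware speed: dropped, synthesized instead
        else:
            raise ValueError(f"no policy for interrupt line {line!r}")

    def step(self, n):
        """Advance the emulator by n instructions, injecting IRQs in emulated time."""
        for _ in range(n):
            self.instr += 1
            for line, period in self.periods.items():
                if self.instr % period == 0:
                    self.delivered.append((self.instr, line))
            while self.pending:
                self.delivered.append((self.instr, self.pending.popleft()))
        return self.delivered


def scenario():
    """Constructed run: a 1 kHz tick keeps firing on the board while the emulator crawls."""
    broker = InterruptBroker(forwarded_lines={"DMA_DONE"}, synthesized_periods={"SYSTICK": 1000})
    broker.step(300)                         # emulator executes 300 instructions
    for _ in range(50):                      # meanwhile the device's timer fired 50 times
        broker.device_irq("SYSTICK")
    broker.device_irq("DMA_DONE")            # the transfer the firmware asked for completed
    broker.step(1900)
    return broker.delivered, broker.suppressed


if __name__ == "__main__":
    delivered, suppressed = scenario()
    print("delivered:", delivered)                  # [(301, 'DMA_DONE'), (1000, 'SYSTICK'), (2000, 'SYSTICK')]
    print("suppressed device ticks:", suppressed)   # 50
```

Without the suppression, the 50 device ticks would each cross the debug link and compete with memory forwarding for its bandwidth, which is the saturation slide 19 warns about; with it, the firmware still sees a timer that ticks at the rate it expects relative to its own progress.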
