contents
play

Contents 1. Binary firmware analysis 2. Tooling landscape 3. The - PowerPoint PPT Presentation

Nov 08, 2023 •2.73k likes •3.29k views

avatar 2 Marius Muench 34c3 - December 29, 2017 Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples 5. Conclusion 1 Binary Firmware Analysis Motivation Amount of embedded devices steadily

  1. avatar 2 Marius Muench 34c3 - December 29, 2017

  2. Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples 5. Conclusion 1

  3. Binary Firmware Analysis

  4. Motivation • Amount of embedded devices steadily increasing • Misconfigurations, bugs, and vulnerabilities are common • A lot of reported vulnerabilities are ”low-hanging fruits” • Discovery of more complex bugs benefits from sophisticated tooling 2

  5. Major Challenges • Variety of platforms • Memory layout • Peripherals • Often no OS-level abstractions • Many devices use monolithic firmware • Hardware interactions are embedded in firmware code • Memory Mapped I/O • Interrupts • Variety of architectures 3

  6. https://en.wikipedia.org/wiki/List of ARM microarchitectures#Designed by ARM 3

  7. Further Challenges • Instrumentation • Emulation • Fault detection • Interrupt handling • Microarchitecture dependent instructions 4

  8. Tooling Landscape

  9. Binary Analysis Tools for Firmware • A lot of binary analysis tools for desktop software • Way less for embedded devices software • Especially when considering open source tools • Often, challenges for embedded devices exceed capabilities of static analysis tools • Assumuption about environment may not hold true • Difficult to infer peripheral behaviour and interrupts 5

  10. FiE • Based on KLEE • Targets MSP430 firmware • Symbolic Execution • Uses explicit analysis, memory and interrupt specifications Davidson, Drew, et al. ”FIE on Firmware: Finding Vulnerabilities in Embedded Systems Using Symbolic Execution.” USENIX Security Symposium 2013. 6

  11. FiE • Based on KLEE • Targets MSP430 firmware • Symbolic Execution • Uses explicit analysis, memory and interrupt specifications • Requires source code of firmware Davidson, Drew, et al. ”FIE on Firmware: Finding Vulnerabilities in Embedded Systems Using Symbolic Execution.” USENIX Security Symposium 2013. 6

  12. Firmadyne • Based on Qemu • Targets ARM & MIPS firmware • Instrumented Linux kernel • Automated analysis of web pages and SNMP implementations • Automated testing with known exploits Chen, Daming D., et al. ”Towards Automated Dynamic Analysis for Linux-based Embedded Firmware.” NDSS 2016. 7

  13. Firmadyne • Based on Qemu • Targets ARM & MIPS firmware • Instrumented Linux kernel • Automated analysis of web pages and SNMP implementations • Automated testing with known exploits • Works only for Linux based firmware with no too specific kernel modules Chen, Daming D., et al. ”Towards Automated Dynamic Analysis for Linux-based Embedded Firmware.” NDSS 2016. 7

  14. LuaQemu • Based on instrumented QEMU • Work in progress • Example targets BCM4358 firmware • Prototyping of Boards with LUA • Instrumentation capabilities https://github.com/Comsecuris/luaqemu 8

  15. LuaQemu • Based on instrumented QEMU • Work in progress • Example targets BCM4358 firmware • Prototyping of Boards with LUA • Instrumentation capabilities • Requires a significant amount of modeling and trial & error https://github.com/Comsecuris/luaqemu 8

  16. Avatar • Based on S 2 E (QEMU+KLEE) and OpenOCD/GDB • Targets ARM firmware • Partial emulation together with real hardware • I/O forwarding • Orchestration • Symbolic Execution Zaddach, Jonas, et al. ”AVATAR: A Framework to Support Dynamic Security Analysis of Embedded Systems’ Firmwares.” NDSS 2014. 9

  17. Avatar • Based on S 2 E (QEMU+KLEE) and OpenOCD/GDB • Targets ARM firmware • Partial emulation together with real hardware • I/O forwarding • Orchestration • Symbolic Execution • Heavily tied to the S 2 E infrastructure • Requires the presence of the physical device Zaddach, Jonas, et al. ”AVATAR: A Framework to Support Dynamic Security Analysis of Embedded Systems’ Firmwares.” NDSS 2014. 9

  18. Observations • A lot of focus on ARM • QEMU’s emulation capabilities are a common building block • Frameworks are heavily bound to underlying components 10

  19. The avatar 2 framework

  20. The big picture • Dynamic Multi-Target Orchestration and Instrumentation Framework • Focus on firmware analysis • Python based framework • Re-designed and re-implemented from scratch • Open source: https://github.com/avatartwo • Research project • Released in June 2017 11

  21. Who? • Developed by the Software and System Security Group at Eurecom • Specifically: • Marius Muench • Dario Nisi • Aur´ elien Francillon • Davide Balzarotti http://s3.eurecom.fr/ 12

  22. main goals • Target orchestration • Abstraction of debuggers, emulators and other frameworks • Easy addition of new targets • Separation of execution and memory • Enables I/O forwarding/remote memory • State transfer and synchronization • Don’t keep the state of analysed software local to single targets 13

  23. avatar 2 - components • avatar 2 core • Targets • Endpoints • Protocols 14

  24. avatar 2 - architecture overview Avatar 2 . . . T arget 0 T arget n . . . Execution Memory Register Execution Memory Register Protocol Protocol Protocol Protocol Protocol Protocol . . . Endpoint n Endpoint 0 15

  25. Implemented Targets 16

  26. Implemented Targets GDB 16

  27. Implemented Targets GDB QEMU 16

  28. Implemented Targets GDB PANDA QEMU 16

  29. Implemented Targets GDB PANDA QEMU angr 1 1 Still under development 16

  30. Changes to QEMU Avatar 2 provides a costomized QEMU • All located in a single subfolder: hw/avatar • New board: Configurable Machine • Already present in the first avatar • Allows flexible configuration of emulated hardware • New peripheral: avatar-peripheral • Communicates with avatar 2 via posix message queues • Utilizes custom remote-memory protocol 17

  31. Additional features • Architecture independent design • Internal memory layout representation • Legacy python support • Peripheral modeling • Plugin System • Assembler/Disassembler • Orchestrator • Instruction Forwarder 18

  32. Examples

  33. avatar 2 -scripting: High-Level Overview An avatar 2 scripts needs to: 1. Create the Avatar-object 2. Define a set of targets 3. Optionally define memory layout 4. Specify an execution plan 19

  34. Hello World Demo 20

  35. Binary Instrumentation • Let’s move on to a real target! • Proof of concept implementation of HARVEY 2 • Malware for a COTS PLC • The plc utilizes multiple boards • Code injection via JTAG 2 Garcia, Luis, et al. ”Hey, My Malware Knows Physics Attacking PLCs with Physical Model Aware Rootkit.” NDSS 2016. 21

  36. Binary Instrumentation (Fragile) Demo 22

  37. Demo backup ;) 23

  38. Improving Fault Detection • Part of WYCINWYC 3 • Joint work with SIEMENS • Investigates challenges specific to fuzz testing embedded devices • Fault detection • Instrumentation • Scalability • Evaluates different strategies to aid fuzz-testing • Uses avatar 2 for partial and full emulation of the firmware 3 Muench, Marius, et.al. ”What you corrupt is not what you crash: Challenges in Fuzzing Embedded Devices” To be presented at NDSS 2018 24

  39. The setup • Two Targets • STM32l152re • PANDA • Target Software • expat, a popular XML-parser • Artificially inserted vulnerabilities • Orchestration • Board initilization on physical device • Emulation of main-loop inside PANDA • Analysis • 5 PANDA plugins to detect different types of vulnerabilities • Mimicry of existing techniques for desktop software • Doesn’t require modification of the firmware 25

  40. Evaluation • 100 Fuzzing sessions in different setups • Native • Partial emulation with I/O forwarding • Partial emulation with avatar 2 -peripherals • Full emulation • Plugins could detect previously undetected faults • Full emulation provided better performance than native fuzzing • More details in the paper: http://s3.eurecom.fr/docs/ndss18 muench.pdf 26

  41. Record & Replay • Dynamic binary analysis of firmware requires often the device • PANDA allows to record and replay execution • Allows exchange of executions fur further analysis without the device 27

  42. Record & Replay Demo 28

  43. Symbolic Execution and Complex Software (WIP) • Firefox with inserted bug • Executed concretely inside gdb until function of interest • Analysis of only one thread • Automated memory layout extraction from gdb • Transfer of layout into angr • Copy-On-Read • Symbolic function arguments 29

  44. Symbolic Execution and Complex Software (WIP) Preliminary Results: • Approximatly 10 minutes of runtime • 36 executed basic blocks • 21 uniquely accessed pages • Found the bug 30

  45. Examples: Recap 5 Examples: • Dynamic Instrumentation of GDB • Dynamic Instrumentation of a plc • Fault Detection with an development board and PANDA • Record and Replay with an development board and PANDA • Symbolic Execution with firefox and gdb 31

  46. Conclusion

  47. Conclusion • Dynamic firmware analysis is still a challenging topic • Avatar 2 aims to tackle some of the challenges • Multi-target orchestration is not limited to firmware 32

  48. Plans for 2018 • Move main development to github • Introduce proper versioning • More, exciting targets 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Contents Contents Fluid

Contents Contents Fluid

Physics-based Fluid Simulations for Computer Graphics Ryoichi Ando Contents Contents Fluid Solver Contents Fluid Solver Surface Tracker Contents Fluid Solver Surface

2.14k views • 175 slides
Contents Contents.....2 Butter

Contents Contents.....2 Butter

4/8/2019 Milkfat Ingredients, from Cream to AMF 2019 ADPI Dairy 360 Contents Contents.....2 Butter Definition..12 Churning Process..13 Farm Separated

582 views • 9 slides
17 www.scad.ae Table of Contents Table of Contents

17 www.scad.ae Table of Contents Table of Contents

Statistical Report Writing and Data Presentation Guide Methodology and Quality Guides - No. (17) 17 www.scad.ae Table of Contents Table of Contents

1.03k views • 41 slides
Level 1, V2.0 Level 1, V2.0 1 Course Contents Course Contents Course Contents Course

Level 1, V2.0 Level 1, V2.0 1 Course Contents Course Contents Course Contents Course

August 2008 Training Manual: Training Manual: KI7400 & 7800 Series Sources KI7400 & 7800 Series Sources Level 1, V2.0 Level 1, V2.0 1 Course Contents Course Contents Course Contents Course Contents 1 1. General features

590 views • 19 slides
Trigger and DAQ at LHC Trigger and DAQ at LHC C.Schwick Contents Contents INTRODUCTION The

Trigger and DAQ at LHC Trigger and DAQ at LHC C.Schwick Contents Contents INTRODUCTION The

Trigger and DAQ at LHC Trigger and DAQ at LHC C.Schwick Contents Contents INTRODUCTION The context: LHC & experiments PART1: Trigger at LHC Requirements & Concepts Muon and Calorimeter triggers (CMS and ATLAS) Specific solutions

972 views • 66 slides
Trigger and DAQ at LHC Trigger and DAQ at LHC C.Schwick Contents Contents INTRODUCTION The

Trigger and DAQ at LHC Trigger and DAQ at LHC C.Schwick Contents Contents INTRODUCTION The

Trigger and DAQ at LHC Trigger and DAQ at LHC C.Schwick Contents Contents INTRODUCTION The context: LHC & experiments PART1: Trigger at LHC Requirements & Concepts Muon and Calorimeter triggers (CMS and ATLAS) Specific solutions

1.19k views • 90 slides
CONTENTS CONTENTS 1 6 INTRODUCTION APPLICATION 2 ORGANIZATION 7 DISTRIBUTION

CONTENTS CONTENTS 1 6 INTRODUCTION APPLICATION 2 ORGANIZATION 7 DISTRIBUTION

CONTENTS CONTENTS 1 6 INTRODUCTION APPLICATION 2 ORGANIZATION 7 DISTRIBUTION PROCESS 3 8 BUSINESS SCOPE APPROVAL 4 9 FACILITY REFERENCE 5 10 PRODUCT SUMMARY CERTIFICATE 1. INTRODUCTION 1.

818 views • 19 slides
Introduction To Tcl/Tk Introduction To Tcl/Tk - Contents - Contents Whats Tcl/Tk? 3

Introduction To Tcl/Tk Introduction To Tcl/Tk - Contents - Contents Whats Tcl/Tk? 3

Introduction To Tcl/Tk Introduction To Tcl/Tk - Contents - Contents Whats Tcl/Tk? 3 Getting Started 4 Tcl Scripting 5 Basics 5 Variable Substitution 6 Command Substitution 6 Controlling Word Structure 7 Comment 7 Command Line

1.87k views • 18 slides
September 2019 02 CONTENTS 02 VILLA GUASTAVILLANI 03 CONTENTS 04 WHO WE ARE 05 PURPOSE

September 2019 02 CONTENTS 02 VILLA GUASTAVILLANI 03 CONTENTS 04 WHO WE ARE 05 PURPOSE

September 2019 02 CONTENTS 02 VILLA GUASTAVILLANI 03 CONTENTS 04 WHO WE ARE 05 PURPOSE 06 GENERATIVE EDUCATION 07 WHAT WE DO 08 KEY FACTS 09 OUR PROGRAMS 10 DIGITAL TRANSFORMATON 11 SUSTAINABILITY 12 ALUMNI 03 WHO WE ARE

502 views • 18 slides
Oasys Post-Processing: Did you know?... Back to Contents Slide 1 Contents Shortcuts

Oasys Post-Processing: Did you know?... Back to Contents Slide 1 Contents Shortcuts

Oasys Post-Processing: Did you know?... Back to Contents Slide 1 Contents Shortcuts Quick Find Integration with PRIMER Undocking Menus User Defined Components Material Extra Data FAST-TCF Curve Table

1.58k views • 81 slides
Contents Contents Tables i i Figures v v 1.0 1.0 Introduction 1 1 2.0 2.0 Me

Contents Contents Tables i i Figures v v 1.0 1.0 Introduction 1 1 2.0 2.0 Me

i Contents Contents Tables i i Figures v v 1.0 1.0 Introduction 1 1 2.0 2.0 Me Methodology thodology 3 3 3.0 3.0 Knowsley 5 5 3.1 3.1 Drug Drug Te Testing sting Data Data 5 5 3.2 3.2 Assessments (DIR) 7 7 3.3 3.3

1.06k views • 68 slides
Engagement with the Commonwealth 1 PRESENTATION CONTENTS Contents Economic Impact Study

Engagement with the Commonwealth 1 PRESENTATION CONTENTS Contents Economic Impact Study

Engagement with the Commonwealth 1 PRESENTATION CONTENTS Contents Economic Impact Study UVAs Role in Economic Development Industry Attraction and Retention Addressing Workforce Needs Innovation, Entrepreneurship, and

416 views • 39 slides
MOCK-UP Table of Contents

MOCK-UP Table of Contents

Cr par Laura Belloni Introduction to the Canadian Securities Administrators MOCK-UP Table of Contents _______________________________________________________________________________________ 2 Table of Contents Message from the Chair

510 views • 30 slides
WELCOME TO THE EXTRAORDINARY GENERAL MEETING 21 NOVEMBER 2017 CONTENTS CONTENTS THE

WELCOME TO THE EXTRAORDINARY GENERAL MEETING 21 NOVEMBER 2017 CONTENTS CONTENTS THE

Local Property Overseas Property Purpose Built Student Construction Dormitory Development Development Accommodation WELCOME TO THE EXTRAORDINARY GENERAL MEETING 21 NOVEMBER 2017 CONTENTS CONTENTS THE RESOLUTIONS WHY THIS EGM IS

229 views • 18 slides
Contents Contents 1. Establishment of a Big Data Roadmap of the Korean Government 2.

Contents Contents 1. Establishment of a Big Data Roadmap of the Korean Government 2.

April 2013 Ki-bong Park Pilot Project MSIS2013(2013.4.23~ 25, Bangkok) Contents Contents 1. Establishment of a Big Data Roadmap of the Korean Government 2. Beginning of Big Data Use 3.

495 views • 7 slides
HANDOUTS 1 Slide 2 Handout contents Page 2-3 Handout contents 4 Introduction 5 - 6 Paying

HANDOUTS 1 Slide 2 Handout contents Page 2-3 Handout contents 4 Introduction 5 - 6 Paying

Slide 1 Civil Service Pensions Thinking about retirement HANDOUTS 1 Slide 2 Handout contents Page 2-3 Handout contents 4 Introduction 5 - 6 Paying your pension from HR to Capita Hartshead 7 - 8 Benefit Overview ( classic,

668 views • 38 slides
AVATAR: A Framework for Dynamic Security Analysis of Embedded Systems Firmwares Jonas Zaddach

AVATAR: A Framework for Dynamic Security Analysis of Embedded Systems Firmwares Jonas Zaddach

AVATAR: A Framework for Dynamic Security Analysis of Embedded Systems Firmwares Jonas Zaddach (zaddach@eurecom.fr) Luca Bruno, Aurlien Francillon, Davide Balzarotti Outline Introduction AVATAR overview Framework components

1.09k views • 44 slides
NG-SOC in Taiwan The realities , the difficulties and the future Senior Technical Consultant

NG-SOC in Taiwan The realities , the difficulties and the future Senior Technical Consultant

NG-SOC in Taiwan The realities , the difficulties and the future Senior Technical Consultant Jack Chou Who am I : : Incident Response CEH CHFI Palo Alto Network ACE Penetration Testing

1.11k views • 38 slides
INF5620: Numerical Methods for Partial Differential Equations Hans Petter Langtangen Simula

INF5620: Numerical Methods for Partial Differential Equations Hans Petter Langtangen Simula

5mm. INF5620: Numerical Methods for Partial Differential Equations Hans Petter Langtangen Simula Research Laboratory, and Dept. of Informatics, Univ. of Oslo Last update: April 29, 2011 INF5620: Numerical Methods for Partial Differential

2k views • 148 slides
Multimedia Communications @CS.NCTU Lecture 1: Networking Overview Instructor: Kate Ching-Ju Lin (

Multimedia Communications @CS.NCTU Lecture 1: Networking Overview Instructor: Kate Ching-Ju Lin (

Multimedia Communications @CS.NCTU Lecture 1: Networking Overview Instructor: Kate Ching-Ju Lin ( ) Slides modified from Computer Networking: A Top-Down Approach 6th Edition Outline Whats the Internet? Whats a

1.19k views • 71 slides
Playing with AVATAR How to play with AVATAR Giles Reger, Martin Suda and Andrei Voronkov School

Playing with AVATAR How to play with AVATAR Giles Reger, Martin Suda and Andrei Voronkov School

Playing with AVATAR How to play with AVATAR Giles Reger, Martin Suda and Andrei Voronkov School of Computer Science, University of Manchester The 1st Vampire Workshop Reger,G How to play with AVATAR 1 / 26 Overview Introduction 1

1.1k views • 43 slides
Will there ever be a market for signing avatars? Some observations on the past and future of our

Will there ever be a market for signing avatars? Some observations on the past and future of our

Will there ever be a market for signing avatars? Some observations on the past and future of our field Thomas Hanke University of Hamburg State of the union instead of a research paper. More to initiate a discussion than anything else SLTAT

872 views • 44 slides
EmotionML: A language for embodied conversational agents Davide Bonardo

EmotionML: A language for embodied conversational agents Davide Bonardo

EmotionML: A language for embodied conversational agents Davide Bonardo davide.bonardo@loquendo.com 1 1 Outline Introduction The COMPANIONS project Architecture Emotions: Input and Output Multimodal Emotional Input

677 views • 12 slides
Determ ining Optim al Update Period for Minim izing I nconsistency in Multi-server Distributed

Determ ining Optim al Update Period for Minim izing I nconsistency in Multi-server Distributed

Determ ining Optim al Update Period for Minim izing I nconsistency in Multi-server Distributed Virtual Environm ents Li Yusen, Wentong Cai Presented by Stephen John Turner PDCC, SCE Nanyang Technological University, Singapore Overview

628 views • 25 slides

More recommend