
Embedded Devices Security Firmware Reverse Engineering - PowerPoint PPT Presentation



  1. Embedded Devices Security Firmware Reverse Engineering
  • Jonas Zaddach
  • Andrei Costin
  Andrei Costin/Jonas Zaddach www.firmware.re 1/78

  2. Administrivia
  • Please fill in the BH13US Feedback Form - thanks!
  • The views of the authors are their own and do not represent the position of their employers or research labs
  • By attending this workshop, you agree to use the tools and knowledge acquired only for legal purposes and for activities for which you have explicit authorization

  3. About – Jonas Zaddach
  • PhD candidate on "Development of novel binary analysis techniques for security applications" at EURECOM
  • Co-founder of FIRMWARE.RE
  • jonas@firmware.re
  • jonas.zaddach@eurecom.fr

  4. About – Andrei Costin
  • PhD candidate on "Software security in embedded systems" at EURECOM
  • Co-founder of FIRMWARE.RE
  • Author of MFCUK and BT5-RFID (RFID security)
  • Researcher on the security of printers and ADS-B
  • andrei@firmware.re
  • andrei.costin@eurecom.fr

  5. About – EURECOM

  6. About – EURECOM
  Table: Eurecom Research Results – Publications

  Year | Total no. of publ. | Cosigned with ext. labs | Cosigned with intl. labs | Conf. | Journals/papers | Books/chapters | Scientific reports | Patents | H-number / avg. top 10
  2012 | 276 | 152 | 113 | 173 | 45 | 3  | 17 | 1 | 18,00 / 26,20
  2011 | 240 | 156 | 108 | 160 | 35 | 19 | 14 | 0 | 16,00 / 23,40
  2010 | 267 | 141 | 100 | 179 | 39 | 10 | 15 | 0 | 15,04 / 22,60

  7. Introduction

  8. Workshop Roadmap
  • 1st part (14:15 – 15:15)
    ◦ A little bit of theory
    ◦ Overview of the state of the art
  • 2nd part (15:30 – 16:30)
    ◦ Encountered formats, tools
    ◦ Unpacking end-to-end
  • 3rd part (17:00 – 18:00)
    ◦ Emulation introduction
    ◦ Awesome exercises – find your own 0day!

  9. What is a Firmware? (Ascher Opler)
  • Ascher Opler coined the term "firmware" in a 1967 Datamation article
  • Currently, in short: it is the set of software that makes an embedded system functional

  10. What is firmware? (IEEE)
  • IEEE Standard Glossary of Software Engineering Terminology, Std 610.12-1990, defines firmware as follows:
  • "The combination of a hardware device and computer instructions and data that reside as read-only software on that device.
  • Notes: (1) This term is sometimes used to refer only to the hardware device or only to the computer instructions or data, but these meanings are deprecated.
  • Notes: (2) The confusion surrounding this term has led some to suggest that it be avoided altogether."

  11. Common Embedded Device Classes
  • Networking – routers, switches, NAS, VoIP phones
  • Surveillance – alarms, cameras, CCTV, DVRs, NVRs
  • Industrial automation – PLCs, power plants, industrial process monitoring and automation
  • Home automation – sensors, smart homes, Z-Wave, Philips Hue
  • Whiteware – washing machine, fridge, dryer
  • Entertainment gear – TV, DVRs, receiver, stereo, game console, MP3 player, camera, mobile phone, toys
  • Other devices – hard drives, printers
  • Cars
  • Medical devices

  12. Common Processor Architectures
  • ARM (ARM7, ARM9, Cortex)
  • Intel ATOM
  • MIPS
  • 8051
  • Atmel AVR
  • Motorola 6800/68000 (68k)
  • Ambarella
  • Axis CRIS

  13. Common Buses
  • Serial buses – SPI, I2C, 1-Wire, UART
  • PCI, PCI Express
  • AMBA

  14. Common Communication Lines
  • Ethernet – RJ45
  • RS485
  • CAN/FlexRay
  • Bluetooth
  • WiFi
  • Infrared
  • Zigbee
  • Other radios (ISM band, etc.)
  • GPRS/UMTS
  • USB

  15. Common Directly Addressable Memory
  • DRAM
  • SRAM
  • ROM
  • Memory-mapped NOR flash

  16. Common Storage
  • NAND flash
  • SD card
  • Hard drive

  17. Common Operating Systems
  • Linux
    ◦ Perhaps the most favoured and most often encountered
  • VxWorks
  • Cisco IOS
  • Windows CE/NT
  • L4
  • eCos
  • DOS
  • Symbian
  • JunOS
  • Ambarella
  • etc.

  18. Common Bootloaders
  • U-Boot
    ◦ Perhaps the most favoured and most often encountered
  • RedBoot
  • BareBox
  • Ubicom bootloader

  19. Common Libraries and Dev Envs
  • busybox + uClibc
    ◦ Perhaps the most favoured and most often encountered
  • buildroot
  • openembedded
  • crosstool
  • crossdev

  20. What Challenges Do Firmwares Bring?
  • Non-standard formats
  • Encrypted chunks
  • Non-standard update channels
    ◦ Firmwares come and go; vendors quickly withdraw them from support/FTP sites
  • Non-standard update procedures
    ◦ Printer updates via vendor-specific PJL hacks
    ◦ A gazillion other hacks

  21. Updating to a New Firmware
  • Firmware update built-in functionality
    ◦ Web-based upload
    ◦ Socket-based upload
    ◦ USB-based upload
  • Firmware update function in the bootloader
    ◦ USB-boot recovery
    ◦ Rescue partition, e.g.:
      ▪ New firmware is written to a safe space and integrity-checked before it is activated
      ▪ Old firmware is not overwritten before the new one is active
  • JTAG/ISP/parallel programming

  22. Updating to a New Firmware – Pitfalls
  • TOCTOU attacks
  • Non-mutually-authenticating update protocols
  • Unsigned packages
  • Unverified signatures
  • Incorrectly/inconsistently verified signatures
  • Leaking signature keys
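The rescue-partition scheme of slide 21 and several of the pitfalls on slide 22 (TOCTOU, unverified or incorrectly compared signatures, no rollback) can be shown side by side in a small two-slot flash model. The code below is an added example, not code from the workshop or from FIRMWARE.RE. It stands in for the vendor's signature scheme with an HMAC-SHA256 tag (a real device should verify a public-key signature, since a shared secret on every unit is the "leaking signature keys" pitfall); the `Flash` class, the key and the image contents are all constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile

# Stand-in for the vendor's signing scheme: an HMAC-SHA256 tag.  A real product should use a
# public-key signature (only the public key lives on the device), because a shared secret burned
# into every unit is exactly the "leaking signature keys" pitfall from the slide.
def sign_image(image: bytes, key: bytes) -> bytes:
    return hmac.new(key, image, hashlib.sha256).digest()

def verify_tag(image: bytes, tag: bytes, key: bytes) -> bool:
    # compare_digest is constant-time; a plain == on the tag is one "incorrectly verified
    # signature" mistake, and accepting a truncated or empty tag is another.
    if len(tag) != hashlib.sha256().digest_size:
        return False
    return hmac.compare_digest(sign_image(image, key), tag)

class UpdateError(Exception):
    pass

class Flash:
    """Constructed two-slot (A/B) flash model: 'active' is the slot the device boots from."""
    def __init__(self, running_image: bytes):
        self.slots = {"A": running_image, "B": b""}
        self.active = "A"

    def inactive(self) -> str:
        return "B" if self.active == "A" else "A"

def install_update_unsafe(flash: Flash, image_path: str, tag: bytes, key: bytes) -> None:
    """Pitfall pattern: check the file, then re-read the path and overwrite the running slot."""
    with open(image_path, "rb") as f:
        if not verify_tag(f.read(), tag, key):
            raise UpdateError("signature check failed")
    with open(image_path, "rb") as f:          # TOCTOU window: the path is read a second time
        flash.slots[flash.active] = f.read()   # and there is no rescue slot if this write goes wrong

def install_update(flash: Flash, image_path: str, tag: bytes, key: bytes) -> str:
    """Rescue-partition pattern: read once, verify, program the inactive slot, re-verify, switch."""
    with open(image_path, "rb") as f:
        image = f.read()                        # single read: the bytes verified are the bytes flashed
    if not verify_tag(image, tag, key):
        raise UpdateError("signature check failed; nothing written")
    target = flash.inactive()
    flash.slots[target] = image                 # old firmware stays intact in the active slot
    if not verify_tag(flash.slots[target], tag, key):
        raise UpdateError("post-write verification failed; active slot untouched")
    flash.active = target                       # activation is the very last step
    return target

def demo() -> dict:
    """Run a good update and a tampered one against the constructed device; return observations."""
    key = b"constructed-demo-key"               # constructed for the example, not a real vendor key
    old, new = b"FIRMWARE v1.0", b"FIRMWARE v2.0"
    tag = sign_image(new, key)
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(new)
    try:
        flash = Flash(old)
        booted = install_update(flash, path, tag, key)
        after_good = (flash.active, dict(flash.slots))
        # Image modified after signing: must be rejected and must not touch either slot.
        with open(path, "wb") as f:
            f.write(new + b" (modified after signing)")
        try:
            install_update(flash, path, tag, key)
            rejected = False
        except UpdateError:
            rejected = True
        after_bad = (flash.active, dict(flash.slots))
    finally:
        os.unlink(path)
    return {"booted": booted, "after_good": after_good,
            "rejected": rejected, "after_bad": after_bad}

if __name__ == "__main__":
    print(demo())
```

The point of `install_update` is ordering: the bytes that were verified are the bytes written, the write goes to the slot that is not running, the slot contents are checked again after programming, and only then does the active marker move. `install_update_unsafe` keeps the same signature check but loses all three guarantees.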

  23. Why Are Most Firmwares Outdated? Vendor view
  • Profit and fast time-to-market first
  • Support and security come (if at all!) as an afterthought
  • Great platform variety raises compilation and maintenance effort
  • The verification process is cumbersome and takes a lot of time and effort
    ◦ E.g. medical devices depend on national standards that require a strict verification procedure, sometimes even by the state

  24. Why Are Most Firmwares Outdated? Customer view
  • "If it works, don't touch it!"
  • High effort for customers to install firmwares
  • High probability that something goes wrong during firmware upgrades
  • "Where do I put this upgrade CD into a printer – it has no keyboard, no monitor and no optical drive?!"

  25. Firmware Formats

  26. Firmware Formats – Typical Objects Inside
  • Bootloader (1st/2nd stage)
  • Kernel
  • File-system images
  • User-land binaries
  • Resources and support files
  • Web server/web interface

  27. Firmware Formats – Components Category View
  • Full-blown (full OS/kernel + bootloader + libs + apps)
  • Integrated (apps + OS-as-a-lib)
  • Partial updates (apps or libs or resources or support)

  28. Firmware Formats – Packing Category View
  • Pure archives (CPIO/Ar/Tar/GZip/BZip/LZxxx/RPM)
  • Pure filesystems (YAFFS, JFFS2, extN filesystems)
  • Pure binary formats (SREC, iHEX, ELF)
  • Hybrids (any breed of the above)

  29. Firmware Formats – Flavors
  • Ar
  • YAFFS
  • JFFS2
  • SquashFS
  • CramFS
  • ROMFS
  • UbiFS
  • xFAT
  • NTFS
  • extN filesystems
  • iHEX
  • SREC/S19
  • PJL
  • CPIO/Ar/Tar/GZip/BZip/LZxxx/RPM

  30. Firmware Analysis

  31. Firmware Analysis – Overview
  • Get the firmware
  • Reconnaissance
  • Unpacking
  • Reuse engineering (check code.google.com and sourceforge.net)
  • Localize the point of interest
  • Decompile/compile/tweak/fuzz/pentest/fun!

  32. Firmware Analysis – Getting the Firmware
  Many times not as easy as it sounds! In order of increasing complexity of getting the firmware image:
  • Present on the product CD/DVD
  • Download from the manufacturer's FTP/HTTP site
    ◦ Many times you need to register for manufacturer spam :(
  • Google Dorks
  • FTP index sites (mmnt.net, ftpfiles.net)
  • Wireshark traces (manufacturer firmware download tool or the device communication itself)
  • Device memory dump

  33. Firmware Analysis – Reconnaissance
  • strings on the firmware image/blob
  • Fuzzy string matching against a wide embedded product DB
  • Find and read the specs and datasheets of the device
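The reconnaissance step on this slide and the packing formats listed on slides 28 and 29 come together in a first-pass scanner: walk the blob for the magic numbers of the archive, filesystem and kernel-image formats, recognise the text-based iHEX/SREC flavours by validating their record checksums, and pull out printable strings. The code below is an added example written for this page, not a tool from the workshop or from FIRMWARE.RE; the `SAMPLE_*` inputs are constructed, and the signature table covers only the formats named on the slides plus a few common containers (YAFFS is absent because it has no fixed superblock magic). It generalises the slide's single `strings` step to the whole format list.

```python
import re
from collections import namedtuple

Hit = namedtuple("Hit", "offset name")

# (name, magic bytes, offset of the magic inside the object).  Reported offsets point at the
# start of the object, i.e. match position minus that offset (ustar sits 257 bytes into a tar).
SIGNATURES = [
    ("gzip", b"\x1f\x8b\x08", 0),
    ("bzip2", b"BZh", 0),
    ("xz", b"\xfd7zXZ\x00", 0),
    ("ELF", b"\x7fELF", 0),
    ("U-Boot uImage", b"\x27\x05\x19\x56", 0),
    ("SquashFS (little-endian)", b"hsqs", 0),
    ("SquashFS (big-endian)", b"sqsh", 0),
    ("CramFS (little-endian)", b"\x45\x3d\xcd\x28", 0),
    ("CramFS (big-endian)", b"\x28\xcd\x3d\x45", 0),
    ("RomFS", b"-rom1fs-", 0),
    ("JFFS2 inode (little-endian)", b"\x85\x19\x01\xe0", 0),
    ("JFFS2 dirent (little-endian)", b"\x85\x19\x02\xe0", 0),
    ("JFFS2 inode (big-endian)", b"\x19\x85\xe0\x01", 0),
    ("JFFS2 dirent (big-endian)", b"\x19\x85\xe0\x02", 0),
    ("UBI erase-counter header", b"UBI#", 0),
    ("UBIFS node", b"\x31\x18\x10\x06", 0),
    ("CPIO newc", b"070701", 0),
    ("CPIO crc", b"070702", 0),
    ("ar archive", b"!<arch>\n", 0),
    ("tar (ustar)", b"ustar", 257),
    ("ZIP", b"PK\x03\x04", 0),
    ("RPM", b"\xed\xab\xee\xdb", 0),
]

def scan_magics(blob: bytes) -> list:
    """Return every (offset, name) at which a known magic appears, sorted by offset."""
    hits = []
    for name, magic, inner in SIGNATURES:
        pos = blob.find(magic)
        while pos >= 0:
            if pos >= inner:
                hits.append(Hit(pos - inner, name))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)

def _ihex_record_ok(line: bytes) -> bool:
    # Intel HEX: ':' + hex bytes; count byte = data length; all bytes sum to 0 mod 256.
    try:
        rec = bytes.fromhex(line[1:].decode("ascii"))
    except ValueError:
        return False
    return len(rec) >= 5 and rec[0] == len(rec) - 5 and sum(rec) % 256 == 0

def _srec_record_ok(line: bytes) -> bool:
    # Motorola S-record: 'S' + type digit + hex bytes; count byte = bytes after it;
    # count + address + data + checksum sum to 0xFF mod 256.
    if len(line) < 4 or not line[1:2].isdigit():
        return False
    try:
        rec = bytes.fromhex(line[2:].decode("ascii"))
    except ValueError:
        return False
    return len(rec) >= 3 and rec[0] == len(rec) - 1 and sum(rec) % 256 == 0xFF

def classify_text_format(blob: bytes):
    """'ihex', 'srec' or None; every non-empty line must be a checksum-valid record."""
    lines = [l.strip() for l in blob.splitlines() if l.strip()]
    if not lines:
        return None
    if all(l.startswith(b":") and _ihex_record_ok(l) for l in lines):
        return "ihex"
    if all(l.startswith(b"S") and _srec_record_ok(l) for l in lines):
        return "srec"
    return None

def strings(blob: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes, like the strings(1) tool."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(blob)]

# Constructed sample: a uImage header, a gzip blob and a SquashFS superblock glued together.
SAMPLE_BLOB = (
    b"\x27\x05\x19\x56" + b"\x00" * 60
    + b"\x1f\x8b\x08" + b"\x00" * 5 + b"Linux-3.10.0\x00" + b"\x00" * 15
    + b"hsqs" + b"\x00" * 28 + b"/bin/busybox\x00" + b"\x00" * 3
)
SAMPLE_IHEX = b":10010000214601360121470136007EFE09D2190140\n:00000001FF\n"
SAMPLE_SREC = b"S00600004844521B\nS9030000FC\n"

if __name__ == "__main__":
    for hit in scan_magics(SAMPLE_BLOB):
        print(f"0x{hit.offset:08x}  {hit.name}")
    print(classify_text_format(SAMPLE_IHEX), classify_text_format(SAMPLE_SREC))
    print(strings(SAMPLE_BLOB))
```

Magic matching alone over-reports (two-byte and four-byte patterns occur by chance in compressed data), which is why the JFFS2 entries require the node type after the magic and why the iHEX/SREC check validates every record rather than just the first character; the offsets it does report are the candidates to carve out and unpack in the next step.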

  34. Firmware Analysis – Unpacking
  • Did anyone pay attention to the previous section?!
