from off the shelf embedded devices to research platforms
play

From off-the-shelf embedded devices to research platforms. Two case - PowerPoint PPT Presentation

Jan 27, 2024 •424 likes •886 views

From off-the-shelf embedded devices to research platforms. Two case studies: a PLC and a SSD Lucian Cojocar Herbert Bos Vrije Universiteit of Amsterdam 10/02/2015 1 / 44 Who I am Find back-doors in firmwares: Wrote a translator from

  1. From off-the-shelf embedded devices to research platforms. Two case studies: a PLC and a SSD Lucian Cojocar Herbert Bos Vrije Universiteit of Amsterdam 10/02/2015 1 / 44

  2. Who I am ● Find back-doors in firmwares: – Wrote a translator from binary to LLVM – Used it for parser detection (to appear @ACSAC) ● Binary analysis, especially for firmwares – Started with dynamic (firmware emulation system) – Switched to static analysis – Currently trying to use the best from both worlds ● Extract and analyze various firmwares 2 / 44

  3. Presentation outline 1. An introduction to hardware hacking – What is a research platform ? – Why do we need re-purposing a device? 2. First showcase: a PLC – An example of re-purposing a high-profile device. 3. Second showcase: a SSD – Another embedded device that was re-purposed. 4. Call for contribution: – We gather a list of such devices on this public wiki: http://embedded.labs.vu.nl 3 / 44

  4. Background ● Embedded devices are ubiquitous nowadays – IoT buzzword (Shodan project) – Old devices, out-dated code – They are also cheap :-) ● We apply various security related techniques to the firmware of these devices – The techniques are not necessarily new – Most of them are binary based ● Regardless of the goal we have to extract the firmware and, in some cases, we have to execute code on them Look at relevant devices and reuse them for testing 4 / 44

  5. Motivation of re-purposing or why hardware hacking? ● It's fun :-) ● Analyze the firmware that runs ● Develop new generic techniques ● Test new security oriented ideas ● Deploy security mechanism to old devices A researcher should invest most of the time in developing new ideas and not in finding the suitable device to test them 5 / 44

  6. Motivation of re-purposing or why hardware hacking? ● It's fun :-) ● Analyze the firmware that runs ● Develop new generic techniques ● Test new security oriented ideas ● Deploy security mechanism to old devices A researcher should invest most of the time in developing new ideas and not in finding the suitable device to test them

  7. What does repurposing mean? ● Reusing an off-the-shelf embedded device with the goal of testing security related frameworks ● Roughly, this boils down to: – Running new (or partially new) code and, – Communicate with the target device. ● Examples: – Avatar: Dynamic firmware analysis (Zaddach et al.) – showcased on a GSM phone and a HDD – Firmalice: Detection of Authentification Bypass (Shoshitaishvili et al.) – tested on a camera and a printer – PoC back-doors on printers, HDDs, IPCamera, SatPhones 7 / 44

  8. A primer on repurposing or on hardware hacking Roughly three steps: ● Reconnaissance phase – Read the documentation and take the device apart ● Getting code execution – JTAG, debug channel ● Communication channel – UART interface, GPIO pin, display 8 / 44

  9. Reconnaissance phase (1) ● Read the description of the device ● Read reference manual and SDKs ● Previous errors (CVEs) reported for this device ● Firmware updates, different versions, change-logs ● How widely used is this device? ● Are there other researchers that are working with this device? ● In short: gather as much information as possible from the publicly available sources 9 / 44

  10. Reconnaissance phase (2) Take it apart and look for: ● Test pads ● Known/Unknown chips ● Main SoC ● Unpopulated footprints ● Hidden headers ● Power lines ● Data-sheets ● Build a high-level diagram of the system 10 / 44

  11. Code execution (1) ● Software (via R FU or command injection) – A bit of reverse engineering (on the FU ) is required along with some trial and error ● Signature/checksum of the FU (if any) ● (Un)packing of the FU ● check of the FU (is it off-line or on-line) – Are there any buggy software components used? ● Can we exploit these bugs? ● Updates are rare ● (manual) Fuzzing still effective in some cases 11 / 44

  12. Code execution (2) ● Hardware – Debug signals of the main SoC (data-sheet is useful) ● JTAG, SWI, etc. ● Debug facilities are sometimes still enabled ● Look for unpopulated foot-prints at test patterns ● Good candidates for JTAG signals can be identified (Breeuwsma) – Flash chips that may store code (don't be afraid to use the soldering iron) ● SPI flash is easy to access ● Sniff some data, identify when the chip is used ● Read and reprogram the chip ● Simple is better – start looking at smaller (in terms of storage) chips first Start simple: use “ while (1) ; ” patterns for reprogramming and observe the behavior 12 / 44

  13. Communication channel (1) ● We need a way to communicate with the device – Send and receive data ● Any controllable and observable signal can be used – Most of the SoCs have an UART interface ● Usually, it requires reverse engineering of the firmware – Identify the memory map (MMIO area) – Polling code patterns – “ while (*MMIO_ADDR & 0x40) ; ” – Search GPIO ports (LEDs indicating statuses might be connected to such ports) – Exception handling routines may help 13 / 44

  14. Communication channel (2) UART communication ● How to find the TX signal: – Is there output? – Trace (in firmware) the sync point of strings – Look for pooling patterns followed by a single byte write – If it is DMA, things are more complicated :-) – It is rarely DMA – Probe with the oscilloscope potential candidates on the PCB ● How to find the RX signal: – Usually at the same (or very similar) MMIO address as the TX signal – Same polling pattern – Trial and error process: write code that is verbose after a byte is received through the RX signal 14 / 44

  15. Recap ● In principle repurposing has three steps: – Reconnaissance phase ● Data-sheets, PCB inspection – Code execution phase ● JTAG, SWD etc. – Communication channel phase ● UART, GPIO etc. ● We will repurpose two embedded devices: – PLC – SSD 15 / 44

  16. PLC (Programmable logic controller) ● Part of SCADA system – S7-1200 Series – Similar device was attacked by Stuxnet – High-profile device ● Exact details are in the paper 16 / 44

  17. PLC goals ● We needed a test case for a research project ● The research framework used a GDB connection to a live system We implement a GDB server on this device 17 / 44

  18. PLC – reconnaissance (1) Plenty of documentation available on-line ● On how to use the device, ● And how to add expansion boards, ● And how to program (application) the device with, ● And how to connect a communication module, ● But nothing denoting what hardware is inside. 18 / 44

  19. PLC – reconnaissance (2) Firmware updates were available ● Packed with unknown algorithm ● Not signed, only checksummed ● The checking was done online ● Known text strings present in the firmware update ● The update can be performed trough: – A special MMC card, or – Through a webserver We tried to reverse the algorithm but it turned out to be faster to gain code execution by other means 19 / 44

  20. PLC – reconnaissance (3) ● Take it apart! (top) – Three PCBs: power, actuators and logic – Many test pads – Network interface – Unknown chips – Extension headers – Flash, RAM, SoC 20 / 44

  21. PLC – reconnaissance (4) ● Take it apart! (bottom) – A nice SPI (1Mbit) flash – Data-sheet available – Two internal headers 21 / 44

  22. PLC – code execution (1) ● Firmware was checksummed and compressed – The unpacking was done off-line – We dropped the idea of modifying the FU ● Unknown SoC, no data-sheet available – Previous versions of this PLC were ARM – No obvious pattern of unpopulated header (JTAG) ● Let's investigate the SPI flash → to the scope! 22 / 44

  23. Anatomy of a bootloader ● Used only after the power-up ● Fairly small ● Does basic configs and check (RAM patterns) ● Loads a bigger code ● Finally, it jumps to the loaded code The code in the SPI flash is a good candidate. 23 / 44

  24. PLC – code execution (2) ● Reflashed the bootloader with our code ( j . ) ● For testing: reflashed back the original bootloader ● The PLC was in good shape :-) ● We didn't had a stable version of the GDB stub – Solution: man-in-the middle on SPI Flash – Other solution might work 24 / 44

  25. PLC – code execution (3) ● Man-in-the middle on the SPI: – Desolder only chip-select ( CS ), clock ( CLK ), data-in ( DI ) – Either: ● clk_prog → clk_chip , or ● clk_board → clk_chip ● We achieved code execution – proof: j . blocks the boot process, we can see this on the LEDs 25 / 44

  26. PLC – communication channel (1) ● Two expansion ports (on each side of the CPU/PLC) ● CM 1241 RS232 is a nice module … and it is referenced in the manual … and it is connected to the above mentioned ports ● Reverse engineering: – We bet that the serial port is used in the simplest configuration: polling. Idea : search for tight loops that are checking statuses – There were not too many loops and not too many serial port types. – while (*(base+offset) & 0x40); *(base) = x; 26 / 44

  27. PLC – communication channel (2) ● How do we test this? ● Tight loop that writes characters at the presumably serial MMIO output register ● Use (again) the oscilloscope to probe around. 27 / 44

  28. 28 / 44

  29. 29 / 44

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Embedded systems and the role of programmable logic devices in embedded systems Embedded system :

Embedded systems and the role of programmable logic devices in embedded systems Embedded system :

Embedded systems and the role of programmable logic devices in embedded systems Embedded system : a combination of computer hardware and software, and perhaps additional mechanical or other parts, designed to perform a dedicated function. In some

414 views • 20 slides
Networked Embedded Devices Frank Piessens, imec-DistriNet, KU Leuven Introduction Long-term

Networked Embedded Devices Frank Piessens, imec-DistriNet, KU Leuven Introduction Long-term

Sancus 2.0: A Security Architecture for Low-Cost Networked Embedded Devices Frank Piessens, imec-DistriNet, KU Leuven Introduction Long-term objective: Secure open software application platforms for distributed IT infrastructure

712 views • 40 slides
Effective Scripting in Embedded Devices Steve Bennett 1 What is Embedded? ELC 2010 2

Effective Scripting in Embedded Devices Steve Bennett 1 What is Embedded? ELC 2010 2

ELC 2010 Effective Scripting in Embedded Devices Steve Bennett 1 What is Embedded? ELC 2010 2 Creating an Embedded Product Time to market Linux kernel Quality uClibc Features Busybox Cost Other open source

494 views • 35 slides
Mapping the SCA to Embedded Platforms Using the SCA with DSPs and FPGAs Steve Bernier Project

Mapping the SCA to Embedded Platforms Using the SCA with DSPs and FPGAs Steve Bernier Project

SMis 8 th Annual International Software Radio London, UK Mapping the SCA to Embedded Platforms Using the SCA with DSPs and FPGAs Steve Bernier Project Leader, Advanced Radio Systems Communications Research Centre (CRC) Agency of Industry

607 views • 29 slides
Embedded Rust, by example of RIOT-OS applications Christian M. Ams uss <ca@etonomy.org>

Embedded Rust, by example of RIOT-OS applications Christian M. Ams uss <ca@etonomy.org>

Embedded Rust, by example of RIOT-OS applications Christian M. Ams uss <ca@etonomy.org> 2018-11-27 Embedded Devices 10kB 1MB ROM 1kB 100kB RAM Typical hardware: ARM Cortex-M3, eg. STM32 Embedded Devices

416 views • 28 slides
Safety-Critical Java for Low-End Embedded Platforms Stephan E. Korsholm & Hans Sndergaard

Safety-Critical Java for Low-End Embedded Platforms Stephan E. Korsholm & Hans Sndergaard

Safety-Critical Java for Low-End Embedded Platforms Stephan E. Korsholm & Hans Sndergaard VIA University College, Horsens, DK Anders P. Ravn CISS, Aalborg University, DK JTRES October 2012 1 The Problem Low-End Industrial Platforms

180 views • 16 slides
Mesa 3D in an Embedded Context Mark Janes, Feb 21, 2017 mark.a.janes@intel.com About me:

Mesa 3D in an Embedded Context Mark Janes, Feb 21, 2017 mark.a.janes@intel.com About me:

Mesa 3D in an Embedded Context Mark Janes, Feb 21, 2017 mark.a.janes@intel.com About me: Working on Linux platforms since 2004, with a background on embedded devices. Joined Mesa in 2015, working on performance tools and

227 views • 12 slides
Trust but verify: Why and how to establish trust in embedded devices Aurlien Francillon This

Trust but verify: Why and how to establish trust in embedded devices Aurlien Francillon This

Trust but verify: Why and how to establish trust in embedded devices Aurlien Francillon This talk Introduction Economic aspects Why make secure products? Trust in embedded devices Verifying trust Conclusion Aurlien

649 views • 37 slides
Filesystem considerations for embedded devices ELC2015 03/25/15 Tristan Lelong Senior embedded

Filesystem considerations for embedded devices ELC2015 03/25/15 Tristan Lelong Senior embedded

Filesystem considerations for embedded devices ELC2015 03/25/15 Tristan Lelong Senior embedded software engineer Filesystem considerations ABSTRACT The goal of this presentation is to answer a question asked by several customers: which

1.36k views • 110 slides
Mining Your P s and Q s Detection of Widespread Weak Keys in Embedded Devices Nadia Heninger UC

Mining Your P s and Q s Detection of Widespread Weak Keys in Embedded Devices Nadia Heninger UC

Mining Your P s and Q s Detection of Widespread Weak Keys in Embedded Devices Nadia Heninger UC San Diego Microsoft Research New England Zakir Durumeric Eric Wustrow Alex Halderman University of Michigan January 10, 2012 or

490 views • 46 slides
The Embedded Learning Library The Embedded Learning Library (ELL) Cross-compiler for AI

The Embedded Learning Library The Embedded Learning Library (ELL) Cross-compiler for AI

The Embedded Learning Library The Embedded Learning Library (ELL) Cross-compiler for AI pipelines, specialized for resource constrained target platforms T arget ELL AI Machine Pipeline Code https://github.com/Microsoft/ELL The Embedded

638 views • 36 slides
What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices Marius Muench 1 Jan

What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices Marius Muench 1 Jan

What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices Marius Muench 1 Jan Stijohann 2 , 3 Frank Kargl 3 elien Francillon 1 Davide Balzarotti 1 Aur 1 EURECOM 2 Siemens AG 3 Ulm University Introduction Embedded

474 views • 29 slides
Agents for Handheld Agents for Handheld and Embedded Devices and Embedded Devices Tim Finin

Agents for Handheld Agents for Handheld and Embedded Devices and Embedded Devices Tim Finin

Agents for Handheld Agents for Handheld and Embedded Devices and Embedded Devices Tim Finin Tim Finin University of Maryland University of Maryland Baltimore County Baltimore County Presentation given at the Workshop on Cooperative tell

812 views • 67 slides
Embedded Systems (ESII) Prof. Dr. J. Henkel, Dr. M. Shafique CES - Chair for Embedded Systems

Embedded Systems (ESII) Prof. Dr. J. Henkel, Dr. M. Shafique CES - Chair for Embedded Systems

1 ESII: ASIPs_ISEs Design and Architectures for Embedded Systems (ESII) Prof. Dr. J. Henkel, Dr. M. Shafique CES - Chair for Embedded Systems Karlsruhe Institute of Technology, Germany Today: Embedded Processor Platforms ASIPs and Extensible

1.5k views • 89 slides
Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil

Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil

Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Math ematiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 1

1.72k views • 143 slides
Pharmaceutical Shelf Life Determination: Findings of the PQRI Stability Shelf Life Working Group

Pharmaceutical Shelf Life Determination: Findings of the PQRI Stability Shelf Life Working Group

Pharmaceutical Shelf Life Determination: Findings of the PQRI Stability Shelf Life Working Group James Schwenke, Ph.D. Consulting Statistician Applied Research Consultants, LLC Determining Release and Throughout Dating Potency Specifications: A

477 views • 35 slides
Taking full advantage of QEMU in Xen Daniel P. Berrange <berrange@redhat.com> Xen Summit,

Taking full advantage of QEMU in Xen Daniel P. Berrange <berrange@redhat.com> Xen Summit,

Taking full advantage of QEMU in Xen Daniel P. Berrange <berrange@redhat.com> Xen Summit, November 2007 Xen userspace in 3.1.x A large number of components Libraries: libxenstore, libxenctrl, libxenguest Daemons: xend,

521 views • 13 slides
Giant Clouds, Tiny Computers Salesforce.com Meets the Raspberry Pi Reid Carlberg Principal

Giant Clouds, Tiny Computers Salesforce.com Meets the Raspberry Pi Reid Carlberg Principal

Giant Clouds, Tiny Computers Salesforce.com Meets the Raspberry Pi Reid Carlberg Principal Developer Evangelist @ReidCarlberg Where to find stuff: http://developer.force.com Github: ReidCarlberg LAB-Wireless-Sensor-Network

460 views • 26 slides
robot partner CSSE 120 Rose Hulman Institute of Technology Announcements Homework assigned

robot partner CSSE 120 Rose Hulman Institute of Technology Announcements Homework assigned

Getting to know the iRobot Create Please sit with your choice of a robot partner CSSE 120 Rose Hulman Institute of Technology Announcements Homework assigned on Monday and Tuesday each week: Reading/Quiz part of first assignment due

882 views • 54 slides
Kernel Graphics Development on Remote Machines 2018-02-03, Joonas Lahtinen Intel Corporation 1

Kernel Graphics Development on Remote Machines 2018-02-03, Joonas Lahtinen Intel Corporation 1

Kernel Graphics Development on Remote Machines 2018-02-03, Joonas Lahtinen Intel Corporation 1 About the author Joonas Lahtinen <joonas.lahtinen@linux.intel.com> IRC: dolphin@freenode (Registered : Aug 20 15:42:25 2002 (15y 24w 2d ago))

616 views • 22 slides
Mobile Broadband measurements: representing results in a database-oriented fashion ISMA 2013

Mobile Broadband measurements: representing results in a database-oriented fashion ISMA 2013

Mobile Broadband measurements: representing results in a database-oriented fashion ISMA 2013 AIMS-5 D iugas Baltr nas Simula Research Laboratory 2013-02-07 Environment Few hundreds of geographically spread nodes equipped with 2+ 3G

430 views • 19 slides
Programming In Forth on the Vectrex Phillip Eaton 2018 What is a Vectrex?

Programming In Forth on the Vectrex Phillip Eaton 2018 What is a Vectrex?

Programming In Forth on the Vectrex Phillip Eaton 2018 What is a Vectrex? https://youtu.be/k8GiErP6Nfc My Background Spent 90s programming Z80 SBCs with MPE Forth for SCADA applications Collected a lot of classic video arcade games:

288 views • 13 slides
Hardware devices iGCSE Computer Science High level overview Feedback cycle Sensor based

Hardware devices iGCSE Computer Science High level overview Feedback cycle Sensor based

Hardware devices iGCSE Computer Science High level overview Feedback cycle Sensor based programs generally work on a feedback cycle. Open v closed loop feedback cycle Does the output have a direct impact on future inputs? If no, it is

686 views • 31 slides
Node-js (for Starters) and Electronics/Robotics Presented by Onuralp SEZER Fedora Ambassador

Node-js (for Starters) and Electronics/Robotics Presented by Onuralp SEZER Fedora Ambassador

Node-js (for Starters) and Electronics/Robotics Presented by Onuralp SEZER Fedora Ambassador Event Topics Node-js ? 1 . a.How to install ? b.How to use ? (simple and quick way) 2. And Electronics, 3. And Robotics 4.IOT Security How to

492 views • 23 slides

More recommend