fuzzing and debugging cisco ios
play

Fuzzing and Debugging Cisco IOS Blackhat Europe 2011 Sebastian Mu - PowerPoint PPT Presentation

Jan 16, 2023 •367 likes •591 views

Cisco IOS architecture Architecture Analyzing Pros and Cons Use case: IOS malware Use case: ROMMON debugging Use cases: Fuzzer Wrapping up Fuzzing and Debugging Cisco IOS Blackhat Europe 2011 Sebastian Mu niz, Alfredo Ortega Groundworks

  1. Cisco IOS architecture Architecture Analyzing Pros and Cons Use case: IOS malware Use case: ROMMON debugging Use cases: Fuzzer Wrapping up Fuzzing and Debugging Cisco IOS Blackhat Europe 2011 Sebastian Mu˜ niz, Alfredo Ortega Groundworks Technologies March 18, 2011 Groundworks Technologies Fuzzing and Debugging Cisco IOS

  2. Cisco IOS architecture Architecture Analyzing Pros and Cons Use case: IOS malware Use case: ROMMON debugging Use cases: Fuzzer Wrapping up Agenda Cisco IOS Architecture Debugger internals Dynamips modification GDB support IDA Pro support Shortcomings of self-checking routines Demos: Malware analysis Fuzzing example Groundworks Technologies Fuzzing and Debugging Cisco IOS

  3. Cisco IOS architecture Architecture Analyzing Pros and Cons Dynamips emulator Use case: IOS malware Built-in GDB server Use case: ROMMON debugging Use cases: Fuzzer Wrapping up cisco IOS architecture Fast Packet Switch Processes Buffers Softw. Single binary image Shared single address space Kernel Device Drivers Cooperative priority-based scheduler Hardware Figure: Cisco IOS process memory Groundworks Technologies Fuzzing and Debugging Cisco IOS

  4. Cisco IOS architecture Architecture Analyzing Pros and Cons Dynamips emulator Use case: IOS malware Built-in GDB server Use case: ROMMON debugging Use cases: Fuzzer Wrapping up Dynamips emulator Created by Christophe Fillot 1 Runs on Windows, Linux and Mac OS X. Equivalent to QEMU/Bochs Implements MIPS/PowerPC architecture and Cisco hardware Supports the following models: (a) 7200 (b) 36XX (c) 2691 (d) 3725 (e) 3745 (f) 26XX (g) 17XX 1http://www.ipflow.utc.fr/index.php/Cisco 7200 Simulator Groundworks Technologies Fuzzing and Debugging Cisco IOS

  5. Cisco IOS architecture Architecture Analyzing Pros and Cons Dynamips emulator Use case: IOS malware Built-in GDB server Use case: ROMMON debugging Use cases: Fuzzer Wrapping up Built-in GDB server Used by Cisco developers and support engineers Works over Telnet, SSH and Serial console Slightly different GDB protocol Examine Debug Kernel Read Registers Write Registers Read Memory Write Memory Freeze OS Remote Figure: GDB debugging modes Groundworks Technologies Fuzzing and Debugging Cisco IOS

  6. Cisco IOS architecture Architecture Analyzing Pros and Cons Use case: IOS malware Virtual Machine Debugger internals Use case: ROMMON debugging Use cases: Fuzzer Wrapping up Virtual Machine Debugger internals Dynamips GDB PowerPC Server CPU/Memory instrumentation GDB Protocol MIPS No JIT support Supported commands Memory Controller Special Hard Read/Write CPU Registers FPGA Read/Write Memory Set/Unset Breakpoints PCI WIC Any standard GDB client supported NM Figure: GDB Server embedding Groundworks Technologies Fuzzing and Debugging Cisco IOS

  7. Cisco IOS architecture Architecture Pros vs Cons Analyzing Pros and Cons Why isolation is good? Use case: IOS malware I don’t need this, I have the verify command Use case: ROMMON debugging Shortcomings of self-checking routines Use cases: Fuzzer Wrapping up Pros and Cons of Virtual Machine Debugger Pros: Complete isolation (almost!) Cost-effective Controlled debugging environment Bug-hunter friendly Cons: Not 100% exact emulation Not all models or hardware compatible Findings need double-check with physical device Check Cisco EULA before doing anything crazy. Just in case. Groundworks Technologies Fuzzing and Debugging Cisco IOS

  8. Cisco IOS architecture Architecture Pros vs Cons Analyzing Pros and Cons Why isolation is good? Use case: IOS malware I don’t need this, I have the verify command Use case: ROMMON debugging Shortcomings of self-checking routines Use cases: Fuzzer Wrapping up Why isolation is good? Analyzing malware Analyzing malware GDB Client Cisco IOS Cisco IOS GDB Client Malware Read_Memory Read_Memory Request Malware Built−In GDB Stub Expected (fake) Bytes Malware memory Original memory GDB Stub dump Mirror DYNAMIPS Figure: Using built-in GDB Figure: Dynamips GDB server Lesson learned: NEVER analyze malware inside an infected host. Groundworks Technologies Fuzzing and Debugging Cisco IOS

  9. Cisco IOS architecture Architecture Pros vs Cons Analyzing Pros and Cons Why isolation is good? Use case: IOS malware I don’t need this, I have the verify command Use case: ROMMON debugging Shortcomings of self-checking routines Use cases: Fuzzer Wrapping up I don’t need this, I have the verify command Cisco Response on IOS rootkits 2 : Maintain chain of trust when verifying IOS images Verify IOS image in external host, or before booting it Use the MD5 File Validation command “verify” on Loaded image: Using the MD5 File Validation Feature “The MD5 File Validation feature, added in Cisco IOS Software Releases 12.2(4)T and 12.0(22)S, allows network administrators to calculate the MD5 hash of a Cisco IOS software image file that is loaded on a device.” 2 http://www.cisco.com/warp/public/707/cisco-sr-20080516-rootkits.shtml Groundworks Technologies Fuzzing and Debugging Cisco IOS

  10. Cisco IOS architecture Architecture Pros vs Cons Analyzing Pros and Cons Why isolation is good? Use case: IOS malware I don’t need this, I have the verify command Use case: ROMMON debugging Shortcomings of self-checking routines Use cases: Fuzzer Wrapping up Shortcomings of self-checking routines Malware-affected analysis Clean analyis Verify CLI command Cisco IOS External Trusted environment Malware MD5 Tool Calculate User expected MD5 CHK MD5 chksum (fake) Result Login routine Hash Cisco IOS GDB server Figure: Using Dynamips GDB server Figure: Using built-in GDB Lesson learned ( again ): NEVER verify code inside an infected host. Groundworks Technologies Fuzzing and Debugging Cisco IOS

  11. Cisco IOS architecture Architecture Analyzing Pros and Cons Use case: IOS malware Use case: ROMMON debugging Use cases: Fuzzer Wrapping up Use cases: IOS malware Demo: Backdoored IOS installation Not trivial to analyze (Many IOS variations) At least, possible: Demo! Groundworks Technologies Fuzzing and Debugging Cisco IOS

  12. Cisco IOS architecture Architecture Analyzing Pros and Cons Use case: IOS malware Use case: ROMMON debugging Use cases: Fuzzer Wrapping up Use case: ROMMON debugging ROMMON: Cisco bootloader 3 Very easy to verify and analyze (less variations) Read-only in some models Contains a basic but privileged debugger ROMMON itself can be debugged by Dynamips 3 Felix ’FX’ Lindner , 25c3, Cisco IOS - Attack & Defense Groundworks Technologies Fuzzing and Debugging Cisco IOS

  13. Cisco IOS architecture Architecture Fuzzing requirements Analyzing Pros and Cons Timing diagram Use case: IOS malware Example fuzzer Use case: ROMMON debugging Triggered Vulnerability Use cases: Fuzzer Wrapping up Fuzzing requirements Correct exception handling Reproducible test-cases Logging Desirable: Debugging envirment (for post-analysis) Groundworks Technologies Fuzzing and Debugging Cisco IOS

  14. Cisco IOS architecture Architecture Fuzzing requirements Analyzing Pros and Cons Timing diagram Use case: IOS malware Example fuzzer Use case: ROMMON debugging Triggered Vulnerability Use cases: Fuzzer Wrapping up Fuzzing timing diagram Fuzzer GDB Dynamips Start Start Fuzz case N Exception Signal Get Regs Registers Log Restart Restart Fuzz case N+1 Groundworks Technologies Fuzzing and Debugging Cisco IOS

  15. Cisco IOS architecture Architecture Fuzzing requirements Analyzing Pros and Cons Timing diagram Use case: IOS malware Example fuzzer Use case: ROMMON debugging Triggered Vulnerability Use cases: Fuzzer Wrapping up Example fuzzer Start Connect to FTP Attack surface via Protocol fuzzer (ftp) Send: Command + "AAA..." (100 A’s) Trivial test-case generation (just an Disconnect Yes example!) No Yes More Crash? Save state CMDs? No End DB Groundworks Technologies Fuzzing and Debugging Cisco IOS

  16. Cisco IOS architecture Architecture Fuzzing requirements Analyzing Pros and Cons Timing diagram Use case: IOS malware Example fuzzer Use case: ROMMON debugging Triggered Vulnerability Use cases: Fuzzer Wrapping up Fuzzer Demo Demo! Groundworks Technologies Fuzzing and Debugging Cisco IOS

  17. Cisco IOS architecture Architecture Fuzzing requirements Analyzing Pros and Cons Timing diagram Use case: IOS malware Example fuzzer Use case: ROMMON debugging Triggered Vulnerability Use cases: Fuzzer Wrapping up Triggered Vulnerability Cisco Security Advisory: Multiple Vulnerabilities in the IOS FTP Server (cisco-sa-20070509-iosftp) 30 FTP commands, remote code execution on 16: (USER,CWD,DELE,RNFR,STOR,NLST,APPE,MKD, RMD,STOU,RETR,LIST,STAT,MDTM,SIZE, and HELP) Patched in 2007: Completely remove all FTP server code Groundworks Technologies Fuzzing and Debugging Cisco IOS

  18. Cisco IOS architecture Architecture Analyzing Pros and Cons Use case: IOS malware Use case: ROMMON debugging Use cases: Fuzzer Wrapping up How secure is this debugger? Very. Can be used in a production environment to analyze malicious code? No Dynamips contains emulation bugs. Demo! Groundworks Technologies Fuzzing and Debugging Cisco IOS

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cisco ASA Provider The Cisco ASA provider is used to interact with Cisco ASA hardware devices or

Cisco ASA Provider The Cisco ASA provider is used to interact with Cisco ASA hardware devices or

Cisco ASA Provider The Cisco ASA provider is used to interact with Cisco ASA hardware devices or the Cisco ASAv virtual appliance. The provider needs to be congured with the proper credentials before it can be used. Use the navigation to the

372 views • 11 slides
Debugging Debugging with High Level Languages Same goals as low-level debugging Examine and

Debugging Debugging with High Level Languages Same goals as low-level debugging Examine and

Chapter 15 Debugging Debugging with High Level Languages Same goals as low-level debugging Examine and set values in memory Execute portions of program Stop execution when (and where) desired Want debugging tools to operate on

274 views • 9 slides
Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me

Fuzzing Kamailio Security testing the Kamailio SIP server with fuzzing Agenda About me Motivation Introduction of fuzzing and afl fuzzer Necessary changes to the core and configuration Testing setup Example SIP messages and

1.03k views • 35 slides
Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is

Fuzzing for CyberSecurity Abe Cohen 2019-11-13 Fuzzing for CyberSecurity What is fuzzing/fuzz testing? Why AFL? How does it work with GNAT Pro/Ada? Premise: Fuzz Testing Definition: Stable Software Software that is highly

649 views • 16 slides
Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities A.K.A Fuzzing 101 Agenda GEEKZONE Overview of fuzzing techniques Tutorials on specific open-source fuzzers Demonstrations DIY fuzzing! Who

825 views • 50 slides
2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

From Blackbox Fuzzing to Whitebox Fuzzing towards Verification 2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid Microsoft Research ISSTA2010 Page 1 July 2010 Acknowledgments Joint work with:

633 views • 38 slides
Debugging Debugging Tools Module Overview Introduction to Debugging Problems in Production

Debugging Debugging Tools Module Overview Introduction to Debugging Problems in Production

Welcome to Advanced .NET Debugging Debugging Tools Module Overview Introduction to Debugging Problems in Production Challenges in debugging Production issues Production Environment Debugging Timeline Tools for .NET Debugging Review 3

622 views • 47 slides
Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico

Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico Politecnico di Milano October 25, 2018 1 Index Coverage-guided fuzzing An overview of rev.ng Experimental results 2 Fuzzing 3 Fuzzing 1 Generate

1.36k views • 72 slides
Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange

Wi-Fi Advanced Fuzzing Wi-Fi Advanced Fuzzing Laurent BUTTI France Tlcom / Orange Division R&D firstname dot lastname at orange-ftgroup dot com research & development Forewords Wi-Fi Fuzzing/BlackHat EU 2007/Laurent Butti p

1.05k views • 78 slides
Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing

Modern Fuzzing of Media-processing projects Max Moroz, FOSDEM 2017 Agenda Fuzzing what is fuzzing, why fuzz, fuzzing types How to fuzz fuzz target, fuzzing engine, libFuzzer Media processing as a target

551 views • 19 slides
T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1

T-Fuzz: Fuzzing by Program Transformation Hui Peng 1 , Yan Shoshitaishvili 2 , Mathias Payer 1 1 2 Fuzzing as a bug finding approach Fuzzing is highly effective in finding bugs (CVEs) Developers use it as proactive defense measure:

844 views • 32 slides
FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr.

MASTER SEMINAR WS16/17 PROF. DR. ALEXANDER PRETSCHNER SAAHIL OGNAWALA FUZZING FOR VULNERABILITY DETECTION FUZZING FOR VULNERABILITY DETECTION WHO WE ARE Prof. Dr. Alexander Pretschner Head of Chair XXII Software Engineering @TUM since

489 views • 21 slides
Encoding ECMP/UCMP information in PCEP M. Koldychev Cisco Systems (mkoldych@cisco.com)

Encoding ECMP/UCMP information in PCEP M. Koldychev Cisco Systems (mkoldych@cisco.com)

IET ETF 105 Mo Montreal PCE PCE Wor Working Gro roup Encoding ECMP/UCMP information in PCEP M. Koldychev Cisco Systems (mkoldych@cisco.com) Presenter M. Sivabalan Cisco Systems (msiva@cisco.com) D. Dhody Huawei Technologies

604 views • 12 slides
Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction

Fuzzing the Media Framework in Android Alexandru Blanda OTC Security QA 1 Agenda Introduction Fuzzing Media Content in Android Data Generation Fuzzing the Stagefright Framework Logging & Triage Mechanisms 2 Introduction Fuzzing

1.12k views • 38 slides
NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein,

NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein,

NEUZZ: Efficient Fuzzing with Neural Program Smoothing Dongdong She, Kexin Pei, Dave Epstein, Junfeng Yang, Baishakhi Ray, and Suman Jana Columbia University 1 Fuzzing: a popular way to uncover bugs [Liang et al. 2019] 2 Evolutionary Fuzzing

1.02k views • 26 slides
Cisco IOS Embedded Packet Capture (EPC) Cisco IOS Embedded Packet Capture (EPC) The Cisco IOS

Cisco IOS Embedded Packet Capture (EPC) Cisco IOS Embedded Packet Capture (EPC) The Cisco IOS

Cisco IOS Embedded Packet Capture (EPC) Cisco IOS Embedded Packet Capture (EPC) The Cisco IOS Embedded Packet Capture (EPC) delivers a powerful troubleshooting and tracing tool. The feature allows for network administrators to capture data

518 views • 24 slides
S ft Software Architecture A hit t Bertrand Meyer (Nadia Polikarpova) ETH Zurich, February

S ft Software Architecture A hit t Bertrand Meyer (Nadia Polikarpova) ETH Zurich, February

Chair of Softw are Engineering S ft Software Architecture A hit t Bertrand Meyer (Nadia Polikarpova) ETH Zurich, February May 2009 Lecture 11: UML for Software f f Architectures Outline What is UML? What is UML? UML diagrams

926 views • 45 slides
UML2 et ses profils pour le temps-rel COLE D'T TEMPS REL 2005 GdR ARP Thme StrQdS

UML2 et ses profils pour le temps-rel COLE D'T TEMPS REL 2005 GdR ARP Thme StrQdS

UML2 & Real-Time UML2 et ses profils pour le temps-rel COLE D'T TEMPS REL 2005 GdR ARP Thme StrQdS Nancy, 13 - 16 Septembre 2005 Sbastien Grard CEA-LIST Saclay Sebastien.Gerard@cea.fr Dtsi/Sol/L-LSP Sbastien

972 views • 81 slides
Lecture 20: Live Sequence Charts 2015-02-03 Prof. Dr. Andreas Podelski, Dr. Bernd Westphal 20

Lecture 20: Live Sequence Charts 2015-02-03 Prof. Dr. Andreas Podelski, Dr. Bernd Westphal 20

Software Design, Modelling and Analysis in UML Lecture 20: Live Sequence Charts 2015-02-03 Prof. Dr. Andreas Podelski, Dr. Bernd Westphal 20 2015-02-03 main Albert-Ludwigs-Universit at Freiburg, Germany Contents & Goals

868 views • 53 slides
Responses to reviewers ques/ons DAQ design team CERN, 4 th November 2016 1. Produce an orgchart

Responses to reviewers ques/ons DAQ design team CERN, 4 th November 2016 1. Produce an orgchart

Responses to reviewers ques/ons DAQ design team CERN, 4 th November 2016 1. Produce an orgchart with leadership & person power in each box -is there a steering group? [ See next slides DUNE Organization 3 10.18.16 Eric James | NP04

1.13k views • 22 slides
[ ( R G ) ( R B ) ] + FCG Sect 16.6 Procedural Techniques 2 1

[ ( R G ) ( R B ) ] + FCG Sect 16.6 Procedural Techniques 2 1

University of British Columbia Reading for Last Time and Today Corrected Correction: HSI/HSV and RGB News CPSC 314 Computer Graphics HSV/HSI conversion from RGB H3 Q2: OK to use either HSV or HSI Jan-Apr 2007 FCG Chap 11 Texture

415 views • 4 slides
Frontend Wrapup COMP 520: Compiler Design (4 credits) Alexander Krolik

Frontend Wrapup COMP 520: Compiler Design (4 credits) Alexander Krolik

COMP 520 Winter 2017 Frontend Wrapup (1) Frontend Wrapup COMP 520: Compiler Design (4 credits) Alexander Krolik alexander.krolik@mail.mcgill.ca MWF 13:30-14:30, MD 279 COMP 520 Winter 2017 Frontend Wrapup (2) Announcements (Wednesday,

842 views • 31 slides
IRST SiPM characterizations and Application Studies G. Pauletta for the FACTOR collaboration

IRST SiPM characterizations and Application Studies G. Pauletta for the FACTOR collaboration

IRST SiPM characterizations and Application Studies G. Pauletta for the FACTOR collaboration Outline 1. Introduction (who and where) 2. Objectives and program (what and how) 3. characterizations 4. Applications 28 June 2007 G. Pauletta:

571 views • 36 slides
VIRTUAL CONFERENCE ictcm.com | # ICTCM 32 nd International Conference on Technology in

VIRTUAL CONFERENCE ictcm.com | # ICTCM 32 nd International Conference on Technology in

32 nd International Conference on Technology in Collegiate Mathematics VIRTUAL CONFERENCE ictcm.com | # ICTCM 32 nd International Conference on Technology in Collegiate Mathematics VIRTUAL CONFERENCE # ICTCM Tips, Tools, and Techniques

696 views • 34 slides

More recommend