inception system wide security testing of real
play

Inception: System-Wide Security Testing of Real- World Embedded - PowerPoint PPT Presentation

Sep 11, 2023 •250 likes •911 views

Inception: System-Wide Security Testing of Real- World Embedded Systems Software Nassim Corteggiani (Maxim Integrated / EURECOM) Giovanni Camurati (EURECOM) Aurlien Francillon (EURECOM) 08/15/18 Embedded Systems Are Everywhere [1]

  1. Inception: System-Wide Security Testing of Real- World Embedded Systems Software Nassim Corteggiani (Maxim Integrated / EURECOM) Giovanni Camurati (EURECOM) Aurélien Francillon (EURECOM) 08/15/18

  2. Embedded Systems Are Everywhere [1] https://community.arm.com/processors/b/bl og/posts/arm-cortex-m3-processor-the-core- of-the-iot 2 | Maxim Integrated | EURECOM

  3. Embedded Systems Are Everywhere [1] Low Power https://community.arm.com/processors/b/bl Micro-controllers og/posts/arm-cortex-m3-processor-the-core- of-the-iot 3 | Maxim Integrated | EURECOM

  4. Embedded Systems Are Everywhere Over 32 billions of ARM Cortex M3 shipped in 2018 [1] Cover a wide range of fields [1] Low Power https://community.arm.com/processors/b/bl Micro-controllers og/posts/arm-cortex-m3-processor-the-core- of-the-iot 4 | Maxim Integrated | EURECOM

  5. Why the Security of Such Systems Matters? 5 | Maxim Integrated | EURECOM

  6. Why the Security of Such Systems Matters? • Highly connected -> large scale attacks 6 | Maxim Integrated | EURECOM

  7. Why the Security of Such Systems Matters? • Highly connected -> large scale attacks • Difficulty to patch the code > Mask ROM → mask applied on the chip during the fabrication > Off-line devices 7 | Maxim Integrated | EURECOM

  8. Why the Security of Such Systems Matters? • Highly connected -> large scale attacks • Difficulty to patch the code > Mask ROM → mask applied on the chip during the fabrication > Off-line devices • Store sensitive data > Bitcoin wallet > Payment terminal 8 | Maxim Integrated | EURECOM

  9. Why the Security of Such Systems Matters? • Highly connected -> large scale attacks • Difficulty to patch the code > Mask ROM → mask applied on the chip during the fabrication > Off-line devices • Store sensitive data > Bitcoin wallet > Payment terminal • Drive sensitive hardware system > Physical damage > Production line outage > Signaling systems (red light) 9 | Maxim Integrated | EURECOM

  10. Exemple of Recent Security Issues Recent attacks 10 | Maxim Integrated | EURECOM

  11. Exemple of Recent Security Issues Recent attacks • Nintendo Switch Tegra X1 bootrom exploit 2018 > buffer overflow in the USB stack embedded in the mask ROM > Cannot be patched > Give access to the entire software stack 11 | Maxim Integrated | EURECOM

  12. How Can We Test Such Firmware Programs? • Symbolic Execution > High path coverage > Return test case for bugs 12 | Maxim Integrated | EURECOM

  13. Symbolic Execution Example i = symb_i Int buffer[2] i = < input > int buffer [ 2 ] = {0, 1}; 13 | Maxim Integrated | EURECOM

  14. Symbolic Execution Example i = symb_i Int buffer[2] FALSE TRUE i = < input > buffer[i] int buffer [ 2 ] = {0, 1}; 𝟏 ≤ 𝒋 < 𝟑 ¬(𝟏 ≤ 𝒋 < 𝟑) if( buffer [ i ] == 0 ) { Out of bounds access 14 | Maxim Integrated | EURECOM

  15. Symbolic Execution Example i = symb_i Int buffer[2] FALSE TRUE i = < input > buffer[i] int buffer [ 2 ] = {0, 1}; 𝟏 ≤ 𝒋 < 𝟑 ¬(𝟏 ≤ 𝒋 < 𝟑) if( buffer [ i ] == 0 ) { buffer [ i ] = 0xDEADBEEF ; } FALSE TRUE buffer[i] == 0 Out of bounds 𝒋 = 𝟏 ¬(𝒋 = 𝟏) access buffer[i] == 0xDEADBEAF 15 | Maxim Integrated | EURECOM

  16. Building A Symbolic Executor For Firmware Programs Klee as a basis • Inception is based on Klee a symbolic virtual machine: 16 | Maxim Integrated | EURECOM

  17. Building A Symbolic Executor For Firmware Programs Klee as a basis • Inception is based on Klee a symbolic virtual machine: > Widely deployed, efficient and based on the LLVM framework. 17 | Maxim Integrated | EURECOM

  18. Building A Symbolic Executor For Firmware Programs Klee as a basis • Inception is based on Klee a symbolic virtual machine: > Widely deployed, efficient and based on the LLVM framework. > Find memory safety violations 18 | Maxim Integrated | EURECOM

  19. Building A Symbolic Executor For Firmware Programs Klee as a basis • Inception is based on Klee a symbolic virtual machine: > Widely deployed, efficient and based on the LLVM framework. > Find memory safety violations > High code coverage 19 | Maxim Integrated | EURECOM

  20. Building A Symbolic Executor For Firmware Programs Klee as a basis C/C++ source • Inception is based on Klee a symbolic virtual machine: code > Widely deployed, efficient and based on the LLVM framework. > Find memory safety violations > High code coverage 20 | Maxim Integrated | EURECOM

  21. Building A Symbolic Executor For Firmware Programs Klee as a basis C/C++ source • Inception is based on Klee a symbolic virtual machine: code > Widely deployed, efficient and based on the LLVM framework. > Find memory safety violations > High code coverage Clang 21 | Maxim Integrated | EURECOM

  22. Building A Symbolic Executor For Firmware Programs Klee as a basis C/C++ source • Inception is based on Klee a symbolic virtual machine: code > Widely deployed, efficient and based on the LLVM framework. > Find memory safety violations > High code coverage Clang LLVM bit-code 22 | Maxim Integrated | EURECOM

  23. Building A Symbolic Executor For Firmware Programs Klee as a basis C/C++ source • Inception is based on Klee a symbolic virtual machine: code > Widely deployed, efficient and based on the LLVM framework. > Find memory safety violations > High code coverage Clang LLVM bit-code Klee 23 | Maxim Integrated | EURECOM

  24. Why testing source code instead of binary code ? Source VS Binary 24 | Maxim Integrated | EURECOM

  25. Why testing source code instead of binary code ? Source VS Binary b1 : .space 2 char b1 [ 2 ]; b2 : .space 2 char b2 [ 2 ]; getElement (int): char getElement ( int index ) ldr r2 , .L3 { add r3 , r2 , r0 return b1 [ index ]; ldrb r0 , [ r3 ] } bx lr .L3 : .word b1 25 | Maxim Integrated | EURECOM

  26. Why testing source code instead of binary code ? Source VS Binary b1 : .space 2 char b1 [ 2 ]; b2 : .space 2 char b2 [ 2 ]; getElement (int): char getElement ( int index ) ldr r2 , .L3 { add r3 , r2 , r0 return b1 [ index ]; ldrb r0 , [ r3 ] } bx lr .L3 : .word b1 26 | Maxim Integrated | EURECOM

  27. Why testing source code instead of binary code ? Source ( Klee/Clang …) VS Binary (SE2, angr, BAP) b1 : .space 2 char b1 [ 2 ]; b2 : .space 2 char b2 [ 2 ]; getElement (int): char getElement ( int index ) ldr r2 , .L3 { add r3 , r2 , r0 return b1 [ index ]; ldrb r0 , [ r3 ] } bx lr .L3 : .word b1 define i8 @getElement ( i32 index) { define i8 @getElement ( i32 %index ){ entry: entry: store i32 %index , i32 * @R0 %0 = load i32 * %index .addr store i32 268436792, i32 * @R2 %1 = getelementptr inbounds %R2_1 = load i32 * @R2 [2 x i8 ]* @b1 , i32 0, i32 %0 %R0_1 = load i32 * @R0 %2 = load i8 * %1 %R2_2 = add i32 %R2_1 , %R0_1 ret i8 %2 %R3_0 = inttoptr i32 %R2_2 to i32 * } %R3_1 = bitcast i32 * %R3_0 to i8 * %R3_2 = load i8 * %R3_1 27 | Maxim Integrated | EURECOM %R3_3 = zext i8 %R3_2 to i32

  28. Why testing source code instead of binary code ? Source ( Klee/Clang …) VS Binary (SE2, angr, BAP) b1 : .space 2 char b1 [ 2 ]; b2 : .space 2 char b2 [ 2 ]; getElement (int): char getElement ( int index ) ldr r2 , .L3 { add r3 , r2 , r0 return b1 [ index ]; ldrb r0 , [ r3 ] } bx lr .L3 : .word b1 define i8 @getElement ( i32 index) { define i8 @getElement ( i32 %index ){ entry: entry: store i32 %index , i32 * @R0 %0 = load i32 * %index .addr store i32 268436792, i32 * @R2 %1 = getelementptr inbounds %R2_1 = load i32 * @R2 [2 x i8 ]* @b1 , i32 0, i32 %0 %R0_1 = load i32 * @R0 %2 = load i8 * %1 %R2_2 = add i32 %R2_1 , %R0_1 ret i8 %2 %R3_0 = inttoptr i32 %R2_2 to i32 * } %R3_1 = bitcast i32 * %R3_0 to i8 * %R3_2 = load i8 * %R3_1 28 | Maxim Integrated | EURECOM %R3_3 = zext i8 %R3_2 to i32

  29. Source vs Binary • When source available testing binary is possible however: > Types are lost > Corruption will be detected later if at all > Worse on embedded systems • See: Muench et. al. What you corrupt is not what you crash, NDSS 2018 • Goal of Inception: improve testing for firmware during development > Limit requirements on code 29 | Maxim Integrated | EURECOM

  30. Major Challenges For Symbolic Execution of Firmware Programs Is C/C++ Support Enough To Test Real World Firmware ? 1000 100 108 10 98 80 22 1 STM32(demos) FreeRTOS(STM32) Mbed OS ChibiOS Functions2 • Number of functions including assembly instructions in real world embedded software 30 | Maxim Integrated | EURECOM

  31. Major Challenges For Symbolic Execution of Firmware Programs Is C/C++ Support Enough To Test Real World Firmware ? 1000 • Assembly code : > Multithreading > Optimizations 100 > Side channel counter-measures > Hardware features e.g. ultra low power mode 108 10 98 80 22 1 STM32(demos) FreeRTOS(STM32) Mbed OS ChibiOS Functions2 • Number of functions including assembly instructions in real world embedded software 31 | Maxim Integrated | EURECOM

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
OS Security Thierry Sans Security is a wide topic CSCD27 Computer and Network Security covers

OS Security Thierry Sans Security is a wide topic CSCD27 Computer and Network Security covers

OS Security Thierry Sans Security is a wide topic CSCD27 Computer and Network Security covers Cryptography Network security System security Web security (recap) Protection File systems implement a protection system Who

800 views • 30 slides
Security Testing - Where Automation Fails Today How does security testing of web

Security Testing - Where Automation Fails Today How does security testing of web

Security Testing - Where Automation Fails Today How does security testing of web applications work What does the tooling landscape look like How does automated security testing fail What can we do Image courtesy of

583 views • 56 slides
Testing temperature measuring system for security and gas self-extinguishing for MPD detector

Testing temperature measuring system for security and gas self-extinguishing for MPD detector

Master rack fire protection HFC-236fa refrigerant Measurement stand Received data Testing temperature measuring system for security and gas self-extinguishing for MPD detector Author: Patryk Marcola Supervised by: mgr in. Marek Peryt

245 views • 9 slides
Embedded analy+cs delivers system-wide visibility for debug, safety, security and more... Design

Embedded analy+cs delivers system-wide visibility for debug, safety, security and more... Design

Embedded analy+cs delivers system-wide visibility for debug, safety, security and more... Design and Reuse IP-SoC Days Shanghai 2017 Agenda Some obvious statements Some problems with exis4ng approaches Key requirements The

323 views • 18 slides
SHAC PRESENTATION SEPTEMBER 2011 Members: Maura ORahilly - SAC system wide Kathy Carney

SHAC PRESENTATION SEPTEMBER 2011 Members: Maura ORahilly - SAC system wide Kathy Carney

SHAC PRESENTATION SEPTEMBER 2011 Members: Maura ORahilly - SAC system wide Kathy Carney Nurse Leader system wide Mark Talbot Administrator system wide Anne Ward School Committee rep Friend Weiler- SRO system wide Shannon Jones

501 views • 17 slides
Combinatorial Security Testing: Combinatorial Testing Meets Information Security Dimitris E.

Combinatorial Security Testing: Combinatorial Testing Meets Information Security Dimitris E.

Combinatorial Security Testing: Combinatorial Testing Meets Information Security Dimitris E. Simos SBA Research Applied &amp; Computational Mathematics Division Seminar Series National Institute of Standards and Technology (NIST) Gaithersburg,

675 views • 50 slides
Testing Terminology System testing Types of errors Function testing Structure

Testing Terminology System testing Types of errors Function testing Structure

Outline Testing Terminology System testing Types of errors Function testing Structure Testing Dealing with errors Performance testing Quality assurance vs Acceptance testing Testing Installation testing

396 views • 11 slides
Real-Time Systems: Testing Your System in Linux Jiangnan Liu CSE 520S Spring 02/13/2020 With

Real-Time Systems: Testing Your System in Linux Jiangnan Liu CSE 520S Spring 02/13/2020 With

Real-Time Systems: Testing Your System in Linux Jiangnan Liu CSE 520S Spring 02/13/2020 With adaptions from Haoran Li What is meant by Time? Absolute time since some fixed past event, e.g.: q Seconds since start of the Unix Epoch (00:00:00

1.01k views • 34 slides
The Non-Virtual Reality of Testing or What's Feasible in Real World Testing Contents 1.

The Non-Virtual Reality of Testing or What's Feasible in Real World Testing Contents 1.

TER-10 The Non-Virtual Reality of Testing or What's Feasible in Real World Testing Contents 1. Introduction 2. Seven myths about testing and their demystification 3. A kind of conclusion Karol Frhauf, INFOGEM AG , CH-5400 Baden,

527 views • 23 slides
About us Since its inception in 1999, 9 EXPRESSION has created a place for itself by providing time

About us Since its inception in 1999, 9 EXPRESSION has created a place for itself by providing time

About us Since its inception in 1999, 9 EXPRESSION has created a place for itself by providing time bound services while consistently maintaining highest standards of quality. We have successfully catered to wide range of requirements in outdoor

268 views • 11 slides
Security Testing TDDC90 Software Security Ulf Kargn Department of Computer and Information

Security Testing TDDC90 Software Security Ulf Kargn Department of Computer and Information

Security Testing TDDC90 Software Security Ulf Kargn Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT) Security testing vs regular testing Regular testing aims to

1.06k views • 54 slides
Automate Security Testing and System Compliance Agenda Introduction to SCAP Introduction

Automate Security Testing and System Compliance Agenda Introduction to SCAP Introduction

Automate Security Testing and System Compliance Agenda Introduction to SCAP Introduction to STIG SUSE STIG Automation Demo Time Whats next? What is SCAP? The Security Content Automation Protocol is a multi-purpose

684 views • 37 slides
Real Tim e TRON TRON TRON Testing using UPPAAL W ith Mariius Mikucionis, Brian Nielsen, Arne

Real Tim e TRON TRON TRON Testing using UPPAAL W ith Mariius Mikucionis, Brian Nielsen, Arne

Real Tim e TRON TRON TRON Testing using UPPAAL W ith Mariius Mikucionis, Brian Nielsen, Arne Skou, Anders Hessel, Paul Pettersson Overview Introduction Informationsteknologi Conformance for Real-Time System Off-line Test

985 views • 80 slides
Testing Dr. Patrick McDaniel Meghan Riegel Fall 2015 What is Penetration Testing? Attacking

Testing Dr. Patrick McDaniel Meghan Riegel Fall 2015 What is Penetration Testing? Attacking

Introduction to Penetration Testing Dr. Patrick McDaniel Meghan Riegel Fall 2015 What is Penetration Testing? Attacking a system to find security vulnerabilities in order to fix them before a malicious party attacks the system Legal if

455 views • 9 slides
Real Tim e TRON TRON TRON TRON Testing Testing using UPPAAL W ith W ith Mariius

Real Tim e TRON TRON TRON TRON Testing Testing using UPPAAL W ith W ith Mariius

Real Tim e TRON TRON TRON TRON Testing Testing using UPPAAL W ith W ith Mariius Mikucionis, Brian Nielsen, Arne Skou, Anders Hessel, Paul Pettersson, Jacob I llum Rasm ussen Overview Introduction gi knolog Off-line Test

1.44k views • 61 slides
Toxicology Testing: Being a Detective Eddie Garcia MD Medical Toxicology Fellow University of

Toxicology Testing: Being a Detective Eddie Garcia MD Medical Toxicology Fellow University of

2/20/2020 Toxicology Testing: Being a Detective Eddie Garcia MD Medical Toxicology Fellow University of California San Francisco 1 Disclosures None 2 Topics Provoked urine testing Acetylcholinesterase testing 3 1 2/20/2020

569 views • 13 slides
FROM REQUIREMENTS TO TESTING, VALIDATION AND VERIFICATION Patricia Derler, National Instruments

FROM REQUIREMENTS TO TESTING, VALIDATION AND VERIFICATION Patricia Derler, National Instruments

FROM REQUIREMENTS TO TESTING, VALIDATION AND VERIFICATION Patricia Derler, National Instruments CPS V&amp;V I&amp;F Workshop 2017 April 2017 State of the Art Systems are becoming more complex, distributed, heterogeneous Tighter

386 views • 28 slides
Learning objectives Understand the purpose of integration testing Distinguish

Learning objectives Understand the purpose of integration testing Distinguish

Learning objectives Understand the purpose of integration testing Distinguish typical integration faults from faults that Integration and Component-based should be eliminated in unit testing Understand the nature of

260 views • 10 slides
S V V .lu software verification &amp; validation Testing of Cyber-Physical Systems:

S V V .lu software verification &amp; validation Testing of Cyber-Physical Systems:

S V V .lu software verification &amp; validation Testing of Cyber-Physical Systems: Diversity-driven Strategies Lionel Briand COW 57, London, UK Cyber-Physical Systems A system of collaborating computational elements controlling

808 views • 41 slides
Extending automotive certification processes to handle autonomous vehicles Dr Zeyn Saigol

Extending automotive certification processes to handle autonomous vehicles Dr Zeyn Saigol

Extending automotive certification processes to handle autonomous vehicles Dr Zeyn Saigol Principal Technologist | 14 th November 2019 Why is certifying AVs an important problem? &quot;Startups&quot;, because All major car manufacturers are

750 views • 46 slides
Functional Testing we design tests? And we ll start with functional testing. Software

Functional Testing we design tests? And we ll start with functional testing. Software

From Pressman, Software Engineering a practitioner s approach, Chapter 14 and Pezze + Young, Software Testing and Analysis, Chapters 10-11 Today, we ll talk about testing how to test software. The question is: How do

574 views • 20 slides
Computers in Ramsey Theory testing, constructions and nonexistence Stanisaw Radziszowski

Computers in Ramsey Theory testing, constructions and nonexistence Stanisaw Radziszowski

Computers in Ramsey Theory testing, constructions and nonexistence Stanisaw Radziszowski Department of Computer Science Rochester Institute of Technology, NY, USA Computers in Scientific Discovery 8 Mons, Belgium, August 24, 2017 1/33

820 views • 33 slides
Metrics, Statistics, Tests Tetsuya Sakai Microsoft Research Asia, P. R. China @tetsuyasakai

Metrics, Statistics, Tests Tetsuya Sakai Microsoft Research Asia, P. R. China @tetsuyasakai

Metrics, Statistics, Tests Tetsuya Sakai Microsoft Research Asia, P. R. China @tetsuyasakai February 6, 2013@PROMISE Winter School 2013 in Bressanone, Italy Why measure? IR researchers goal: build systems that satisfy the users system

723 views • 60 slides

More recommend