
The Avatar project: Improving embedded security with S²E, KLEE and Qemu



  1. The Avatar project: Improving embedded security with S²E, KLEE and Qemu
     http://www.s3.eurecom.fr/tools/avatar/
     Luca Bruno <lucab@debian.org>, J. Zaddach, A. Francillon, D. Balzarotti

  2. About us
     • Eurecom, a consortium of European universities on the French Riviera
     • Security research group – 9 people
     • Applied system security
       – Embedded systems
       – Networking devices
       – Critical infrastructures
     02/02/2014 2

  3. Outline
     • Embedded security
     • Avatar overview
     • Framework components
     • Field testing
     • Conclusions

  4. Software everywhere
     • Embedded devices are diverse
       – but all of them run software

  5. Reasons for embedded security
     • Embedded devices are ubiquitous
       – Even if not visible, your lives depend on them
     • Can operate for many years
       – Legacy systems, no (security) updates
     • Have large attack surfaces
       – Networking, forgotten debug interfaces, etc.
     • Sometimes too easy to take over/backdoor

  6. Challenges in embedded security
     • No source code available
       – Often monolithic binary-only firmwares
     • No toolchain available
     • No documentation available
     • Unique tools (to flash and debug) for each manufacturer

  7. Wishlist for security evaluation
     • Typical PC-security toolbox
       – Advanced debugging techniques
         • Tracing
         • Fuzzing
         • Symbolic Execution
         • Tainting
       – Integrated tools
         • IDA Pro
         • GDB
         • Netzob
     [Figure: example path-exploration tree: node A branches on ≤0 / >0 to B and C, C branches on <8 / ≥8 to D and E, the path to D being labelled 0<x<8]

  8. Outline
     • Embedded security
     • Avatar overview
     • Framework components
     • Field testing
     • Conclusions

  9. Why Avatar
     • Provide a framework for
       – In-vivo analysis of any kind of device
       – Advanced debugging
       – Easy prototyping
     • Integrated workbench
       – To use all techniques together on a live system
     • Not only focused on security
       – Debugging/profiling/tracing is hard in embedded environments

  10. Avatar: basics
     • Emulate embedded devices’ firmwares
     • Forward peripheral accesses to the device under analysis
     • Do NOT attempt to emulate peripherals
       – No documentation
       – Reverse engineering is difficult

  11. Avatar overview
     [Diagram: Avatar sits between an Emulator backend, which runs the firmware together with the analysis plugins, and a Target backend, a proxy to the embedded device; memory read/write requests travel from the emulator to the device, values and interrupts travel back. Firmware excerpt shown in the figure: mov r2, r0; mov r3, r1; add r3, r3, #1; add r2, ip, r2; ldr r2, [r2], #0; cmp r2, r3]

  12. Avoid NIH syndrome
     • S²E (Qemu+Klee)
       – for emulation and symbolic execution
     • GDB and OpenOCD
       – to attach components and devices
     • Your own tools for analysis
       – IDA Pro, Capstone, Netzob...

  13. Outline
     • Embedded security
     • Avatar overview
     • Framework components
     • Field testing
     • Conclusions

  14. LLVM under the hood
     • S²E combines existing tools to achieve symbolic execution of x86/ARM binary code
       – Qemu translates binary code to an intermediate representation (TCG)
       – QEMU-LLVM translates TCG to LLVM bytecode
       – KLEE executes LLVM bytecode symbolically

  15. S²E in a nutshell
     [Diagram: Avatar's emulator config drives the Qemu frontend; inside S²E, Qemu translates code to TCG, which the LLVM executer (KLEE) runs; S²E hooks expose GDB and QMP/Lua interfaces; a RemoteMem plugin handles the VM state (registers, CPU state, memory) and the symbolic states]

  16. Python3 framework
     [Diagram: an analysis script drives Avatar, which contains a Config writer, a GDB/MI adapter to GDB, an Emulator adapter to the emulator backend (QMP/Lua and Telnet interfaces), a Target adapter to the target backend (BinProto interface), a Memory forwarder and the Analysis Plugins]

  17. Analysis platform
     • Avatar provides analysis glue
       – Orchestrate execution
       – Bridge between emulator ⟷ device
       – Intercept/manipulate memory accesses
       – External integration, exposing GDB or JSON interfaces

  18. Embedded target
     [Diagram: Avatar reaches the target device either over UART to an in-memory stub or over JTAG through OpenOCD; the target state consists of registers, CPU state and memory]

  19. Target communication
     • Either a debugging interface
       – JTAG
       – Debug Serial Interface
     • Or code injection and a communication channel
       – GDB Stub + Serial Port

  20. Outline
     • Embedded security
     • Avatar overview
     • Framework components
     • Field testing
     • Conclusions

  21. Use cases
     • Check for hidden backdoors in HDD firmware
     • Fuzzing/symbolic execution of SMS decoding on a feature phone
     • Vulnerability checks on programmable wireless sensors

  22. Bottlenecks
     • Emulated execution is much slower than execution on the real device
       – Memory access forwarding through a low-bandwidth channel is the bottleneck
       – In one case down to ~10 instr./sec.
     • Interrupts are tricky, can overwhelm emulation

  23. Improving performance
     • Point of interest is often far down in the firmware
       – Trap execution on device and transfer state to the emulator
     • A large part of forwarded accesses are to non-IO memory
       – Detect and drop forwarding for non-IO memory regions (stack, heap and code in the emulator)
     • High-periodicity interrupts can be synthesized to avoid saturation
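The forwarding idea of slides 10/11 and the optimisation of slide 23, as an added example that is not Avatar's own code: a memory forwarder that serves code, stack and heap from the emulator and sends only peripheral (IO) accesses to the device. The region layout, the fake device and the access trace are constructed for illustration.

```python
# Added example (not Avatar's own code): a model of the forwarding policy from
# slides 10/11 and 23. Regions, the fake device and the trace are constructed.
from collections import namedtuple

Region = namedtuple("Region", "start end kind")   # end exclusive; kind "io" = forward

class MemoryForwarder:
    """Serve code/stack/heap from the emulator; forward only IO to the device."""

    def __init__(self, regions, device_read, device_write):
        self.regions = regions
        self.device_read, self.device_write = device_read, device_write
        self.local = {}                        # sparse byte map kept in the emulator
        self.forwarded = self.served_locally = 0

    def classify(self, addr, size):
        for r in self.regions:
            if r.start <= addr and addr + size <= r.end:
                return r.kind
        return "io"   # unmapped address: ask the device rather than guess a value

    def read(self, addr, size):
        if self.classify(addr, size) == "io":
            self.forwarded += 1
            return self.device_read(addr, size)
        self.served_locally += 1
        return bytes(self.local.get(addr + i, 0) for i in range(size))

    def write(self, addr, data):
        if self.classify(addr, len(data)) == "io":
            self.forwarded += 1
            self.device_write(addr, data)
        else:
            self.served_locally += 1
            for i, b in enumerate(data):
                self.local[addr + i] = b

def demo():
    """Replay a constructed trace; return (forwarded, served_locally, status)."""
    regions = [Region(0x08000000, 0x08100000, "code"), Region(0x20000000, 0x20010000, "heap"),
               Region(0x20010000, 0x20020000, "stack"), Region(0x40000000, 0x40100000, "io")]
    device = {0x40000004: b"\x01\x00\x00\x00"}            # fake peripheral status register
    fwd = MemoryForwarder(regions, lambda a, n: device.get(a, b"\x00" * n)[:n],
                          lambda a, d: device.__setitem__(a, d))
    fwd.write(0x2001FFF0, b"\xef\xbe\xad\xde")   # stack push: stays in the emulator
    fwd.read(0x08000100, 4)                       # instruction fetch: local
    status = fwd.read(0x40000004, 4)              # peripheral read: forwarded
    fwd.write(0x40000008, b"\x00" * 4)            # peripheral write: forwarded
    return fwd.forwarded, fwd.served_locally, status
```

Only two of the four accesses cross the slow channel; without the region filter all four would.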

  24. Outline
     • Embedded security
     • Avatar overview
     • Framework components
     • Field testing
     • Conclusions

  25. Limitations
     • State consistency
       – DMA memory changes not tracked
     • Timing consistency
       – Emulated execution time much slower than real execution time
     • Symbolic execution
       – Coherency between HW and SW
     • Bug-finding strategies to be improved

  26. Recap
     • Avatar is a tool to
       – Enable dynamic analysis
       – And perform symbolic execution
       – On embedded devices
       – Where only binary code is available

  27. Questions?
     Thank you for listening!
     Thanks to Pascal Sachs and Luka Malisa who built an earlier prototype of the system, and Lucian Cojocar for contributions

  28. References
     • AVATAR web page: http://www.s3.eurecom.fr/tools/avatar/
     • AVATAR: A Framework to Support Dynamic Security Analysis of Embedded Systems' Firmwares, Jonas Zaddach, Luca Bruno, Aurelien Francillon, Davide Balzarotti
     • Howard: A Dynamic Excavator for Reverse Engineering Data Structures, Asia Slowinska, Traian Stancescu, Herbert Bos
     • KLEE web page: http://ccadar.github.io/klee/
     • S2E web page: https://s2e.epfl.ch/
     • S2E: A Platform for In-Vivo Multi-Path Analysis of Software Systems, Vitaly Chipounov, Volodymyr Kuznetsov, George Candea
     • The S2E Platform: Design, Implementation, and Applications, Vitaly Chipounov, Volodymyr Kuznetsov, George Candea
     • QEMU web page: http://qemu.org
     • Dowsing for Overflows: A Guided Fuzzer to Find Buffer Boundary Violations, Istvan Haller, Asia Slowinska, Matthias Neugschwandtner, Herbert Bos

  29. Extra: GDB stub
     • GDB can connect to targets using a serial interface and a simple protocol
     • There is a stub implementation in the source code tree, but not for ARM and it’s bloated (for our purposes)
     • 6 primitives are enough to give debugging support with software breakpoints: read bytes, write bytes, read registers, write registers, continue and get signal
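The six primitives of slide 29, as an added example that is neither Avatar's nor GDB's code: the `$payload#checksum` framing of the GDB remote serial protocol and a minimal stub that answers the m/M (bytes), g/G (registers), c (continue) and ? (get signal) commands. The target memory and register file are constructed; registers are assumed to be 32-bit little-endian.

```python
# Added example, not Avatar's or GDB's code: packet framing and the six
# primitives of the GDB remote serial protocol from slide 29. The target
# memory and register file below are constructed.
import re

def frame(body: str) -> bytes:
    """Wrap a payload as $<body>#<two hex digits of sum(bytes) mod 256>."""
    return f"${body}#{sum(body.encode()) & 0xFF:02x}".encode()

def unframe(raw: bytes) -> str:
    """Validate a $...#cc packet and return its payload, else raise ValueError."""
    m = re.fullmatch(rb"\$(.*)#([0-9a-fA-F]{2})", raw, re.S)
    if not m or int(m.group(2), 16) != (sum(m.group(1)) & 0xFF):
        raise ValueError("bad packet or checksum")
    return m.group(1).decode()

class MiniStub:
    """m/M read/write bytes, g/G read/write registers, c continue, ? get signal.
    handle() returns the reply payload; the transport wraps it with frame()."""

    def __init__(self, mem: bytearray, regs: list):
        self.mem, self.regs, self.signal = mem, regs, 5    # 5 = SIGTRAP (breakpoint hit)

    def handle(self, body: str) -> str:
        cmd, args = body[:1], body[1:]
        if cmd == "?":                        # why did the target stop?
            return f"S{self.signal:02x}"
        if cmd == "m":                        # m<addr>,<len> -> hex bytes
            addr, n = (int(x, 16) for x in args.split(","))
            return self.mem[addr:addr + n].hex()
        if cmd == "M":                        # M<addr>,<len>:<hex bytes> -> OK
            spec, data = args.split(":")
            addr, n = (int(x, 16) for x in spec.split(","))
            self.mem[addr:addr + n] = bytes.fromhex(data)[:n]
            return "OK"
        if cmd == "g":                        # all registers, 32-bit little-endian hex
            return b"".join(r.to_bytes(4, "little") for r in self.regs).hex()
        if cmd == "G":                        # G<hex of all registers> -> OK
            raw = bytes.fromhex(args)
            self.regs = [int.from_bytes(raw[i:i + 4], "little") for i in range(0, len(raw), 4)]
            return "OK"
        if cmd == "c":                        # resume; a real stub replies at the next trap
            self.signal = 5
            return f"S{self.signal:02x}"
        return ""                             # unsupported command: empty reply
```

Software breakpoints need nothing beyond these: the debugger reads the original bytes with m, writes a trap instruction with M, resumes with c and learns of the hit through the S05 stop reply.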
