The Avatar project: Improving embedded security with S²E, KLEE and Qemu (PowerPoint presentation)


SLIDE 1

The Avatar project: Improving embedded security with S²E, KLEE and Qemu

http://www.s3.eurecom.fr/tools/avatar/

Luca Bruno <lucab@debian.org>, J. Zaddach, A. Francillon, D. Balzarotti
SLIDE 2

2 02/02/2014

About us

  • Eurecom, a consortium of European universities on the French Riviera
  • Security research group
    – 9 people
  • Applied system security
    – Embedded systems
    – Networking devices
    – Critical infrastructures

SLIDE 3

Outline

  • Embedded security
  • Avatar overview
  • Framework components
  • Field testing
  • Conclusions
SLIDE 4

Software everywhere

  • Embedded devices are diverse – but all of them run software

SLIDE 5

Reasons for embedded security

  • Embedded devices are ubiquitous
    – Even if not visible, your lives depend on them
  • Can operate for many years
    – Legacy systems, no (security) updates
  • Have large attack surfaces
    – Networking, forgotten debug interfaces, etc.
  • Sometimes too easy to take over / backdoor
SLIDE 6

Challenges in embedded security

  • No source code available
    – Often monolithic, binary-only firmware
  • No toolchain available
  • No documentation available
  • Unique tools (to flash and debug) for each manufacturer

SLIDE 7

Wishlist for security evaluation

  • Typical PC-security toolbox
    – Advanced debugging techniques
      • Tracing
      • Fuzzing
      • Symbolic execution
      • Tainting
    – Integrated tools
      • IDA Pro
      • GDB
      • Netzob

[Figure: symbolic execution tree; branches labelled with the path constraints >0, ≤0, <8, ≥8 and 0<x<8, leaves labelled A, B, C, D, E]

SLIDE 8

Outline

  • Embedded security
  • Avatar overview
  • Framework components
  • Field testing
  • Conclusions
SLIDE 9

Why Avatar

  • Provide a framework for
    – In-vivo analysis of any kind of device
    – Advanced debugging
    – Easy prototyping
  • Integrated workbench
    – To use all techniques together on a live system
  • Not only focused on security
    – Debugging/profiling/tracing is hard in embedded environments

SLIDE 10

Avatar: basics

  • Emulate embedded devices' firmware
  • Forward peripheral accesses to the device under analysis
  • Do NOT attempt to emulate peripherals
    – No documentation
    – Reverse engineering is difficult

SLIDE 11

Avatar overview

[Figure: architecture diagram. The Firmware runs inside the Emulator; Avatar sits between the two sides with an Emulator Backend, a Target Backend and Plugins; a Proxy talks to the Embedded device. Memory reads/writes and interrupts are relayed in both directions (read/write memory → value, interrupt). The firmware excerpt shown executing in the emulator is ARM code:

    mov r2, r0
    mov r3, r1
    add r3, r3, #1
    add r2, ip, r2
    ldr r2, [r2], #0
    cmp r2, r3
]

SLIDE 12

Avoid NIH syndrome

  • S²E (Qemu + KLEE)
    – for emulation and symbolic execution
  • GDB and OpenOCD
    – to attach components and devices
  • Your own tools for analysis
    – IDA Pro, Capstone, Netzob...

SLIDE 13

Outline

  • Embedded security
  • Avatar overview
  • Framework components
  • Field testing
  • Conclusions
SLIDE 14

LLVM under the hood

  • S²E combines existing tools to achieve symbolic execution of x86/ARM binary code
    – Qemu translates binary code to an intermediate representation (TCG)
    – QEMU-LLVM translates TCG to LLVM bitcode
    – KLEE executes the LLVM bitcode symbolically

SLIDE 15

S²E in a nutshell

[Figure: S²E block diagram. Avatar attaches to the Emulator through the RemoteMem plugin, the S²E QMP/Lua interface, GDB and the Qemu config it writes. Inside Qemu, the frontend translates guest code to TCG; S²E hooks route each block either to the Qemu executer (concrete execution) or through LLVM to KLEE, which holds the symbolic states. VM state: registers, CPU state, memory.]

SLIDE 16

Python3 framework

[Figure: Avatar package diagram]
  • Avatar core: analysis script, analysis plugins
  • Target backend: GDB adapter, Telnet adapter, BinProto adapter, GDB/MI adapter
  • Emulator backend: memory forwarder, QMP/Lua interface, GDB interface, config writer
  • External processes: Emulator, Target

SLIDE 17

Analysis platform

  • Avatar provides analysis glue
    – Orchestrate execution
    – Bridge between emulator ⟷ device
    – Intercept/manipulate memory accesses
    – External integration, exposing GDB or JSON interfaces

SLIDE 18

Embedded target

[Figure: Avatar connects to the target device either through OpenOCD over JTAG or through an in-memory stub over UART]

Target state
  • Registers
  • CPU state
  • Memory

SLIDE 19

Target communication

  • Either a debugging interface
    – JTAG
    – Debug serial interface
  • Or code injection and a communication channel
    – GDB stub + serial port

SLIDE 20

Outline

  • Embedded security
  • Avatar overview
  • Framework components
  • Field testing
  • Conclusions
SLIDE 21

Use cases

  • Check for hidden backdoors in HDD firmware
  • Fuzzing/symbolic execution of SMS decoding on a feature phone
  • Vulnerability check on programmable wireless sensors

SLIDE 22

Bottlenecks

  • Emulated execution is much slower than execution on the real device
    – Memory access forwarding through a low-bandwidth channel is the bottleneck
    – In one case down to ~10 instr./sec.
  • Interrupts are tricky, can overwhelm emulation
SLIDE 23

Improving performance

  • Point of interest is often far down in the firmware
    – Trap execution on the device and transfer state to the emulator
  • A large part of forwarded accesses are to non-IO memory
    – Detect and drop forwarding for non-IO memory regions (stack, heap and code stay in the emulator)
  • High-periodicity interrupts can be synthesized to avoid saturation
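To make the forwarding rule concrete, here is an added example (my own illustration, not Avatar's code) of an emulator-side memory forwarder in the spirit of slides 10, 11 and 23: accesses that fall into a peripheral region are relayed to a target backend, accesses to flash, stack and heap are served from emulator memory, and the two configurations are replayed against the same access trace to show how many round trips the filter saves. The memory map, the target stand-in and the access trace are constructed for the example; the addresses are hypothetical and the register roles mentioned in comments are only illustrative.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    """One entry of the memory map handed to the forwarder."""
    name: str
    start: int
    size: int
    forward: bool  # True: relay to the device, False: keep in the emulator

    def contains(self, addr: int, size: int) -> bool:
        return self.start <= addr and addr + size <= self.start + self.size


class RecordingTarget:
    """Constructed stand-in for the device side (what OpenOCD over JTAG or an
    in-memory stub would answer). Records every access it is asked to serve."""

    def __init__(self, initial: dict | None = None):
        self.mem = dict(initial or {})
        self.log: list = []

    def read(self, addr: int, size: int) -> int:
        self.log.append(("r", addr, size))
        return self.mem.get(addr, 0)

    def write(self, addr: int, size: int, value: int) -> None:
        self.log.append(("w", addr, size, value))
        self.mem[addr] = value


class MemoryForwarder:
    """Emulator-side memory hook: decides per access whether to forward."""

    def __init__(self, regions: list, target: RecordingTarget):
        self.regions = list(regions)
        self.target = target
        self.local: dict = {}  # emulator-resident memory (word granular for the example)
        self.stats = {"forwarded": 0, "local": 0}

    def _region(self, addr: int, size: int) -> Region:
        for r in self.regions:
            if r.contains(addr, size):
                return r
        raise ValueError(f"access to unmapped address {addr:#010x}")

    def read(self, addr: int, size: int) -> int:
        if self._region(addr, size).forward:
            self.stats["forwarded"] += 1
            return self.target.read(addr, size)
        self.stats["local"] += 1
        return self.local.get(addr, 0)

    def write(self, addr: int, size: int, value: int) -> None:
        if self._region(addr, size).forward:
            self.stats["forwarded"] += 1
            self.target.write(addr, size, value)
        else:
            self.stats["local"] += 1
            self.local[addr] = value


# Hypothetical Cortex-M style map: flash, SRAM (stack/heap) and a peripheral window.
FLASH = Region("flash", 0x08000000, 0x10000, forward=False)
SRAM = Region("sram", 0x20000000, 0x1000, forward=False)
PERIPH = Region("periph", 0x40000000, 0x20000, forward=True)

# Naive configuration: forward every access to the device.
FORWARD_ALL = [Region("all", 0x00000000, 0x1_0000_0000, forward=True)]
# Configuration after the slide-23 optimisation: only peripheral accesses leave the emulator.
FORWARD_IO_ONLY = [FLASH, SRAM, PERIPH]

# Constructed access trace of a firmware fragment: two stack pushes, a busy-wait on a
# (hypothetical) UART status register, a data register write, the pops, a constant fetch.
TRACE = [
    ("w", 0x20000FF0, 4, 0xDEADBEEF),
    ("w", 0x20000FEC, 4, 0x08000120),
    ("r", 0x40013800, 4),
    ("r", 0x40013800, 4),
    ("w", 0x40013804, 4, 0x41),
    ("r", 0x20000FF0, 4),
    ("r", 0x20000FEC, 4),
    ("r", 0x08000200, 4),
]


def run_trace(regions: list, trace=TRACE) -> tuple:
    """Replay the trace through a forwarder; return access counts and the read results."""
    target = RecordingTarget({0x40013800: 0x80})  # status register reads back "ready"
    fwd = MemoryForwarder(regions, target)
    reads = []
    for op in trace:
        if op[0] == "r":
            reads.append(fwd.read(op[1], op[2]))
        else:
            fwd.write(op[1], op[2], op[3])
    return fwd.stats, reads


if __name__ == "__main__":
    for label, regions in (("forward all", FORWARD_ALL), ("forward IO only", FORWARD_IO_ONLY)):
        stats, _ = run_trace(regions)
        print(f"{label:16s} forwarded={stats['forwarded']:2d} local={stats['local']:2d}")
```

The read results are identical under both configurations; only the number of round trips over the slow debug channel changes (8 versus 3 for this trace). Whatever memory the emulator keeps locally must not be modified behind its back by the device, which is exactly the DMA caveat the Limitations slide raises.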

SLIDE 24

Outline

  • Embedded security
  • Avatar overview
  • Framework components
  • Field testing
  • Conclusions
SLIDE 25

Limitations

  • State consistency
    – DMA memory changes not tracked
  • Timing consistency
    – Emulated execution time much slower than real execution time
  • Symbolic execution
    – Coherency between HW and SW
  • Bug-finding strategies to be improved
SLIDE 26

Recap

  • Avatar is a tool to
    – Enable dynamic analysis
    – And perform symbolic execution
    – On embedded devices
    – Where only binary code is available

SLIDE 27

Questions?

Thank you for listening!

Thanks to Pascal Sachs and Luka Malisa who built an earlier prototype of the system, and Lucian Cojocar for contributions

SLIDE 28

References

  • AVATAR web page: http://www.s3.eurecom.fr/tools/avatar/
  • AVATAR: A Framework to Support Dynamic Security Analysis of Embedded Systems' Firmwares. Jonas Zaddach, Luca Bruno, Aurelien Francillon, Davide Balzarotti
  • Howard: A Dynamic Excavator for Reverse Engineering Data Structures. Asia Slowinska, Traian Stancescu, Herbert Bos
  • KLEE web page: http://ccadar.github.io/klee/
  • S2E web page: https://s2e.epfl.ch/
  • S2E: A Platform for In-Vivo Multi-Path Analysis of Software Systems. Vitaly Chipounov, Volodymyr Kuznetsov, George Candea
  • The S2E Platform: Design, Implementation, and Applications. Vitaly Chipounov, Volodymyr Kuznetsov, George Candea
  • QEMU web page: http://qemu.org
  • Dowsing for Overflows: A Guided Fuzzer to Find Buffer Boundary Violations. Istvan Haller, Asia Slowinska, Matthias Neugschwandtner, Herbert Bos

SLIDE 29

Extra: GDB stub

  • GDB can connect to targets using a serial interface and a simple protocol (the GDB remote serial protocol)
  • There is a stub implementation in the GDB source code tree, but not for ARM, and it is bloated (for our purposes)
  • 6 primitives are enough to give debugging support with software breakpoints:
    read bytes, write bytes, read registers, write registers, continue and get signal
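As an added illustration of those six primitives (my own example, not the stub the talk refers to and not Avatar's adapter code), here is a minimal GDB remote serial protocol handler in Python with the device replaced by a constructed stand-in: a flat memory window plus r0–r15 and cpsr. The session at the end does what GDB itself does for a software breakpoint when a stub answers Z0 with an empty packet: read the original word, overwrite it with a breakpoint instruction via M, continue, read the registers via g, then restore the word. The "continue" that scans forward until it meets the BKPT encoding is a model of the device, not an emulator; the memory layout, addresses, the simplified register packet (a real ARM g packet also carries FPA registers) and the choice of BKPT #0 as breakpoint opcode are assumptions for the example.

```python
SIGTRAP = 5
ARM_BKPT = bytes.fromhex("700020e1")   # BKPT #0 (0xe1200070), little-endian ARM mode (assumed)
ARM_NOP = bytes.fromhex("0000a0e1")    # mov r0, r0 (0xe1a00000), used as filler "firmware"


def checksum(payload: bytes) -> int:
    """RSP checksum: sum of payload bytes modulo 256."""
    return sum(payload) & 0xFF


def encode_packet(payload: bytes) -> bytes:
    return b"$" + payload + b"#" + b"%02x" % checksum(payload)


def decode_packet(raw: bytes) -> bytes:
    """Validate '$...#cs' framing and checksum; raise ValueError on a bad packet."""
    if not raw.startswith(b"$") or raw[-3:-2] != b"#":
        raise ValueError("bad framing")
    payload, cs = raw[1:-3], raw[-2:]
    if checksum(payload) != int(cs, 16):
        raise ValueError("bad checksum")
    return payload


class FakeArmTarget:
    """Constructed device model: flat memory at `base`, registers r0..r15 and cpsr."""

    def __init__(self, base: int = 0x20000000, size: int = 0x1000):
        self.base, self.mem = base, bytearray(size)
        self.regs = [0] * 17  # r0..r15, cpsr

    def _off(self, addr: int, n: int) -> int:
        off = addr - self.base
        if off < 0 or off + n > len(self.mem):
            raise ValueError("address out of range")
        return off

    def read_bytes(self, addr: int, n: int) -> bytes:
        off = self._off(addr, n)
        return bytes(self.mem[off:off + n])

    def write_bytes(self, addr: int, data: bytes) -> None:
        off = self._off(addr, len(data))
        self.mem[off:off + len(data)] = data

    def read_registers(self) -> list:
        return list(self.regs)

    def write_registers(self, regs: list) -> None:
        self.regs = list(regs)

    def resume(self) -> int:
        """Model of 'continue': advance pc one ARM instruction at a time until a BKPT
        is reached (running off the end of memory raises ValueError -> E01)."""
        while self.read_bytes(self.regs[15], 4) != ARM_BKPT:
            self.regs[15] += 4
        return SIGTRAP


class GdbStub:
    """The six primitives mapped onto RSP packets: m, M, g, G, c, ?."""

    def __init__(self, target: FakeArmTarget):
        self.target, self.last_signal = target, SIGTRAP

    def handle(self, payload: bytes) -> bytes:
        cmd, args = payload[:1], payload[1:]
        try:
            if cmd == b"m":                                    # read bytes
                addr, n = (int(x, 16) for x in args.split(b","))
                return self.target.read_bytes(addr, n).hex().encode()
            if cmd == b"M":                                    # write bytes
                spec, data = args.split(b":")
                addr, n = (int(x, 16) for x in spec.split(b","))
                raw = bytes.fromhex(data.decode())
                if len(raw) != n:
                    return b"E01"
                self.target.write_bytes(addr, raw)
                return b"OK"
            if cmd == b"g":                                    # read registers
                regs = self.target.read_registers()
                return b"".join(r.to_bytes(4, "little") for r in regs).hex().encode()
            if cmd == b"G":                                    # write registers
                raw = bytes.fromhex(args.decode())
                self.target.write_registers(
                    [int.from_bytes(raw[i:i + 4], "little") for i in range(0, len(raw), 4)])
                return b"OK"
            if cmd == b"c":                                    # continue
                self.last_signal = self.target.resume()
                return b"S%02x" % self.last_signal
            if cmd == b"?":                                    # get signal
                return b"S%02x" % self.last_signal
        except ValueError:
            return b"E01"
        return b""  # unsupported (e.g. Z0): GDB then plants breakpoints itself with M

    def serve(self, raw: bytes) -> bytes:
        """One round trip: '+' ack followed by the reply packet, or '-' on a bad packet."""
        try:
            payload = decode_packet(raw)
        except ValueError:
            return b"-"
        return b"+" + encode_packet(self.handle(payload))


def breakpoint_session() -> dict:
    """Drive the stub the way GDB does for a software breakpoint at base+0x10."""
    target = FakeArmTarget()
    target.write_bytes(target.base, ARM_NOP * 8)   # constructed firmware: eight NOPs
    target.regs[15] = target.base
    stub = GdbStub(target)

    def rsp(payload: bytes) -> bytes:
        reply = stub.serve(encode_packet(payload))
        assert reply.startswith(b"+"), reply
        return decode_packet(reply[1:])

    bp = target.base + 0x10
    saved = rsp(b"m%x,4" % bp)                                 # save original word
    rsp(b"M%x,4:%s" % (bp, ARM_BKPT.hex().encode()))           # plant BKPT
    stop = rsp(b"c")                                           # run to the breakpoint
    regs = bytes.fromhex(rsp(b"g").decode())
    pc = int.from_bytes(regs[15 * 4:16 * 4], "little")
    rsp(b"M%x,4:%s" % (bp, saved))                             # restore the word
    return {"stop": stop.decode(), "pc": pc, "restored": rsp(b"m%x,4" % bp) == saved}


if __name__ == "__main__":
    print(breakpoint_session())
```

On a real target the `FakeArmTarget` methods are where the stub touches hardware (memory-mapped reads and writes, saving and restoring the register frame in the exception handler), and `serve` is what sits behind the serial port; everything above it stays protocol-only. Answering Z0/Z1 with an empty packet is deliberate: it keeps hardware breakpoint support out of the stub and lets GDB (or Avatar's GDB adapter) fall back to the m/M-based software breakpoints the slide describes.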