toward the analysis of embedded firmware through
play

Toward the Analysis of Embedded Firmware through Automated - PowerPoint PPT Presentation

Jan 02, 2023 •242 likes •963 views

Toward the Analysis of Embedded Firmware through Automated Re-hosting Eric Gustafson , Marius Muench, Chad Spensky, Nilo Redini, Aravind Machiry, Aurelien Francillon, Davide Balzarotti, Yung Ryn Choe, Christopher Kruegel, Giovanni Vigna Sandia

  1. Toward the Analysis of Embedded Firmware through Automated Re-hosting Eric Gustafson , Marius Muench, Chad Spensky, Nilo Redini, Aravind Machiry, Aurelien Francillon, Davide Balzarotti, Yung Ryn Choe, Christopher Kruegel, Giovanni Vigna Sandia National Laboratories is a multimission laboratory managed and operated by National Technology & Engineering Solutions of Sandia, LLC, a wholly owned subsidiary of Honeywell International Inc., for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-NA0003525.

  2. Let’s secure the IoT! 2 Pretender

  3. ....but there’s all this crazy hardware... 3 Pretender

  4. Our Analysis Goals: ● Fuzzing ○ Feed the program with lots of inputs until something bad happens ○ Make lots of copies of the code and its environment to make it feasible ● Symbolic Execution ○ Used to understand how data affects program behavior, and detect possible invalid behaviors ○ Needs a strong model of the code’s environment (software and hardware) to be tractable. 4 Pretender

  5. What if... 5 Pretender

  6. What if... 01010101 01010100 10101000 Extract! 6 Pretender

  7. What if... 01010101 01010100 Virtualize! 10101000 QEMU 7 Pretender

  8. What if... 01010101 01010101 01010100 Fuzz all the 01010101 01010100 10101000 QEMU 01010101 01010100 10101000 QEMU things!!! 01010101 01010100 10101000 QEMU 01010101 01010100 10101000 QEMU 01010101 01010100 10101000 QEMU 01010101 01010100 10101000 QEMU 01010101 01010100 10101000 QEMU 01010101 01010100 10101000 QEMU 01010101 01010100 10101000 QEMU 01010101 01010100 10101000 QEMU 01010101 01010100 10101000 QEMU 01010101 01010100 10101000 QEMU 01010101 01010100 10101000 QEMU 01010101 01010100 10101000 QEMU 01010100 10101000 QEMU 10101000 QEMU 8 Pretender

  9. Re-hosting to the Rescue? “ Re-hosting” : the act of transferring a piece of software from one execution environment into another, such as from a hardware device to a software emulator 9 Pretender

  10. ....but there’s all this crazy hardware... 10 Pretender

  11. Uh oh... 11 Pretender

  12. Firmware is hard! Device-specific code S Y S C Device-specific code A L L S Operating System Libraries (HALs, libc) M M M M I I O O Hardware Peripherals Hardware Peripherals OS-based firmware Blobs 12 Pretender

  13. Peripherals are Hard! FLASH MEMORY RAM M E M O R CPU Y B On-chip U Peripherals S (MMIO) 13 Pretender

  14. Peripherals are Hard! FLASH On- Off- chip MEMORY chip RAM M E M O R CPU Timers Y I2C I2C Bus Interface B U Power Cfg S Serial USART / UART interface 14 Pretender

  15. Peripherals are Hard! 15 Pretender

  16. Peripherals are Hard! 16 Pretender

  17. Peripherals are Hard! Offset Register Name Offset Register Name 0x0 Control 1 0x0 Status 0x4 Control 2 0x4 Data (RX and TX) 0x8 Control 3 0x8 Baud Rate 0xC Baud Rate 0xC Control 1 0x10 GTPR 0x10 Control 2 0x14 RTOR 0x14 Control 3 … ... … … ... 0x18 GTPR 0x20 Data RX 0x24 Data TX STM32L152 Serial port STM32F072 Serial port 17 Pretender

  18. Peripherals are Hard! ● Obtained a dataset of Cortex-M memory layouts as used by debuggers (SVD files) ● Data self-published by vendors (and is therefore extremely incomplete) ● 463 distinct chip models, 13 vendors, 1592 unique peripherals ● Mainline QEMU supports 3 Cortex-M CPUs, and zero of the above dataset! 18 Pretender

  19. Emulation is Hard! ● Hardware-in-the-loop isn’t sufficient ○ One thread per device ○ One device reboot per execution ● Replay is not sufficient! ○ Can’t do fuzzing without input 19 Pretender

  20. Four Attributes of Ideal Re-Hosting ● Virtual ○ Does not require hardware at the time of emulation 20 Pretender

  21. Four Attributes of Ideal Re-Hosting ● Virtual ○ Does not require hardware at the time of emulation ● Abstraction-less ○ Does not rely on any aspect of the program 21 Pretender

  22. Four Attributes of Ideal Re-Hosting ● Virtual ○ Does not require hardware at the time of emulation ● Abstraction-less ○ Does not rely on any aspect of the program ● Interactive ○ Responds to stimulus as the original hardware would 22 Pretender

  23. Four Attributes of Ideal Re-Hosting ● Virtual ○ Does not require hardware at the time of emulation ● Abstraction-less ○ Does not rely on any aspect of the program ● Interactive ○ Responds to stimulus as the original hardware would ● Automatic ○ Requires a minimum of human intervention 23 Pretender

  24. Re-hosting is hard! But are we doomed? Not yet.

  25. Can we observe the real hardware, to build models for an emulator?

  26. Pretender 26 Pretender

  27. Recording Inside the Device-specific code CPU Libraries (HALs, libc) M We want to record this, M but it’s inside the CPU! I O B Internal Peripherals u s s External Peripherals e s 27 Pretender

  28. Recording Now we just Inside the record here. CPU Device-specific code Problem solved? Libraries (HALs, libc) M M MMIO I B O Internal Peripherals QEMU u s R s P External Peripherals e AVATAR C s 28 Pretender

  29. Interrupts ● The current version of Avatar does not handle interrupts at all, but almost every firmware requires them ● Previous approaches leverage chip-specific hardware to observe interrupts ● Timing, masking, ordering, …. Cause extreme complications 29 Pretender

  30. Interrupt Recording QEMU Hardware RUNNING RUNNING Normal code Normal code MMIO… MMIO… MMIO... 30 Pretender

  31. Interrupt Recording QEMU Hardware INTERRUPT 0x2F!!! RUNNING STOPPED Normal code Interrupt Routine 31 Pretender

  32. Interrupt Recording Hardware QEMU STOPPED RUNNING Fake Interrupt Normal code Routine 32 Pretender

  33. Interrupt Recording Hardware QEMU RUNNING RUNNING Fake Interrupt Interrupt Routine Routine OK! Taking Interrupt 0x2F!! 33 Pretender

  34. Interrupt Recording Hardware QEMU RUNNING RUNNING Fake Interrupt Interrupt Routine Routine 34 Pretender

  35. Interrupt Recording QEMU Hardware RUNNING RUNNING Normal Code Normal Code OK! Done with Interrupt 0x2F!! 35 Pretender

  36. Modeling 1. Figure out which groups of memory locations are distinct “peripherals” 2. Figure out which interrupts those peripherals fire, and under which conditions 3. Assign a model to each location within the peripheral 36 Pretender

  37. Grouping Peripherals Op. Address Value READ 0x40000004 0x1000 WRITE 0x40010024 0x0 READ 0x40002000 0x8000 WRITE 0x40020004 0x1 READ 0x40000008 0x8 READ 0x40003000 0x10 … … … … … … ... 37 Pretender

  38. Grouping Peripherals 0x40000000 Op. Address Value READ 0x40000004 0x1000 WRITE 0x40010024 0x0 READ 0x40002000 0x8000 WRITE 0x40020004 0x1 READ 0x40000008 0x8 READ 0x40003000 0x10 … … … … … … ... 0x50000000 38 Pretender

  39. Grouping Peripherals 0x40000000 Op. Address Value READ 0x40000004 0x1000 WRITE 0x40010024 0x0 READ 0x40002000 0x8000 WRITE 0x40020004 0x1 Clustering: READ 0x40000008 0x8 READ 0x40003000 0x10 … … … … … … ... 0x50000000 39 Pretender

  40. Associating Interrupts Offset Value 0x0 ???????? 0x4 ???????? 0x8 ???????? 0xC ???????? 0x10 ???????? 40 Pretender

  41. Associating Interrupts Offset Value 0x0 ???????? 0x4 0xDEADBEEF 0x8 ???????? 0xC ???????? 0x10 ???????? 41 Pretender

  42. Associating Interrupts Offset Value Interrupt 0x2F! 0x0 ???????? Interrupt 0x2F! Interrupt 0x2F! 0x4 0xDEADBEEF Interrupt 0x2F! 0x8 ???????? 0xC ???????? 0x10 ???????? 42 Pretender

  43. Associating Interrupts ISR ENTER 0x2F READ Peripheral 1 WRITE Peripheral 4 READ Peripheral 4 WRITE Peripheral 1 READ Peripheral 4 READ Peripheral 4 READ Peripheral 4 WRITE Peripheral 4 WRITE Peripheral 1 ISR EXIT 0x2F 43 Pretender

  44. Associating Interrupts ISR ENTER 0x2F READ Peripheral 1 WRITE Peripheral 4 READ Peripheral 4 WRITE Peripheral 1 READ Peripheral 4 READ Peripheral 4 READ Peripheral 4 WRITE Peripheral 4 WRITE Peripheral 1 ISR EXIT 0x2F 44 Pretender

  45. Associating Interrupts ISR ENTER 0x2F READ Peripheral 1 WRITE Peripheral 4 Peripheral 4 READ Peripheral 4 generates Interrupt 0x2F! WRITE Peripheral 1 READ Peripheral 4 READ Peripheral 4 READ Peripheral 4 WRITE Peripheral 4 WRITE Peripheral 1 ISR EXIT 0x2F 45 Pretender

  46. Interrupt Trigger Inference Op. Offset Value WRITE 0x4 0xDEADBEEF ... ... … … ... ENTER 0x2F 46 Pretender

  47. Interrupt Trigger Inference Op. Offset Value WRITE 0x4 0xFACEBEEF WRITE 0x4 0xDEADBEEF … ... ... … … ... ... ... … … ... ISR ENTER 0x2F ISR ENTER 0x2F WRITE 0x4 0x0000BEEF ISR EXIT 0x2F … ... ... … … ... … ... ... … … ... ISR ENTER 0x2F WRITE 0x4 0xDEAD0000 47 Pretender

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples

Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples

avatar 2 Marius Muench 34c3 - December 29, 2017 Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples 5. Conclusion 1 Binary Firmware Analysis Motivation Amount of embedded devices steadily

3.29k views • 51 slides
Towards Automated Dynamic Analysis for Linux-based Embedded Firmware Dominic Chen 1 , Manuel Egele

Towards Automated Dynamic Analysis for Linux-based Embedded Firmware Dominic Chen 1 , Manuel Egele

Towards Automated Dynamic Analysis for Linux-based Embedded Firmware Dominic Chen 1 , Manuel Egele 2 , Maverick Woo 1 , David Brumley 1 1 Carnegie Mellon University, 2 Boston University {ddchen, pooh, dbrumley}@cmu.edu, megele@bu.edu 2 FIRMADYNE

404 views • 22 slides
Embedded Devices Security Firmware Reverse Engineering Jonas Zaddach Andrei Costin August 11,

Embedded Devices Security Firmware Reverse Engineering Jonas Zaddach Andrei Costin August 11,

Embedded Devices Security Firmware Reverse Engineering Jonas Zaddach Andrei Costin August 11, 2013 Andrei Costin/Jonas Zaddach www.firmware.re 1/104 About Jonas Zaddach PhD. candidate on "Development of novel binary analysis

1.25k views • 104 slides
Breaking Through Another Side Bypassing Firmware Security Boundaries from Embedded Controller

Breaking Through Another Side Bypassing Firmware Security Boundaries from Embedded Controller

Breaking Through Another Side Bypassing Firmware Security Boundaries from Embedded Controller Alex Matrosov Alexandre Gazet Actually 5 months of passionate reverse-engineering nights Disclaimer All the details given about BIOS Guard

968 views • 77 slides
Towards Automated Classification of Firmware Images and Identification of Embedded Devices Andrei

Towards Automated Classification of Firmware Images and Identification of Embedded Devices Andrei

IFIP SEC '17 (Rome, Italy) Towards Automated Classification of Firmware Images and Identification of Embedded Devices Andrei Costin (University of Jyvaskyla) Apostolis Zarras (TUM) Aurelien Francillon (EURECOM) Agenda Introduction

577 views • 34 slides
Embedded Devices Security Firmware Reverse Engineering Jonas Zaddach Andrei Costin Andrei

Embedded Devices Security Firmware Reverse Engineering Jonas Zaddach Andrei Costin Andrei

Embedded Devices Security Firmware Reverse Engineering Jonas Zaddach Andrei Costin Andrei Costin/Jonas Zaddach www.firmware.re 1/78 Administratrivia Please fill-in the BH13US Feedback Form - Thanks! The views of the authors are their

1.19k views • 78 slides
TPM2.0 practical usage Using a firmware TPM 2.0 on an embedded device Davide Guerri -

TPM2.0 practical usage Using a firmware TPM 2.0 on an embedded device Davide Guerri -

TPM2.0 practical usage Using a firmware TPM 2.0 on an embedded device Davide Guerri - dguerri@fb.com Production Engineer - Facebook London Agenda Trusted Platform Module 2.0: a practical example what is a TPM? using TPM2.0 (on a

612 views • 23 slides
Effective Validation of Firmware Enabling firmware development and validation to keep pace with

Effective Validation of Firmware Enabling firmware development and validation to keep pace with

Effective Validation of Firmware Enabling firmware development and validation to keep pace with hardware innovations. Tom Melham University of Oxford Problem Firmware today facing greater complexity and shorter schedules coded at low

478 views • 14 slides
development upgrades Michael Brown NGM Firmware Lead Technologist Dell EMC Embedded Linux

development upgrades Michael Brown NGM Firmware Lead Technologist Dell EMC Embedded Linux

Reducing the pain of Yocto development upgrades Michael Brown NGM Firmware Lead Technologist Dell EMC Embedded Linux Conference 2017 Outline Easier Yocto upgrades in development - Introduction - Problem Statement - Dell EMC

167 views • 15 slides
Front-end Firmware Transition and Documentation Status/Plans/Proposals Kurtis Nishimura

Front-end Firmware Transition and Documentation Status/Plans/Proposals Kurtis Nishimura

Front-end Firmware Transition and Documentation Status/Plans/Proposals Kurtis Nishimura University of Hawaii December 14, 2012 US Firmware Meeting 1 v2 Firmware Version 2 firmware is largely done: New interface to the DAQ

273 views • 5 slides
Avatar - Enhancing Binary Firmware Security Analysis with Dynamic Multi-Target Orchestration

Avatar - Enhancing Binary Firmware Security Analysis with Dynamic Multi-Target Orchestration

CRYPTACUS Workshop Nijmegen, 16 - 18 November 2017 Avatar - Enhancing Binary Firmware Security Analysis with Dynamic Multi-Target Orchestration Marius Muench <marius.muench@eurecom.fr> PART I Avatar - Enhancing Binary Firmware

1.04k views • 26 slides
Component Firmware http://outflux.net/slides/2014/lss/firmware.pdf Linux Security Summit, Chicago

Component Firmware http://outflux.net/slides/2014/lss/firmware.pdf Linux Security Summit, Chicago

Component Firmware http://outflux.net/slides/2014/lss/firmware.pdf Linux Security Summit, Chicago 2014 Kees Cook <keescook@chromium.org> (pronounced Case) Overview Wait, which firmware? Threats Update methods

311 views • 20 slides
Embedded Firmware Diversity for Smart Electric Meters Stephen McLaughlin , Dmitry Podkuiko, Adam

Embedded Firmware Diversity for Smart Electric Meters Stephen McLaughlin , Dmitry Podkuiko, Adam

301 views • 18 slides
DUNE DAQ Firmware David Cussans Firmware Meeting 16/Jan/20 You Inst Logo You Inst Logo Goal

DUNE DAQ Firmware David Cussans Firmware Meeting 16/Jan/20 You Inst Logo You Inst Logo Goal

DUNE DAQ Firmware David Cussans Firmware Meeting 16/Jan/20 You Inst Logo You Inst Logo Goal Demonstrate upstream DAQ functions in firmware before design review - Have implementation ready before May 2020 10-second buffer Hit

466 views • 13 slides
Cochlear Implant Systems todays challenges in embedded firmware design December 7, 2009 Ren

Cochlear Implant Systems todays challenges in embedded firmware design December 7, 2009 Ren

Cochlear Implant Systems todays challenges in embedded firmware design December 7, 2009 Ren Roos Cochlear Implant Systems? Cochlear and CTC Cochlear Implant Systems for hearing impaired people First Cochlear implant, 1978,

590 views • 19 slides
Hacking the Internet of Things Andrei Costin andrei@firmware.re @costinandrei What I do?

Hacking the Internet of Things Andrei Costin andrei@firmware.re @costinandrei What I do?

Hacking the Internet of Things Andrei Costin andrei@firmware.re @costinandrei What I do? Embedded Security Research 2009 RFID MiFare Classic (MFCUK) Click to edit Master text styles https://github.com/nfc-tools/mfcuk Second

1.12k views • 71 slides
high-sensitivity Troponin T measurements and 30-day mortality after noncardiac surgery PJ

high-sensitivity Troponin T measurements and 30-day mortality after noncardiac surgery PJ

Relationship between high-sensitivity Troponin T measurements and 30-day mortality after noncardiac surgery PJ Devereaux, MD, PhD McMaster University Background >5 Million Americans >45 yrs undergo in-patient noncardiac surgery

930 views • 10 slides
www.escardio.org www.escardio.org www.escardio.org www.escardio.org www.escardio.org

www.escardio.org www.escardio.org www.escardio.org www.escardio.org www.escardio.org

www.escardio.org www.escardio.org www.escardio.org www.escardio.org www.escardio.org www.escardio.org www.escardio.org www.escardio.org www.escardio.org www.escardio.org www.escardio.org www.escardio.org www.escardio.org

348 views • 31 slides
Randomised International Trial in the World:ACST-2 Alison Halliday MD Professor of Vascular

Randomised International Trial in the World:ACST-2 Alison Halliday MD Professor of Vascular

Update on the only remaining Carotid Multicenter Randomised International Trial in the World:ACST-2 Alison Halliday MD Professor of Vascular Surgery University of Oxford Disclosure Statement of Financial Interest I, Alison Halliday, DO NOT

479 views • 26 slides
Beyond Flexibility - Workflows in the perioperative Sector of the Healthcare Domain Workshop on

Beyond Flexibility - Workflows in the perioperative Sector of the Healthcare Domain Workshop on

Beyond Flexibility - Workflows in the perioperative Sector of the Healthcare Domain Workshop on Flexible Workflows in Distributed Systems (WiVS 2011) Markus Bandt, Robert Khn, Sebastian Schick, Holger Meyer Picture Source: Chris Caldwell,

363 views • 21 slides
A Scalable Processor with Embedded Software for Large- Scale Scientific Applications Daniel Alex

A Scalable Processor with Embedded Software for Large- Scale Scientific Applications Daniel Alex

A Scalable Processor with Embedded Software for Large- Scale Scientific Applications Daniel Alex Finkelstein and Haldun Hadimioglu Polytechnic University, Brooklyn, NY, USA Outline 1. Motivation/Goals and Related Work 2. Peripheral Context

887 views • 29 slides
Meson production in ultra-peripheral heavy ion collisions C.A. Bertulani C.A. Bertulani, 8th

Meson production in ultra-peripheral heavy ion collisions C.A. Bertulani C.A. Bertulani, 8th

Meson production in ultra-peripheral heavy ion collisions C.A. Bertulani C.A. Bertulani, 8th Workshop of the APS Topical Group on Hadronic Physics, April 11, 2019 Collaboration Fernando Navarra Victor Goncalves Adeola Adeluyi Gerhard Baur

749 views • 43 slides
What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices Marius Muench 1 Jan

What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices Marius Muench 1 Jan

What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices Marius Muench 1 Jan Stijohann 2 , 3 Frank Kargl 3 elien Francillon 1 Davide Balzarotti 1 Aur 1 EURECOM 2 Siemens AG 3 Ulm University Introduction Embedded

474 views • 29 slides
Using SoC Vendor HALs in in the Zephyr Proje ject Maureen Helm, NXP What is Zephyr Project?

Using SoC Vendor HALs in in the Zephyr Proje ject Maureen Helm, NXP What is Zephyr Project?

Using SoC Vendor HALs in in the Zephyr Proje ject Maureen Helm, NXP What is Zephyr Project? Small Footprint RTOS Truly Open Source Cross Architecture As small as 8KB Apache 2.0 License ARM Enables Hosted by Linux

340 views • 16 slides

More recommend