Embedded devices reverse engineering

Speech transcript
[Unintelligible introduction.] Hi everyone. First of all, a disclaimer: this talk is our own view, it does not represent IBM's position. We both work in IBM X-Force. A little bit about me: we are on the same team, an X-Force team covering the [unclear] region, and we do a lot of work in different areas of security, covering embedded devices, reverse engineering and penetration testing. So why did we decide to speak about this topic? Very
recently we had an interesting project testing a device which might be used in the automotive industry. It was based on FreeRTOS and a [unclear] core, and we had some interesting findings during this project. We also discovered that there are not too many resources about security on FreeRTOS; that was a big problem on the one side, and on the other side we had some issues actually reversing the firmware of the device. So after a lot of time spent reading documentation and header files, we thought it might be interesting for some of you who might come into a similar position if we share some of our findings. How many of you have done some embedded development? (Some hands.) Excellent, that's good; for you the next couple of slides will not be interesting. I am going to show you why a different mindset is needed when you are working on embedded devices, compared to the desktop stuff we are used to: developing software, reversing it, analyzing it. On the desktop we mostly deal with x86 architectures and the most common stuff running on Windows, and there are a lot of resources about that. Also, the hardware is very much hidden from us: there are some drivers which might or might not be interesting to us, but usually the hardware is behind the defined APIs, it is a black box; the operating system provides a level of abstraction from the hardware to the software world, and that is the main purpose of libraries and the operating system. It is very different in the embedded world. You only have a small CPU, a microcontroller, and there are a lot of choices: when I started there were only one or two, Intel or Motorola; now we have a lot of different architectures, and very common and very powerful devices coming from ARM, usually Cortex-M0 and the rest of the M family, which is made for embedded devices; you have the A family for application purposes and [unclear]. They come with a lot of peripherals, and the problem is that when you are developing for embedded stuff you need to be aware of both hardware and software; you cannot just sit and develop software for a device that you have never seen before. Embedded devices are everywhere because today it is much cheaper to put in a microcontroller than the simple transistors used before, so you have them everywhere, from coffee cups which only have some indicator of temperature, to small devices, to cars. Even our car is one big embedded system with wheels on it, and it has become a very interesting target for different attacks. The tools are more or less similar from both sides: we use whatever we usually use on the desktop, and you can use the same on embedded as long as it supports your target architecture. But there are some quirks; for example, our favorite tool [name unclear] needed to be set up in numerous places to decode the example we are going to show later correctly, so the setup is a little bit complicated. Something very useful that we are not going to show you today, because it is still work in progress, is a tool for structures dynamically created in memory. So I am going to speak a little bit about the architecture of FreeRTOS, to help us discover functions; when we are talking about FreeRTOS later it will be a little bit clearer. If any of these settings is not properly set up, you will have problems decoding instructions; for example, if you don't set up the segments and the default register values properly, you will have to manually search each line [unclear] on embedded devices.
Embedded devices are everywhere; the most popular embedded devices currently running are on Mars. Imagine designing something, putting it millions of kilometers away and then trying to fix it: that is the problem, and developers need to be aware of it. There is a limited amount of memory and resources, power consumption must be controlled, they must take care of real-time responses, and the device must be self-sustainable and resilient. What does that mean? About 200 days after the Mars rover [unclear]: it has two computers, because of the need for resilience, and they are designed so that in case the primary computer has any problems it shuts down and hands over to the secondary computer. The rover stopped responding to any commands. Why? Because the primary computer was stuck and was unable to switch to the secondary computer. Luckily there was a third communication device, independent of all of these, which made it possible to send commands from Earth to shut down the primary computer and switch over to the secondary one. So this is a very important clue about resilience and the self-sustainability of these devices.

The first problems come from the hardware side. You have debugging ports available, so you are able to connect and debug. Of course, in the case of the Mars rover, if somebody touches the device you have much more serious issues than the security of the device, but for the devices around us this is a big issue. Buses can be exposed, so you are able to just tap into the buses on the device and read all the protocols running there, if you can decode them of course. Then there is unprotected storage: for example, in the ARM family you usually have internal flash, but if you also have external memory for whatever purpose, for example for temporary storage, like an SD card, you can tap into that and collect information. There are all sorts of communication interfaces, including radio interfaces, which are used for everything, and they are easy to hop onto. It is also very common that developers forget to disable debugging features before release, which enables us to get to the bootloader, to download the firmware from the device and to do whatever we need to do. There are also software requirements. First, the software needs to be tailored specifically to the hardware of the device, and this is a big problem: usually you are used to some open development tools and architecture, and everything needs to be adjusted, which becomes a problem because of CPU speed, memory, the available storage, power consumption, error handling, bugs and resilience. So software developers must be able to adjust their processes and their code to the specific hardware. There is a lot of different hardware, as we already mentioned: different architectures with different endianness, different peripherals, and you need to account for all possible combinations of different devices. The solution for this is to use existing frameworks and real-time operating systems; this should help you solve it in a controllable manner. One of the very common real-time operating systems is FreeRTOS. It is nice because it is open source and it has been available on the market for a long time, but there is also a commercial version which is certified for security, which might be interesting if you want to take a look; more details are on the site shown down there. It supports almost every possible platform, including Arduino, so if you want to try it at home you can play with it. It is easy to port to new platforms: you need to change only the files which are hardware dependent, everything else stays as is. It supports multitasking and it has a tiny footprint. On top of this basic operating system there are additional modules available to make our device more usable: the first and most important is the TCP/IP stack, then we have a file system, a command line, and I/O support, digital GPIO. You all know what GPIO is? Yes. So the basic structure of FreeRTOS is as shown here: at the lowest level we have the hardware, on top of it the hardware-dependent code, mostly the files that I mentioned, then the hardware-independent FreeRTOS files, which stay the same and provide the same functionality, and then the code that you would like to execute on top of FreeRTOS, which will serve the purpose you intended.
The main components are the task scheduler and tasks. The scheduler is the orchestrator which takes care of executing tasks. Tasks are programmer-provided pieces of code; logically they would be like programs on the desktop, specific functions, and they execute concurrently, so it is multitasking. Each task has a separate stack, and you will see later how that is handled. There are also co-routines; I mention this, but it is not used anymore, it is not even supported anymore. Then there is inter-task communication: queues, to exchange information between tasks; semaphores and mutexes, for signalization; and timers for measuring time, as real-time is really important in this case. The most important structures are lists: everything in FreeRTOS is contained in some form of list. You have the task ready list, which is the most important one; it has pointers to all the task control blocks. The task control block contains all the necessary information for the scheduler to handle the task. So when you create the first task, you get a task control block somewhere in memory and number 1 in your task list. But when you create the first task, one more task will be automatically created, which is the idle task, task 0, which takes care of all the unused CPU cycles. So when you create your first task, it automatically creates the idle task as well. Now a little about semaphores: they can be binary semaphores, counting semaphores or mutexes; semaphores are used to signal between tasks, and mutexes are used to protect access to resources during multitasking. What will happen if you have two tasks, one with higher priority than the other, and each of them needs to access the same resource? First we start the high-level task; it creates a mutex protecting the resource. Then the low-level task executes; it accesses the other resource, which is not yet released by the high-level task, and takes a mutex. Now you are in the situation where you are blocked, because the high-level task cannot access the resource which is locked by the low-level task, so both are somewhat blocked and cannot proceed. FreeRTOS solves this by temporarily raising the priority of the task holding the mutex that the higher-level task is waiting for. So in this case the low-level task will be upgraded to the level of the high-level task, so it should be able to finish with the mutex and proceed accordingly, and then the high-level task waiting for it can continue. There are some security features within FreeRTOS. There is a separate SSL library [name unclear], which I believe is much smaller than the standard OpenSSL, and if you followed the news in the last couple of years, two serious issues were related to OpenSSL itself; it became too big for its purpose and difficult to maintain. So FreeRTOS uses a library which is very nice and small and supports everything that you actually need. Then there is stack overflow protection, and it supports different privilege levels for the tasks, but that is limited only to Cortex-M devices which have memory protection units. In this case you can create tasks with different privileges. This is not the best approach, because it is easy to walk around: the problem is that from an unprivileged task you can create a privileged task, so if you manage to exploit something in the unprivileged task you can find your way out of it by creating a privileged task and getting access. The difference between privileged and non-privileged tasks is that a privileged task has access to its own stack and to all other stacks, while an unprivileged task has access only to its own stack.
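The priority-inversion scenario the speaker describes, a high-priority task blocked on a mutex held by a low-priority task while a medium-priority task runs in between, and the fix of temporarily raising the holder's priority, can be reproduced in a small tick-based scheduler simulation. The following is an added example, not code from the talk or from FreeRTOS: the three tasks, their priorities and their release times are constructed here, and the scheduler is a simplified model (one mutex, fixed-priority preemptive scheduling, priority inheritance switchable on and off), so it shows the effect rather than FreeRTOS's actual implementation.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Task:
    """One simulated task. prog is a list of steps: ("work", n) burns n scheduler
    ticks, ("lock",) / ("unlock",) take or give the single shared mutex in zero time."""
    name: str
    prio: int                       # base priority; higher number = more urgent
    release: int                    # tick at which the task becomes ready
    prog: list
    pc: int = 0                     # index of the current step
    left: int = 0                   # ticks remaining in the current "work" step
    eff: int = 0                    # effective priority (raised by inheritance)
    blocked: bool = False
    finish: Optional[int] = None


def make_tasks():
    # Constructed scenario: L takes the mutex first, H then blocks on it, and a
    # medium-priority M becomes ready while L is still inside its critical section.
    return [
        Task("L", 1, 0, [("work", 1), ("lock",), ("work", 3), ("unlock",), ("work", 1)]),
        Task("H", 3, 2, [("work", 1), ("lock",), ("work", 1), ("unlock",)]),
        Task("M", 2, 3, [("work", 4)]),
    ]


def simulate(inherit, horizon=40):
    """Run the scenario with or without priority inheritance.
    Returns (schedule string, one letter per tick; {task name: completion tick})."""
    tasks = make_tasks()
    for x in tasks:
        x.eff = x.prio
    owner = None          # task currently holding the mutex
    waiters = []          # tasks blocked on the mutex
    trace = []
    for t in range(horizon):
        if all(x.finish is not None for x in tasks):
            break
        while True:
            ready = [x for x in tasks if x.release <= t and x.finish is None and not x.blocked]
            if not ready:
                break
            cur = max(ready, key=lambda x: x.eff)    # fixed-priority preemptive pick
            if cur.pc >= len(cur.prog):
                cur.finish = t
                continue
            op = cur.prog[cur.pc]
            if op[0] == "lock":
                if owner is None:
                    owner, cur.pc = cur, cur.pc + 1
                else:
                    cur.blocked = True
                    waiters.append(cur)
                    if inherit:                       # boost the holder to the waiter's level
                        owner.eff = max(owner.eff, cur.eff)
                continue                              # zero-time op: pick again this tick
            if op[0] == "unlock":
                cur.eff = cur.prio                    # inheritance ends with the release
                cur.pc += 1
                if waiters:
                    w = max(waiters, key=lambda x: x.eff)
                    waiters.remove(w)
                    w.blocked = False
                    w.pc += 1                         # the waiter's pending lock completes
                    owner = w
                else:
                    owner = None
                continue
            if cur.left == 0:                         # start of a "work" step
                cur.left = op[1]
            cur.left -= 1
            trace.append(cur.name)
            if cur.left == 0:
                cur.pc += 1
            break                                     # one tick consumed
    return "".join(trace), {x.name: x.finish for x in tasks}


if __name__ == "__main__":
    for mode in (False, True):
        sched, done = simulate(inherit=mode)
        print(f"inheritance={mode}: {sched}  finish={done}")
```

Without inheritance the schedule is LLHMMMMLLHL: M runs its whole four ticks while H sits blocked behind L, so H completes at tick 10. With inheritance L is boosted to H's level the moment H blocks, M cannot preempt it, and H completes at tick 6; M is merely delayed, which is the intended trade.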
Then there is the stack overflow protection that I mentioned: there are two possible modes. One simply checks whether your stack pointer is in the expected range; the other uses small canaries to detect whether the stack has been overwritten. A problem is the TCP/IP stack, which is not very robust, because this is an embedded device: it is not made to suffer the harassment of many users connecting to it all the time. So if you do anything more intensive, for example a port scan on this device, it might experience some issues. You see this very often with SCADA devices, which is why you never scan SCADA devices in production; they are really sensitive. And of course FreeRTOS is developed in C, so it inherits all the possible issues that you can have in any other C program. To be fair, I was searching for vulnerabilities; there were not so many that I could find, and that doesn't mean they don't exist, but I could not find them. You might find them in the custom created tasks, which can introduce vulnerabilities; FreeRTOS itself is relatively safe from that, and you can always investigate, because it is open source and everything that we discussed so far can be found in the source code provided on the site. We are going to develop a simple application that will later be taken apart here for the purpose of demonstration. I chose a simple application because it will be easier for us to see and to show you what is important. So we will create an application with only two goals: to check if a button is pressed, and if the button is pressed, to light an LED. It is very simple. This is the basic architecture that first comes to mind: the FreeRTOS task scheduler running two tasks. The first task detects if the button is pressed, does the debouncing and everything, and then just puts into a queue the information that the button was pressed. The other task, let's call it the LED task, verifies whether the queue has the information it expects and turns the LED on or off accordingly. This is nice, but this is not how it is actually done on embedded devices, so I created a little bit better architecture. The problem with the first architecture is that the device never goes to sleep; it is constantly polling. In this case I have changed the button to be an interrupt, so the device can go to sleep, and only when you press the button does it generate an interrupt and wake up. The interrupt handler detects that the device was woken up by the external interrupt and gives the binary semaphore, so it becomes available. The LED task waits for the semaphore to become available; when it detects that it is available it turns on the LED and then takes the semaphore again, so that it cannot do the same thing twice at the same time, and on the next button press the handler sets the semaphore again. The code for this is very simple. The bold lines are hardware lines: the setup of the hardware is hardware dependent, as expected; everything else is not. So we create the one task, which is the LED task, and the semaphore, and start the task scheduler. If we ever get past that, there is a problem with our application; the task scheduler should never return. Then the two functions: the first one is the LED task. It checks whether the semaphore is available; if it is not available it waits forever, and when it becomes available it toggles the LED. I use an alternate way of triggering the LED because of something that I will show you later. The interrupt handler in this case: there can be several sources on one line, so we need to specifically check which line raised the interrupt, and if it is our line, do what we need, which is to make the semaphore available. What remains is to compile the source code and upload everything to our device. Power on, and we see that it is running. So we can [unclear]; we expect some profit from it, of course we give this for free, but we make a lot of
mistakes, and the Dark Lord of Mordor is looking at you and will do something bad to our device. OK, so one of the things that is interesting: there is a good thing and a bad thing about embedded systems. The good thing is that the firmware is deeply tied into the MCU, and this means that you have a lot of documentation you can go to. For instance, for this example we focused on the STM32F0 MCU, which is based on the ARM Cortex-M0 core, and the good thing is that embedded firmware needs to be developed for the specific MCU, so you will have a lot of documentation about the MCU, the interrupts, the whole architecture. That is the good thing. On the other side, the bad thing is that it is tied to the MCU, so if you have the firmware and you don't know what its target is, it will be hard for you to understand what is going on inside, because you won't know the starting addresses or how to approach it. So it is a good thing and a bad thing. Also, you don't have a lot for string analysis: usually this kind of system does not need to output a lot of things to the user, so if you look at the strings you won't get that much information. As my colleague said, because the user code with FreeRTOS is embedded so deeply into the operating system, you don't have syscalls that you can search for; there are some functions that are reused when you compile the code, like the scheduler, but in reality you don't have syscalls to read memory or to read from some kind of interrupt. So it is not that easy to look and see where you are going to start. And from the memory point of view it is not protected: when your application is running, you are basically reading and writing memory addresses, whether you are trying to read from a register tied to a GPIO input or looking at an external interrupt; everything is memory addresses, so you don't really have the abstraction layer that you have under normal operating systems. This leads to some difficulties when you are trying to reverse engineer an application on this kind of device, as you don't have the usual desktop approach. The first thing is that, as my colleague said, when you load the image you have to set the initial address for the image; you need some information, the size of the image, you need to know what it is about. That is not that hard; the thing is the entry point, and it might not be that easy to find the entry point, to see how your program starts. You can wander around inside searching for it, but it is not easy, and you might not detect it. So can we find it, and how can we do it? Yes, we can. One of the things is that the STM32 by default has a group of interrupt handlers that help the firmware know what to do when the first events happen. In order to know where the interrupt handlers are, the MCU has an interrupt vector table, which is pretty much a table that holds all the information about what kind of interrupts can exist on the MCU, and one of these interrupts is the reset. What is the reset? When you power up the device, that is a reset, nothing else. So if we look at this table and look for the reset interrupt handler, we pretty much have our answer. If you look here, this is the table that you can get from the documentation, and you can see the initial stack pointer and the reset handler. The table pretty much goes at the beginning of the image, at offset 0. So you get data there that is not naturally in table form, and what we did was write a plug-in that gives us a mapping between these values and the actual names that are in the documentation. This is the data that we have, and after we run this script we see it like this; we also added some comments that help us initially understand what is going on. First we have the initial stack pointer, then we have the reset handler, and then there are others like the SysTick handler or the SVC handler, which are used by FreeRTOS to manage the tasks. Now that we have the addresses for the interrupt handlers, we can go there and actually see what is going on. The reset handler, in this case, is basically putting the initial stack address into the stack pointer, which is pretty much the first thing it does. So now we have an entry point, and this helps us start our analysis; now we can really see where our code starts being executed. Of course, as we said, this is highly dependent on the MCU; the good thing is that it is well documented, and if you know which MCU your image targets you can go online and search for the documentation, and you will find the description of that table, which will help you understand exactly what it is doing. So now we have an entry point, we know
where to start. But as I said, everything in FreeRTOS is pretty much reading from memory or writing to memory addresses; there are no syscalls. If you remember, I said that all the peripherals in the MCU are managed by addresses, so these ranges and offsets can be useful for us to understand exactly what our image is doing. Again we can go to the documentation of the MCU, and what we did was write a plug-in to help us: it has some information from the documentation, and it lists all the registers being manipulated and the functions that manipulate each register, so that we can go directly to the code that we want to see; it also adds some comments that help us. So in the end we begin to see things like this. For instance, in this case we know that we are writing the clock control register. This is important, because if you want to use a peripheral that has some kind of GPIO read or write, it has to have a clock and a register attributed to it. So even if you cannot find the specific register where the GPIO is being written, because some of these addresses can be generated at runtime, you can just search for this kind of register, which will tell you exactly which GPIO buses are being used. Some of these addresses can be generated in memory; however, the compiler tends to keep some of them hard coded so that it doesn't need to perform many operations during execution. One that is really interesting to see is the SysTick: it basically generates a clock and calls the SysTick interrupt every time the counter reaches 0. So if you want to check how the task switching is done, this is the place to go, and it tells you exactly how the clock is behaving, which is also really important if, for instance, you have a firmware which is checking at certain intervals for some signal coming from an external service. The other thing is that in the end we can see exactly which functions are manipulating a register, so we can have a more direct approach: look into those functions and see what they are doing. The code is ARM, so with fewer instructions [unclear] we will be able to understand it. So this is much more about what the methodology would be to get there, instead of just looking at the code and wondering where it is leading. In this case, for instance, what we have done is look at the SysTick function, and as you can see up there, we are setting the reload value and writing the control register. These specific registers belong to the core, to the ARM core, not to the MCU, because you have two different kinds of registers: the registers which belong to the ARM core, and the registers which are on the MCU; they are not the same and they are protected in different ways. In this case this is just an example of what we are seeing: we are directly setting the registers for the SysTick. In the first one we are giving it a thousand ticks; after a thousand ticks it will do something, and that something is defined by the second register, the control register. If you look at the documentation, we should go to the next one. Oh, my program crashed, but yeah. If we look at the ARM documentation you will see that those three bits are the ones that actually configure the register. So when we move 7 into that register, what we are saying is that we want the clock source to be 1, the tick interrupt to be 1 and enable to be 1. The clock source is just saying that it is the processor clock, it goes directly from the CPU; the tick interrupt says that when the counter comes to 0 it will raise an interrupt and wait, it will not move on to the next cycle; and enable just enables the clock. So in this case what it is doing is that every thousand ticks it will generate an interrupt and wait. This is the kind of thing that you find in the documentation of the ARM core, and in this case all MCUs based on the Cortex-M0 will have this kind of clock, which can be decoded the same way; but depending on the core and on the MCU you can have different registers. So what we did was basically try to have a kind of plug-in that helps us understand the code much more easily than just looking at it and knowing addresses off the top of my head. The other thing that is also interesting is that when you have a FreeRTOS application you will have critical sections, and this is really important, because sometimes when you are writing something you cannot have an interrupt; you have to say: stop, I am writing, and then continue. The ARM core has two specific instructions which allow you to enable or disable the interrupts, and this is a good place to start looking when trying to dissect an application, because most probably the critical code of your application will be inside a disable-interrupts block and, in the end, an enable-interrupts block of code. So the other thing that we
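The two plug-in steps the speakers describe above, decoding the vector table at offset 0 to recover the entry point, and annotating hard-coded register addresses found in the code (including decoding the SysTick control value 7), can be prototyped against a raw firmware dump. The following is an added example, not the speakers' plug-in or FreeRTOS code: the flash and SRAM windows and the STM32F0 peripheral addresses are assumptions, labelled as such in the code and to be checked against the MCU reference manual; the SysTick and NVIC addresses and the SYST_CSR bit layout are architectural for Cortex-M0; and the firmware image is constructed inline rather than dumped from a device.

```python
import struct

# Assumed STM32F0 memory windows (from the STM32F0 reference manual as remembered here;
# adjust to the target MCU). The image is linked at the start of flash.
FLASH = (0x08000000, 0x08000000 + 64 * 1024)
SRAM = (0x20000000, 0x20000000 + 8 * 1024)

# ARMv6-M (Cortex-M0) exception table, entries 0..15; entries 16 and up are device IRQs.
CORE_VECTORS = (["Initial SP", "Reset", "NMI", "HardFault"] + ["Reserved"] * 7
                + ["SVCall", "Reserved", "Reserved", "PendSV", "SysTick"])

# Register addresses the scan annotates. The SysTick and NVIC entries are architectural
# (same on every Cortex-M0); the STM32F0 peripheral entries are assumptions.
REGISTERS = {
    0xE000E010: "SYST_CSR  SysTick control/status (core)",
    0xE000E014: "SYST_RVR  SysTick reload value (core)",
    0xE000E018: "SYST_CVR  SysTick current value (core)",
    0xE000E100: "NVIC_ISER interrupt set-enable (core)",
    0x40021000: "RCC_CR    clock control (STM32F0, assumed)",
    0x40010000: "SYSCFG_CFGR1 (STM32F0, assumed)",
    0x40010400: "EXTI_IMR  external interrupt mask (STM32F0, assumed)",
}


def parse_vector_table(image):
    """Return [(index, name, value)] for the 16 core entries at offset 0 of the image."""
    words = struct.unpack_from("<16I", image, 0)
    return list(zip(range(16), CORE_VECTORS, words))


def vector_is_plausible(index, value):
    """Sanity check one entry: the SP must point into SRAM, reserved slots are 0,
    handlers are Thumb addresses (bit 0 set) inside the flash window."""
    if index == 0:
        return SRAM[0] < value <= SRAM[1]
    if value == 0:
        return CORE_VECTORS[index] == "Reserved"
    return value & 1 == 1 and FLASH[0] <= (value & ~1) < FLASH[1]


def entry_point(image):
    """Reset handler with the Thumb bit cleared: where analysis should start."""
    return parse_vector_table(image)[1][2] & ~1


def decode_systick_ctrl(value):
    """Names of the SYST_CSR bits set in value (ENABLE=0, TICKINT=1, CLKSOURCE=2, COUNTFLAG=16)."""
    bits = {0: "ENABLE", 1: "TICKINT", 2: "CLKSOURCE", 16: "COUNTFLAG"}
    return [name for bit, name in bits.items() if value >> bit & 1]


def find_register_refs(image):
    """Map known register address -> image offsets where it appears as a word-aligned
    literal (compilers keep many peripheral addresses in literal pools, as the talk notes)."""
    hits = {}
    for off in range(0, len(image) - 3, 4):
        (word,) = struct.unpack_from("<I", image, off)
        if word in REGISTERS:
            hits.setdefault(word, []).append(off)
    return hits


def build_sample_image():
    """Constructed stand-in for a firmware dump: a vector table followed by a few words
    that imitate a literal pool referencing SysTick and RCC registers."""
    vectors = [0x20002000, 0x08000101, 0x08000121, 0x08000121] + [0] * 7 \
        + [0x08000201, 0, 0, 0x08000301, 0x08000401]
    pool = [0x4B01F000, 0xE000E010, 0xE000E014, 0x40021000, 0x12345678]   # filler + literals
    return struct.pack("<%dI" % (len(vectors) + len(pool)), *(vectors + pool))


def triage(image):
    """Print the annotated table and register references; return the findings as a dict."""
    table = parse_vector_table(image)
    report = {"entry_point": entry_point(image),
              "bad_vectors": [name for i, name, v in table if not vector_is_plausible(i, v)],
              "register_refs": {REGISTERS[a]: offs for a, offs in find_register_refs(image).items()}}
    for i, name, v in table:
        flag = "" if vector_is_plausible(i, v) else "  <-- implausible"
        print(f"[{i:2}] {name:11} 0x{v:08X}{flag}")
    print("entry point: 0x%08X" % report["entry_point"])
    for desc, offs in report["register_refs"].items():
        print(f"{desc} referenced at offsets {offs}")
    return report


if __name__ == "__main__":
    triage(build_sample_image())
    print("SYST_CSR = 7 ->", decode_systick_ctrl(7))
```

The plausibility check is what separates a real vector table from arbitrary data: with the Thumb bits set and every handler inside the flash window, all 16 entries pass, which also confirms the load address chosen for the image before following the reset handler. The register scan only looks at word-aligned literals; scanning unaligned positions as well finds more hits but also more noise from unrelated data.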
tried to do was basically list all the functions that enable the interrupts, because that will be the end of our block, so we want to go from the bottom up. So in this case we'll just list all functions that have the instruction to enable them, and then the functions that call that function, and this helps us understand that in this case, for instance, the function one disables the interrupts right at the beginning of its execution and then enables them only really, really far down in the code. So if you want to know exactly what that block of code was doing, the thing to do is just to see what was going on between those two points. So in here we go to some function, but you'll see that we are calling the CDC, which we identified as being one of the functions that really has inside it the code to re-enable interrupts. Now, enabling and disabling interrupts is not that linear, because each interrupt will have a different priority, and there are a couple of priorities that will actually make the FreeRTOS kernel stop and execute the handler for that interrupt. So it really depends on the priority of your code. Again, there are registers that are used to define the priority of each handler, and again that's just a register inside the MCU; you just have to look at the documentation and you have exactly which register they are talking about. So there are a couple of other really interesting registers, like the SYSCFG, which is basically a register with many purposes. When we go a little back, all MCUs have several pins, and those pins will be connected to a multiplexer, which will be enabled or disabled according to the bits that you set. So this means that you basically have a GPIO, but on this architecture you have two buses which have
several GPIOs, and then you need to select which ones you want to check. So this register, the SYSCFG EXTI one, basically allows you to configure which external interrupt you want to have, and then you have the EXTI register, which basically allows you to define the handlers for those interrupts, and then you also have the clock source we have already talked about, and the NVIC registers, the nested vectored interrupt controller, which is the one that allows you to actually define the interrupts that you'll have: how you handle those interrupts and which priorities you have on those interrupts. So the EXTI allows you to define which ones are the external interrupts that you'll be using, the NVIC allows you to define the priority of those interrupts, and you have the clock, which is also interesting, because if you want to have the GPIO external, to read from flash memory or from some other kind of external device, you'll need to give it a clock. So even if you don't find the address that allows you to identify which GPIO you are using, you can check this register to see which things are being enabled, which GPIOs are being enabled, so it gives you a clue where to find afterwards what you need. And based on this, basically what we did was:
we defined the list of registers, so using the tree that we built, when we run the script it will search the code for all of these registers, and it will give us this output, which allows us to understand which functions are doing what, and at the same time it also adds some comments to the code, so that when anyone is looking at the code they can more or less understand what is going on. So there's a lot of work to be done on this, basically,
because this is highly dependent on the MCU, so not all of them will have the same registers, so we need to rely on heuristics to find registers which are being computed dynamically. That again can also help in identifying which interrupts and which external devices are being used. There is also another thing that we want to do, which basically looks at the table that we talked about and automatically decodes the code that it points to. And that's more or less what could be done, especially because there are so many different MCUs, so many different cores that can be used, that doing this for all of them is really a huge task of reading documentation and adding annotations. So the idea is that this plugin can be updated by anyone and can just basically be used as they need. Another thing that we would like to achieve is the identification of the type of image, which is something that is not that easy, and again it's highly dependent on the MCU. And I think that's it.
Thank you. We have time for questions if you have any. [Question] I have one quick question, because I haven't understood: you were talking about disabling interrupts and you said ... can you explain that? [Answer] So when we use enable or disable interrupts, that's possible, but you need to give it a priority, and there are certain levels of priority, between 3 and 1, where even though you disabled interrupts the core will always execute the handler, and even the FreeRTOS kernel will stop running that task. So when we see that there is a function enabling or disabling interrupts, we must be careful, because we cannot assume that that will actually happen [inaudible]. Yeah. Nobody else? OK, so I think that's it. Thank you.
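The scanning approach the talk describes (list the interrupt enable/disable instructions, search the code for known peripheral register addresses, then annotate the listing) can be shown outside IDA on a raw firmware blob. The following is an added example, not the speakers' IDA script or any project code; the peripheral windows are the STM32F0 memory-map base addresses (RCC, SYSCFG, EXTI, NVIC, GPIOA/B), the CPS opcodes are the standard Thumb encodings, and the sample image is constructed by hand so the script runs offline.

```python
"""Added example: scan a raw Cortex-M0 (Thumb) firmware image for interrupt
masking instructions and literal-pool references to STM32F0 peripheral
registers, then emit IDA-style comment lines. This is not the speakers'
IDA script; peripheral windows are from the STM32F0 memory map and the
sample image is constructed by hand."""
import struct

# Peripheral base address and window size: a subset of the STM32F0 map.
PERIPHERALS = {
    "RCC":    (0x40021000, 0x400),   # clock enables for buses and peripherals
    "SYSCFG": (0x40010000, 0x400),   # SYSCFG_EXTICR: GPIO port -> EXTI line
    "EXTI":   (0x40010400, 0x400),   # external interrupt mask and edge select
    "NVIC":   (0xE000E100, 0x400),   # Cortex-M0 ISER/ICER/IPR (enable, priority)
    "GPIOA":  (0x48000000, 0x400),
    "GPIOB":  (0x48000400, 0x400),
}

# Thumb encodings of the Cortex-M0 CPS instructions that set/clear PRIMASK.
CPS_OPCODES = {0xB662: "cpsie i", 0xB672: "cpsid i"}


def classify_address(addr):
    """Return (peripheral name, register offset) if addr lies in a known window."""
    for name, (base, size) in PERIPHERALS.items():
        if base <= addr < base + size:
            return name, addr - base
    return None


def vector_table(blob, count=2):
    """Decode the first `count` words: initial SP, then handler addresses
    (Thumb bit cleared so the value is the handler's code address)."""
    words = struct.unpack_from(f"<{count}I", blob, 0)
    return [words[0]] + [w & ~1 for w in words[1:]]


def scan_firmware(blob, load_base=0x08000000):
    """Return (interrupt ops, peripheral literals) found in a Thumb image.
    Halfwords are checked for CPS opcodes; word-aligned words are checked
    against the peripheral map, which is where `ldr rX, =ADDR` literals live."""
    interrupt_ops = []
    for off in range(0, len(blob) - 1, 2):
        (hw,) = struct.unpack_from("<H", blob, off)
        if hw in CPS_OPCODES:
            interrupt_ops.append((load_base + off, CPS_OPCODES[hw]))
    peripheral_refs = []
    for off in range(0, len(blob) - 3, 4):
        (word,) = struct.unpack_from("<I", blob, off)
        hit = classify_address(word)
        if hit:
            peripheral_refs.append((load_base + off, hit[0], hit[1]))
    return interrupt_ops, peripheral_refs


def critical_sections(interrupt_ops):
    """Pair each `cpsid i` with the next `cpsie i` (the bottom-up walk the talk
    describes); a cpsid with no later cpsie stays open and is not reported."""
    sections, start = [], None
    for addr, mnem in interrupt_ops:
        if mnem == "cpsid i" and start is None:
            start = addr
        elif mnem == "cpsie i" and start is not None:
            sections.append((start, addr))
            start = None
    return sections


def annotate(blob, load_base=0x08000000):
    """Comment lines a plugin would attach to the listing."""
    sp, *handlers = vector_table(blob)
    ops, refs = scan_firmware(blob, load_base)
    lines = [f"initial SP {sp:#010x}"]
    lines += [f"reset handler -> {h:#010x}" for h in handlers]
    lines += [f"{a:#010x}: {m}" for a, m in ops]
    lines += [f"{a:#010x}: literal -> {n}+{o:#x}" for a, n, o in refs]
    lines += [f"critical section {s:#010x}..{e:#010x}"
              for s, e in critical_sections(ops)]
    return lines


# Constructed sample image: 2-entry vector table, one function that masks
# interrupts, writes a peripheral register, unmasks and returns, then a
# literal pool holding four peripheral base addresses.
SAMPLE_IMAGE = (
    struct.pack("<II", 0x20002000, 0x08000009)   # initial SP, reset vector (Thumb bit set)
    + struct.pack("<HHHHHH",
                  0xB672,   # cpsid i
                  0x4802,   # ldr r0, [pc, #8]  -> RCC base from the literal pool
                  0x6001,   # str r1, [r0]
                  0xB662,   # cpsie i
                  0x4770,   # bx lr
                  0xBF00)   # nop, keeps the literal pool word-aligned
    + struct.pack("<IIII", 0x40021000, 0x40010000, 0xE000E100, 0x40010400)
)

if __name__ == "__main__":
    for line in annotate(SAMPLE_IMAGE):
        print(line)
```

Running it prints the reset handler address, both CPS instructions, the four literal-pool references with the peripheral they fall in, and the cpsid..cpsie range between them. On a real image the halfword scan will also match data that happens to equal a CPS opcode, so the hits are leads to confirm in the disassembler, not ground truth; that is also why the talk's tool keys on per-MCU register lists rather than instruction patterns alone.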
Metadata

Formal metadata

Title Embedded devices reverse engineering
Series title REcon 2017 Brussels Hacking Conference
Part 09
Number of parts 20
Author Ventura, Vitor
Nikolić, Vladan
License CC Attribution 4.0 International:
You may use, modify and reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal purpose, provided you credit the author/rights holder in the manner they have specified.
DOI 10.5446/32385
Publisher REcon
Publication year 2017
Language English
Production place Brussels

Content metadata

Subject area Computer science
Abstract Embedded devices are everywhere. With new powerful micro CPUs which pack more power than a CRAY-1 while costing just a couple of pence, the question of whether to use a micro CPU is no more. Developers are using them for even the simplest of tasks. IoT devices are using more powerful and more complex devices with multiple peripherals and cores, which support a TCP/IP stack and a multitude of layer 2 networking protocols. There are different frameworks created to help developers write the complex software needed to drive these devices. Specifics of the environment force a focus on continuous operation with high reliability while keeping power consumption and memory requirements low, while security is mostly an afterthought if implemented at all. By introducing FreeRTOS as an example of a framework for embedded device firmware development, we'll explore the basics of its architecture and its security features (and the lack of them). Reverse engineering plays a big role in security assessment in the IoT space; being a very simple real-time operating system, FreeRTOS lacks the traditional separation between kernel and userland space, which tends to make it harder to tell user code from framework code, increasing the time needed to perform reverse engineering. Access to peripherals also works in different ways, as there are no well-known syscalls. While doing a security assessment in the automotive industry we came across the STM32F0 micro CPU made by STM, based on an ARM Cortex-M0, a simple processor used a lot in the IoT world running FreeRTOS; while researching resources related to reverse engineering it, we came to the conclusion that there are not too many such resources, specifically compared to how common this processor and FreeRTOS are. We'll investigate the FreeRTOS source code and show the basics of memory organization. We'll address some IP stack specifics, the way tasks are handled, the SSL library and stack protection.
We'll cover tasks, mutexes, semaphores, and interrupt handling. We'll also show specifics of memory organization and the memory structures used for task handling. We're going to use a simple demo showing how to blink an LED when a button is pressed, to demonstrate the mapping between source and compiled code and the execution flow in FreeRTOS. Building upon this example, we'll demonstrate useful techniques for reverse engineering firmware for such an OS. We will show how to differentiate memory accesses from GPIO functions. We will demonstrate a tool (an IDA script) to help automate this process. It should cover automatically addressing pin names, signals and variables as defined in the RTOS source code. Our presentation will start by explaining the concepts of FreeRTOS, moving into the security features that it lacks when compared with other operating systems. Then we will move into reverse engineering using the STM32F0 as an example; we will show how to identify read and write operations to the peripherals and how our IDA plugin can help with those tasks.