Improving embedded security with S2E, KLEE and Qemu
http://www.s3.eurecom.fr/tools/avatar/
About us
- Eurecom, a consortium of European universities on the French Riviera
- Security research group: 9 people
- Applied system security: embedded systems, networking devices, critical infrastructures
02/02/2014
Outline
- Embedded security
- Avatar overview
- Framework components
- Field testing
- Conclusions
Software everywhere
- Embedded devices are diverse, but all of them run software
- Can operate for many years: legacy systems, no (security) updates
- Have large attack surfaces: networking, forgotten debug interfaces, etc.
- Sometimes too easy to take over / backdoor
- Often monolithic, binary-only firmware
- No toolchain available
- No documentation available
- Unique tools (to flash and debug) for each manufacturer
Advanced debugging techniques
- Tracing
- Fuzzing
- Symbolic execution
- Tainting
- Integrated tools
[Figure: a symbolic execution tree branching on x > 0 and x < 8, ending in the path condition 0 < x < 8; tool logos for IDA Pro, GDB and Netzob]
Why Avatar
- Provide a framework for:
  - In vivo analysis of any kind of device
  - Advanced debugging
  - Easy prototyping
- Integrated workbench: use all techniques together on a live system
- Not only focused on security: debugging/profiling/tracing is hard in embedded environments
Avatar: basics
- Emulate embedded devices' firmware
- Forward peripheral accesses to the device under analysis
- Do NOT attempt to emulate peripherals: no documentation, and reverse engineering is difficult
Avatar overview
[Figure: architecture diagram. Avatar sits between the Emulator (running the Firmware, with Plugins) through an Emulator backend, and the Embedded device through a Target backend and a Proxy. Memory read/write requests flow from the emulator through Avatar to the device and the values flow back; interrupts flow from the device through Avatar to the emulator. The firmware excerpt shown running in the emulator:]
    ...
    mov r2, r0
    mov r3, r1
    add r3, r3, #1
    add r2, ip, r2
    ldr r2, [r2], #0
    cmp r2, r3
    ...
- GDB and OpenOCD to attach components and devices
- Your own tools for analysis: IDA Pro, Capstone, Netzob...
S2E in a nutshell
[Figure: S2E architecture. Avatar drives the Emulator over GDB and QMP/Lua (Qemu config, RemoteMem plugin). Inside the emulator, the Qemu frontend translates guest code to TCG, which is either run by the Qemu executer or lowered to LLVM for the SE hooks; KLEE keeps the symbolic states. The VM state consists of registers, CPU state and memory.]
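The symbolic execution tree on the earlier "Advanced debugging techniques" slide (branch on x > 0, then on x < 8, reaching the path 0 < x < 8) as a worked example. This is an added toy executor, not Avatar, S2E or KLEE code: the programs, the `explore`/`solve` helpers and the exhaustive 8-bit "solver" that stands in for KLEE's SMT solver are all constructed for illustration.

```python
# Added example, not Avatar/S2E/KLEE code: a toy symbolic executor for a
# single 8-bit input x. Every branch forks the current path into a "taken"
# and a "not taken" state, each carrying its own path constraint; a fork is
# dropped as soon as its constraint is unsatisfiable, which is what KLEE
# asks its SMT solver for. Here the "solver" is exhaustive search 0..255.

# Constructed toy program. A branch is ("branch", (op, const), pc_true, pc_false)
# and tests "x <op> const"; ("ret", label) ends a path.
PROGRAM = [
    ("branch", (">", 0), 1, 3),   # 0: if x > 0 goto 1 else goto 3
    ("branch", ("<", 8), 2, 3),   # 1: if x < 8 goto 2 else goto 3
    ("ret", "accept"),            # 2: reached only when 0 < x < 8
    ("ret", "reject"),            # 3
]

# Same checks followed by a branch that can never be taken once x < 8 holds;
# the solver proves its "taken" side infeasible and the executor prunes it.
PROGRAM_DEAD = [
    ("branch", (">", 0), 1, 4),
    ("branch", ("<", 8), 2, 4),
    ("branch", (">", 200), 3, 5),  # 2: infeasible under x > 0 and x < 8
    ("ret", "dead"),               # 3: unreachable
    ("ret", "reject"),             # 4
    ("ret", "accept"),             # 5
]

OPS = {">": lambda a, b: a > b, "<": lambda a, b: a < b}
DOMAIN = range(256)  # x is an unconstrained 8-bit value


def holds(pred, x):
    op, const = pred
    return OPS[op](x, const)


def satisfies(constraints, x):
    """A path constraint is a list of (predicate, expected truth value)."""
    return all(holds(pred, x) == want for pred, want in constraints)


def solve(constraints):
    """Return one concrete x satisfying the path constraint, or None.
    Brute force stands in for the SMT solver a real engine would call."""
    return next((x for x in DOMAIN if satisfies(constraints, x)), None)


def describe(constraints):
    return " and ".join(f"x {op} {c}" if want else f"not(x {op} {c})"
                        for (op, c), want in constraints)


def explore(program, max_paths=64):
    """Explore every feasible path of `program`. Returns a list of
    (leaf label, path constraint, concrete witness input) triples."""
    worklist = [(0, [])]          # (pc, path constraint so far)
    finished = []
    while worklist and len(finished) < max_paths:
        pc, constraints = worklist.pop()
        instr = program[pc]
        if instr[0] == "ret":
            finished.append((instr[1], constraints, solve(constraints)))
            continue
        _, pred, pc_true, pc_false = instr
        for want, target in ((True, pc_true), (False, pc_false)):
            forked = constraints + [(pred, want)]
            if solve(forked) is not None:     # prune infeasible forks
                worklist.append((target, forked))
    return finished


if __name__ == "__main__":
    for label, constraints, witness in explore(PROGRAM):
        print(f"{label:7s} {describe(constraints):32s} e.g. x = {witness}")
```

Each leaf comes back with the constraint that reaches it and one concrete input that satisfies it, which is the test case a symbolic engine would hand to a fuzzer or replay on the device; `PROGRAM_DEAD` shows the pruning step that keeps the number of states from growing with unreachable code.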
Python 3 framework
[Figure: the analysis script drives Avatar, which talks to the Emulator backend (Config writer, GDB/MI adapter, GDB interface, BinProto adapter, QMP/Lua interface, Memory forwarder) on one side and to the Target backend (Telnet adapter, GDB adapter) on the other, with Analysis plugins hooked in between.]
Analysis platform
- Avatar provides the analysis glue:
  - Orchestrate execution
  - Bridge between emulator and device
  - Intercept/manipulate memory accesses
  - External integration, exposing GDB or JSON interfaces
Embedded target
[Figure: Avatar reaches the Target device either over UART through an In-memory stub, or over JTAG through OpenOCD; the Target state consists of registers, CPU state and memory.]
Target communication
- Either a debugging interface: JTAG, debug serial interface
- Or code injection plus a communication channel: GDB stub + serial port
Use cases
- Check for hidden backdoors in HDD firmware
- Fuzzing / symbolic execution of SMS decoding on a feature phone
- Vulnerability checks on programmable wireless sensors
Bottlenecks
- Emulated execution is much slower than execution on the real device
- Memory access forwarding through a low-bandwidth channel is the bottleneck: in one case down to ~10 instr./sec.
- Interrupts are tricky and can overwhelm the emulation
Improving performance
- The point of interest is often far down in the firmware: trap execution on the device and transfer the state to the emulator
- A large part of the forwarded accesses are to non-IO memory: detect and drop forwarding for non-IO memory regions (stack, heap and code stay in the emulator)
- High-periodicity interrupts can be synthesized to avoid saturation
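The forwarding model from "Avatar: basics" and "Analysis platform" together with the non-IO optimisation on this slide, as an added Python example. It is not Avatar's own memory forwarder: `Region`, `MockTarget`, `MemoryForwarder`, the memory map and the UART register values are constructed here, and the mock target stands in for the GDB/OpenOCD or serial link to a real board.

```python
# Added example, not Avatar's own code: a minimal memory forwarder in the
# spirit of the slides. The emulator calls read()/write(); accesses to a
# peripheral (IO) region are forwarded to the device over the slow debug
# channel, while RAM and code regions are served from a local copy pulled
# from the device once, which is the "drop forwarding for non-IO memory"
# optimisation. All class, function and register names are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    name: str
    start: int
    size: int
    forward: bool  # True: peripheral space, forward to the device; False: keep local

    def contains(self, addr):
        return self.start <= addr < self.start + self.size


class MockTarget:
    """Stand-in for the real board behind GDB/OpenOCD or a serial stub.
    Each read()/write() call models one round trip over the debug channel."""

    def __init__(self, memory):
        self.memory = dict(memory)  # constructed word-addressed contents
        self.log = []               # every round trip, for the statistics

    def read(self, addr, size):
        self.log.append(("read", addr, size))
        return self.memory.get(addr, 0)

    def write(self, addr, size, value):
        self.log.append(("write", addr, size, value))
        self.memory[addr] = value

    def dump(self):
        """Bulk state transfer after trapping execution on the device."""
        return dict(self.memory)


class MemoryForwarder:
    def __init__(self, regions, target):
        self.regions = regions
        self.target = target
        self.local = {}                              # emulator-side copy of non-IO memory
        self.stats = {"forwarded": 0, "local": 0}

    def region_for(self, addr):
        for region in self.regions:
            if region.contains(addr):
                return region
        raise ValueError(f"access to unmapped address {addr:#010x}")

    def pull_state(self):
        """Copy every non-IO word from the device once; peripherals stay live."""
        for addr, value in self.target.dump().items():
            if not self.region_for(addr).forward:
                self.local[addr] = value

    def read(self, addr, size=4):
        if self.region_for(addr).forward:
            self.stats["forwarded"] += 1
            return self.target.read(addr, size)
        self.stats["local"] += 1
        return self.local.get(addr, 0)

    def write(self, addr, value, size=4):
        if self.region_for(addr).forward:
            self.stats["forwarded"] += 1
            self.target.write(addr, size, value)
        else:
            self.stats["local"] += 1
            self.local[addr] = value


# Constructed memory map of an imaginary Cortex-M style board.
REGIONS = [
    Region("flash", 0x00000000, 0x10000, forward=False),
    Region("sram", 0x20000000, 0x8000, forward=False),
    Region("uart", 0x40000000, 0x1000, forward=True),
]
UART_STATUS, UART_DATA = 0x40000000, 0x40000004
TX_READY = 0x20


def run_demo(forward_everything=False):
    """Replay a firmware UART-print loop through the forwarder and return
    (forwarder statistics, list of round trips that reached the device).
    forward_everything=True is the naive setup with no local regions."""
    regions = REGIONS
    if forward_everything:
        regions = [Region(r.name, r.start, r.size, True) for r in REGIONS]
    target = MockTarget({0x00000000: 0x20008000,   # initial stack pointer word in flash
                         0x20000000: 0xDEADBEEF,   # a RAM word the loop copies
                         UART_STATUS: TX_READY})
    fwd = MemoryForwarder(regions, target)
    fwd.pull_state()
    sp = 0x20007FF0
    for ch in b"OK\n":
        fwd.write(sp, fwd.read(0x20000000))          # stack traffic: local after the pull
        sp -= 4
        while not fwd.read(UART_STATUS) & TX_READY:  # polled status register: forwarded
            pass
        fwd.write(UART_DATA, ch)                     # data register: forwarded
    return fwd.stats, target.log


if __name__ == "__main__":
    for mode in (False, True):
        stats, log = run_demo(forward_everything=mode)
        print("forward everything" if mode else "local non-IO ", stats, len(log), "round trips")
```

Running the same three-byte print loop both ways halves the number of round trips over the debug channel, and the saving grows with the share of stack and heap traffic in the firmware; the peripheral registers are still read live, so the UART status bit observed is the one the real device reports.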
Limitations
- State consistency: DMA memory changes are not tracked
- Timing consistency: emulated execution time is much slower than real execution time
- Symbolic execution: coherency between HW and SW; bug-finding strategies to be improved
Recap
- Avatar is a tool to enable dynamic analysis, and perform symbolic execution, on embedded devices where only binary code is available
Questions?
Thank you for listening!
Thanks to Pascal Sachs and Luka Malisa, who built an earlier prototype of the system, and to Lucian Cojocar for contributions
References
- AVATAR web page: http://www.s3.eurecom.fr/tools/avatar/
- AVATAR: A Framework to Support Dynamic Security Analysis of Embedded Systems' Firmwares. Jonas Zaddach, Luca Bruno, Aurelien Francillon, Davide Balzarotti
- Howard: a dynamic excavator for reverse engineering data structures. Asia Slowinska, Traian Stancescu, Herbert Bos
- KLEE web page: http://ccadar.github.io/klee/
- S2E web page: https://s2e.epfl.ch/
- S2E: A Platform for In Vivo Multi-Path Analysis of Software Systems. Vitaly Chipounov, Volodymyr Kuznetsov, George Candea
- The S2E Platform: Design, Implementation, and Applications. Vitaly Chipounov, Volodymyr Kuznetsov, George Candea
- QEMU web page: http://qemu.org
- Dowsing for Overflows: A Guided Fuzzer to Find Buffer Boundary Violations. Istvan Haller, Asia Slowinska, Matthias Neugschwandtner, Herbert Bos