
The Avatar project:

Improving embedded security with
S2E, KLEE and Qemu

http://www.s3.eurecom.fr/tools/avatar/

Luca Bruno <lucab@debian.org>,
J. Zaddach, A. Francillon, D. Balzarotti

About us
Eurecom, a consortium of European universities on the
French Riviera
Security research group
  9 people
  Applied system security
    Embedded systems
    Networking devices
    Critical infrastructures
02/02/2014

Outline
Embedded security
Avatar overview
Framework components
Field testing
Conclusions

Software everywhere
Embedded devices are diverse, but all of them
run software

Reasons for embedded security

Embedded devices are ubiquitous
  Even if not visible, your lives depend on them

Can operate for many years
  Legacy systems, no (security) updates

Have large attack surfaces
  Networking, forgotten debug interfaces, etc.

Sometimes too easy to take over / backdoor

Challenges in embedded security

No source code available
  Often monolithic, binary-only firmware

No toolchain available
No documentation available
Unique tools (to flash and debug) for
each manufacturer

Wishlist for security evaluation

Typical PC security toolbox

Advanced debugging techniques
  Tracing
  Fuzzing
  Symbolic execution
  Tainting

Integrated tools
  IDA Pro, GDB, Netzob

[figure: symbolic-execution illustration, two branch constraints (x > 0, x < 8) combined into the path constraint 0 < x < 8]


Why Avatar
Provide a framework for

In vivo analysis of any kind of device

Advanced debugging

Easy prototyping

Integrated workbench
  To use all techniques together on a live system

Not only focused on security
  Debugging / profiling / tracing is hard in embedded
  environments

Avatar: basics
Emulate embedded device firmware
Forward peripheral accesses to the
device under analysis
Do NOT attempt to emulate peripherals
  No documentation
  Reverse engineering is difficult

Avatar overview
[figure: Avatar sits between an emulator backend (running the firmware, with analysis plugins) and a target backend (a proxy on the embedded device). Memory reads and writes issued by the emulated firmware are forwarded to the device and their values returned to the emulator; interrupts raised on the device are forwarded back to the emulator.]

Avoid NIH syndrome

S2E (Qemu + KLEE)
  for emulation and symbolic execution

GDB and OpenOCD
  to attach components and devices

Your own tools for analysis
  IDA Pro, Capstone, Netzob...


LLVM under the hood

S2E combines existing tools to achieve
symbolic execution of x86/ARM binary
code
  Qemu translates binary code to an
  intermediate representation (TCG)
  S2E's TCG-to-LLVM backend translates TCG into LLVM
  bitcode
  KLEE executes the LLVM bitcode symbolically

S2E in a nutshell
[figure: Avatar drives the emulator through the Qemu config, the Qemu GDB stub, S2E's QMP/Lua interface and the RemoteMem plugin. The Qemu frontend produces TCG, which is either run by the Qemu executer or lifted to LLVM and executed by KLEE; S2E hooks keep the VM state (registers, CPU state, memory) consistent with KLEE's symbolic states.]

Python3 framework
[figure: an analysis script drives the Avatar core, which loads analysis plugins and connects to an emulator backend and a target backend. The emulator backend consists of a config writer, a GDB/MI adapter with a GDB interface, a BinProto adapter, a QMP/Lua interface and the memory forwarder; the target backend consists of a Telnet adapter and a GDB adapter.]

Analysis platform
Avatar provides analysis glue

Orchestrate execution

Bridge between emulator and device

Intercept / manipulate memory accesses

External integration, exposing GDB or
JSON interfaces

Embedded target
[figure: Avatar reaches the target device either through OpenOCD over JTAG or through an in-memory stub over UART; the target state it mirrors consists of registers, CPU state and memory.]

Target communication
Either a debugging interface
  JTAG
  Debug serial interface

Or code injection and a communication
channel
  GDB stub + serial port


Use cases
Check for hidden backdoors in HDD firmware
Fuzzing / symbolic execution of SMS decoding on a
feature phone
Vulnerability checks on programmable wireless
sensors

Bottlenecks
Emulated execution is much slower than
execution on the real device
Memory access forwarding through a low-bandwidth
channel is the bottleneck
  In one case down to ~10 instr./sec.
Interrupts are tricky, and can overwhelm the emulation

Improving performance
The point of interest is often far down in the firmware

A large part of forwarded accesses are to non-IO
memory

Trap execution on the device and transfer state to the
emulator

Detect and drop forwarding for non-IO memory
regions (stack, heap and code live in the emulator)

High-periodicity interrupts can be synthesized to
avoid saturation
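The forwarding policy behind the "Avatar: basics", "Analysis platform" and "Improving performance" slides, as an added Python example that is not Avatar's own code: a memory forwarder that routes each emulated access either to emulator-local RAM or to the device, plus a comparison of how many slow debug-channel round-trips a toy firmware loop costs when everything is forwarded versus when only the peripheral window is. Everything concrete here is an assumption made so the code runs without hardware: the Cortex-M style memory map (flash at 0x0800_0000, SRAM at 0x2000_0000, peripherals at 0x4000_0000), the UART status register address, the fake device and the firmware loop.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Region:
    """One window of the target's address space and the policy for it."""
    name: str
    start: int
    size: int
    forward: bool  # True: the real device must see it (MMIO); False: emulator-local

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.start + self.size


class FakeDevice:
    """Constructed stand-in for the target behind OpenOCD or the in-memory stub.
    Every call is one slow debug-channel round-trip in reality, so the log
    length is the cost we want to minimise."""

    def __init__(self) -> None:
        self.space: Dict[int, int] = {}          # byte-addressed device memory
        self.log: List[Tuple[str, int]] = []

    def read(self, addr: int, size: int) -> int:
        self.log.append(("r", addr))
        raw = bytes(self.space.get(addr + i, 0) for i in range(size))
        return int.from_bytes(raw, "little")

    def write(self, addr: int, size: int, value: int) -> None:
        self.log.append(("w", addr))
        for i, b in enumerate(value.to_bytes(size, "little")):
            self.space[addr + i] = b


class MemoryForwarder:
    """Routes each emulated access either to local RAM or to the device."""

    def __init__(self, regions: List[Region], device: FakeDevice) -> None:
        self.regions = regions
        self.device = device
        self.local = {r.name: bytearray(r.size) for r in regions if not r.forward}
        self.forwarded = 0
        self.served_locally = 0

    def _region(self, addr: int) -> Region:
        for r in self.regions:
            if r.contains(addr):
                return r
        raise ValueError(f"unmapped access at {addr:#010x}")

    def read(self, addr: int, size: int) -> int:
        r = self._region(addr)
        if r.forward:
            self.forwarded += 1
            return self.device.read(addr, size)
        self.served_locally += 1
        off = addr - r.start
        return int.from_bytes(self.local[r.name][off:off + size], "little")

    def write(self, addr: int, size: int, value: int) -> None:
        r = self._region(addr)
        if r.forward:
            self.forwarded += 1
            self.device.write(addr, size, value)
            return
        self.served_locally += 1
        off = addr - r.start
        self.local[r.name][off:off + size] = value.to_bytes(size, "little")


UART_STATUS = 0x4000_0014   # assumed MMIO register, bit 0 = "data ready"
STACK_SLOT = 0x2000_FF00    # assumed stack location inside SRAM


def firmware_loop(mem: MemoryForwarder, iterations: int) -> int:
    """Toy stand-in for a firmware hot loop: spill a counter to the stack,
    reload it, then poll the UART.  Only the poll needs the real device.
    Returns how many polls saw the ready bit."""
    ready = 0
    for i in range(iterations):
        mem.write(STACK_SLOT, 4, i)
        mem.read(STACK_SLOT, 4)
        if mem.read(UART_STATUS, 4) & 0x1:
            ready += 1
    return ready


def compare_policies(iterations: int = 100) -> Dict[str, int]:
    """Device round-trips under 'forward everything' versus 'forward I/O only'.
    Both must observe the same UART state; the optimisation is only sound
    while the device does not touch that RAM behind our back (e.g. DMA)."""
    results: Dict[str, int] = {}
    for policy, forward_ram in (("forward_all", True), ("io_only", False)):
        device = FakeDevice()
        device.space[UART_STATUS] = 0x1        # device reports a byte ready
        regions = [                            # assumed Cortex-M style layout
            Region("flash", 0x0800_0000, 0x2_0000, forward_ram),
            Region("sram", 0x2000_0000, 0x1_0000, forward_ram),
            Region("periph", 0x4000_0000, 0x1000_0000, True),
        ]
        mem = MemoryForwarder(regions, device)
        results[policy + "_ready"] = firmware_loop(mem, iterations)
        results[policy + "_roundtrips"] = len(device.log)
    return results


if __name__ == "__main__":
    print(compare_policies())
```

With 100 iterations the forward-everything policy costs 300 round-trips and the I/O-only policy 100, while both see the UART ready bit on every poll. The comparison also makes the DMA caveat from the "Limitations" slide concrete: the local copy of SRAM is only correct as long as nothing on the device side writes that RAM without going through the forwarder.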


Limitations
State consistency
  DMA memory changes are not tracked

Timing consistency
  Emulated execution time is much slower than real
  execution time

Symbolic execution
  Coherency between HW and SW

Bug-finding strategies to be improved

Recap
Avatar is a tool to

Enable dynamic analysis

And perform symbolic execution

On embedded devices

Where only binary code is available

Questions?
Thank you for listening!

Thanks to Pascal Sachs and Luka Malisa, who built an earlier prototype of the
system, and Lucian Cojocar for contributions

References

AVATAR web page: http://www.s3.eurecom.fr/tools/avatar/

AVATAR: A Framework to Support Dynamic Security Analysis of Embedded Systems' Firmwares,
Jonas Zaddach, Luca Bruno, Aurelien Francillon, Davide Balzarotti

Howard: a dynamic excavator for reverse engineering data structures, Asia Slowinska,
Traian Stancescu, Herbert Bos

KLEE web page: http://ccadar.github.io/klee/

S2E web page: https://s2e.epfl.ch/

S2E: A Platform for In Vivo Multi-Path Analysis of Software Systems, Vitaly Chipounov,
Volodymyr Kuznetsov, George Candea

The S2E Platform: Design, Implementation, and Applications, Vitaly Chipounov, Volodymyr
Kuznetsov, George Candea

QEMU web page: http://qemu.org

Dowsing for Overflows: A Guided Fuzzer to Find Buffer Boundary Violations, Istvan Haller,
Asia Slowinska, Matthias Neugschwandtner, Herbert Bos

Extra: GDB stub

GDB can connect to targets using a serial
interface and a simple protocol
There is a stub implementation in the GDB source
tree, but not for ARM, and it is bloated (for
our purposes)
6 primitives are enough to give debugging
support with software breakpoints:
  Read bytes, write bytes, read registers, write registers,
  continue and get signal
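A minimal GDB remote-serial-protocol stub built on exactly the six primitives listed above, as an added Python example that is not the Avatar stub or GDB's own code. It shows the packet framing (`$payload#xx` with a mod-256 byte-sum checksum, `+`/`-` acknowledgements) and the six commands a stub must answer for memory, registers, continue and stop reason (`m`, `M`, `g`, `G`, `c`, `?`). Software breakpoints need nothing extra: when the stub offers no `Z0` packet, GDB writes the breakpoint instruction into memory itself with `M`. The target side is an assumption constructed so the code runs without hardware: 17 ARM-style 32-bit registers, a flat RAM window, and a "continue" that walks Thumb halfwords until it fetches a BKPT (0xBExx).

```python
import re

SIGTRAP, SIGSEGV = 5, 11


class Target:
    """Constructed device side: 17 ARM-style registers (r0-r12, sp, lr, pc,
    cpsr) and one flat RAM window.  Only the six primitives are exposed."""

    NUM_REGS, PC = 17, 15

    def __init__(self, base: int = 0x2000_0000, size: int = 0x100) -> None:
        self.base, self.mem = base, bytearray(size)
        self.regs = [0] * self.NUM_REGS
        self.regs[self.PC] = base
        self.signal = SIGTRAP            # the stub is entered via a breakpoint

    def _off(self, addr: int, n: int) -> int:
        off = addr - self.base
        if off < 0 or off + n > len(self.mem):
            raise ValueError("address outside the RAM window")
        return off

    def read_bytes(self, addr: int, n: int) -> bytes:
        off = self._off(addr, n)
        return bytes(self.mem[off:off + n])

    def write_bytes(self, addr: int, data: bytes) -> None:
        off = self._off(addr, len(data))
        self.mem[off:off + len(data)] = data

    def read_registers(self) -> list:
        return list(self.regs)

    def write_registers(self, regs: list) -> None:
        self.regs = list(regs)

    def cont(self) -> None:
        """Advance over Thumb halfwords until a BKPT (0xBExx) is fetched;
        running off the RAM window is reported as SIGSEGV."""
        while True:
            pc = self.regs[self.PC]
            try:
                hw = int.from_bytes(self.read_bytes(pc, 2), "little")
            except ValueError:
                self.signal = SIGSEGV
                return
            if hw & 0xFF00 == 0xBE00:    # planted by GDB through write_bytes
                self.signal = SIGTRAP
                return
            self.regs[self.PC] = pc + 2

    def get_signal(self) -> int:
        return self.signal


def checksum(data: bytes) -> int:
    return sum(data) & 0xFF


def frame(data: bytes) -> bytes:
    """RSP framing: '$' payload '#' two hex digits of the mod-256 byte sum."""
    return b"$%s#%02x" % (data, checksum(data))


def unframe(pkt: bytes) -> bytes:
    m = re.fullmatch(rb"\$(.*)#([0-9a-fA-F]{2})", pkt, re.DOTALL)
    if not m or int(m.group(2), 16) != checksum(m.group(1)):
        raise ValueError("malformed packet or bad checksum")
    return m.group(1)


class GdbStub:
    def __init__(self, target: Target) -> None:
        self.t = target

    def handle(self, raw: bytes) -> bytes:
        """One request in; ack ('+') plus one framed reply out, or a NAK."""
        try:
            body = unframe(raw)
        except ValueError:
            return b"-"                  # ask GDB to resend
        cmd, arg = body[:1], body[1:]
        try:
            if cmd == b"?":              # why did the target stop?
                reply = b"S%02x" % self.t.get_signal()
            elif cmd == b"g":            # all registers, target byte order
                reply = b"".join(r.to_bytes(4, "little").hex().encode()
                                 for r in self.t.read_registers())
            elif cmd == b"G":
                blob = bytes.fromhex(arg.decode())
                self.t.write_registers([int.from_bytes(blob[i:i + 4], "little")
                                        for i in range(0, len(blob), 4)])
                reply = b"OK"
            elif cmd == b"m":            # m addr,len
                addr, n = (int(x, 16) for x in arg.split(b","))
                reply = self.t.read_bytes(addr, n).hex().encode()
            elif cmd == b"M":            # M addr,len:hexbytes
                spec, data = arg.split(b":")
                addr, n = (int(x, 16) for x in spec.split(b","))
                payload = bytes.fromhex(data.decode())
                if len(payload) != n:
                    raise ValueError("length mismatch")
                self.t.write_bytes(addr, payload)
                reply = b"OK"
            elif cmd == b"c":            # c [addr]
                if arg:
                    regs = self.t.read_registers()
                    regs[Target.PC] = int(arg, 16)
                    self.t.write_registers(regs)
                self.t.cont()
                reply = b"S%02x" % self.t.get_signal()
            else:
                reply = b""              # unsupported: GDB falls back
        except ValueError:
            reply = b"E01"
        return b"+" + frame(reply)
```

A session then looks like GDB sending `$M20000004,2:00be#..` to plant a Thumb BKPT, `$c#63` to resume, and receiving `+$S05#b8` when the target hits it; `$g#67` afterwards returns the registers with pc pointing at the breakpoint. Anything with a bad checksum is answered with `-`, and out-of-window memory accesses with `E01`, so a misbehaving host cannot push the stub outside the memory it was told to serve.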
