A firmware analysis tour with Avatar in 7 minutes
(maybe)
Aurélien Francillon, Eurecom
Cryptacus Meeting, 6 Nov 2016
HDD backdoor
● How bad would a compromised hard disk firmware be?
– Is this a realistic threat model?
● We reverse engineered and backdoored an HDD
– ~10 person-month effort
– Without any privileged information
– No significant performance overhead
● Data-exfiltration backdoor
– No cooperation from the host
– Stealthy
«Implementation and Implications of a Stealth Hard-Drive Backdoor»
J. Zaddach et al., ACSAC 2013
IRATEMONK ?
Lessons learnt
● How could we analyze a firmware to find backdoors?
● Performing security analysis of embedded systems is very challenging!
– Very hard to analyze the disk
– Static vs. dynamic analysis
– 20 Mbytes of statically linked code, without symbols
=> We need to develop new methodologies and tools for dynamic security analysis of embedded systems
Avatar project and goals
● We need tools and methodologies to analyze large firmware code
– Find vulnerabilities
– Verify functionality
– Reverse engineering
– Security testing
« Avatar: A Framework to Support Dynamic Security Analysis of Embedded Systems' Firmwares » J. Zaddach, L. Bruno, A. Francillon, D. Balzarotti, NDSS 2014
Security evaluation tools
Techniques that are typically used on a PC
● Advanced debugging techniques
◦ Tracing
◦ Fuzzing
◦ Tainting
◦ Symbolic Execution
● Integrated tools
◦ IDA Pro
◦ GDB
◦ Eclipse
A device of devices
[Figure, built up over several slides: an embedded system is a CPU surrounded by many devices. Inside the SoC: IRQ Controller, Memory Controller, BUS Controller, Timers. Around it: Modem, USB, Ethernet, WIFI, LEDs, Buttons.]
Challenges
● Advanced dynamic analysis needs emulation
● Emulating a firmware requires not only instruction set emulation but also peripheral emulation
● But peripherals are often unknown, interact with the physical world and with other embedded devices...
Avatar goal
[Figure: the firmware is executed in the Emulator, while the CPU and peripherals remain on the Physical embedded device; the open question ("?") is how to connect the two.]
Avatar
● Orchestrate execution between emulator and device
– Currently S2E, a symbolic execution engine for binary code, is used as the emulator
● Forward peripheral accesses to the device under analysis
● Do not attempt to emulate peripherals
– No documentation
– Reverse engineering is difficult
Avatar overview
[Figure, built up over several slides: the Emulator executes the firmware code (". . . mov r2, r0 / mov r3, r1 / add r3, r3, #1 / ldr r2, [r2, #0] / cmp r2, r3 . . ."). Avatar, driven by an analysis script and analysis plugins, sits between the Emulator and the Device. On the Device, an in-memory stub gives access to memory, registers and CPU state. Memory accesses from the emulated code are forwarded through Avatar to the stub; the last builds of the slide add the IRQ path from the Device back through Avatar to the Emulator.]
Bottlenecks
• Emulated execution is much slower than execution on the real device
– Memory accesses pass through low-bandwidth debug link
• IRQs can saturate debug link
Improving performance
• Transfer state/execution
– From the device to the emulator
– From the emulator to the device
[Figure, built up over several slides: Avatar copies register state and memory state between the Emulator and the Device, so execution can continue on either side.]
Full separation mode
[Figure: after the state transfer, the Emulator holds its own copy of register state and memory; Avatar only synchronizes with the Device when execution is handed over.]
Memory access optimization
[Figure: register state and memory stay in the Emulator; only accesses to IO Memory are forwarded through Avatar to the Device.]
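The forwarding and state-transfer scheme in the slides above, as an added example that is not Avatar's own code: a small Python model in which an emulator interprets an ARM-like firmware fragment, serves RAM from a local copy obtained by a one-time state transfer, and forwards only accesses to the MMIO window over a debug link whose round trips are counted. The memory map, the peripheral register value 0x41, the firmware fragment and the class names are constructed assumptions for this example.

```python
"""Model of Avatar-style emulator/device orchestration (constructed example,
not Avatar's code). An emulator runs firmware instructions; each memory access
is either served locally or forwarded over a debug link to an in-memory stub
on the device. Memory map and peripheral contents are assumptions."""

import re

RAM_BASE, RAM_SIZE = 0x20000000, 0x1000   # assumed firmware RAM window
IO_BASE, IO_SIZE = 0x40000000, 0x100      # assumed peripheral (MMIO) window


def in_range(addr, base, size):
    return base <= addr < base + size


class Device:
    """Stand-in for the physical device reached through the in-memory stub.
    Every read32/write32 is one round trip over the (slow) debug link."""

    def __init__(self):
        self.ram = bytearray(RAM_SIZE)
        self.io = {IO_BASE: 0x41}          # assumed status register, set by "hardware"
        self.link_transfers = 0            # debug-link round trips (the bottleneck)

    def read32(self, addr):
        self.link_transfers += 1
        if in_range(addr, IO_BASE, IO_SIZE):
            return self.io.get(addr, 0)
        off = addr - RAM_BASE
        return int.from_bytes(self.ram[off:off + 4], "little")

    def write32(self, addr, value):
        self.link_transfers += 1
        if in_range(addr, IO_BASE, IO_SIZE):
            self.io[addr] = value & 0xFFFFFFFF
        else:
            off = addr - RAM_BASE
            self.ram[off:off + 4] = (value & 0xFFFFFFFF).to_bytes(4, "little")


class Emulator:
    """Interprets a tiny ARM-like subset (mov/add/ldr/str/cmp).
    forward_all=True: every access crosses the link (the naive scheme).
    forward_all=False: RAM is served from the copy transferred at start-up and
    only the MMIO window is forwarded (the memory access optimization)."""

    def __init__(self, device, forward_all):
        self.dev = device
        self.forward_all = forward_all
        self.regs = {f"r{i}": 0 for i in range(8)}
        self.flags = {"Z": False}
        self.ram = bytearray(device.ram)   # state transfer: device -> emulator

    def load32(self, addr):
        if self.forward_all or in_range(addr, IO_BASE, IO_SIZE):
            return self.dev.read32(addr)
        off = addr - RAM_BASE
        return int.from_bytes(self.ram[off:off + 4], "little")

    def store32(self, addr, value):
        if self.forward_all or in_range(addr, IO_BASE, IO_SIZE):
            self.dev.write32(addr, value)
            return
        off = addr - RAM_BASE
        self.ram[off:off + 4] = (value & 0xFFFFFFFF).to_bytes(4, "little")

    def operand(self, tok):
        return int(tok[1:], 0) if tok.startswith("#") else self.regs[tok]

    def step(self, insn):
        op, rest = insn.split(None, 1)
        m = re.match(r"(\w+),\s*\[(\w+),\s*#(\w+)\]", rest)
        if m:                              # ldr/str rd, [rn, #imm]
            rd, rn, off = m.group(1), m.group(2), int(m.group(3), 0)
            addr = self.regs[rn] + off
            if op == "ldr":
                self.regs[rd] = self.load32(addr)
            elif op == "str":
                self.store32(addr, self.regs[rd])
            return
        args = [a.strip() for a in rest.split(",")]
        if op == "mov":
            self.regs[args[0]] = self.operand(args[1])
        elif op == "add":
            self.regs[args[0]] = (self.regs[args[1]] + self.operand(args[2])) & 0xFFFFFFFF
        elif op == "cmp":
            self.flags["Z"] = self.regs[args[0]] == self.operand(args[1])

    def run(self, program):
        for line in program.splitlines():
            text = line.split(";")[0].strip()
            if text:
                self.step(text)
        return self


# Constructed firmware fragment: read a peripheral register, stash it in RAM,
# read it back and compare.
FIRMWARE = """
    mov r2, r0          ; r0 -> peripheral register in the MMIO window
    mov r3, r1          ; r1 -> scratch buffer in RAM
    ldr r2, [r2, #0]    ; peripheral read: must come from the real device
    str r2, [r3, #0]    ; RAM write
    ldr r3, [r3, #0]    ; RAM read-back
    cmp r2, r3          ; Z set when the round trip preserved the value
"""


def run_firmware(forward_all):
    """Returns (r2, Z flag, number of debug-link round trips)."""
    dev = Device()
    emu = Emulator(dev, forward_all)
    emu.regs["r0"] = IO_BASE
    emu.regs["r1"] = RAM_BASE + 0x10
    emu.run(FIRMWARE)
    return emu.regs["r2"], emu.flags["Z"], dev.link_transfers


if __name__ == "__main__":
    for mode in (True, False):
        r2, z, n = run_firmware(mode)
        print(f"forward_all={mode}: r2={r2:#x} Z={z} debug-link transfers={n}")
```

Both modes compute the same result (r2 = 0x41, Z set), but the naive scheme pays three link round trips for this fragment while the optimized one pays a single one, for the peripheral read that cannot be answered without the device. On real hardware the emulator is still the slow side, so the remaining lever is handing execution back to the device for stretches of code that need no analysis.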
Avatar in more details
Use cases
GSM phone
Hard disk drive
EconoTag (Zigbee sensor mote)
Avatar Summary
Enables analyses that were impossible before:
● Selective symbolic/concolic execution, whole-system analysis from (partial) binary code, reverse engineering framework, tracing …
Is a versatile, Open Source platform
● http://s3.eurecom.fr/tools/avatar/
We are currently using it to analyze many different devices
● Have a device to analyze? Come for a STEM
Under active development, currently extending it to
● support other analysis frameworks (Angr, Panda, klee, mixed analysis…)
● Better interaction with hardware (fast custom USB3 dongle)
« Avatar: A Framework to Support Dynamic Security Analysis of Embedded Systems' Firmwares » J. Zaddach, L. Bruno, A. Francillon, D. Balzarotti, NDSS 2014
People involved
Davide Balzarotti
Student projects: Luka Malisa (initial experiments), Kjell Braden (Avatar MMU support)
Luca Bruno (fuzzer, Avatar)
Sandeep Nuckchady
Jonas Zaddach
Lucian Cojocar (VU Amsterdam)