DeepSec 2015 Workshop: Practical Firmware Reversing and Exploit Development for AVR-based Embedded Devices – Alexander Bolshev & Boris Ryutin

Sanna/ October 7, 2015/ Conference, Training

The Internet of Things (IoT), more common known as the Internet of Stuff, is all around us. You don’t have to wait for it any more. Take a peek at the search results from Shodan and you will see that lots of devices are connected to the Internet. Since your refrigerator does not run high performance hardware, it is well worth to take a look at the hardware being used. For connected household devices and their controllers you need low power equipment. Think small, think embedded, not different. This is why we offer the Practical Firmware Reversing and Exploit Development for AVR-based Embedded Devices training to you at DeepSec 2015. Alexander Bolshev and Boris Ryutin will show you how to create exploits for the Internet of Things:

Embedded systems are everywhere. And all of them have a heart – microcontrollers (MCU) with specific firmwares. Atmel™AVR® is the of the most popular MCU platforms in the world. It became famous because of the amateur Arduino platform, however, its real usage goes much further. Today, you can find many devices based on AVR microcontrollers in home automation, automotive applications (in security, safety, powertrain and entertainment modules), industrial systems, RF-systems, and much more. Do you know that USB-based AVRs have been used in XBox? Also, many KNX (building automation) gateways have several Atmega128 or Atmega16 inside. Thus, sooner or later you will meet one of these systems in your security projects. You may find many talks about reversing and exploit development for AVR-based devices, however there is still a lack of a full-scale guide that answers the question: “I have an AVR device. I have firmware (?). I have found something that looks like a vulnerability. What should I do now?”. The goal of this workshop is to give an answer to this question.

During this workshop, you will learn AVR firmwares reversing and exploitation specifics. We will talk about tools and techniques, review AVR architecture, teach you how to write ROP chains for AVR, and use other methods that enforces MCU to do what wasn’t expected by firmware developers. Post-exploitation topics (like reflashing and altering the bootloader) will also be covered. We will start our journey with simple programs, quickly move on to popular Arduino libraries and finish it with a case of a real exploitation of an industrial gateway. We will talk about how to use Radare2 and (a bit) IDA Pro in reversing and exploiting AVR firmwares. And we will show you how to develop tools that help you with your task.

Here is a short abstract of the workshop:

Day 1:

* Introduction

* Part 1: AVR basics
– Harvard Architecture
– AVR features
– AVR assembly
– A word about AVR bootloaders
– Software and hardware tools
– Quick intro to radare2
– Examples & exercises

* Part 2: Pre-exploitation
– First steps
– Acquiring firmware
– Firmware reversing
– Function signatures and various system libs
– Small Real time OSes from security perspective
– Examples & exercises

Day 2:
* Part 3: Exploitation
– Basics
– Types of vulnerabilities
– Building ROP chains for AVR
– Interruption tricks
– Advanced methods
– Examples & exercises

* Part 4: Post-exploitation
– Reading Flash and EEPROM
– Staying persistent
– Examples & exercises

* Conclusion

 

IMG_0196Every attendee will receive a special kit that contains:

– Atmega128 training board with built-in Wi-Fi
– JTAG programmer
– Arduino board

 

 

 

 

 

This training is highly practical and contains various exercises, for example:
– Overflowing the UART to control another UART interface
– Building ROP-chain for controlling i2c transmission
– Reading protected AES key from the bootloader
– ROP-chain with watchdog evasion
– And much more!

To participate you need just a basic understanding of reverse engineering and buffer overflow/memory corruption vulnerabilities. Please bring a laptop with at least 4 GB RAM, 15 GB free hard drive space, two USB ports and installed VMWare/VirtualBox or Parallels virtual machine. You will be supplied with all required software (virtual machine image) and hardware (debuggers and AVR development boards).

Don’t miss this opportunity! Soon you will be surrounded by hardware not based on the trusty x86/x86_64 architecture. Attacking different architectures will become crucial for future penetration testing, security assessment, and even „cyber“ defence. Therefore we highly recommend this workshop for everyone.

 

bolshev_alexanderAlexander Bolshev is an information security researcher at Digital Security. He holds a Ph.D. in computer security and also works as assistant professor at Saint-Petersburg State Electrotechnical University. His research interests lie in distributed systems, mobile, hardware and industrial protocol security. He is the author of several whitepapers in topics of heuristic intrusion detection methods, SSRF attacks, OLAP systems and ICS security. He spoke at the following conferences: Black Hat USA/EU/UK, ZeroNights, t2.fi, CONFIdence, S4.

 

 

 

ryutin_borisBoris (@dukebarman) has graduated from the Baltic State Technical University “Voenmeh”, faculty of rocket and space technology. Currently he is a postgraduate student there, works as a security engineer at ZORSecurity and as a contributor to MALWAS post-exploitation framework. Boris is a recurring writer for the ][akep magazine, and a contributor and developer involved in several open-source information security projects. Radare2 evangelist. Multiple bug bounty awardee.

Share this Post

3 Comments

Comments are closed.