ROOTS 2019 Talk: Harzer Roller: Linker-Based Instrumentation for Enhanced Embedded Security Testing – Katharina Bogad
Due to the rise of the Internet of Things, there are many new chips and platforms available for hobbyists and industry alike to build smart devices. The software development kits (SDKs) for these new platforms usually include closed-source binaries comprising wireless protocol implementations, cryptographic implementations, or other library functions, which are shared among all user code across the platform. Exploiting a vulnerability in such a library thus has a high impact on a given platform. However, as these platforms are often shipped ready-to-use, classic debug infrastructure like JTAG is often not available.
In this paper, we present a method, called Harzer Roller, to enhance embedded firmware security testing on resource-constrained devices. With the Harzer Roller, we hook instrumentation code into function calls and returns. The hooking applies not only to the user application code but also to the SDK used to build the firmware. While we keep the general design of the Harzer Roller architecture-independent, we provide an implementation for the ESP8266 Wi-Fi IoT chip based on the Xtensa architecture.
We show that the Harzer Roller can be leveraged to trace execution flow through libraries without available source code and to detect stack-based buffer overflows. Additionally, we showcase how the overflow detection can be used to dump debugging information for later analysis. This enables better use of a variety of software security testing methods like fuzzing of wireless protocol implementations or proof-of-concept attack development.
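The abstract describes hooks on function call and return that trace execution and detect stack-based buffer overflows, but does not say which check is used. The following added example (not code from the paper or from the Harzer Roller implementation) simulates one common approach, a shadow copy of the return address that the return hook compares against; the frame layout, the addresses and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

#define MAX_DEPTH 16
#define SDK_PARSE_ADDR 0x40100000u  /* constructed address of the hooked function */

/* Simulated frame: the local buffer sits directly below the saved return address. */
struct frame { uint8_t buf[8]; uint32_t saved_ret; };

static struct { uint32_t callee, ret; } shadow[MAX_DEPTH];  /* written by the call hook */
static uint32_t trace[64];          /* execution trace: callee addresses in call order */
static int depth, traced;
static struct { uint32_t callee, expected, found; } last;   /* kept for later analysis */

/* Call hook: log the callee and remember where it has to return to. */
static void hook_call(uint32_t callee, uint32_t ret)
{
    if (traced < 64) trace[traced++] = callee;
    if (depth < MAX_DEPTH) { shadow[depth].callee = callee; shadow[depth].ret = ret; }
    depth++;                        /* deeper frames are counted but not checked */
}

/* Return hook: 0 if the return address is unchanged, -1 if it was overwritten. */
static int hook_return(uint32_t ret)
{
    if (depth == 0) return -1;                  /* return without a matching call */
    if (--depth >= MAX_DEPTH) return 0;         /* untracked frame */
    if (shadow[depth].ret == ret) return 0;
    last.callee = shadow[depth].callee;
    last.expected = shadow[depth].ret; last.found = ret;
    return -1;
}

/* Simulated closed-source SDK routine with the hooks placed around its body. */
static int sdk_parse(const uint8_t *in, size_t len, uint32_t ret)
{
    struct frame f = { .saved_ret = ret };
    hook_call(SDK_PARSE_ADDR, ret);
    if (len > sizeof f) len = sizeof f;   /* keep the demo inside the simulated frame */
    memcpy(&f, in, len);                  /* modelled bug: no check against sizeof f.buf */
    return hook_return(f.saved_ret);
}

int main(void)
{
    uint8_t bad[12];
    memset(bad, 'A', sizeof bad);         /* constructed over-long input */
    return sdk_parse(bad, sizeof bad, 0x40201234u) == -1 ? 0 : 1;
}
```

After a detection, `last` holds the hooked function, the expected return address and the value found in its place, which is the kind of record a test harness can dump for later analysis.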
There’s nothing much to say about myself: I’ve spent my school years hacking and reverse engineering Pokemon games instead of paying attention in geography, later found out that people actually have hacking competitions where one can capture flags and started participating. Currently I’m pursuing my master’s degree in computer science at TUM and doing what some people apparently call “research” 😉 as a research assistant at Fraunhofer AISEC.