Note: To ensure that all training kits are delivered to the attendees before the start of the trainings, we encourage everyone to register for Advanced Microcontrollers Firmware Exploitation before Wednesday, 13th Jan 2021. After this day, we cannot ensure that all kits are delivered in time.

Overview

This 4-day training is focused on the advanced topics that arise when you reverse engineer and exploit embedded devices based on the microcontrollers. The main focus will be real-world tasks and questions that could be met when you are performing a security assessment of Harvard-architecture microcontroller firmware. For example, you could find such devices in automotive (e.g. inside engine control units or electronic fuel injections subsystems) and smart home systems, input devices (e.g. wireless keyboards), IoT sensors and security access control devices. All of them share the same "feature" -- separate storage and signal pathways for instructions and data combined with small memory size. This creates a lot of challenges during reverse engineering and exploit creation, which will be the topics for this course.

Hardware Targets

Microchip/Atmel AVR-based devices including ATmega328p, Atmega32U4 and ATmega4809.

Target Audience

• pentesters who want to learn how to assess and exploit small-memory size and Harvard-architecture microcontrollers
• security researchers
• embedded developers who want to understand how to discover and fix related vulnerabilities during development process.
• everyone who wants to learn how hackers may reverse engineer and exploit your product.

Topics

• Warming up: AVR MCUs review, instruction set, reverse engineering
• How to develop your exploit blindly, without knowing registers and memory content of the device
• Exploiting buffer overflows in protocol parsers that receive data from UART
• Finding vulnerabilities: static and dynamic way, fuzzing and crash detection
• Gaining more information: debug and I/O points, firmware extraction, debugging interfaces
• Bootloaders and bootloader vulnerabilities
• Reverse engineering and finding flaws in [small-memory sized, low power] cryptographic algorithms impementation
• Attacking CAN-BUS message parsers
• Reverse engineering and finding flaws in state machines
• Exfiltrating protected information from EEPROM, firmware or external secure devices
• Exploitation of home automation protocols parsers

Labs

• Exploitation of simple buffer overflow in UART-based protocol packet processing
• More advanced parsers hacking: fuzzing and exploiting vulnerabilities in home automation protocol parser
• Reverse engineering of cryptographic algorithm implementation
• Attacking a system with external secure authentication device
• Extracting firmware using vulnerabilities in a serial bootloader
• Leaking fuel maps from a simple EFI (electronic fuel injection) controller using weaknessed in CAN-BUS message parsing

Class requirements

• Understanding of reverse-engineering and basic knowledge of (at least one) assembly language
• Basic knowledge of IoT and/or embedded systems security
• Laptop with your favorite disassembler and internet connection
• Remote participation (due to the current circumstances)

This training is intended for online (remote) participation. If it will not be possible to carry on offline training, participants will be provided with hardware kits and instructions on how to setup / use them. On the day of training, students will receive information about how to access online class.

ABOUT THE TRAINER

Alexander is a Senior Security Consultant for F-Secure. He holds a Ph.D. in computer security and his research interests lie in distributed systems, mobile, ICS and embedded systems security. He has presented at various conferences including Black Hat USA/EU/UK/Asia, t2.fi, hardwear.io, ZeroNights, CONFIdence, and S4.

Tao is a Sr. Security Engineer at Anvil Ventures. He is interested in web, mobile, code review, firmware analysis and embedded systems. During his spare time, he enjoys bug hunting and co-maintains CANToolz, a python framework for black-box CAN bus analysis.