
Tiny Embedded Systems Firmware Reverse Engineering & Exploitation

23rd - 25th September | 3 Days


TRAINERS

Alexander Bolshev & Tao Sauvage


OBJECTIVE

This course is about reversing firmware and exploiting vulnerabilities in tiny microcontrollers (MCUs). There are many microcontroller architectures that differ from the ARM, MIPS and x86 worlds. Most of them are small, low-power, low-frequency, sometimes hard real-time devices. Even if your circuit is based on an ARM CPU, you will definitely find a tiny "old-fashioned" AVR or MSP chip nearby. Temperature control in solid state drives, velocity control in hard disks, motor control in bikes, fieldbus communications in Industrial Control Systems, even compressor control in your new (or old) fridge -- they are everywhere. And you should not underestimate their importance from a security point of view -- sometimes, firmware vulnerabilities there are even more dangerous than in the main CPU itself, because exactly these devices do the real work and interact with the physical world.

Most of these devices have a very small RAM size (sometimes just hundreds of bytes) and/or use a Harvard architecture, which makes exploit writing very difficult. This training is focused on how to deal with that. Attendees will learn basic (plus some advanced) methods of reverse engineering and exploiting firmware in such tiny microcontrollers.

TARGETS

This course mainly targets Microchip/Atmel ATtiny85-based devices; however, the principles taught can also be applied to other architectures. There is also an additional module focused on other architectures, such as STM8, PIC, etc.

TOPICS

  • MCUs basics
  • Pre-exploitation: PCB reversing, locating debug and I/O points, firmware extraction, debugging interfaces, bootloaders.
  • Fuzzing of MCUs, watchdogs, crash detection
  • Firmware reverse engineering
  • Exploiting buffer overflows under the constraints of very small memory size and a Harvard CPU architecture; the main focus will be on buffer overflows in processing data from SPI and I2C buses, USB and ICS fieldbus protocols.
  • Locating and attacking logic flaws in digital data processing
  • Practical attacks against analog signal processing
  • Other architectures: STM8, PIC, 8051 and friends, etc.
  • How to protect your device and firmware

LABS

  • Simple AVR firmware analysis
  • Exploitation of a simple buffer overflow in UART data processing
  • Exploring sources of return-oriented programming gadgets and building various ROP chains
  • Exploitation of vulnerabilities in a custom USB-stack implementation
  • Using logic flaws to circumvent the cyber-physical process
  • Arbitrary waveform generation to fool analog data processing
  • Extracting a flag from a custom "secure" I2C keychain storage device
  • Attacking MCU bootloaders

AUDIENCE

Information security professionals, software developers, embedded device developers, computer security researchers, ICS and electronics engineers, and also anyone who wants to learn how hackers may reverse engineer and exploit their product.

WHAT TO BRING?

  • Laptop with a VM (VirtualBox or VMware) installed and 8 Gb of free disk space.
  • All course tasks can be completed either on simulators or on hardware; if you want to do them on real hardware, please make sure that you have two free USB ports that can be accessed from the virtual machine. Also, please bring one Micro-USB cable.

ABOUT TRAINERS

Alexander is a Security Consultant for IOActive. He holds a Ph.D. in computer security and his research interests lie in distributed systems, mobile, hardware and industrial protocols security. He has presented at conferences including Black Hat USA/EU/UK/Asia, t2.fi, hardwear.io, ZeroNights, CONFIdence, and S4.

Tao is a Sr. Security Consultant for IOActive. He is interested in code review, firmware analysis and embedded systems. He enjoys finding new vulnerabilities and exploiting them. In his spare time he maintains CANToolz, a Python framework for black-box CAN bus analysis.