- Webinar |
- Netherlands 2024 |
- USA 2024 |
- Netherlands 2023 |
- USA 2023 |
- Netherlands 2022 |
- USA 2022 |
- Netherlands 2021 |
- USA 2021 |
- Germany 2021 |
- Berlin 2021 |
- Netherlands 2020 |
- Virtual Con 2020 |
- Berlin 2020 |
- Netherlands 2019 |
- USA 2019 |
- Berlin 2019 |
- Netherlands 2018 |
- Berlin 2018 |
- Netherlands 2017 |
- Netherlands 2016 |
- Netherlands 2015
Tiny Embedded Systems Firmware Reverse Engineering & Exploitation
23rd - 25th September | 3 Days
TRAINERS
Alexander Bolshev & Tao Sauvage
OBJECTIVE
This course is about reversing firmwares and exploiting vulnerabilities in tiny microcontrollers (MCUs). There are many other microcontroller architectures that differ from ARM, MIPS and x86 worlds. Most of them are small, low-power, low-frequency, sometimes hard real time devices. Even if your circuit based on ARM CPU, you will definitely find the tiny "old-fashioned" AVR or MSP chip nearby. Temperature control in Solid State Drives, velocity control in hard disks, motor control in bikes, fieldbus communications in Industrial Control Systems, even compressor control in your new(or old) fridge -- they are totally everywhere. And you should not underestimate the importance of them from security point of view -- sometimes, firmware vulnerabilities there are even dangerous than in main CPU itself, because exactly these devices doing real job and interacting physical world.
Most of these devices have very small RAM size (sometimes just hundreds of bytes) and/or using Harvard architecture, which makes exploit writing very difficult. This training is focused on how to deal with it. Attendees will learn basic (plus some advanced) methods of reverse-engineering and exploitation firmwares in such tiny microcontrollers.
TARGETS
This course mainly targets Microchip/Atmel ATtiny85-based devices, however the principles that will be given, could be used with other architectures. Also, there is additional module focused on other architectures, like STM8, PIC, etc.
TOPICS
- MCUs basics
- Pre-exploitation: PCB reversing, locating debug and I/O points, firmware extraction, debugging interfaces, bootloaders.
- Fuzzing of MCUs, watchdogs, crash detection
- Firmware reverse engineering
- Exploiting buffer overflows in the circumstances of very small memory size and harvard CPU architecture; main focus will be on buffer overflows in processing data from SPI, I2C buses, USB and ICS fieldbus protocols.
- Locating and attacking logic flaws in digital data processing
- Practical attacks against analog signal processing
- Other architectures: STM8, PIC, 8051 and friends, e.t.c.
- How to protect your device and firmware
LABS
- Simple AVR firmware analysis
- Exploitation of simple buffer overflow in UART data processing
- Exploring Return-oriented programming gadgets sources and building various ROP chains
- Exploitation of vulnerabilities in custom USB-stack implementation
- Using logic flaws to circumvent the cyber-physical process.
- Arbitrary waveform generating to fool analog data processing.
- Extracting flag from a custom "secure" I2C keychain storage device.
- Attacking MCU bootloaders.
AUDIENCE
Information security professionals, software developers, embedded device developers, computer security researchers, ICS and electronic engineers and also everyone who wants to learn how hackers may reverse engineer and exploit your product.
WHAT TO BRING?
- Laptop with VM (VirtualBox or VMWare) installed and 8 Gb of free disk space.
- All course tasks will be available on simulators and using hardware; if you want to do them on real hardware, please be sure that you have two free USB ports that could be accessed from the virtual machine. Also, please bring one MicroUSB cable.
ABOUT TRAINERS
Alexander is a Security Consultant for IOActive. He holds a Ph.D. in computer security and his research interests lie in distributed systems, mobile, hardware and industrial protocols security. He has presented at conferences including Black Hat USA/EU/UK/Asia, t2.fi, hardwear.io, ZeroNights, CONFIdence, and S4.
Tao is a Sr. Security Consultant for IOActive. He is interested in code review, firmware analysis and embedded systems. He enjoys finding new vulnerabilities and exploiting them. He maintains CANToolz in his spare time, a python framework for black-box CAN bus analysis.
