Alexander Bolshev

Advanced microcontrollers firmware exploitation

Duration: 4 days (5hrs each day)

Date: 27th to 30th September 2020


TRAINER

Alexander Bolshev


Overview

This 3-day training is focused on the advanced topics that arise when you reverse engineer and exploit embedded devices based on microcontrollers. The main focus will be real-world tasks and questions that arise when you are performing a security assessment of Harvard-architecture microcontroller firmware. For example, you could find such devices in automotive systems (e.g. inside engine control units or electronic fuel injection subsystems) and smart home systems, input devices (e.g. wireless keyboards), IoT sensors and security access control devices. All of them share the same "feature" -- separate storage and signal pathways for instructions and data, combined with a small memory size. This creates a lot of challenges during reverse engineering and exploit creation, which will be the topics of this course.

Hardware Targets

Microchip/Atmel AVR-based devices including ATmega32U4, ATmega4809 and AT90USB162

Target Audience

  • pentesters who want to learn how to assess and exploit small-memory, Harvard-architecture microcontrollers
  • security researchers
  • embedded developers who want to understand how to discover and fix related vulnerabilities during the development process
  • everyone who wants to learn how hackers may reverse engineer and exploit your product

Topics

  • Warming up: AVR MCUs review, instruction set, reverse engineering
  • How to develop your exploit blindly, without knowing the registers and memory content of the device
  • Exploiting buffer overflows in protocol parsers that receive data from UART
  • Finding vulnerabilities: static and dynamic way, fuzzing and crash detection
  • Gaining more information: debug and I/O points, firmware extraction, debugging interfaces
  • Bootloaders and bootloader vulnerabilities
  • Common weaknesses in USB device stack implementations
  • Reverse engineering and finding flaws in [small-memory, low-power] cryptographic algorithm implementations
  • Attacking CAN-BUS message parsers
  • Reverse engineering and finding flaws in state machines
  • Exfiltrating protected information from EEPROM, firmware or external secure devices
  • Exploitation of home automation protocols parsers

Labs

  • Exploitation of a simple buffer overflow in UART-based protocol packet processing
  • More advanced parser hacking: fuzzing and exploiting a vulnerability in a home automation protocol parser
  • Leaking fuel maps from a simple EFI (electronic fuel injection) controller using weaknesses in CAN-BUS message parsing
  • Extracting firmware using vulnerabilities in a serial bootloader
  • Reverse engineering of a cryptographic algorithm implementation
  • Exploitation of vulnerabilities in USB HID device firmware
  • Attacking a system with an external secure authentication device

Class requirements

  • Understanding of reverse-engineering and basic knowledge of (at least one) assembly language
  • Basic knowledge of IoT and/or embedded systems security
  • Laptop with your favorite disassembler and internet connection

Remote participation (due to the current circumstances)

This training is intended for online (remote) participation. If offline training is not possible, participants will be provided with hardware kits and instructions on how to set up and use them. On the day of training, students will receive information about how to access the online class.

ABOUT THE TRAINER

Alexander is a Senior Security Consultant for F-Secure. He holds a Ph.D. in computer security and his research interests lie in distributed systems, mobile, ICS and embedded systems security. He has presented at various conferences including Black Hat USA/EU/UK/Asia, t2.fi, hardwear.io, ZeroNights, CONFIdence, and S4.