Practical Baseband Exploitation

Abstract:

Baseband exploitation is often considered the cream of the offensive security field. In the last decade, only a handful of such exploits were publicly released. As a result, many researchers view the ability to silently achieve code execution on a victim's device by emulating a GSM or LTE base station as a difficult, almost mythical objective.

By the end of the course, students will become familiar with two extremely common baseband platforms, Shannon and Mediatek, gain the skills to debug these and other baseband platforms, and learn about previously discovered bugs in basebands, and how they have been exploited.

Day 1:

1. Introduction to communication processors

• The evolution and challenges of communication systems
• Baseband processors: An architecture overview
• MAC and Network layers
• CP architectures: Broadcom, Qualcomm, MediaTek, Samsung
• Samsung's Baseband chip: Shannon

2. Establishing an environment & getting the code

• Challenges of baseband code extraction
• OpenBTS
• Hands-on:
  • Establishing OpenBTS environment
  • Making phone calls+SMS on the network
  • Extracting the firmware

3. Achieving initial read primitives, basic code analysis

• Bypassing code signing (if enforced)
• AT commands as an attack surface
• Hands-on:
  • Parsing custom firmware headers
  • Identifying functions and symbols in the code
  • Extracting debug strings and getting the logs

4. Debugging

• Conditions for building a debugger
• Make it possible to write code and execute it
• Hooks: understanding our basic framework implementation
• Hands-on:
  • Apply hooks

Day 2:

1. Introduction to GSM and GPRS

• Cellular concept overview
• GSM Network Architecture
• GSM protocols
• GPRS as an enhacement of GSM

2. Relevant GSM and GPRS attack surfaces

• 3G\4G: MITM problem and downgrade attack to 2G
• Working with the specs
• Reverersing the GSM protocol implementation
  • CC protocol
  • IPC mechanisms
• Hands-on:
  • Reverse engineering a CC command parser

3. Reverse engineering the code - methods and tricks

• Hands-on:
  • Deeper code reversing, overcoming hidden obstacles
  • Finding vulnerable code using the debugger and all gained knoweledge

4. Bug hunting - methods, tips and previously discovered bugs (no 0-days!)

5. Exploitation basics - from stack overflow to RCE

Course Agenda

• Introduction to communication processors
• Getting the code
• Bypassing code signing (if enforced)
• Achieving initial read primitives
• Building a debugger
• Introduction to GSM and GPRS
• Relevant GSM and GPRS attack surfaces
• Reverse engineering the code - methods and tricks
• Bug hunting - methods, tips and previously discovered bugs (no 0-days!)
• Exploitation basics

Required knowledge

• C and Python
• Good reverse engineering knowledge
• Recommended: ARM assembly

Bio

Nitay Artenstein is a security researcher in the fields of reverse engineering, exploit development and vulnerability research. His fields of interest include reverse engineering embedded systems and bug hunting in the Linux kernel. For the past five years, he has been working mainly on exploiting Android devices. He suffers from a severe addiction to IDA Pro (at least until radare come up with a decent decompiler), and generally gets a kick out of digging around where he's not supposed to.

Anna Dorfman is a security researcher who’s also a cryptography enthusiast. In her previous roles at Versafe (now F5 networks), Kaspersky Labs and as an independent researcher, she carried out a variety of projects focusing on reverse engineering X86 and ARM, malware research and embedded systems vulnerability research. She gave talks at ReCon, VirusBulletin and other conferences, presenting RE tools and results of recent researches.