Vulnerability research in embedded systems relies either on emulation or on physical devices. As hardware can be costly and difficult to obtain, emulation is an appealing option; however, access to emulation tools faces its own challenges. Before attempting to emulate a device, much key knowledge about the target must be acquired. Furthermore, vendors create software components in tandem with hardware, so achieving a viable level of emulation can be quite difficult.
While some tools exist that assist researchers in emulating firmware, these tools are mostly related to more recent hardware. There are plenty of embedded devices still in use that are ten or more years old, and the tools necessary to emulate such hardware are usually unavailable or simply don't exist. Our research focuses on devices based on Windows CE 6, an aging operating system widely used by embedded systems including industrial and medical devices.
We propose two methods to enable full emulation of any given Windows CE 6 device. First, we demonstrate a case of emulation in which we use binary patching, including patching of the kernel drivers in the device's image. While successful for a specific device, this method is laborious and impractical, as there is much variation between devices. We therefore propose a second method: "Static Reconstruction of Relocation Information for Stripped Windows Binaries". This allows researchers to run any given CE6 binaries, extracted from any image, in an environment over which they have full control.
In this talk, we will also show how our emulation method allows us to transplant any given kernel-mode binaries into our controlled environment. We will also show how we can use this method to our advantage, transplanting a specific vendor's HMI runtime, together with its own drivers, into our environment, allowing us to study this HMI in depth without its hardware.
Ta-Lun Yen is an independent researcher with interests in reverse engineering, protocol analysis, wireless security, and embedded & IoT/ICS device security. He has been a member of the Taiwanese InfoSec community "UCCU Hacker" and has presented at various conferences and events including HITCON, Black Hat, and CODE BLUE. He joined Trend Micro (TXOne Networks) in 2019 with a focus on offensive security.