Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Agenda
Motivation Introduction to the playing field How to obtain byte code Recognizing basic properties of the byte code Implementing an IDA Pro processor module Calling Conventions Advanced Addressing Modes Reading code you are not supposed to
Motivation General
00000d70h: 00000d80h: 00000d90h: 00000da0h: 00000db0h: 00000dc0h: 00000dd0h: 00000de0h: 00000df0h: 00000e00h: 00000e10h: 00000e20h: 00000e30h: 00000e40h: 00000e50h: 00000e60h: 00000e70h: 00000e80h: 00000e90h: 00 00 00 07 01 41 FF 7E 00 38 00 68 00 00 3C 00 19 54 45 00 00 00 4C 2D 43 B8 42 04 07 09 1C 02 05 00 00 4B 49 00 53 53 00 70 35 02 00 00 41 00 38 FB 00 05 04 0E 03 43 00 49 37 00 0B 60 82 06 10 62 00 07 78 61 50 00 00 70 00 00 4D 5F 00 00 39 FB FB 30 00 00 00 03 00 01 0C 00 25 49 20 41 4C 00 02 A0 78 70 03 02 01 00 78 02 00 00 00 CF 45 00 54 56 68 FB 00 03 07 00 21 FB 00 41 68 A4 4A 88 19 43 D2 49 00 1D 78 40 78 4A 03 C0 79 00 44 2C 00 07 00 4B 00 97 43 00 68 03 00 68 70 21 00 03 FB 02 65 04 01 00 00 00 00 00 00 2C 78 9C 1C 0B A0 62 7A 78 82 00 00 01 00 00 00 00 49 20 41 7E FF 00 00 7E 00 7E 03 FB 01 12 EA 12 00 00 00 45 00 61 43 B8 42 02 42 02 57 7A 70 00 00 08 00 00 00 00 43 2C 00 00 00 02 FB 00 FF 00 7E 07 00 1D 00 03 53 57 00 00 6D 02 98 05 82 78 10 B8 0C 47 52 02 00 00 70 49 45 00 00 00 FB 38 68 68 03 30 00 70 00 70 00 33 06 25 4D 5F 00 00 00 70 09 1D 2D 78 03 0B 0B 0C 0B 00 00 08 CF 41 54 00 ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ; ..SIMATIC.IEC... ..S7_LV... .,m.. ......h.h,Aa..p .Lp...x.x~C.8. .-5`9 .@...h. AC.x.xh..B.h..p.Jp...x.x ~B..0...! ~B..0. ..Ab..!.b.... 8.....y.z~W..p. ..8.....x.z~G.. h.x.xAD.p.Rp. ...a..h,e....... ...P.........3. <.....J........ ............p% .K.p%.K....SIMA TIC.IEC.....WE_T E... .........
Motivation Specific
Frank Boldewin discovered interesting payload functionality within the W32.Stuxnet malware
July 14, 2010*
Everyone started speculating Few started looking at the actual code Within one component, blobs of programmable logic controller (PLC) code were discovered This code needed to get disassembled and analyzed
Waiting for third parties to trickle information through small publications wasnt an option.
* http://www.wilderssecurity.com/showpost.php?p=1712134&postcount=22
Introduction to PLCs
PLCs are essentially programmable input/output controllers
Designed to mirror electrical wiring, to be used by electrical engineers Default access to inputs and outputs is digital, bitwise addressing as sub-address of bytes
The inputs and outputs are usually fed by analog lines through A/D converters
Introduction to PLCs
PLCs are standardized through International Electrotechnical Commission: IEC 61131
The IEC also standardized things like the 19 rack and the VHS video tape ;)
Introduction to PLCs
Introduction to Simatic S7
Programming device Central Processing Unit Load memory Hardware config System data blocks (config data) System memory Process image input table Process image output table Diagnostic buffer Communication buffer Local data stack Block stack Work memory Sequence relevant parts of code blocks Interrupt stack Memory bits Time functions Sequence relevant parts of data blocks Count functions Signal Modules
Inputs Outputs
User program
Symbol table
Four other optional development environments PLC simulation package, including hardware design environment Tools to communicate with PLC over various media
STEP7 Environment
lala
If you can, use hexadecimal representations when writing your test code
It is easier to recognize hexadecimal characters in hex dumps It is also easier to realize they are missing
00000c20h: 00000c30h: 00000c40h: 00000c50h: 00000c60h: 9A 00 00 01 05 F6 1E 7F 00 02 26 30 30 00 05 60 03 03 14 05 03 00 00 00 05 9D 01 7F 00 05 CB 30 30 00 05 0C 03 03 02 00 11 00 00 05 00 4C 7F 7F 02 FE 00 30 30 05 FE 1C 03 03 02 14 00 00 00 05 00 0E 7F 7F 02 FE 00 30 65 05 FE 14 03 00 02 14 ; ; ; ; ; &`. ..L...... ..0...0.. 0.. 0. . 0.. 0.. 0.. e. ................ .........SunKing
You might have noticed: the codes endianess comes out for free
00 00 CB 30 AA 00 00 00 0C 07 AA 02 02 00 11 CA 38 05 00 90 4C FE 07 02 90 00 00 FF FE 05 00 00 1C FF FE 02 00 00 00 38 0B 05 00 00 0E 07 AD 02 70 04 00 AA 65 05 70 97 14 AA 00 02 ; ; ; ; ; ; .......... ...pp ......... ..... N&`. ..L...... ..0.0.8. 8.8..e. ................
00 01 EB 00 AA 01
00 01 4E 1E AA 00
00 01 26 30 38 00
00 08 60 07 07 14
00 00 03 CA AA 00
00 01 9D FE AA 00
Pre-processing
38 Assemble 38 38 38 38
07 07 07 07 07
00 00 00 00 00
01 02 03 04 05
AA AA AA AA AA
AA AA AA AA AA
00 FF 68 68
00 FF 1D 1C
How To Document
Document your discoveries
The code of your disassembler is not documentation! Only an independently documented instruction set allows you to separate wrong mappings from implementation bugs.
A (n indicates NOT)
Discovering Ranges
Many instructions take arguments in ranges
Immediate operands Numbered registers Date and Time formats Addresses Offsets
Discovering Ranges
Arguments = ( I 0.0, I 0.7, I 32.0, I 128.7... ...Q 0.0, Q 0.7, Q 32.0, Q 128.7... Instructions = ( A $arg, O $arg, X $arg, ... A A A ... O O ... I 0.0 I 0.7 I 32.0 I 0.0 I 0.7
Requirement to produce interface formats for other tools Lack of other functionality (e.g. code flow tracing)
out: Executed when IDA wants to create a textual representation for the instruction outop: Executed when IDA wants to create the textual representation of an operand to the instruction ana: Executed to decode an instruction
IDA does not give you an index or address of the bytes to decode, only functions to say get next byte/word/etc.
Due to the callback design and the requirements to use IDAs structures, it quickly becomes hard to manage
Warning: The choice of types and values within those structures influences significantly how the IDA kernel will handle your disassembly
Intermission: Writing IDA Processor Modules Endianess is a surprisingly big issues with IDA
There is a (not very well documented) structure called inf, and inf.mf sets the endianess
inf.mf = 0 is big endian inf.mf = 1 is little endian
Setting the endianess this way doesnt help when reading data > 8 Bit during instruction decoding
Hint: write yourself functions to read anything bigger than a byte, you should know the endianess
Instance Data Blocks (DI) are assigned to FBs that transfer parameters. There is one instance per FB call in the user program.
Think of them as objects of a class.
When inspecting the byte code for a CALL to FB instruction, a surprising amount of code shows
00000c30h: 00000c40h: 00000c50h: 00000c60h: 00 FB 7E FB 3A 79 55 7C 38 00 00 10 07 01 01 04 00 FE FE 38 01 6F 0B 07 AA 00 84 00 AA 14 00 02 10 68 00 AA 03 1C 00 AA 41 41 75 65 60 50 01 00 00 00 FE 01 18 00 6B 00 FB 28 00 00 7C 02 14 14
When you encounter a large block of emitted byte code, its safest to assume macro operations
+4 DW#16#2AAAAh
Here, the compiler generates a temporary local pointer that is passed as the SFC
This pointer will never be visible in the development environment
All instruction sizes and addressing modes supported Error free disassemblies (AFAIK)
Completely identical code to all published snippets of the STUXNET PLC blocks
Reading STUXNET
5: Reset internal values and reinitialize internal data structures 0: Error handler
ADD_AC:
OPN DB888 The STUXNET Machine L DBW10h // wordState 888.16 L W#16#3 <I
// word 3 // ACCU2 is less than ACCU1 // 3 STUXNET > 888.16 It was quickly apparent that uses an internal state JC loc_2840 // jump if RLO=1 (DW888.16 < 3) machine // (do not jump if DW888.16 is 3 or more) // exchange ACCU1 and is ACCU2 TheTAK widely published 0xDEADF007 magic value actually only L W#16#4 returned in state 3 and 4 // ACCU1 = 4 >I // ACCU2 is greater than ACCU1 The states are now known as: // 4 < 888.16 JC loc_2840 // jumpand if monitor RLO=1 (DW888.16 4 VFD, ) 1: Record frames via DP_RECV values of > the until // (do not jump if DW888.16 is 4 or less) enough events are recorded L DW#16#0DEADF007h 2: Wait PUSH2 hours // copy ACCU1 into ACCU2 3/4:BE Send bursts of Profibus frames to the VFDs, instructing them to
loc_2840:
5: Reset internal values and reinitialize internal data structures L DW#16#0 PUSH handler // copy ACCU1 into ACCU2 0: Error
BE
However, there are only 31 BLD instruction pairs for 152 FC calls within Block C of STUXNET
BLD +7
Call SFC46
+8 LW0
SAV_MOVB
RD_SK GET_ST NA_ME MAIN RD_PH DONE NR_DT SB_DT_NM RND_OP UP_STRNG IS_OP ROD_NM CO_DAT PRM_DT AVERGE
18:54:39
18:55:01 18:55:22 18:55:44 18:56:06 18:56:27 18:56:49 18:57:11 18:57:13 18:57:15 18:57:17 18:57:19 18:57:21 18:57:23 18:57:25 18:57:26
AFL_OP
CALC DUMP_DT MOD_NM RD_ST IO_ST LGC_OP INIT AD_OP TMR_DB
18:57:29
18:57:31 18:57:33 18:57:34 18:57:36 18:57:39 18:57:40 18:57:42 18:57:44 18:57:47
STUXNET Notes
This holds especially true if you pile a lot of exploits on top of each other
And you dont want to be noticed
And the authors havent actually tested the effectiveness of the PLC process attack yet
For which they need something like the target Would you build an expensive guided missile without ever testing the warhead?
Common estimates of 0day-burn-rates were significantly too low It was clear ICS infections would work
We underestimated how easy it is We underestimated how well it can be done
If you havent started funding and training an offensive development team 10 years ago, you are lacking an entire generation of digital weaponry
Thank You!
Felix FX Lindner
Head fx@recurity-labs.com