Sei sulla pagina 1di 29

TheAvatarproject:

Improvingembeddedsecuritywith
SE,KLEEandQemu

http://www.s3.eurecom.fr/tools/avatar/

Luca Bruno <lucab@debian.org>,


J. Zaddach, A. Francillon, D. Balzarotti

About us
Eurecom,aconsortiumofEuropeanuniversitiesin
Frenchriviera
Securityresearchgroup
9people
Appliedsystemsecurity
Embeddedsystems
Networkingdevices
Criticalinfrastructures
02/02/2014

Outline
Embeddedsecurity
Avataroverview
Frameworkcomponents
Fieldtesting
Conclusions

02/02/2014

Software everywhere
Embeddeddevicesarediversebutallofthem
runsoftware

02/02/2014

Reasons for embedded security


Embeddeddevicesareubiquitous
Evenifnotvisible,yourlivesdependonthem

Canoperateformanyyears
Legacysystems,no(security)updates

Havelargeattacksurfaces
Networking,forgottendebuginterfaces,etc.

Sometimetooeasytotakeover/backdoor
02/02/2014

Challenges in embedded security


Nosourcecodeavailable

Oftenmonolithicbinaryonlyfirmwares

Notoolchainavailable
Nodocumentationavailable
Uniquetools(toflashanddebug)for
eachmanufacturer
02/02/2014

Wishlist for security evaluation


TypicalPCsecuritytoolbox

Advanceddebuggingtechniques
Tracing
Fuzzing
SymbolicExecution
Tainting

Integratedtools

>0

C
<8
D

0<x<8

IDAPro
GDB
Netzob
02/02/2014

Outline
Embeddedsecurity
Avataroverview
Frameworkcomponents
Fieldtesting
Conclusions

02/02/2014

Why Avatar
Provideaframeworkfor

Invivoanalysisofanykindofdevice

Advanceddebugging

Easyprototyping

Integratedworkbench
Tousealltechniquestogetheronalivesystem

Notonlyfocusedonsecurity
Debugging/profiling/tracingishardinembedded
environments
02/02/2014

Avatar: basics
Emulateembeddeddevicesfirmwares
Forwardperipheralaccessestothe
deviceunderanalysis
DoNOTattempttoemulateperipherals
Nodocumentation
Reverseengineeringisdifficult

02/02/2014

10

Avatar overview
Avatar
Emulator
Backend

Emulator

Target
Backend

Proxy

read/write memory
...
mov r2, r0
mov r3, r1
add r3, r3, #1
add r2, ip, r2
ldr
r2, [r2], #0
cmp r2, r3
...

read/write memory
value

value

interrupt

Firmware
Plugins

02/02/2014

interrupt

Embedded
device

11

Avoid NIH syndrome


SE(Qemu+Klee)
foremulationandsymbolicexecution

GDBandOpenOCD
toattachcomponentsanddevices

Yourowntoolsforanalysis

IDAPro,Capstone,Netzob...

02/02/2014

12

Outline
Embeddedsecurity
Avataroverview
Frameworkcomponents
Fieldtesting
Conclusions

02/02/2014

13

LLVM under the hood


SEcombinesexistingtoolstoachieve
symbolicexecutionofx86/ARMbinary
code
Qemutranslatesbinarycodetoan
intermediaterepresentation(TCG)
QEMULLVMtranslatesTCGtoLLVM
bytecode
KLEEexecutesLLVMbytecodesymbolically
02/02/2014

14

SE in a nutshell
Emulator

Avatar

TCG

Qemu
frontend
Qemu
executer

LLVM
SE
hooks

VM state

Registers

CPU state

Memory

02/02/2014

KLEE

Symbolic
states

Qemu
config
Qemu
GDB
SE
QMP/Lua
RemoteMem
plugin

15

Python3 framework
Analysis script

Avatar

Emulator

Config
writer

GDB/MI
adapter

GDB
interface

BinProto
adapter

QMP/Lua
interface
Memory
forwarder

02/02/2014

Target

Emulator
backend

Analysis
Plugins

Target
backend

Telnet
adapter
GDB
adapter

16

Analysis platform
Avatarprovidesanalysisglue

Orchestrateexecution

Bridgebetweenemulatordevice

Intercept/manipulatememoryaccesses

Externalintegration,exposingGDBor
JSONinterfaces

02/02/2014

17

Embedded target
Avatar

Target device
UART

In-memory
stub

Open
OCD

Target state

Registers

CPU state

Memory

JTAG

02/02/2014

18

Target communication
Eitheradebugginginterface
JTAG
DebugSerialInterface

Orcodeinjectionandacommunication
channel
GDBStub+SerialPort

02/02/2014

19

Outline
Embeddedsecurity
Avataroverview
Frameworkcomponents
Fieldtesting
Conclusions

02/02/2014

20

Usecases
CheckforhiddenbackdoorsinHDDfirmware
Fuzzing/symbolicexecutionofSMSdecodingon
featurephone
Vulnerabilitiescheckonprogrammablewireless
sensors

02/02/2014

21

Bottlenecks
Emulatedexecutionismuchslowerthan
executionontherealdevice
Memoryaccessforwardingthroughlow
bandwidthchannelisthebottleneck
Inonecasedownto~10instr./sec.
Interruptsaretricky,canoverwhelmemulation

02/02/2014

22

Improving performance
PointofInterestisoftenfardowninthefirmware

AlargepartofforwardedaccessesaretononIO
memory

Trapexecutionondeviceandtransferstatetothe
emulator

DetectanddropforwardingfornonIOmemory
regions(stack,heapandcodeintheemulator)

Highperiodicityinterruptscanbesynthesizedto
avoidsaturation
02/02/2014

23

Outline
Embeddedsecurity
Avataroverview
Frameworkcomponents
Fieldtesting
Conclusions

02/02/2014

24

Limitations
Stateconsistency
DMAmemorychangesnottracked

Timingconsistency
Emulatedexecutiontimemuchslowerthanreal
executiontime

Symbolicexecution
CoherencybetweenHWandSW

Bugfindingstrategiestobeimproved
02/02/2014

25

Recap
Avatarisatoolto

Enabledynamicanalysis

Andperformsymbolicexecution

Onembeddeddevices

Whereonlybinarycodeisavailable

02/02/2014

26

Questions?
Thankyouforlistening!

ThankstoPascalSachsandLukaMalisawhobuiltanearlierprototypeofthe
system,andLucianCojocarforcontributions

02/02/2014

27

References

AVATARwebpage:http://www.s3.eurecom.fr/tools/avatar/

AVATAR:AFrameworktoSupportDynamicSecurityAnalysisofEmbeddedSystems'Firmwares,

JonasZaddach,LucaBruno,AurelienFrancillon,DavideBalzarotti

Howard:adynamicexcavatorforreverseengineeringdatastructures,AsiaSlowinska,
TraianStancescu,HerbertBos

KLEEwebpage:http://ccadar.github.io/klee/

S2Ewebpage:https://s2e.epfl.ch/

S2E:APlatformforInVivoMultiPathAnalysisofSoftwareSystems,VitalyChipounov,
VolodymyrKuznetsov,GeorgeCandea

TheS2EPlatform:Design,Implementation,andApplications,VitalyChipounov,Volodymyr
Kuznetsov,GeorgeCandea

QEMUwebpage:http://qemu.org

DowsingforOverows:AGuidedFuzzertoFindBufferBoundaryViolations,IstvanHaller,
AsiaSlowinska,MatthiasNeugschwandtner,HerbertBos

02/02/2014

28

Extra: GDB stub


GDBcanconnecttotargetsusingaserial
interfaceandasimpleprotocol
Thereisastubimplementationinthesource
codetree,butnotforARManditsbloated(for
ourpurposes)
6primitivesareenoughtogivedebugging
supportwithsoftwarebreakpoints:
Readbytes,writebytes,readregisters,writeregisters,
continueandgetsignal
02/02/2014

29