a firmware analysis tour with avatar in 7 minutes · a firmware analysis tour with avatar in 7...

A firmware analysis tour with Avatar in 7 minutes

(maybe)

Aurélien Francillon, Eurecom

Cryptacus Meeting, 6 Nov 2016

HDD backdoor

● How bad would be a compromised hard disk firmware?– Is this a realistic threat model ?

● We reverse engineered and backdoored an HDD– ~10 person-month effort– Without any privileged information– No significant performance overhead

● Data-exfiltration backdoor– No cooperation from host– Stealthy

«Implementation and Implications of a Stealth Hard-Drive Backdoor»

J. Zaddach, et. al., ACSAC 2013

IRATEMONK ?

11/23/16 - - p 5

Lesson learnt

● How could we analyze a firmware to find backdoors?

● Performing security analysis of embedded systems is very challenging !

– Very hard to analyze the disk

– Static v/s Dynamic analysis

– 20 Mbytes of statically linked code, without symbols

=> We need to develop new methodologies and tools for dynamic security analysis of embedded systems

Avatar project and goals

● We need tools and methodologies to analyze large firmware code– Find vulnerabilities– Verify functionality– Reverse engineering– Security testing

« Avatar: A Framework to Support Dynamic Security Analysis of Embedded Systems' Firmwares » J. Zaddach, L. Bruno, A. Francillon, D. Balzarotti, NDSS 2014

Security evaluation tools

Techniques that are typically used on a PCAdvanced debugging techniques◦Tracing◦Fuzzing◦Tainting◦Symbolic Execution

Integrated tools◦ IDA Pro◦GDB◦Eclipse

A device of devices

A device of devicesCPU

A device of devices

ModemUSB

EthernetWIFI

LEDsButtons

A device of devices

USBEthernet

LEDsButtons

IRQ Controller

MemoryController

Timers

BUS Controller

Challenges

● Advanced dynamic analysis needs emulation

● Emulating a firmware requires not only instruction set emulation but also peripheral emulation

● But peripherals often unknown, interact with the physical world and other embedded devices...

Avatar goal

Firmware

Physical embedded device Emulator

Avatar goal

Firmware

Physical embedded device Emulator

Avatar

● Orchestrate execution between emulator and device– Currently S2E, a symbolic execution engine for

binary code, is used as the emulator

● Forward peripheral accesses to the device under analysis

● Do not attempt to emulate peripherals– No documentation– Reverse engineering is difficult

EmulatorEmulator

. . .mov r2, r0mov r3, r1add r3, r3, #1ldr r2, [r2, #0]cmp r2, r3 . . .

DeviceDevice

In-memory stub

MemoryRegistersCPU state

DeviceDevice

In-memory stub

AvatarAvatar

Analysis scriptAnalysis script

pluginsAnalysis plugins

Avatar overview

EmulatorEmulator

DeviceDevice

In-memory stub

DeviceDevice

In-memory stub

AvatarAvatar

Avatar overview

EmulatorEmulator

DeviceDevice

In-memory stub

DeviceDevice

In-memory stub

AvatarAvatar

EmulatorEmulator

DeviceDevice

In-memory stub

DeviceDevice

In-memory stub

AvatarAvatar

Avatar overview

EmulatorEmulator

DeviceDevice

In-memory stub

DeviceDevice

In-memory stub

AvatarAvatar

Avatar overview

EmulatorEmulator

DeviceDevice

In-memory stub

DeviceDevice

In-memory stub

AvatarAvatar

Avatar overview

EmulatorEmulator

DeviceDevice

In-memory stub

DeviceDevice

In-memory stub

AvatarAvatar

pluginsAnalysis plugins IRQ

Avatar overview

EmulatorEmulator

DeviceDevice

In-memory stub

DeviceDevice

In-memory stub

AvatarAvatar

Avatar overview

EmulatorEmulator

DeviceDevice

In-memory stub

DeviceDevice

In-memory stub

AvatarAvatar

Avatar overview

Bottlenecks

• Emulated execution is much slower than execution on the real device

– Memory accesses pass through low-bandwidth debug link

• IRQs can saturate debug link

Improving performance

• Transfer state/execution– From the device to the emulator– From the emulator to the device

Emulator DeviceStateState StateState

Memory

AvatarRegister

StateState

11/23/16 29

Emulator DeviceStateStateAvatar

Memory

Register

Full separation mode

Emulator Device

StateState

Register

StateState

Memory

Avatar

Memory access optimization

Emulator Device

StateState

Register

Memory

StateState

IO Memory

Avatar

Avatar in more details

Use cases

GSM phone

Hard disk drive

EconoTag (Zigbee sensor mote)

Avatar Summary Enables to perform some analysis that were impossible before:

● Selective symbolic/concolic execution, analysis on whole system analysis, from (partial) binary code, reverse engineering framework, tracing …

Is a versatile, Open Source platform● http://s3.eurecom.fr/tools/avatar/

We are currently using it to analyze many different devices● Have a device to analyze? Come for a STEM

Under active development, currently extending it to ● support other analysis frameworks (Angr, Panda, klee, mixed

analysis…)● Better interaction with hardware (fast custom USB3 dongle)

« Avatar: A Framework to Support Dynamic Security Analysis of Embedded Systems' Firmwares » J. Zaddach, L. Bruno, A. Francillon, D. Balzarotti, NDSS 2014

People involved

Davide Balzarotti

Students projects:Luka Malisa (initial experiments) Kjell Braden (Avatar MMU Support)

Luca Bruno(fuzzer, Avatar)

Sandeep Nuckchady

Jonas ZadachLucian Cojocar (VU Amsterdam)

a firmware analysis tour with avatar in 7 minutes · a firmware analysis tour with avatar in 7...

Documents

avatar (2009)

my avatar will contact your avatar

avatar presentation

target audience avatar template - conversion advantage ·...

region one avatar data all avatar artifacts :

avatar zentai

avatar -el_cambio_es_personal

avatar... excelente

improving embedded security with s²e, klee and...

santa cruz health - logging into avatar · web viewsanta...

avatar everyone - avatar photoshop

materurbiums avatar

avatar _based_marketing.ppt

avatar culture: cross-cultural evaluations of avatar

avatar powerpoint

avatar scenes

avatar iii -...

avatar 8790fr

avatar history

avatar technology