#RSAC
Embedded Exploitation Party Trick!
SESSION ID: BR-T08
Ang Cui, Ph.D.
Columbia University
Chief Scientist, Red Balloon
Who I am, What I Do
Ang Cui
DR. Ang Cui!
Co-founder,
Chief Scientist
Red Balloon Security
Security Researcher
Great stories start in mid-drama
@ RSA_2014
My friend,
the Avaya ONE-X phone (9608)
ASA-2014-099
RELEASED 2014
Avaya 9608 Vulnerability # 2
Vulnerability Details will not be published until we all…
https://downloads.avaya.com/css/P8/documents/100178648
Avaya 96xx Security Analysis
accidentally found this Exploit
… while trying to exploit another Exploit…
Challenged by Avaya representative at NTSWG briefing on Cisco
Endpoint Exploitation
Challenge (eventually) accepted
Avaya 96xx exploitation process
Initial penetration
Difficult
Nearly zero attack surface without an Avaya environment
Resorted to physical tear-down
20 phone fuzz farm
1 month automated fuzzing
10 GB of crash data
10K+ documented crashes
Ran basic clustering algorithm to determine unique root-causes
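An added example, not from the talk: one simple way to bucket fuzzer crashes by likely root cause and rank the buckets, which is the triage step the slide above names. The crash-record layout, function names and noise-frame list are assumptions, the sample records are constructed, and this is not the clustering algorithm the speaker used.

```python
import re
from collections import defaultdict

# Frames where a fault surfaces but which rarely identify the defect itself.
# This list is an assumption for the example; tune it per target.
NOISE_FRAMES = {"memcpy", "strcpy", "strlen", "abort", "raise", "free"}
OFFSET = re.compile(r"\+0x[0-9a-fA-F]+$")


def signature(signal, backtrace, depth=2):
    """Return (signal, first `depth` non-noise function names), innermost first.

    Instruction offsets are stripped so the same bug hit at slightly different
    addresses lands in one bucket. If every frame is noise, fall back to the
    normalized frames so the crash is still bucketed.
    """
    names = [OFFSET.sub("", frame) for frame in backtrace]
    useful = [n for n in names if n not in NOISE_FRAMES] or names
    return (signal, tuple(useful[:depth]))


def cluster(crashes, depth=2):
    """Group crash case ids by signature."""
    buckets = defaultdict(list)
    for case_id, signal, backtrace in crashes:
        buckets[signature(signal, backtrace, depth)].append(case_id)
    return buckets


def top_buckets(crashes, k=4, depth=2):
    """Return up to k (signature, crash count, representative case id), largest first."""
    ranked = sorted(cluster(crashes, depth).items(),
                    key=lambda item: (-len(item[1]), item[0]))
    return [(sig, len(ids), ids[0]) for sig, ids in ranked[:k]]


def naive_bucket_count(crashes):
    """Number of buckets when grouping only on the raw innermost frame."""
    return len({backtrace[0] for _, _, backtrace in crashes})


# Constructed sample records: (case id, signal, backtrace innermost-first).
SAMPLE_CRASHES = [
    ("c001", "SIGSEGV", ["memcpy+0x1c", "parse_option+0x88", "handle_packet+0x40"]),
    ("c002", "SIGSEGV", ["memcpy+0x20", "parse_option+0x90", "handle_packet+0x40"]),
    ("c003", "SIGSEGV", ["strlen+0x08", "load_settings+0x134", "main_loop+0x5c"]),
    ("c004", "SIGABRT", ["raise+0x30", "abort+0x18", "free+0x64",
                         "close_session+0x2c", "main_loop+0x70"]),
    ("c005", "SIGSEGV", ["memcpy+0x1c", "load_settings+0x1a0", "main_loop+0x5c"]),
    ("c006", "SIGSEGV", ["memcpy+0x1c", "parse_option+0x88", "handle_packet+0x44"]),
]

if __name__ == "__main__":
    for sig, count, representative in top_buckets(SAMPLE_CRASHES):
        print(count, representative, sig)
    print("naive innermost-frame buckets:", naive_bucket_count(SAMPLE_CRASHES))
```

Grouping on the raw innermost frame alone splits one defect across offsets and merges unrelated callers of `memcpy`; the normalized signature avoids both.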
Chose top 4 unique crash cases
All reliably reproducible
Manual analysis for exploitability
p3wn like it’s 1998!
96x1Hupgrade.txt
Hrm -)
Consequence #1
Consequence #2
Consequence #3
Consequence #4
Hacked Once,
Hacked Always
What’s on this slide and why couldn’t I show it?!
Embedded Exploitation Party Trick
Exploitable… with a text editor
I can describe it to you in a single sentence
Someone (not you) can do terrible things to your entire VoIP
infrastructure
Command Injection Vulnerability in Firmware Update Code!
PARTAY TRICK (Demo)
Let’s p3wn together -)
THIS IS YOUR SITUATION
1. Embedded exploitation is not “next level stuff”
It’s “This Level Stuff”
2. Embedded exploitation is cheap
Billions are being spent on research.
Just not the kind that helps you.
3. Embedded exploitation is effective
4. Embedded exploitation is persistent
5. Embedded exploitation has no defense
Embedded Security landscape
Asymmetric Adversarial Dynamic
Which one Are You?
1. You don’t know what software you are running
2. You don’t have the right to look inside the software to find
vulnerabilities
3. You can’t fix the vulnerability even if you know one exists
4. You can update firmware
Firmware Update:
The act of trading known vulnerabilities with unknown ones.
Ang’s Definition of Firmware Update
1. They know what software you are running
2. They look inside your software to find vulnerabilities
3. They can exploit the vulnerabilities that you know about and can’t fix
4. They know you probably don’t update firmware
We need a better game plan.
Here is the distillation of
6 years of my
PhD research at
Columbia University
Sponsored By
My labor of love
219 Pages
Available Soon
Please read!
What we need in practical embedded defense
• Retrofit existing devices with host-based defense
• Retrofit arbitrary devices with the same host-based defense
• Operating System Agnostic host-based defense
And…
• Run defense on RTOS without breaking functionality
• Do it without requiring hardware modification
• Do this without vendor IP / Source Code (just the binary!)
Two Ideas for Embedded Security
1. Universal Host-Based Defense For All Devices: Software Symbiote
2. Automated Attack Surface Reduction and Strong Binary Randomization For All Devices: Autotomic Binary Structure Randomization
Symbiote Structure
Drop in a Defensive Symbiote Payload
UNPACKING ENGINE
* patent pending
Analysis & modification
REPACKED
HTTP, HTTPS LDAP SNMP TELNET PRINT SERVER SSH ETC, ETC RFU Firmware Update Service
Autotomic Binary Structure Randomization
• Automated Attack Surface Reduction
• Automated Non-localized, In-place binary randomization
Autotomic Binary Reduction (ABR) + Binary Structure Randomization (BSR)
Autotomic Binary Reduction
Busybox – ARM - Linux
All but unzip, sha512
51.3% binary reduction.
The short story…
It works!
Srsly, read the papers!
Make Impact
Transfer Technology, Protect What Matters
Today, Symbiote Technology Used In
Civilian Government
Military Infrastructure
Enterprise Appliances
The World’s Most Secure Router
11:15 AM, Wednesday
DHS Science & Technology
Booth 202