UC Santa Barbara
Finding Vulnerabilities in Embedded Software
Christopher Kruegel UC Santa Barbara
What are we talking about?
1. firmware and security
2. binary vulnerability analysis
3. vulnerability models
4. automation
Blend between real and virtual worlds
• Embedded software is everywhere – captured through many buzzwords
  – pervasive, ubiquitous computing
  – Internet of Things (IoT)
  – sensors and actuators
The “Internet of Things”
Increase in Lines of Code
Security Challenges
• Quantity has a quality all its own
• Vulnerability analysis
  – binary blobs (binary only, no OS or library abstractions)
  – software deeply connected with hardware
• Patch management
  – devices must be cheap
  – vendors might be long gone
Security Challenges (continued)
• Remote accessibility
  – device authentication
  – access control (e.g., a pacemaker during an emergency)
  – stepping stone into the inside of the perimeter
• Additional vulnerability surface
  – attacks launched from the physical world
  – supply chain attacks
• Getting access to the firmware
BINARY VULNERABILITY ANALYSIS
Binary Analysis
(Diagram: a spectrum from source code, which carries type information, control flow and symbols, down to binary code, which is only ones and zeroes.)
• Binary code is the worst-case, common-denominator scenario: no source, no types, no symbols, only the bytes
Symbolic Execution
"How do I trigger path X or condition Y?"
• Dynamic analysis – Input A? No. Input B? No. Input C? …
  – based on concrete inputs to the application
• (Concrete) static analysis – "You can't" / "You might be able to"
  – based on various static techniques
• We need something slightly different
Symbolic Execution
"How do I trigger path X or condition Y?"
• Interpret the application, keeping input values abstract (symbolic)
• Track "constraints" on variables
• When a condition is triggered, "concretize" to obtain a possible input
Symbolic Execution - Example

```python
# vulnerable_code(), func_a() and func_b() are defined elsewhere;
# the question is which input reaches vulnerable_code().
x = int(input())
if x >= 10:
    if x < 100:
        vulnerable_code()
    else:
        func_a()
else:
    func_b()
```
Symbolic Execution - Example (state exploration)

The same program, interpreted symbolically. Every state carries the symbolic variables and the path constraints collected so far; at each branch the state forks.

State A (entry)
  Variables: x = ???
  Constraints: (none)

Branch on `x >= 10`, forking State A:
  State AA: x = ???, constraints: x < 10 (reaches func_b)
  State AB: x = ???, constraints: x >= 10

Branch on `x < 100`, forking State AB:
  State ABA: x = ???, constraints: x >= 10, x < 100 (reaches vulnerable_code)
  State ABB: x = ???, constraints: x >= 10, x >= 100 (reaches func_a)

Concretize State ABA by asking the solver for any x that satisfies x >= 10 and x < 100:
  Concretized ABA: x = 99
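The exploration above, as an added example that is not code from the slides or from angr: a minimal forking symbolic executor for programs built from nested if/else on one integer input. The program representation, the interval-narrowing "solver" (which is complete only for constraints of the form `x <op> constant`) and the preference for the largest satisfying value are assumptions of this example.

```python
"""Minimal forking symbolic execution for one-input integer programs.
Added example; not angr code.  Program shape (an assumption of this example):
    ("if", (op, const), then_branch, else_branch)  |  ("call", name)
"""

# The slide's program in that shape.
PROGRAM = ("if", (">=", 10),
           ("if", ("<", 100), ("call", "vulnerable_code"), ("call", "func_a")),
           ("call", "func_b"))

# Negation of each comparison, used for the else branch.
NEGATE = {">=": "<", "<": ">=", ">": "<=", "<=": ">", "==": "!=", "!=": "=="}

def explore(node, constraints=()):
    """Fork at every branch; yield (leaf_name, path_constraints) per path."""
    if node[0] == "call":
        yield node[1], list(constraints)
        return
    _, (op, const), then_b, else_b = node
    yield from explore(then_b, constraints + ((op, const),))
    yield from explore(else_b, constraints + ((NEGATE[op], const),))

def solve(constraints, lo=-2**31, hi=2**31 - 1):
    """Concretize: narrow the integer interval [lo, hi] by every constraint
    and return one model (the largest value, like the slide's x = 99), or
    None if the path constraint is unsatisfiable."""
    excluded = set()
    for op, c in constraints:
        if op == ">=":
            lo = max(lo, c)
        elif op == ">":
            lo = max(lo, c + 1)
        elif op == "<":
            hi = min(hi, c - 1)
        elif op == "<=":
            hi = min(hi, c)
        elif op == "==":
            lo, hi = max(lo, c), min(hi, c)
        elif op == "!=":
            excluded.add(c)
    x = hi
    while x >= lo and x in excluded:
        x -= 1
    return x if x >= lo else None

def find_inputs(program=PROGRAM):
    """Map each reachable leaf to (path constraints, concrete input).
    If a leaf is reachable on several paths, the last one explored wins."""
    return {leaf: (cons, solve(cons)) for leaf, cons in explore(program)}

if __name__ == "__main__":
    for leaf, (cons, x) in find_inputs().items():
        print(f"{leaf:16s} constraints={cons}  input x={x}")
```

Each leaf comes back with the constraints that reach it and a satisfying input; a leaf whose constraints narrow the interval to nothing is reported as unreachable (`None`), which is the "You can't" answer static analysis gives, now with a witness when the answer is "you can".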
Symbolic Execution - Pros and Cons
Pros
• Precise
• No false positives – with a correct environment model
• Produces directly-actionable inputs
Cons
• Not easily scalable
  – constraint solving is NP-complete
  – state and path explosion
angr
Framework for the analysis of binaries, developed at UCSB
angr Components
• Binary Loader
• Static Analysis Routines – Control-Flow Graph, Data-Flow Analysis, Value-Set Analysis
• Symbolic Execution Engine – Forward Symbolic Execution, Under-constrained SE
angr Platform
Open Source Analysis Platform
• More than 100K LOC
• More than 10K commits
• More than 30K downloads in 2017
• 1,600+ stars on GitHub
• Users in industry, academia, government
angr - Challenges and Goals
• Scalability
• Precision
• New Models of Malice
Ability to compose different analyses is very powerful
Symbolic Execution Improvements
• Fastpath and adaptive concretization
  – when possible, analyze parts of the code non-symbolically
• Peephole optimization
  – replace code snippets that blow up symbolic execution
• Lazy constraint solving
  – sometimes, waiting to add more constraints makes solving easier
(Bar charts comparing Base and Optimized Core; y-axes in percent.)
Constraint Solver Optimizations
• Solution caching – don't run the solver on the same constraints multiple times
• Constraint subset management – break up hard constraints into independent subparts and solve them separately
• Expression simplification – simplify constraints before submitting them to the solver
• Expression rewriting
(Bar chart; y-axis in percent, 0–12%.)
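Two of the solver front-end optimizations above, constraint subset management and solution caching, as an added example that is not angr or claripy code. The backend "solver" is a brute-force enumerator over a small integer domain, an assumption made so the example runs offline; angr puts the same two layers in front of Z3. The `Constraint` class and the sample constraints are constructed for the example.

```python
"""Constraint subset management + solution caching in front of a dumb solver.
Added example; not angr/claripy code."""
from collections import defaultdict
from itertools import product

DOMAIN = range(16)   # assumed value range of every symbolic variable

class Constraint:
    """A predicate over named variables, its free variables, and a canonical
    text that serves as the cache key."""
    def __init__(self, text, variables, pred):
        self.text, self.vars, self.pred = text, frozenset(variables), pred
    def __repr__(self):
        return self.text

def independent_subsets(constraints):
    """Constraint subset management: union-find over shared variables.
    Constraints in different groups share no variable, even transitively,
    so each group can be solved on its own and cached on its own."""
    parent = {}
    def find(v):
        parent.setdefault(v, v)
        while parent[v] != v:
            parent[v] = parent[parent[v]]      # path halving
            v = parent[v]
        return v
    for c in constraints:
        first, *rest = sorted(c.vars)
        for v in rest:
            parent[find(v)] = find(first)
    groups = defaultdict(list)
    for c in constraints:
        groups[find(min(c.vars))].append(c)
    return list(groups.values())

class CachingSolver:
    def __init__(self):
        self.cache = {}          # frozenset of constraint texts -> model or None
        self.backend_calls = 0   # how often the expensive solver actually ran

    def _backend(self, group):
        """Brute-force model search over DOMAIN for the group's variables."""
        self.backend_calls += 1
        names = sorted(set().union(*(c.vars for c in group)))
        for values in product(DOMAIN, repeat=len(names)):
            env = dict(zip(names, values))
            if all(c.pred(env) for c in group):
                return env
        return None

    def solve(self, constraints):
        """Return one satisfying assignment for all constraints, or None."""
        model = {}
        for group in independent_subsets(constraints):
            key = frozenset(c.text for c in group)
            if key not in self.cache:          # solution caching
                self.cache[key] = self._backend(group)
            sub = self.cache[key]
            if sub is None:                    # one unsat group sinks the path
                return None
            model.update(sub)
        return model

if __name__ == "__main__":
    cs = [Constraint("x + y == 10", ["x", "y"], lambda e: e["x"] + e["y"] == 10),
          Constraint("x < 3", ["x"], lambda e: e["x"] < 3),
          Constraint("z == 7", ["z"], lambda e: e["z"] == 7),
          Constraint("w > z", ["w", "z"], lambda e: e["w"] > e["z"])]
    s = CachingSolver()
    print(s.solve(cs), "backend calls:", s.backend_calls)
    print(s.solve(cs[:2]), "backend calls:", s.backend_calls)   # served from cache
```

The brute-force backend makes the benefit visible: solving the four constraints as one problem would enumerate 16^4 assignments, while the two independent groups cost 16^2 each, and a later path that adds constraints on other variables reuses the cached models of the groups it shares.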
Static Analysis Support
• Veritesting – static symbolic execution (SSE) to merge states over multiple paths
• LESE – loop-extended symbolic execution: intelligent loop unrolling
• Code summarization (Dodo) – automatically (and statically) summarize the effect of loops / functions
• VSA – value-set analysis: resolve ranges (and conditionals) without solving constraints
(Bar chart; y-axis in percent, 0–25%.)
American Fuzzy Lop (AFL)
(Bar chart comparing Base, Optimized Core, Veritesting, LESE, Dodo and AFL; y-axis in percent, 0–50%.)
Combining Approaches
• angr can be used in combination with other tools
• Fuzzing excels at producing general inputs
• Symbolic execution is able to satisfy complex path predicates for specific inputs
• Key insight – combine both techniques to leverage their strengths and mitigate their weaknesses
Driller = AFL + angr
• Fuzzing: good at finding solutions for general inputs
• Symbolic execution: good at finding solutions for specific inputs
Driller Example

```python
# Toy service from the slides. Python 2 print statements are written as
# print(); complex_function() and crash() are defined elsewhere; the body is
# wrapped in a function so the final `return` is valid.
def handle():
    username = input()
    password = input()
    if password == "secret":
        complex_function()
        command = input()
        if command == "C":
            crash()
        else:
            print("Unknown command")
    else:
        complex_function()
        if len(username) < 5:
            print("Invalid username!")
        else:
            print("Auth failure!")
        print("Try again...")
    return
```

Step 1 – fuzzing alone. AFL's test cases (written as username:password) all take the `else` branch, because random mutation will not produce the exact string "secret":
“asDA:sAAA”, “asdf:AAAA”, “aDAAA:sAAA”, “asDAL:sAAAt”, “axOO:sABBX”, “asOO:sABX”

Step 2 – symbolic execution on the stuck check. Variables: username = ???, password = ???. The path forks on password != "secret" versus password == "secret"; solving the second constraint yields the concrete password.

Step 3 – the solved input is handed back to the fuzzer as a new seed, and fuzzing continues past the check. Test cases:
“asdf:ljafe”, “asdf:secret”, “aDAA:secret”, “aaDAA:etsf”

Step 4 – symbolic execution again on the next check: the constraints password == "secret" and command == "C" together reach crash().
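The Driller loop of the last slides ("Driller = AFL + angr" and the worked example), as an added example that is neither the slides' code nor Driller's. Fuzzing is coverage-guided random mutation; the "symbolic execution" step is a concolic re-run that records every string-equality test against a constant (the `SymStr` class) and solves the negated check by substitution, which is all a solver can return for such a constraint. Assumptions of this example: the three inputs are a dict of fields rather than one colon-separated string, `crash()` is an exception, and the mutation operators, budgets and RNG seed are chosen here.

```python
"""Hybrid fuzzing (fuzz, detect stall, drill, repeat) over the toy service.
Added example; not the slides' code, not Driller's."""
import random

class SymStr:
    """Concolic string: behaves like its concrete value but logs every
    equality test against a constant so the path condition can be replayed."""
    def __init__(self, name, concrete, log):
        self.name, self.concrete, self.log = name, concrete, log
    def __eq__(self, other):
        taken = self.concrete == other
        self.log.append((self.name, other, taken))
        return taken
    def __len__(self):
        return len(self.concrete)

FIELDS = ("username", "password", "command")

def target(username, password, command):
    """The service from the slides; crash() modelled as RuntimeError."""
    if password == "secret":
        if command == "C":
            raise RuntimeError("crash()")
        return "Unknown command"
    if len(username) < 5:
        return "Invalid username!"
    return "Auth failure!"

def run(inputs):
    """Execute target on {field: str}. Returns (crashed, coverage, branch log)."""
    log = []
    args = [SymStr(f, inputs[f], log) for f in FIELDS]
    try:
        ret = target(*args)
    except RuntimeError:
        return True, frozenset(log) | {("crash",)}, log
    return False, frozenset(log) | {("ret", ret)}, log

def mutate(rng, inputs):
    """AFL-style havoc on one field: flip, insert or delete one byte."""
    out, f = dict(inputs), rng.choice(FIELDS)
    s, op = list(out[f]), rng.randrange(3)
    if op == 0 and s:
        s[rng.randrange(len(s))] = chr(rng.randrange(32, 127))
    elif op == 1:
        s.insert(rng.randrange(len(s) + 1), chr(rng.randrange(32, 127)))
    elif s:
        del s[rng.randrange(len(s))]
    out[f] = "".join(s)
    return out

def drill(inputs, log):
    """Symbolic step: for every equality the concrete run failed, keep the
    path prefix and produce the input that takes the other branch."""
    return [dict(inputs, **{name: const}) for name, const, taken in log if not taken]

def hybrid_fuzz(seed, budget=2000, stall=200, rng_seed=7):
    """Driller loop: fuzz; when coverage stalls, drill every corpus entry."""
    rng = random.Random(rng_seed)
    corpus, seen, since_new = [dict(seed)], set(), 0
    stats = {"fuzz_iters": 0, "drills": 0}
    for _ in range(budget):
        stats["fuzz_iters"] += 1
        cand = mutate(rng, rng.choice(corpus))
        crashed, cov, _ = run(cand)
        if crashed:
            return cand, stats
        if cov - seen:                              # new coverage: keep it
            seen |= cov
            corpus.append(cand)
            since_new = 0
        else:
            since_new += 1
        if since_new >= stall:                      # the fuzzer is stuck
            stats["drills"] += 1
            since_new = 0
            for base in list(corpus):
                for cand in drill(base, run(base)[2]):
                    crashed, cov, _ = run(cand)
                    if crashed:
                        return cand, stats
                    if cov - seen:
                        seen |= cov
                        corpus.append(cand)
    return None, stats

if __name__ == "__main__":
    seed = {"username": "asdf", "password": "AAAA", "command": "X"}
    print("hybrid:", hybrid_fuzz(seed))
    print("fuzz only:", hybrid_fuzz(seed, stall=10**9))
```

Run with a huge `stall` the loop never drills and degenerates to plain fuzzing, which does not get past `password == "secret"` within the budget; with drilling enabled the first stall yields the password, the second yields the command, and the crash is reached in a few hundred iterations.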
Impact of Driller
Applicability varies by program. Where it was needed, Driller increased block coverage by an average of 71%.
(Chart: basic block coverage over time.)
(Bar chart: AFL versus Driller; y-axis in percent, 0–60%.)
Failed Attempts (aka Future Research)
• State management – duplicate state detection
• Path selection to reach "promising" parts of the program – heuristics that guide the analysis to areas that are more likely to be vulnerable
VULNERABILITY MODELS
Interesting Vulnerabilities
• Memory safety vulnerabilities
  – buffer overrun
  – out-of-bounds reads (Heartbleed)
  – write-what-where
• Authentication bypass (backdoors)
• Actuator control
Authentication Bypass
Client: Show me recorded video.
Device: Please authenticate.
Client: chris:<REDACTED>
Device: Authentication Successful! Here is the video.

The same exchange with a credential built into the firmware:
Client: Show me recorded video.
Device: Please authenticate.
Client: service:service
Device: Authentication Successful! Here is the video.
Authentication Bypass
(Diagram: Prompt → Authentication → Success or Failure. A backdoor, e.g. a hidden strcmp() against a built-in credential, is an extra edge from Authentication into Success. Hard to find.)

Authentication Bypass
(Diagram: Prompt → Success, with the Authentication step missing altogether.)

Modeling Authentication Bypass
(Diagram: Prompt → Authentication → Success or Failure, plus the backdoor edge, e.g. strcmp(). Hard to find by looking for the backdoor itself; easier to find with the right model.)

Input Determinism
Can we determine the input needed to reach the success function, just by analyzing the code?
– For the legitimate path, where the credential is checked against data the binary does not contain, the answer is NO.
– For the backdoor path, e.g. a strcmp() against a constant in the binary, the answer is YES.

Modeling Authentication Bypass
Easier to find! But how?
UC Santa Barbara
Finding “Authenticated Point”
• Without OS/ABI information
• With ABI information
55
EXEC()
![Page 56: Finding Vulnerabilities in Embedded Software · Finding Vulnerabilities in Embedded Software Christopher Kruegel ... • When a condition is triggered, "concretize" to obtain a possible](https://reader033.vdocument.in/reader033/viewer/2022043006/5f8f0a43c22b2153eb36e673/html5/thumbnails/56.jpg)
UC Santa Barbara
"AuthenticationSuccessful!"
- static analysis (data references, system calls)
- human analyst fallback
Identify Authenticated Point
56
![Page 57: Finding Vulnerabilities in Embedded Software · Finding Vulnerabilities in Embedded Software Christopher Kruegel ... • When a condition is triggered, "concretize" to obtain a possible](https://reader033.vdocument.in/reader033/viewer/2022043006/5f8f0a43c22b2153eb36e673/html5/thumbnails/57.jpg)
UC Santa Barbara
- static analysis (program slicing)
"AuthenticationSuccessful!"
Compute Authentication Slice
57
![Page 58: Finding Vulnerabilities in Embedded Software · Finding Vulnerabilities in Embedded Software Christopher Kruegel ... • When a condition is triggered, "concretize" to obtain a possible](https://reader033.vdocument.in/reader033/viewer/2022043006/5f8f0a43c22b2153eb36e673/html5/thumbnails/58.jpg)
UC Santa Barbara
authenticated path
Path Collection
58
authenticated path
![Page 59: Finding Vulnerabilities in Embedded Software · Finding Vulnerabilities in Embedded Software Christopher Kruegel ... • When a condition is triggered, "concretize" to obtain a possible](https://reader033.vdocument.in/reader033/viewer/2022043006/5f8f0a43c22b2153eb36e673/html5/thumbnails/59.jpg)
UC Santa Barbara
Vulnerability Detection
59
"service:service"
"AAA:XXX""BBB:YYY""CCC:ZZZ"...
- can the attacker determine a concrete authenticating input via program analysis?
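The input-determinism check from the last step, as an added example that is not Firmalice or angr code. Each collected path to the authenticated point is represented by its constraints; a path is a backdoor when every constraint refers only to attacker-supplied input and constants in the binary, so analysis alone yields a working credential, while a path that depends on data outside the binary (a stored hash, a nonce) is not a finding under this model. The constraint syntax, the toy solver (equalities only) and the sample paths are constructed for the example.

```python
"""Input-determinism check for authentication bypass.  Added example;
not Firmalice/angr code.

A constraint is (lhs, rhs).  A term is one of
    ("input", name)   attacker-supplied input
    ("const", value)  a constant present in the binary
    ("data",  name)   a value the binary does not contain (stored hash, nonce)
    ("hash",  term)   a one-way function applied to a term
"""
INPUT, CONST, DATA, HASH = "input", "const", "data", "hash"

def symbols(term, kinds=(DATA,)):
    """Free symbols of the given kinds occurring anywhere inside a term."""
    kind, val = term
    if kind == HASH:
        return symbols(val, kinds)
    return {(kind, val)} if kind in kinds else set()

def determinable(path):
    """True if no constraint on the path depends on data outside the binary."""
    return not any(symbols(lhs) | symbols(rhs) for lhs, rhs in path)

def concretize(path):
    """Solve  input == const  equalities by substitution.  Returns the
    credential dict, or None if the path is unsatisfiable (one input pinned
    to two different constants) or holds a constraint this toy solver
    cannot invert (e.g. hash(input) == const)."""
    model = {}
    for lhs, rhs in path:
        if lhs[0] == CONST and rhs[0] == INPUT:
            lhs, rhs = rhs, lhs
        if lhs[0] != INPUT or rhs[0] != CONST:
            return None
        if model.setdefault(lhs[1], rhs[1]) != rhs[1]:
            return None
    return model

def find_backdoors(auth_paths):
    """Report each path whose credential the code alone determines, with a
    concrete authenticating input.  Paths that are determinable but beyond
    the solver (a hard-coded digest) go to a human analyst instead."""
    findings, unresolved = [], []
    for name, path in auth_paths.items():
        if not determinable(path):
            continue
        model = concretize(path)
        if model is None:
            unresolved.append(name)
        else:
            findings.append((name, model))
    return findings, unresolved

# Constructed paths to the "Authentication Successful!" point of a toy firmware.
AUTH_PATHS = {
    "legit": [((HASH, (INPUT, "password")), (DATA, "stored_hash")),
              ((INPUT, "username"), (DATA, "stored_user"))],
    "backdoor": [((INPUT, "username"), (CONST, "service")),
                 ((INPUT, "password"), (CONST, "service"))],
    "mixed": [((INPUT, "username"), (CONST, "service")),
              ((HASH, (INPUT, "password")), (DATA, "stored_hash"))],
    "hashed_backdoor": [((HASH, (INPUT, "password")), (CONST, "a1b2c3d4"))],  # example digest
}

if __name__ == "__main__":
    print(find_backdoors(AUTH_PATHS))
```

Only the `backdoor` path is reported with its credential. The `mixed` path is not a finding even though it contains a constant check, because the other check still depends on stored data; `hashed_backdoor` is determinable in principle but the solver cannot invert the hash, so it is flagged for a human rather than silently dropped.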
Bootloader Vulnerabilities
(Diagram of the ARM/Android boot chain: BL1/BootROM → BL2 → BL31 (EL3) and BL33. Non-Secure World: Android kernel (boot partition) at EL1, Android framework/apps (system/data partitions) at EL0. Secure World: Trusted OS (tz partition) at EL1, Trusted Apps at EL0. The boot, tz, system and data partitions live in writeable storage.)
Two Malice Models
• Memory Corruption – "Is data read from writeable storage used unsafely in memory operations?" (can result in bricking, device compromise, and even TrustZone compromise!)
• Unsafe Unlock – "Can the device be unlocked without triggering a user data wipe?" (can result in data compromise)
Symbolic Taint Propagation
• Multi-tag taint propagation on top of under-constrained symbolic execution
• Taint sources: data read from writeable storage
• Taint sinks: memory dereferences, memcpy, loop conditions
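The memory-corruption malice model above as multi-tag taint propagation, an added example that is not BootStomp or angr code. A tiny three-address IR stands in for the lifted bootloader code and a plain interpreter stands in for under-constrained symbolic execution, both assumptions made so the example runs offline. Each value read from writeable storage carries the partition it came from as its tag, tags follow data through arithmetic, and an alert fires when a tagged value reaches a sink. A comparison against a constant clears the taint; that sanitization heuristic, the IR and the sample program are choices of this example.

```python
"""Multi-tag taint propagation from writeable storage to memory sinks.
Added example; not BootStomp/angr code."""

SINKS = {"memcpy_len", "deref", "loop_bound"}

def taint_analysis(program):
    """program: list of instructions (an IR assumed for this example):
        ("storage", dst, partition)   load from writeable storage (source)
        ("const",   dst, value)
        ("op",      dst, src1, src2)  any arithmetic; taint is the union
        ("check",   var)              var compared against a constant bound
        ("memcpy_len", var) | ("deref", var) | ("loop_bound", var)   sinks
    Returns (alerts, final taint map); an alert is (pc, sink, var, tags)."""
    taint = {}      # variable -> set of partition tags
    alerts = []
    for pc, ins in enumerate(program):
        kind = ins[0]
        if kind == "storage":
            taint[ins[1]] = {ins[2]}
        elif kind == "const":
            taint[ins[1]] = set()
        elif kind == "op":
            taint[ins[1]] = taint.get(ins[2], set()) | taint.get(ins[3], set())
        elif kind == "check":
            taint[ins[1]] = set()      # heuristic: bounded by a constant => sanitized
        elif kind in SINKS:
            tags = taint.get(ins[1], set())
            if tags:
                alerts.append((pc, kind, ins[1], frozenset(tags)))
        else:
            raise ValueError(f"unknown instruction {ins!r}")
    return alerts, taint

# Constructed program modelled on a bootloader parsing a partition header.
BOOTLOADER = [
    ("storage", "hdr_len", "misc"),       # size field read from the misc partition
    ("storage", "img_off", "boot"),       # offset read from the boot partition
    ("const", "base", 0x80000000),
    ("op", "dst", "base", "img_off"),     # dst = base + attacker-controlled offset
    ("memcpy_len", "hdr_len"),            # unchecked length            -> alert {misc}
    ("deref", "dst"),                     # pointer derived from storage -> alert {boot}
    ("check", "hdr_len"),                 # if (hdr_len > MAX) fail
    ("memcpy_len", "hdr_len"),            # now bounded                 -> no alert
    ("op", "n", "hdr_len", "img_off"),    # re-tainted through img_off
    ("loop_bound", "n"),                  # loop bound from storage     -> alert {boot}
]

if __name__ == "__main__":
    for alert in taint_analysis(BOOTLOADER)[0]:
        print(alert)
```

The tag set on each alert is what makes the analysis multi-tag: it says which partition an attacker with write access to storage must modify, which is exactly the information needed to rank alerts against the table of sources and sinks that follows.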
Results

| Bootloader | Sources | Sinks | Alerts | Memory Bugs | Unsafe Unlock |
|---|---|---|---|---|---|
| Qualcomm (latest) | 2 | 1 | 0 | 0 | 1 |
| Qualcomm (old) | 3 | 1 | 4 | 1 | 1 |
| NVIDIA | 6 | 1 | 1 | 1 | 0 |
| HiSilicon/Huawei | 20 | 4 | 15 | 5 | 1 |
| MediaTek | 2 | 2 | - | - | - |
| Total | 33 | 9 | 20 | 7 | 3 |
AUTOMATING VULNERABILITY ANALYSIS
From Tools Supporting Humans …
(High effectiveness, low scalability)
… To Fully Automated Analysis
(High scalability)
DARPA Grand Challenges
• Self-driving cars
• Robots
DARPA Cyber Grand Challenge (CGC)
• Programs!
DARPA Cyber Grand Challenge
• CTF-style competition
• Autonomous Cyber-Reasoning Systems (CRSs) attack and defend a number of services (binaries)
• No human in the loop
• A first qualification round decided the 7 finalists
• Final event was on August 4, 2016 during DEF CON – Shellphish came in 3rd place
• Significant cash prizes – $750K for qualification, $2M for the win ($750K for 3rd place)
CGC Results
Summary
• Internet of Things
  – explosive growth of devices with embedded software
  – many interesting security challenges
• Binary analysis
  – key tool to hunt for IoT vulnerabilities
  – delivers powerful results, but faces scalability issues
  – promising approach is to combine analysis techniques (e.g., fuzzing and symbolic execution)
• angr
  – UCSB open-source binary analysis software
Thank You!