Firmadyne

ssuserb15333 293 views 43 slides Dec 16, 2021

About This Presentation

Towards Automated Dynamic Analysis for Linux-based Embedded Firmware


Slide Content

redhung@SQLab, NYCU
Towards Automated Dynamic Analysis
for Linux-based Embedded Firmware
Daming D. Chen, Manuel Egele, Maverick Woo, and David Brumley, Carnegie Mellon University, NDSS, 2016

>_ CAT ./OVERVIEW
0x00 Background
0x10 Architecture & Concept
0x20 Evaluation
0x30 Conclusion

Background

>_ Internet of Things
•Problems
---
-IoT devices are controlled by vendor- and chipset-specific firmware
-Financial burden Q_Q
-Interfacing with the debugging port on the device places strict limits
•How to dump the firmware from the actual hardware?

>_ Internet of Things
---
•Dismantle the DVR

>_ Internet of Things
---
SHOUT OUT TO ATTIFY
•Dismantle the DVR

>_ Internet of Things
---
•Dismantle the DVR (pins: GND, Tx, Rx)

>_ Internet of Things
---
•Dumping the firmware

>_ Internet of Things
---
•Done! But …

>_ Emulator and automated analysis
•FIRMADYNE
---
-Automated dynamic analysis
-Using the QEMU full system emulator
•Challenges of embedded systems
-Presence of hardware-specific peripherals
-Creation of dynamically-generated files
-Usage of non-volatile memory (NVRAM)

Architecture & Concept

>_ Architecture
•Components
---
-Extract Firmware Filesystem
-Initial Emulation
-Dynamic Analysis
-Crawling Firmware

>_ Architecture
•Crawling firmware
---
-42 vendors in the dataset
-Multiple geographic locations of each vendor’s website
-Using the Scrapy framework
-Crawling FTP if the webpage is dynamically generated

>_ Architecture
•Extract Firmware Filesystem
---
-Blacklist of filenames
-Improve extraction of JFFS2 and SquashFS filesystems
-Binwalk was insufficient for our purposes

>_ Architecture
•Initial Emulation
---
-Process-level
-System-level
-Application-level

>_ Architecture
•NVRAM
---
-52.6% of all extracted firmware images access a hardware NVRAM
-Emulated with a shared library named libnvram.so
-const char* nvram_get(const char* key)
-int nvram_set(const char* key, char* val)
-The init binary loads this library via LD_PRELOAD
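An added example (not FIRMADYNE's own libnvram.so and not the authors' code) of what such an LD_PRELOAD shim has to provide: an in-memory key/value store behind the two functions named above. The table sizes and the NULL-for-unknown-key behaviour are assumptions of this example.

```c
/* Added example, not FIRMADYNE's libnvram.so: an in-memory NVRAM shim
 * exposing the two functions named on the slide. Compiled as a shared
 * object and injected into init via LD_PRELOAD, it satisfies firmware
 * binaries that expect a hardware NVRAM. Table sizes are assumptions. */
#include <stdio.h>
#include <string.h>

#define NVRAM_MAX_ENTRIES 64
#define NVRAM_MAX_KEY     64
#define NVRAM_MAX_VAL     256

struct nvram_entry {
    int  used;
    char key[NVRAM_MAX_KEY];
    char val[NVRAM_MAX_VAL];
};

static struct nvram_entry store[NVRAM_MAX_ENTRIES];

static struct nvram_entry *nvram_find(const char *key) {
    for (int i = 0; i < NVRAM_MAX_ENTRIES; i++)
        if (store[i].used && strcmp(store[i].key, key) == 0)
            return &store[i];
    return NULL;
}

/* Returns the stored value or NULL for an unknown key. Firmware code often
 * dereferences this result unchecked, which is one reason emulation fails
 * without a shim; NULL is kept here so that such callers stay visible. */
const char *nvram_get(const char *key) {
    struct nvram_entry *e = key ? nvram_find(key) : NULL;
    return e ? e->val : NULL;
}

/* Inserts or overwrites a key. Returns 0 on success, -1 on bad input or a
 * full table. Values are truncated to the slot size, never overflowed. */
int nvram_set(const char *key, char *val) {
    if (!key || !val || strlen(key) >= NVRAM_MAX_KEY)
        return -1;
    struct nvram_entry *e = nvram_find(key);
    for (int i = 0; !e && i < NVRAM_MAX_ENTRIES; i++)   /* claim a free slot */
        if (!store[i].used) {
            e = &store[i];
            e->used = 1;
            strcpy(e->key, key);
        }
    if (!e)
        return -1;                                      /* table full */
    snprintf(e->val, NVRAM_MAX_VAL, "%s", val);
    return 0;
}
```

Build with `gcc -shared -fPIC -o libnvram.so nvram_shim.c` and point LD_PRELOAD at it when starting the emulated init; a deployable shim would also have to seed default values and cover the rest of the vendor's NVRAM API surface.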

>_ Architecture
•Kernel
---
-Hooking 20 system calls using the kprobes framework
-Assigning MAC addresses, creating a network bridge, rebooting the system
-Automatic confirmation of vulnerabilities with poison values
-E.g. 0xDEADBEEF, 0x41414141

>_ Architecture
•Dynamic analysis
---
-SNMP Information
-Vulnerabilities
-Accessible Webpages

>_ Architecture
•Accessible Webpages
---
-Iterates through each file within the firmware (e.g., located within /www/)
-Verifies that it is not a static resource (e.g., *.png, *.css, *.js)
-Attempts to access it directly over the web interface
-Determines which URLs were most accessible

>_ Architecture
•Vulnerabilities
---
-The tested vulnerabilities were manually selected
-Manually developed proof-of-concept exploits for the new vulnerabilities
-Using 60 known exploits, mostly from the Metasploit Framework

Evaluation

>_ Evaluation
---
•Dataset from the crawler

Conclusion

>_ Conclusion
---
•FIRMADYNE is an automated approach to analyze the firmware
•OEMs account for most of the vulnerabilities in IoT devices
•Emulation with firmware fuzzing

THANK YOU!
r3dhun9 @r3dhun9 Philip Chen