Fuzzing and Attacking Custom Embedded Systems
Tobias Scharnowski, Marius Muench
In-Person Training | August 3 - 6 | 4 days
Fuzzing And Attacking Custom Embedded Systems
Tobias Scharnowski, Marius Muench
This training teaches how to analyze, fuzz test, and exploit deeply embedded devices that use custom embedded operating systems. We will take a deep dive into the inner workings of Arm Firmware, teach reverse engineering essentials with Ghidra, and will have plenty of hands-on exercises to teach proficiency with Unicorn, AFL++, and Fuzzware.
ABSTRACT
Deeply embedded systems play a crucial role in the ever-growing Internet of Things and typically offer a lucrative attack surface with over-the-air interfaces, hardcoded secrets, and missing security protections.
During the training, we will understand the inner workings of a typical embedded system, and re-discover memory corruption vulnerabilities in a real-world, non-linux embedded operating system by combining reverse engineering, emulation and fuzzing. We will then develop proof-of-concept exploits using the discovered vulnerabilities to demonstrate how an attacker could compromise the target system.
The full training is accompanied with various practical hands-on exercises and tinkering with a physical embedded training platform created for this training. After the training, we expect participants to feel comfortable to independently analyze deeply embedded systems of their choice.
INTENDED AUDIENCE
- Firmware Developers
- Curious Minds
KEY LEARNING OBJECTIVES
- The inner workings of deeply embedded firmware
- Fundamentals of firmware reverse engineering
- Harnessing parsers for fuzzing
- Fuzzing via full-system firmware rehosting
- Overcoming typical fuzzing roadblocks
- Triaging found crashes
- Exploitation strategies for Arm Cortex-M systems
COURSE DETAILS
AGENDA
Day 1: Obtaining and Analyzing Firmware
- Introduction to embedded systems and firmware
- Hardware reconnaissance
- Firmware extraction
- Arm Thumb-v2 disassembly
- Firmware reversing engineering with Ghidra
Day 2: Emulation and Harnessing
- Introduction to emulation
- Parser harnessing with unicornAFL
- Hooking functions and emulating peripherals
- Firmware Fuzzing with AFL++
Day 3: Full-system fuzzing via Rehosting
- Introduction to rehosting
- Full-system fuzzing with Fuzzware
- Overcoming emulation roadblocks
- Advanced rehosting for interrupts and DMA
- Triaging and understanding crashes
Day 4: Exploitation
- Introduction to Cortex-M exploitation
- Arm Shellcoding
- Building and debugging exploits
- Return-Oriented Programming for firmware
- Advanced topics and training recap
Note that this is a highly practical training. Besides the introductory and recap sessions which discuss key concepts, all sessions are accompanied with hands-on exercises.
KNOWLEDGE PREREQUISITES
- Basic knowledge in Python
- Being comfortable with using command-line tools
- Some background in C is a plus
- Previous experience with firmware analysis, reverse engineering, or fuzzing is not required
REQUIREMENTS
Hardware
Students should bring their own laptop with:
- At least 8GB of RAM
- At least 50 GB of available disk space
- Access to the internet (including github)
- One free and usable USB port
Note that this training, conceptually, supports Windows, Linux, and MacOS. However, we strongly encourage the use of Linux or a Linux VM (e.g., Ubuntu 22.04).
Software
- Visual Studio Code
- Docker
- Ghidra
Students will be provided with a detailed setup guide before the training.
ABOUT THE INSTRUCTORS
Tobias Scharnowski is a systems security researcher at CISPA. He focuses on automated firmware security analysis techniques. Besides academia, he is a CTF RE/pwning veteran and repeat Pwn2Own participant. At Pwn2Own, he demonstrated RCE on 10 targets in the automotive and industrial automation domains. This included an exploit of the core DNP3 implementation, the protocol that powers the US electric grid.
https://twitter.com/scepticCtf
https://github.com/fuzzware-fuzzer
Marius Muench is an assistant professor at the University of Birmingham. His research interests cover (in-)security of embedded systems, binary & microarchitectural exploitation, and defenses. He obtained his PhD from Sorbonne University in cooperation with EURECOM and worked as postdoctoral researcher at the Vrije Universiteit Amsterdam. He developed and maintains avatar2, a framework for analyzing embedded systems firmware, and FirmWire, an emulation and fuzzing platform for cellular basebands. Throughout his career, Marius publicly shared his findings and presented at venues such as Black Hat, REcon, and Hardwear.io.
https://twitter.com/nsinusr
@nsr@infosec.exchange
https://www.linkedin.com/in/marius-muench-801aa580
https://github.com/FirmWire/FirmWire & https://github.com/avatartwo/avatar2