Fuzzing and Attacking Custom Embedded Systems
Tobias Scharnowski and Marius Muench

This training covers analyzing, fuzz testing, and exploiting devices with custom embedded OS. It dives into Arm Firmware, teaches reverse engineering with Ghidra, and offers hands-on exercises to build proficiency with tools like Unicorn, AFL++, and Fuzzware.

Fuzzing and Attacking Custom Embedded Systems // Tobias Scharnowski, Marius Muench

In-Person | March 18-21 | 4 Days

BOOK NOW

ABSTRACT

Deeply embedded systems play a crucial role in the ever-growing Internet of Things and typically offer a lucrative attack surface with over-the-air interfaces, hardcoded secrets, and missing security protections.

During the training, we will understand the inner workings of a typical embedded system, and re-discover memory corruption vulnerabilities in a real-world, non-Linux embedded operating system by combining reverse engineering, emulation, and fuzzing. We will then develop proof-of-concept exploits using the discovered vulnerabilities to demonstrate how an attacker could compromise the target system.

The full training is accompanied by various practical hands-on exercises and tinkering with a physical embedded training platform created for this training. After the training, we expect participants to feel comfortable independently analyzing deeply embedded systems of their choice.


INTENDED AUDIENCE

  • Security Researchers
  • Firmware Developers
  • Curious Minds
💡 Note that this is a really advanced course. The fundamentals are addressed in a systematic way, but students are expected to have experience with Fault Injection.

KEY LEARNING OBJECTIVES

  • The inner workings of deeply embedded firmware
  • Fundamentals of firmware reverse engineering
  • Harnessing parsers for fuzzing
  • Fuzzing via full-system firmware rehosting
  • Overcoming typical fuzzing roadblocks
  • Triaging found crashes
  • Exploitation strategies for Arm Cortex-M systems

COURSE DETAILS

Day 1: Obtaining and Analyzing Firmware

  • Introduction to embedded systems and firmware
  • Hardware reconnaissance
  • Firmware extraction
  • Arm Thumb-v2 disassembly
  • Firmware reverse engineering with Ghidra

Day 2: Emulation and Harnessing

  • Introduction to emulation
  • Parser harnessing with unicornAFL
  • Hooking functions and emulating peripherals
  • Firmware Fuzzing with AFL++

Day 3: Full-system fuzzing via Rehosting

  • Introduction to rehosting
  • Full-system fuzzing with Fuzzware
  • Overcoming emulation roadblocks
  • Advanced rehosting for interrupts and DMA
  • Triaging and understanding crashes

Day 4: Exploitation

  • Introduction to Cortex-M exploitation
  • Arm Shellcoding
  • Building and debugging exploits
  • Return-Oriented Programming for firmware
  • Advanced topics and training recap
💡 Note that this is a highly practical training. Besides the introductory and recap sessions, which discuss key concepts, all sessions are accompanied by hands-on exercises.

Knowledge Prerequisites

  • Basic knowledge in Python
  • Being comfortable with using command-line tools
  • Some background in C is a plus
  • Previous experience with firmware analysis, reverse engineering, or fuzzing is not required

System Requirements

Hardware

Students should bring their own laptop with:

  • At least 8GB of RAM
  • At least 50 GB of available disk space
  • Access to the internet (including GitHub)
  • One free and usable USB port
  • NATIVE Linux OS (Ubuntu 22.04 or above)

Software

  • Visual Studio Code
  • Docker
  • Ghidra

Students will be provided with a detailed setup guide before the training.

While it may be possible to use a different base OS or a Linux VM, some of the hardware has not been tested with other combinations. We will not be able to troubleshoot beyond a base Linux OS install.

YOUR INSTRUCTORS: Tobias Scharnowski and Marius Muench

Tobias Scharnowski is a systems security researcher at CISPA. He focuses on automated firmware security analysis techniques. Besides academia, he is a CTF RE/pwning veteran and repeat Pwn2Own participant. At Pwn2Own, he demonstrated RCE on 10 targets in the automotive and industrial automation domains. This included an exploit of the core DNP3 implementation, the protocol that powers the US electric grid.

Marius Muench is an assistant professor at the University of Birmingham. His research interests cover (in-)security of embedded systems, binary & microarchitectural exploitation, and defenses. He obtained his PhD from Sorbonne University in cooperation with EURECOM and worked as a postdoctoral researcher at the Vrije Universiteit Amsterdam. He developed and maintains avatar2, a framework for analyzing embedded systems firmware, and FirmWire, an emulation and fuzzing platform for cellular basebands. Throughout his career, Marius has publicly shared his findings and presented at venues such as Black Hat, REcon, and Hardwear.io.
