Day 1: Obtaining and Analyzing Firmware

• Introduction to embedded systems and firmware
• Hardware reconnaissance
• Firmware extraction
• Arm Thumb-v2 disassembly
• Firmware reversing engineering with Ghidra

Day 2: Emulation and Harnessing

• Introduction to emulation
• Parser harnessing with unicornAFL
• Hooking functions and emulating peripherals
• Firmware Fuzzing with AFL++

Day 3: Full-system fuzzing via Rehosting

• Introduction to rehosting
• Full-system fuzzing with Fuzzware
• Overcoming emulation roadblocks
• Advanced rehosting for interrupts and DMA
• Triaging and understanding crashes

Day 4: Exploitation

• Introduction to Cortex-M exploitation
• Arm Shellcoding
• Building and debugging exploits
• Return-Oriented Programming for firmware
• Advanced topics and training recap

Note that this is a highly practical training. Besides the introductory and recap sessions which discuss key concepts, all sessions are accompanied with hands-on exercises.

• Basic knowledge in Python
• Being comfortable with using command-line tools
• Some background in C is a plus
• Previous experience with firmware analysis, reverse engineering, or fuzzing is not required

Hardware

Students should bring their own laptop with:

• At least 8GB of RAM
• At least 50 GB of available disk space
• Access to the internet (including github)
• One free and usable USB port
• NATIVE Linux OS (Ubuntu 22.04 or above)

❗️While it may be possible to use a different base OS or a Linux VM, some of the hardware has not been tested with other combinations. We will not be able to troubleshoot beyond a base Linux OS install.

Software

• Visual Studio Code
• Docker
• Ghidra

Students will be provided with a detailed setup guide before the training.

Tobias Scharnowski is a systems security researcher at CISPA. He focuses on automated firmware security analysis techniques. Besides academia, he is a CTF RE/pwning veteran and repeat Pwn2Own participant. At Pwn2Own, he demonstrated RCE on 10 targets in the automotive and industrial automation domains. This included an exploit of the core DNP3 implementation, the protocol that powers the US electric grid.

https://twitter.com/scepticCtf
https://github.com/fuzzware-fuzzer

Marius Muench is an assistant professor at the University of Birmingham. His research interests cover (in-)security of embedded systems, binary & microarchitectural exploitation, and defenses. He obtained his PhD from Sorbonne University in cooperation with EURECOM and worked as postdoctoral researcher at the Vrije Universiteit Amsterdam. He developed and maintains avatar2, a framework for analyzing embedded systems firmware, and FirmWire, an emulation and fuzzing platform for cellular basebands. Throughout his career, Marius publicly shared his findings and presented at venues such as Black Hat, REcon, and Hardwear.io.

https://twitter.com/nsinusr
@nsr@infosec.exchange
https://www.linkedin.com/in/marius-muench-801aa580
https://github.com/FirmWire/FirmWire & https://github.com/avatartwo/avatar2