Exploiting Real Time Operating Systems 2016


Event on 2016-11-14 09:00:00
Exploiting Real Time Operating Systems
CPE/ECE Credits: 5

Course Description
This course will teach students how to analyze, reverse, debug, and exploit embedded RTOS firmware. Hands-on experience with a variety of real-world devices, RTOSes, and architectures equips students with the practical knowledge and skills necessary to be proficient in RTOS vulnerability analysis and exploitation.

Prerequisites
Due to the nature of the material, we expect students to already:
  - have experience with basic overflows and ROP
  - be comfortable in IDA's user interface
  - have some prior knowledge of MIPS and ARM (a plus, but not required)
This course is a natural progression for students already familiar with embedded Linux exploitation; if you attended Embedded Device Exploitation, then you meet the criteria.

Day 1
Basic introduction to the concept of Real Time Operating Systems
  - What is an RTOS?
  - Challenges in reversing and exploiting RTOS code
Overview of MIPS architecture and design
  - Common instructions / registers
  - MIPS RE crash course
Firmware analysis of our first target device
  - Initial analysis and extraction of compressed / obfuscated code and data
  - Identifying the main RTOS code and loading it into IDA
  - Identifying the RTOS base load address and major segments (.text, .data, .bss, etc.)
Debugging our first target device
  - JTAG vs UART debugging
  - VxWorks debugging interface
  - Dumping memory sections
Augmenting IDA's auto analysis
  - Loading dumped .bss segment into IDA
  - Identification of symbol and function tables
  - Parsing symbol tables and renaming functions with IDAPython
Searching for backdoors
  - Identification of running services on the device
  - Examining service code for possible backdoors
  - Find and exploit a backdoor on our first target device

Day 2
Searching for stack overflows
  - Common low-hanging fruit (HTTP, UPnP)
  - Finding text parsing bugs
  - Locate and verify a stack overflow bug in our first target device
Exploiting RTOS overflows
  - Useful ROP gadgets
  - Overwriting critical data
  - Overwriting existing code
  - Architecture-specific concerns (e.g., cache incoherency in MIPS)
  - Write an overflow exploit for our first target device
How not to crash your target
  - Techniques to prevent the target from crashing
  - Write an overflow exploit that doesn't crash our first target device
Practical exploitation of LAN services from the WAN
  - Exploiting networked targets with HTML and JavaScript
  - Write a browser-based exploit against our first target device

Day 3
Fresh meat
  - Hardware analysis of our second target device
  - Firmware analysis and disassembly of our second target device
Identifying functions without a symbol table
  - Format string analysis
  - Identifying leaf functions
  - Manually reversing leaf functions
  - Automated function analysis
Debugging without a debugger
  - Detecting system crashes
  - UART messages
  - Code snippet emulation
Searching for stack overflows
  - Finding pre-auth parsing bugs
  - Locate and verify a stack overflow vulnerability in our second target device
Writing stack overflows with limited debugging
  - Proper understanding of memory and static code analysis
  - Planning ahead
  - Crash mitigation
  - ROP gadgets
  - Write a stack overflow exploit for our second target device

Day 4
More bugs!
  - Finding more parsing bugs in our second target device
  - Identifying dynamic call paths
  - Writing more complex ROP chains
Re-programming an RTOS in memory
  - Re-programming RTOS kernel code on-the-fly
  - Leaking sensitive information through existing services
Low-hanging crypto
  - Custom crypto implementations
  - Auto-generated WPA keys
  - Auto-generated WPS pins
Breaking custom crypto
  - Poor encryption methods
  - Known plaintext attacks
Finding WPS crypto bugs
  - Identifying pin generation functions
  - Identifying sources of entropy
  - Verifying hypotheses
  - Find a WPS implementation bug in our second target device
Practical exploitation of WPS crypto bugs
  - Examining 802.11 WPS packets
  - Leaking of seemingly benign info
  - Cracking WPS pins in our second target device

Day 5
Firmware analysis of our third target device
  - Initial analysis and extraction of compressed / obfuscated code and data
  - Identifying the main RTOS code and loading it into IDA
  - Identifying the RTOS base load address and major segments (.text, .data, .bss, etc.)
Augmenting IDA's auto analysis
  - Identification of symbol and function tables
  - Parsing symbol tables and renaming functions with IDAPython
V-Chip backdoors
  - Identification of code processing user input
  - Examining infrared processing code for possible backdoors in the V-Chip password
  - Find and exploit a backdoor on our third target device
Hidden manufacturer menus
  - Custom IR codes
  - IR code sequences
  - Identify hidden manufacturer IR codes in our third target device

Requirements
You will need the following to succeed in class:
  - Intimate familiarity with the Linux operating environment
  - Knowledge of common networking protocols (TCP/IP, HTTP)
  - Experience with programming/scripting languages (C and Python in particular)
  - Familiarity with any assembly language
  - Familiarity with IDA Pro
  - Experience with PC vulnerability analysis and exploitation

Instructor Bio
Craig Heffner is a Vulnerability Researcher with Tactical Network Solutions in Columbia, MD. He has 6 years' experience analyzing embedded systems and operates the /dev/ttys0 blog, which is dedicated to embedded hacking topics. He has presented at events such as Black Hat and DEF CON. His skin has never been exposed to sunlight and is bioluminescent at 200 meters (656 feet) below sea level.
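The "Identification of symbol and function tables" and "Parsing symbol tables and renaming functions with IDAPython" items in the Day 1 and Day 5 outlines above are the step that turns an anonymous RTOS blob into readable code. The script below is an added example of that step, not course material from the page or from Tactical Network Solutions. It assumes a 32-bit big-endian image (as on most MIPS routers) with 16-byte symbol entries laid out like the VxWorks 5.x SYMBOL struct (hash-chain next pointer, name pointer, value, 16-bit group, 8-bit type, pad) and type codes 0x05/0x07/0x09 for global text/data/bss; both the layout and the type codes are assumptions to confirm on a real target by adjusting ENTRY_FMT and SYM_TYPES. It goes slightly beyond the outline in that it scans the dump for the table instead of requiring its address, which is what you need when the table lives in a .bss region you only have as a raw memory dump. The memory dump it runs on is constructed inline; the `idc.set_name` call only fires when the script is run inside IDA.

```python
"""Locate a VxWorks-style symbol table in a raw RTOS memory dump and recover
function names.  Added example, not course material.

Assumptions (none of this is stated on the page):
  * 32-bit big-endian image; the caller supplies the load base.
  * 16-byte entries laid out like the VxWorks 5.x SYMBOL struct: hash-chain
    next pointer, name pointer, value, 16-bit group, 8-bit type, 1 pad byte.
  * Type codes 0x05 = global text, 0x07 = global data, 0x09 = global bss.
Adjust ENTRY_FMT / SYM_TYPES if the target differs.
"""
import struct

ENTRY_FMT = ">IIIHBx"                     # next, name_ptr, value, group, type, pad
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # 16
SYM_TYPES = {0x05: "text", 0x07: "data", 0x09: "bss"}


def _read_cstr(dump, off, max_len=128):
    """NUL-terminated printable ASCII string at dump[off], else None."""
    end = dump.find(b"\x00", off, off + max_len)
    if end <= off:
        return None
    raw = dump[off:end]
    if not all(0x21 <= c < 0x7F for c in raw):
        return None
    return raw.decode("ascii")


def parse_entry(dump, base, off):
    """Decode one candidate entry at file offset off; None if implausible."""
    if off + ENTRY_SIZE > len(dump):
        return None
    nxt, name_ptr, value, group, typ = struct.unpack_from(ENTRY_FMT, dump, off)
    in_dump = lambda p: base <= p < base + len(dump)
    if typ not in SYM_TYPES or value == 0 or not in_dump(name_ptr):
        return None
    if nxt and not in_dump(nxt):          # chain pointer is 0 at the end of a bucket
        return None
    name = _read_cstr(dump, name_ptr - base)
    if name is None:
        return None
    return {"name": name, "addr": value, "type": SYM_TYPES[typ], "group": group}


def find_symbol_table(dump, base, min_run=4):
    """Walk the dump 4-byte aligned; return (offset, entries) of the longest run
    of back-to-back plausible entries.  Random data rarely yields more than one."""
    best_off, best = None, []
    off = 0
    while off + ENTRY_SIZE <= len(dump):
        run, cur = [], off
        while True:
            sym = parse_entry(dump, base, cur)
            if sym is None:
                break
            run.append(sym)
            cur += ENTRY_SIZE
        if len(run) >= min_run and len(run) > len(best):
            best_off, best = off, run
        off = cur if run else off + 4
    return best_off, best


def function_names(entries):
    """addr -> name for text symbols only: the set you rename in IDA."""
    return {e["addr"]: e["name"] for e in entries if e["type"] == "text"}


def apply_in_ida(entries):
    """Inside IDA, rename functions via idc.set_name; outside IDA, rename nothing."""
    try:
        import idc                        # only importable inside IDA
    except ImportError:
        return 0
    renamed = 0
    for addr, name in function_names(entries).items():
        if idc.set_name(addr, name, idc.SN_CHECK | idc.SN_NOWARN):
            renamed += 1
    return renamed


def build_sample_dump(base=0x80000000):
    """Constructed dump: junk, a string pool, zero fill, a 5-entry table, junk."""
    names = ["usrAppInit", "ipcom_telnetd", "httpdInit", "wpsPinGen", "sysMemTop"]
    types = [0x05, 0x05, 0x05, 0x05, 0x07]
    addrs = [0x80012340, 0x80045000, 0x80056780, 0x80061234, 0x80200000]
    dump = bytearray(b"\xde\xad\xbe\xef" * 0x10)       # 0x40 bytes of junk
    name_ptrs = []
    for n in names:
        name_ptrs.append(base + len(dump))
        dump += n.encode() + b"\x00"
    table_off = 0x100
    dump += b"\x00" * (table_off - len(dump))
    for i, (np_, addr, t) in enumerate(zip(name_ptrs, addrs, types)):
        nxt = base + table_off + (i + 1) * ENTRY_SIZE if i + 1 < len(names) else 0
        dump += struct.pack(ENTRY_FMT, nxt, np_, addr, 1, t)
    dump += b"\xff" * 0x20
    return bytes(dump), base


if __name__ == "__main__":
    dump, base = build_sample_dump()
    off, entries = find_symbol_table(dump, base)
    print(f"symbol table at dump offset {off:#x} ({len(entries)} entries)")
    for e in entries:
        print(f"  {e['addr']:#010x}  {e['type']:<4}  {e['name']}")
    print(f"functions renamed in IDA: {apply_in_ida(entries)}")
```

On a real dump, replace `build_sample_dump()` with the bytes read from the .bss region you pulled over the debug interface and the base address you identified for that segment; if the scan returns nothing, the first things to revisit are the entry layout, the endianness, and the type codes, in that order.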

at Tactical Network Solutions
8825 Stanford Blvd
Columbia, United States

