INSIDE ARM-X - Countermeasure 2019

The closest you will get to a VM for testing IoT devices. The ARM-X IoT Firmware Emulation Framework is a tried-and-tested framework which has led to four 0-days discovered on SoHo routers, IP cameras and VoIP exchanges. In this talk, I shall cover the evolution of ARM-X, demonstrate a few use cases and discuss future directions of IoT firmware emulation.


  1. NETSQUARE (c) SAUMIL SHAH, COUNTERMEASURE | 2019. INSIDE ARM-X. SAUMIL SHAH, @therealsaumil, 7 November 2019
  2. # WHO AM I
     Saumil Shah, CEO, Net Square, @therealsaumil
     educating, entertaining and exasperating audiences since 1999
  3. Introducing ARM-X
     • An ARM Firmware Emulation Framework.
     • Ultimate Goal - create an IoT VM!
     • A Virtual IoT device makes for easy
       – runtime analysis
       – reverse engineering
       – fuzzing
       – exploit development
     • Great insight into embedded hardware by trying to emulate it.
  6. Inside an IoT device…
  7. …same same but different
     Diagram labels: CPU and Hardware, Kernel, Drivers, File System, nvram, libnvram, User Processes, API, UI
  8. The IoT Boot Up Process (POWER ON to READY)
     Diagram labels: firmware, ramdisk, userland; CPU, Boot Loader, Kernel, compressed FS, mounted FS, nvram, libnvram, init scripts, conf, Services, Apps
     • Loads Kernel.
     • Uncompresses FS to ramdisk, invokes init process.
     • Reads config from nvram. Builds system config files on the fly.
     • Starts up system services.
     • Invokes Applications and Application services.
  9. Emulation: Goals and Challenges
     Diagram labels: QEMU, CPU and Limited Hardware, Kernel, Drivers, uncompressed Filesystem, emulated nvram, libnvram, init scripts, conf, Services, Apps
     Notes on the diagram:
     • BUILDROOT. Match the kernel with the one on the device
     • chroot environment
     • Implemented as an INI file, preloaded before "boot up"
     • Fix to match QEMU environment
     • Not all drivers load successfully
  10. ARM-X Architecture
  11. ARM-X Architecture
  12. Starting an ARM-X device
  14. 2 - Booting the device Kernel
  16. Kernel and hostfs ready
     Diagram labels: QEMU, CPU and Limited Hardware, Kernel, hostfs, NFS /armx
  17. 3 - ARM-X Userland
  19. 4 - nvram and userland init
  20. nvram and userland init scripts
     Diagram labels: QEMU, CPU and Limited Hardware, Kernel, Drivers, NFS /armx, emulated nvram, libnvram, init scripts, conf
  22. ARM-X: Device "booted up"
     Diagram labels: QEMU, CPU and Limited Hardware, Kernel, Drivers, NFS /armx, emulated nvram, libnvram, init scripts, conf, Services, Apps
  24. 5 - ARM-X hostfs/debug Shell
  26. How to add a new device to ARM-X
     Diagram labels: BUILDROOT, Firmware image
  27. Obtaining the Firmware
     Diagram labels: Firmware, rootfs, Firmware .bin file, rootfs+nvram, Serial Console, Direct from Flash memory
  28. 1: Web/FTP site
  29. 2: Hidden UART interfaces
     Pin labels: Vcc (+3.3V), GND, TX/RX, GND
  30. Serial Console - working
  31. Firmware Extraction

      # cat /proc/partitions
      major minor  #blocks  name
        31     0      256   mtdblock0
        31     1       64   mtdblock1
        31     2       64   mtdblock2
        31     3     1472   mtdblock3
        31     4      128   mtdblock4
        31     5       64   mtdblock5
        31     6     2048   mtdblock6
        31     7    32768   mtdblock7
        31     8    30975   mtdblock8
        31     9   131072   mtdblock9
        31    10    98304   mtdblock10

      # cat /proc/mtd
      dev:    size   erasesize  name
      mtd0: 00040000 00010000 "u-boot"
      mtd1: 00010000 00010000 "devconf"
      mtd2: 00010000 00010000 "devdata"
      mtd3: 00170000 00010000 "mydlink"
      mtd4: 00020000 00010000 "langpack"
      mtd5: 00010000 00010000 "nvram"
      mtd6: 00200000 00010000 "flash"
      mtd7: 02000000 00020000 "upgrade"
      mtd8: 01e3ffa0 00020000 "rootfs"
      mtd9: 08000000 00020000 "nflash"
      mtd10: 06000000 00020000 "storage"

      dd if=/dev/mtdblock8 …
  32. 3: Take it directly from the chip!
  33. DEMO TIME!
  34. HERE BE THE GOODS
     Downloads: https://armx.exploitlab.net/
     Announcements: @therealsaumil
     IP Camera CTF Challenge - blog.exploitlab.net
  35. Thank you and … QUESTIONS? @therealsaumil
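
The Firmware Extraction slide (31) shows `/proc/partitions` and `/proc/mtd` from the serial console before the `dd` of `mtdblock8`. As an added example, not code from the talk or from ARM-X, the Python below cross-checks the two listings and maps the rootfs and nvram partitions (the pair slide 27 names) to their block devices; the function names are assumptions of this example.

```python
import re

# Listings copied from the Firmware Extraction slide (serial console output).
PROC_MTD = """dev: size erasesize name
mtd0: 00040000 00010000 "u-boot"
mtd1: 00010000 00010000 "devconf"
mtd2: 00010000 00010000 "devdata"
mtd3: 00170000 00010000 "mydlink"
mtd4: 00020000 00010000 "langpack"
mtd5: 00010000 00010000 "nvram"
mtd6: 00200000 00010000 "flash"
mtd7: 02000000 00020000 "upgrade"
mtd8: 01e3ffa0 00020000 "rootfs"
mtd9: 08000000 00020000 "nflash"
mtd10: 06000000 00020000 "storage"
"""
PROC_PARTITIONS = """major minor #blocks name
31 0 256 mtdblock0
31 1 64 mtdblock1
31 2 64 mtdblock2
31 3 1472 mtdblock3
31 4 128 mtdblock4
31 5 64 mtdblock5
31 6 2048 mtdblock6
31 7 32768 mtdblock7
31 8 30975 mtdblock8
31 9 131072 mtdblock9
31 10 98304 mtdblock10
"""

def parse_mtd(text):
    """/proc/mtd text -> {index: (name, size_bytes)}; sizes are printed in hex."""
    rows = re.findall(r'^mtd(\d+):\s+([0-9a-f]+)\s+[0-9a-f]+\s+"(.*)"$', text, re.M)
    return {int(i): (name, int(size, 16)) for i, size, name in rows}

def parse_partitions(text):
    """/proc/partitions text -> {index: 1 KiB block count} for mtdblockN rows."""
    rows = re.findall(r'^\s*\d+\s+\d+\s+(\d+)\s+mtdblock(\d+)$', text, re.M)
    return {int(i): int(blocks) for blocks, i in rows}

def plan_dump(mtd_text, part_text, wanted=("rootfs", "nvram")):
    """Map wanted partition names to (block device, size in bytes)."""
    mtd, blocks = parse_mtd(mtd_text), parse_partitions(part_text)
    for idx, (name, size) in mtd.items():
        # /proc/partitions counts whole 1 KiB blocks: compare floor(size / 1024).
        if blocks.get(idx) != size // 1024:
            raise ValueError(f"mtd{idx} ({name}): listings disagree")
    return {n: (f"/dev/mtdblock{i}", s) for i, (n, s) in mtd.items() if n in wanted}
```

Calling `plan_dump(PROC_MTD, PROC_PARTITIONS)` on the slide's data resolves "rootfs" to `/dev/mtdblock8`, the device the slide's `dd` reads, and raises `ValueError` if the two listings ever disagree on a partition's size.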
