Inception: System-Wide Security Testing of Real- World Embedded Systems Software Nassim Corteggiani (Maxim Integrated / EURECOM) Giovanni Camurati
|
|
- Maude Turner
- 5 years ago
- Views:
Transcription
1 Inception: System-Wide Security Testing of Real- World Embedded Systems Software Nassim Corteggiani (Maxim Integrated / EURECOM) Giovanni Camurati (EURECOM) Aurélien Francillon (EURECOM) 08/15/18
2 Embedded Systems Are Everywhere [1] og/posts/arm-cortex-m3-processor-the-coreof-the-iot 2 Maxim Integrated EURECOM
3 Embedded Systems Are Everywhere [1] og/posts/arm-cortex-m3-processor-the-coreof-the-iot Low Power Micro-controllers 3 Maxim Integrated EURECOM
4 Embedded Systems Are Everywhere Over 32 billions of ARM Cortex M3 shipped in 2018 [1] [1] og/posts/arm-cortex-m3-processor-the-coreof-the-iot 4 Maxim Integrated EURECOM Low Power Micro-controllers Cover a wide range of fields
5 Why the Security of Such Systems Matters? 5 Maxim Integrated EURECOM
6 Why the Security of Such Systems Matters? Highly connected -> large scale attacks 6 Maxim Integrated EURECOM
7 Why the Security of Such Systems Matters? Highly connected -> large scale attacks Difficulty to patch the code > Mask ROM mask applied on the chip during the fabrication > Off-line devices 7 Maxim Integrated EURECOM
8 Why the Security of Such Systems Matters? Highly connected -> large scale attacks Difficulty to patch the code > Mask ROM mask applied on the chip during the fabrication > Off-line devices Store sensitive data > Bitcoin wallet > Payment terminal 8 Maxim Integrated EURECOM
9 Why the Security of Such Systems Matters? Highly connected -> large scale attacks Difficulty to patch the code > Mask ROM mask applied on the chip during the fabrication > Off-line devices Store sensitive data > Bitcoin wallet > Payment terminal Drive sensitive hardware system > Physical damage > Production line outage > Signaling systems (red light) 9 Maxim Integrated EURECOM
10 Exemple of Recent Security Issues Recent attacks 10 Maxim Integrated EURECOM
11 Exemple of Recent Security Issues Recent attacks Nintendo Switch Tegra X1 bootrom exploit 2018 > buffer overflow in the USB stack embedded in the mask ROM > Cannot be patched > Give access to the entire software stack 11 Maxim Integrated EURECOM
12 How Can We Test Such Firmware Programs? Symbolic Execution > High path coverage > Return test case for bugs 12 Maxim Integrated EURECOM
13 Symbolic Execution Example i = symb_i Int buffer[2] i = <input> int buffer[2] = {0, 1}; 13 Maxim Integrated EURECOM
14 Symbolic Execution Example i = symb_i Int buffer[2] i = <input> TRUE buffer[i] FALSE int buffer[2] = {0, 1}; if( buffer[i] == 0 ) { 0 i < 2 (0 i < 2) Out of bounds access 14 Maxim Integrated EURECOM
15 Symbolic Execution Example i = symb_i Int buffer[2] i = <input> TRUE buffer[i] FALSE int buffer[2] = {0, 1}; if( buffer[i] == 0 ) { buffer[i] = 0xDEADBEEF; } TRUE 0 i < 2 buffer[i] == 0 FALSE (0 i < 2) i = 0 buffer[i] == 0xDEADBEAF (i = 0) Out of bounds access 15 Maxim Integrated EURECOM
16 Building A Symbolic Executor For Firmware Programs Klee as a basis Inception is based on Klee a symbolic virtual machine: 16 Maxim Integrated EURECOM
17 Building A Symbolic Executor For Firmware Programs Klee as a basis Inception is based on Klee a symbolic virtual machine: > Widely deployed, efficient and based on the LLVM framework. 17 Maxim Integrated EURECOM
18 Building A Symbolic Executor For Firmware Programs Klee as a basis Inception is based on Klee a symbolic virtual machine: > Widely deployed, efficient and based on the LLVM framework. > Find memory safety violations 18 Maxim Integrated EURECOM
19 Building A Symbolic Executor For Firmware Programs Klee as a basis Inception is based on Klee a symbolic virtual machine: > Widely deployed, efficient and based on the LLVM framework. > Find memory safety violations > High code coverage 19 Maxim Integrated EURECOM
20 Building A Symbolic Executor For Firmware Programs Klee as a basis Inception is based on Klee a symbolic virtual machine: > Widely deployed, efficient and based on the LLVM framework. > Find memory safety violations > High code coverage C/C++ source code 20 Maxim Integrated EURECOM
21 Building A Symbolic Executor For Firmware Programs Klee as a basis Inception is based on Klee a symbolic virtual machine: > Widely deployed, efficient and based on the LLVM framework. > Find memory safety violations > High code coverage C/C++ source code Clang 21 Maxim Integrated EURECOM
22 Building A Symbolic Executor For Firmware Programs Klee as a basis Inception is based on Klee a symbolic virtual machine: > Widely deployed, efficient and based on the LLVM framework. > Find memory safety violations > High code coverage C/C++ source code Clang LLVM bit-code 22 Maxim Integrated EURECOM
23 Building A Symbolic Executor For Firmware Programs Klee as a basis Inception is based on Klee a symbolic virtual machine: > Widely deployed, efficient and based on the LLVM framework. > Find memory safety violations > High code coverage C/C++ source code Clang LLVM bit-code Klee 23 Maxim Integrated EURECOM
24 Why testing source code instead of binary code? Source VS Binary 24 Maxim Integrated EURECOM
25 Why testing source code instead of binary code? Source VS Binary char b1[2]; char b2[2]; char getelement(int index) { return b1[index]; } b1:.space 2 b2:.space 2 getelement(int): ldr r2,.l3 add r3, r2, r0 ldrb r0, [r3] bx lr.l3:.word b1 25 Maxim Integrated EURECOM
26 Why testing source code instead of binary code? Source VS Binary char b1[2]; char b2[2]; char getelement(int index) { return b1[index]; } b1:.space 2 b2:.space 2 getelement(int): ldr r2,.l3 add r3, r2, r0 ldrb r0, [r3] bx lr.l3:.word b1 26 Maxim Integrated EURECOM
27 Why testing source code instead of binary code? Source ( Klee/Clang ) VS Binary (SE2, angr, BAP) char b1[2]; char b2[2]; char getelement(int index) { return b1[index]; } define %index){ entry: %0 = load i32* %index.addr %1 = getelementptr inbounds [2 x i32 0, i32 %0 %2 = load i8* %1 ret i8 %2 } 27 Maxim Integrated EURECOM b1:.space 2 b2:.space 2 getelement(int): ldr r2,.l3 add r3, r2, r0 ldrb r0, [r3] bx lr.l3:.word b1 define index) { entry: store i32 %index, store i , %R2_1 = load %R0_1 = load %R2_2 = add i32 %R2_1, %R0_1 %R3_0 = inttoptr i32 %R2_2 to i32* %R3_1 = bitcast i32* %R3_0 to i8* %R3_2 = load i8* %R3_1
28 Why testing source code instead of binary code? Source ( Klee/Clang ) VS Binary (SE2, angr, BAP) char b1[2]; char b2[2]; char getelement(int index) { return b1[index]; } define %index){ entry: %0 = load i32* %index.addr %1 = getelementptr inbounds [2 x i32 0, i32 %0 %2 = load i8* %1 ret i8 %2 } 28 Maxim Integrated EURECOM b1:.space 2 b2:.space 2 getelement(int): ldr r2,.l3 add r3, r2, r0 ldrb r0, [r3] bx lr.l3:.word b1 define index) { entry: store i32 %index, store i , %R2_1 = load %R0_1 = load %R2_2 = add i32 %R2_1, %R0_1 %R3_0 = inttoptr i32 %R2_2 to i32* %R3_1 = bitcast i32* %R3_0 to i8* %R3_2 = load i8* %R3_1
29 Source vs Binary When source available testing binary is possible however: > Types are lost > Corruption will be detected later if at all > Worse on embedded systems See: Muench et. al. What you corrupt is not what you crash, NDSS 2018 Goal of Inception: improve testing for firmware during development > Limit requirements on code 29 Maxim Integrated EURECOM
30 Major Challenges For Symbolic Execution of Firmware Programs Is C/C++ Support Enough To Test Real World Firmware? STM32(demos) FreeRTOS(STM32) Mbed OS ChibiOS Functions2 Number of functions including assembly instructions in real world embedded software 30 Maxim Integrated EURECOM
31 Major Challenges For Symbolic Execution of Firmware Programs Is C/C++ Support Enough To Test Real World Firmware? Assembly code : > Multithreading > Optimizations > Side channel counter-measures > Hardware features e.g. ultra low power mode 1 STM32(demos) FreeRTOS(STM32) Mbed OS ChibiOS Functions2 Number of functions including assembly instructions in real world embedded software 31 Maxim Integrated EURECOM
32 Major Challenges For Symbolic Execution of Firmware Programs Is C/C++ Support Enough To Test Real World Firmware? Challenge 1 : STM32(demos) FreeRTOS(STM32) Mbed OS ChibiOS Assembly code : > Multithreading > Optimizations > Side channel counter-measures > Hardware features e.g. ultra low power mode Firmware source code contains a mix of C/C++, assembly and binary Functions with inline asm Functions2 Presence of assembly instructions in real world embedded software 32 Maxim Integrated EURECOM
33 Major Challenges For Symbolic Execution of Firmware Programs Hardware environment 33 Maxim Integrated EURECOM
34 Major Challenges For Symbolic Execution of Firmware Programs Hardware environment Hardware interactions > Memory Mapped I/O 34 Maxim Integrated EURECOM
35 Major Challenges For Symbolic Execution of Firmware Programs Hardware environment Hardware interactions > Memory Mapped I/O Memory Peripherals #define UART_STATUS 0x #define UART_DATA 0x char* RX_BUFFER = 0x ; while(!*uart_status) { char* data = (char*)uart_data; strncpy(rx_buffer++, data, 4); } 35 Maxim Integrated EURECOM Internal/external memory Internal/external peripherals
36 Major Challenges For Symbolic Execution of Firmware Programs Hardware environment Hardware interactions > Memory Mapped I/O Memory Peripherals > Interrupt driven programs Interrupt Controller #define UART_STATUS 0x #define UART_DATA 0x char* RX_BUFFER = 0x ; while(!*uart_status) { char* data = (char*)uart_data; strncpy(rx_buffer++, data, 4); } 36 Maxim Integrated EURECOM void interrupt_handler() { } Internal/external memory Internal/external peripherals
37 Major Challenges For Symbolic Execution of Firmware Programs Hardware environment Hardware interactions > Memory Mapped I/O Memory Peripherals > Interrupt driven programs #define UART_STATUS 0x #define UART_DATA 0x char* RX_BUFFER = 0x ; while(!*uart_status) { char* data = (char*)uart_data; strncpy(rx_buffer++, data, 4); } Challenge 2 : Interrupt Controller Firmware programs highly interact with their hardware environment 37 Maxim Integrated EURECOM void interrupt_handler() { } Internal/external memory Internal/external peripherals
38 Building A Symbolic Executor For Firmware Programs 38 Maxim Integrated EURECOM
39 Building A Symbolic Executor For Firmware Programs Firmware (C/C++, asm, binary) Clang LLVM bit-code 39 Maxim Integrated EURECOM
40 Building A Symbolic Executor For Firmware Programs Firmware (C/C++, asm, binary) Clang LLVM bit-code ARM Backend ELF 40 Maxim Integrated EURECOM
41 Building A Symbolic Executor For Firmware Programs Firmware (C/C++, asm, binary) Clang LLVM bit-code ARM Backend ELF Inception translator: > Lift assembly directives and binary code in LLVM bit-code > Merge lifted bit-code with other High-IR : obtained from C/C++ Glue-IR : glue code Low-IR : lifted assembly/binary Inception Translator LLVM bit-code Mixed IR 41 Maxim Integrated EURECOM
42 Building A Symbolic Executor For Firmware Programs Firmware (C/C++, asm, binary) Clang LLVM bit-code ARM Backend ELF Inception translator: > Lift assembly directives and binary code in LLVM bit-code > Merge lifted bit-code with other High-IR : obtained from C/C++ Glue-IR : glue code Low-IR : lifted assembly/binary > Support Cortex M3 ISA Inception Translator LLVM bit-code Mixed IR Modified Klee 42 Maxim Integrated EURECOM
43 Challenge 1 : Supporting C/C++/Asm/Binary code Inception-translator 52 Maxim Integrated EURECOM
44 Inception Translator : Merging High-IR and Low-IR int a = 4; boo(a); <boo>: C: 80 B4 push {r7} E: 83 B0 sub sp, #0xc 53 Maxim Integrated EURECOM
45 Inception Translator : Merging High-IR and Low-IR int a = 4; boo(a); <boo>: C: 80 B4 push {r7} E: 83 B0 sub sp, #0xc %a = alloca i32 store i32 4, i32* %a %0 = load i32* %a %call = call %0) ret void } High IR 54 Maxim Integrated EURECOM
46 Inception Translator : Merging High-IR and Low-IR int a = 4; boo(a); <boo>: C: 80 B4 push {r7} E: 83 B0 sub sp, #0xc %a = alloca i32 store i32 4, i32* %a %0 = load i32* %a %call = call %0) ret void } High IR "boo+0": ; preds = %entry %R7_1 = load %SP1 = load %SP2 = sub i32 %SP1, 4 %SP3 = inttoptr i32 %SP2 to i32* store i32 %R7_1, i32* %SP3 store i32 %SP2, %SP4 = load %SP5 = add i32 %SP4, -13 %SP6 = add i32 %SP5, 1 Low IR 55 Maxim Integrated EURECOM
47 Inception Translator : Merging High-IR and Low-IR int a = 4; boo(a); <boo>: C: 80 B4 push {r7} E: 83 B0 sub sp, #0xc %a = alloca i32 store i32 4, i32* %a %0 = load i32* %a %call = call %0) ret void } High IR define %a){ entry: store i32 %a, br label %"boo+0" Glue IR "boo+0": ; preds = %entry %R7_1 = load %SP1 = load %SP2 = sub i32 %SP1, 4 %SP3 = inttoptr i32 %SP2 to i32* store i32 %R7_1, i32* %SP3 store i32 %SP2, %SP4 = load %SP5 = add i32 %SP4, -13 %SP6 = add i32 %SP5, 1 Low IR 56 Maxim Integrated EURECOM
48 Unified Memory Layout 57 Maxim Integrated EURECOM
49 Unified Memory Layout High IR Glue IR : lower the level of semantic Low IR Glue IR : higher the level of semantic High IR 58 Maxim Integrated EURECOM Execution path
50 Unified Memory Layout Allocate Low IR memory : stack, virtual CPU registers, heap High IR Glue IR : lower the level of semantic Low IR Glue IR : higher the level of semantic High IR 59 Maxim Integrated EURECOM Execution path
51 Unified Memory Layout Allocate Low IR memory : stack, virtual CPU registers, heap Fill gaps in global data sections When no C/C++ symbols point to this area High IR Glue IR : lower the level of semantic Low IR Glue IR : higher the level of semantic High IR 60 Maxim Integrated EURECOM Execution path
52 Unified Memory Layout Allocate Low IR memory : stack, virtual CPU registers, heap Fill gaps in global data sections When no C/C++ symbols point to this area Allocate High-IR objects at location defined in the ELF symbols table High IR Glue IR : lower the level of semantic Low IR Glue IR : higher the level of semantic High IR 61 Maxim Integrated EURECOM Execution path
53 Low IR Hardware Mechanisms Emulation Challenge we solved: > Indirect calls (Indirect Call Promotion) > Seamless hardware mechanisms (Context switching) > Supervisor call > Update specific registers values (LR, MSP, PSP, BASEPRI, ITSTATE, ) Emulation High IR Glue IR : lower the level of semantic Low IR Glue IR : higher the level of semantic High IR 62 Maxim Integrated EURECOM Execution path
54 Challenge 2 : Hardware interactions Inception-analyzer 63 Maxim Integrated EURECOM
55 The Inception System Overview Mixed Bytecode Klee-based Symbolic Virtual Machine config.json ELF 64 Maxim Integrated EURECOM
56 The Inception System Overview Mixed Bytecode Klee-based Symbolic Virtual Machine Globals Memory Mapped stack Data are allocated according to the information present in the symbol table User configuration (config.json): - Local memory - Redirected memory - Symbolic memory config.json heap ELF 65 Maxim Integrated EURECOM
57 The Inception System Overview: Inception debugger Mixed Bytecode Klee-based Symbolic Virtual Machine Globals Memory Mapped stack USB 3.0 link Custom Inception Debugger config.json heap Jtag ELF Real Device 66 Maxim Integrated EURECOM
58 The Inception System Overview: Inception debugger Globals Inspired by Surrogates and Avatar Memory Mapped USB 3.0 link Custom Inception Debugger Zaddach et. al. AVATAR: A Framework to Support Dynamic Security Analysis of Embedded Systems' Firmwares, NDSS 2014 Koscher et. al. SURROGATES: Enabling Near-Real-Time Dynamic Analyses of Embedded Systems, WOOT 2015 stack heap Jtag Real Device 67 Maxim Integrated EURECOM
59 The Inception System Overview: Inception debugger Mixed Bytecode Klee-based Symbolic Virtual Machine Globals Memory Mapped stack USB 3.0 link Custom Inception Debugger config.json Interrupt Controller heap Jtag ELF Real Device 68 Maxim Integrated EURECOM
60 Evaluation 69 Maxim Integrated EURECOM
61 Performance Average IO per second Reads Writes Buffered Reads Inception Surrogates Average time to complete read or write requests for SURROGATES and Inception. Average runtime [ms] ,1 Wget Ping UART Inception Native Performance comparison between native execution and Inception. * Current bottleneck is bit-code execution 70 Maxim Integrated EURECOM
62 Bug Detection Average number of detected vuln % of detected bugs 100% 80% 60% 40% 1 20% % Division by Zero Null Pointer Dereference Use After Free Free Memory Not on Heap Heap-Based Buffer Overflow Integer Overflow Detected Undetected Evolution of corruption detection vs. number of assembly functions in the EXPACT XML parser (4 vulnerabilities [1], symbolic inputs, and a timeout of 90s). Detected Undetected Corruption detection of real-world security flaws based on FreeRTOS and the Juliet 1.3 test suites. [1] MUENCH et. al. What you corrupt is not what you crash: Challenges in fuzzing embedded devices. In NDSS Maxim Integrated EURECOM
63 Verification Intensive verification of the lifter and the modified Klee > 53K tests comparison between Inception and native > 1562 tests based on NIST Juliet 1.3 tests suite > 40 tests based on the Klockwork tests suite > Several demos for the STM32 L152RE and the LPC1850 DB1 boards > 1 Mbed TLS test suite > Several embedded operating systems (FreeRTOS, mini-arm-os) 72 Maxim Integrated EURECOM
64 Conlusion Extends analysis to mixed languages: assembly, C/C++, binary Fit well in chip life-cycle : > test without hardware > FPGA-based design > silicium Already used on proprietary real world Mask ROM code at Maxim > Bugs found before mask manufacturing Inception is open-sourced: > Getting started at > Github and docker 73 Maxim Integrated EURECOM
65 Questions? Free icons license : 74 Maxim Integrated EURECOM
Inception: System-Wide Security Testing of Real-World Embedded Systems Software
Inception: System-Wide Security Testing of Real-World Embedded Systems Software Nassim Corteggiani, EURECOM, Maxim Integrated; Giovanni Camurati and Aurélien Francillon, EURECOM https://www.usenix.org/conference/usenixsecurity18/presentation/corteggiani
More informationFiE on Firmware Finding Vulnerabilities in Embedded Systems using Symbolic Execution. Drew Davidson Ben Moench Somesh Jha Thomas Ristenpart
FiE on Firmware Finding Vulnerabilities in Embedded Systems using Symbolic Execution Drew Davidson Ben Moench Somesh Jha Thomas Ristenpart 1 FiE in a Nutshell Symbolic execution tailored to embedded firmware
More informationLecture Notes: FIE on Firmware: Finding Vulnerabilities in Embedded Systems using Symbolic Execution
Lecture Notes: FIE on Firmware: Finding Vulnerabilities in Embedded Systems using Symbolic Execution Rui Zhang March 6, 2017 1 Embedded microprocessors, Firmware Typical low-power embedded systems combine
More informationWhat You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices
What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices Marius Muench 1 Jan Stijohann 2,3 Frank Kargl 3 Aurélien Francillon 1 Davide Balzarotti 1 1 EURECOM 2 Siemens AG 3 Ulm University
More informationFiE on Firmware Finding Vulnerabilities in Embedded Systems using Symbolic Execution. Drew Davidson Ben Moench Somesh Jha Thomas Ristenpart
FiE on Firmware Finding Vulnerabilities in Embedded Systems using Symbolic Execution Drew Davidson Ben Moench Somesh Jha Thomas Ristenpart 1 FiE in a Nutshell Symbolic execution tailored to embedded firmware
More informationECE254 Lab3 Tutorial. Introduction to Keil LPC1768 Hardware and Programmers Model. Irene Huang
ECE254 Lab3 Tutorial Introduction to Keil LPC1768 Hardware and Programmers Model Irene Huang Lab3 Part A Requirements (1) A function to obtain the task information OS_RESULT os_tsk_get(os_tid task_id,
More informationOverview AEG Conclusion CS 6V Automatic Exploit Generation (AEG) Matthew Stephen. Department of Computer Science University of Texas at Dallas
CS 6V81.005 Automatic Exploit Generation (AEG) Matthew Stephen Department of Computer Science University of Texas at Dallas February 20 th, 2012 Outline 1 Overview Introduction Considerations 2 AEG Challenges
More informationBaggy bounds with LLVM
Baggy bounds with LLVM Anton Anastasov Chirantan Ekbote Travis Hance 6.858 Project Final Report 1 Introduction Buffer overflows are a well-known security problem; a simple buffer-overflow bug can often
More informationBuffer overflow background
and heap buffer background Comp Sci 3600 Security Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Address Space and heap buffer
More informationSecure Software Development: Theory and Practice
Secure Software Development: Theory and Practice Suman Jana MW 2:40-3:55pm 415 Schapiro [SCEP] *Some slides are borrowed from Dan Boneh and John Mitchell Software Security is a major problem! Why writing
More informationLecture 4 September Required reading materials for this class
EECS 261: Computer Security Fall 2007 Lecture 4 September 6 Lecturer: David Wagner Scribe: DK Moon 4.1 Required reading materials for this class Beyond Stack Smashing: Recent Advances in Exploiting Buffer
More informationCprE 288 Introduction to Embedded Systems Course Review for Exam 3. Instructors: Dr. Phillip Jones
CprE 288 Introduction to Embedded Systems Course Review for Exam 3 Instructors: Dr. Phillip Jones 1 Announcements Exam 3: See course website for day/time. Exam 3 location: Our regular classroom Allowed
More informationARM TrustZone for ARMv8-M for software engineers
ARM TrustZone for ARMv8-M for software engineers Ashok Bhat Product Manager, HPC and Server tools ARM Tech Symposia India December 7th 2016 The need for security Communication protection Cryptography,
More informationIntroduction to software exploitation ISSISP 2017
Introduction to software exploitation ISSISP 2017 1 VM https://drive.google.com/open?id=0b8bzf4ybu s1kltjsnlnwqjhss1e (sha1sum: 36c32a596bbc908729ea9333f3da10918e24d767) Login / pass: issisp / issisp 2
More information1.1 For Fun and Profit. 1.2 Common Techniques. My Preferred Techniques
1 Bug Hunting Bug hunting is the process of finding bugs in software or hardware. In this book, however, the term bug hunting will be used specifically to describe the process of finding security-critical
More informationArm TrustZone Armv8-M Primer
Arm TrustZone Armv8-M Primer Odin Shen Staff FAE Arm Arm Techcon 2017 Security Security technologies review Application Level Security Designed with security in mind: authentication and encryption Privilege
More information15-411: LLVM. Jan Hoffmann. Substantial portions courtesy of Deby Katz
15-411: LLVM Jan Hoffmann Substantial portions courtesy of Deby Katz and Gennady Pekhimenko, Olatunji Ruwase,Chris Lattner, Vikram Adve, and David Koes Carnegie What is LLVM? A collection of modular and
More informationECE 471 Embedded Systems Lecture 22
ECE 471 Embedded Systems Lecture 22 Vince Weaver http://www.eece.maine.edu/~vweaver vincent.weaver@maine.edu 31 October 2018 Don t forget HW#7 Announcements 1 Computer Security and why it matters for embedded
More informationSecurity Testing of Software on Embedded Devices Using x86 Platform
Security Testing of Software on Embedded Devices Using x86 Platform Yesheng Zhi( ), Yuanyuan Zhang, Juanru Li, and Dawu Gu Lab of Cryptology and Computer Security, Shanghai Jiao Tong University, Shanghai,
More informationECE254 Lab3 Tutorial. Introduction to MCB1700 Hardware Programming. Irene Huang
ECE254 Lab3 Tutorial Introduction to MCB1700 Hardware Programming Irene Huang Lab3 Requirements : API Dynamic Memory Management: void * os_mem_alloc (int size, unsigned char flag) Flag takes two values:
More informationEURECOM 6/2/2012 SYSTEM SECURITY Σ
EURECOM 6/2/2012 Name SYSTEM SECURITY 5 5 5 5 5 5 5 5 5 5 50 1 2 3 4 5 6 7 8 9 10 Σ Course material is not allowed during the exam. Try to keep your answers precise and short. You will not get extra points
More informationCharm: Facilitating Dynamic Analysis of Device Drivers of Mobile Systems
Charm: Facilitating Dynamic Analysis of Device Drivers of Mobile Systems Seyed Mohammadjavad Seyed Talebi, Hamid Tavakoli, Hang Zhang, Zheng Zhang, Ardalan Amiri Sani, Zhiyun Qian UC Irvine UC Riverside
More informationARM Architecture and Assembly Programming Intro
ARM Architecture and Assembly Programming Intro Instructors: Dr. Phillip Jones http://class.ece.iastate.edu/cpre288 1 Announcements HW9: Due Sunday 11/5 (midnight) Lab 9: object detection lab Give TAs
More informationPointer Analysis for C/C++ with cclyzer. George Balatsouras University of Athens
Pointer Analysis for C/C++ with cclyzer George Balatsouras University of Athens Analyzes C/C++ programs translated to LLVM Bitcode Declarative framework Analyzes written in Datalog
More informationA program execution is memory safe so long as memory access errors never occur:
A program execution is memory safe so long as memory access errors never occur: Buffer overflows, null pointer dereference, use after free, use of uninitialized memory, illegal free Memory safety categories
More informationProgram SoC using C Language
Program SoC using C Language 1 Module Overview General understanding of C, program compilation, program image, data storage, data type, and how to access peripherals using C language; Program SoC using
More informationBuffer overflow prevention, and other attacks
Buffer prevention, and other attacks Comp Sci 3600 Security Outline 1 2 Two approaches to buffer defense Aim to harden programs to resist attacks in new programs Run time Aim to detect and abort attacks
More informationHonours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui
Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui Projects 1 Information flow analysis for mobile applications 2 2 Machine-learning-guide typestate analysis for UAF vulnerabilities 3 3 Preventing
More informationUniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages
UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages Kangjie Lu, Chengyu Song, Taesoo Kim, Wenke Lee School of Computer Science, Georgia Tech Any Problem Here? /* File: drivers/usb/core/devio.c*/
More informationProtection and Mitigation of Software Bug Exploitation
Protection and Mitigation of Software Bug Exploitation Vartan Padaryan vartan@ispras.ru 1 How safe is latest Linux release? Command line arguments fuzzer (inspired by Brumley s article) Launch programs
More informationCode: analysis, bugs, and security
Code: analysis, bugs, and security supported by Bitdefender Marius Minea marius@cs.upt.ro 4 October 2017 Course goals improve skills: write robust, secure code understand program internals learn about
More informationBlack Box Debugging of Embedded Systems
Black Box Debugging of Embedded Systems Introduction: Alexandru Ariciu Background in hacking Worked as a hacker for my whole life Worked in corporate security before (Pentester) Currently an ICS Penetration
More informationThe Low-Level Bounded Model Checker LLBMC
The Low-Level Bounded Model Checker LLBMC A Precise Memory Model for LLBMC Carsten Sinz Stephan Falke Florian Merz October 7, 2010 VERIFICATION MEETS ALGORITHM ENGINEERING KIT University of the State of
More informationCOSC345 Software Engineering. Basic Computer Architecture and The Stack
COSC345 Software Engineering Basic Computer Architecture and The Stack Outline Architectural models A little about the 68HC11 Memory map Registers A little bit of assembly (never did us any harm) The program
More informationDynamic Dispatch and Duck Typing. L25: Modern Compiler Design
Dynamic Dispatch and Duck Typing L25: Modern Compiler Design Late Binding Static dispatch (e.g. C function calls) are jumps to specific addresses Object-oriented languages decouple method name from method
More informationSoK: Eternal War in Memory
SoK: Eternal War in Memory László Szekeres, Mathias Payer, Tao Wei, Dawn Song Presenter: Wajih 11/7/2017 Some slides are taken from original S&P presentation 1 What is SoK paper? Systematization of Knowledge
More informationVA Smalltalk 9: Exploring the next-gen LLVM-based virtual machine
2017 FAST Conference La Plata, Argentina November, 2017 VA Smalltalk 9: Exploring the next-gen LLVM-based virtual machine Alexander Mitin Senior Software Engineer Instantiations, Inc. The New VM Runtime
More informationCoverage-guided Fuzzing of Individual Functions Without Source Code
Coverage-guided Fuzzing of Individual Functions Without Source Code Alessandro Di Federico Politecnico di Milano October 25, 2018 1 Index Coverage-guided fuzzing An overview of rev.ng Experimental results
More informationPRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG
PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG Table of contents Introduction Binary Disassembly Return Address Defense Prototype Implementation Experimental Results Conclusion Buffer Over2low Attacks
More informationIoT and Security: ARM v8-m Architecture. Robert Boys Product Marketing DSG, ARM. Spring 2017: V 3.1
IoT and Security: ARM v8-m Architecture Robert Boys Product Marketing DSG, ARM Spring 2017: V 3.1 ARM v8-m Trustzone. Need to add security to Cortex -M processors. IoT Cortex-A has had TrustZone for a
More informationHow Software Executes
How Software Executes CS-576 Systems Security Instructor: Georgios Portokalidis Overview Introduction Anatomy of a program Basic assembly Anatomy of function calls (and returns) Memory Safety Programming
More informationMcSema: Static Translation of X86 Instructions to LLVM
McSema: Static Translation of X86 Instructions to LLVM ARTEM DINABURG, ARTEM@TRAILOFBITS.COM ANDREW RUEF, ANDREW@TRAILOFBITS.COM About Us Artem Security Researcher blog.dinaburg.org Andrew PhD Student,
More informationesi-risc Development Suite Getting Started Guide
1 Contents 1 Contents 2 2 Overview 3 3 Starting the Integrated Development Environment 4 4 Hello World Tutorial 5 5 Next Steps 8 6 Support 10 Version 2.5 2 of 10 2011 EnSilica Ltd, All Rights Reserved
More informationin memory: an evolution of attacks Mathias Payer Purdue University
in memory: an evolution of attacks Mathias Payer Purdue University Images (c) MGM, WarGames, 1983 Memory attacks: an ongoing war Vulnerability classes according to CVE Memory
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 14: Software Security Department of Computer Science and Engineering University at Buffalo 1 Software Security Exploiting software vulnerabilities is paramount
More informationSymbolic Execution for Bug Detection and Automated Exploit Generation
Symbolic Execution for Bug Detection and Automated Exploit Generation Daniele Cono D Elia Credits: Emilio Coppa SEASON Lab season-lab.github.io May 27, 2016 1 / 29 Daniele Cono D Elia Symbolic Execution
More informationEmbedded/Connected Device Secure Coding. 4-Day Course Syllabus
Embedded/Connected Device Secure Coding 4-Day Course Syllabus Embedded/Connected Device Secure Coding 4-Day Course Course description Secure Programming is the last line of defense against attacks targeted
More informationlogistics: ROP assignment
bug-finding 1 logistics: ROP assignment 2 2013 memory safety landscape 3 2013 memory safety landscape 4 different design points memory safety most extreme disallow out of bounds usually even making out-of-bounds
More informationCompiler Construction: LLVMlite
Compiler Construction: LLVMlite Direct compilation Expressions X86lite Input Output Compile directly from expression language to x86 Syntax-directed compilation scheme Special cases can improve generated
More informationTargeting LLVM IR. LLVM IR, code emission, assignment 4
Targeting LLVM IR LLVM IR, code emission, assignment 4 LLVM Overview Common set of tools & optimizations for compiling many languages to many architectures (x86, ARM, PPC, ASM.js). Integrates AOT & JIT
More informationTowards Automatic Generation of Vulnerability- Based Signatures
Towards Automatic Generation of Vulnerability- Based Signatures David Brumley, James Newsome, Dawn Song, Hao Wang, and Somesh Jha (presented by Boniface Hicks) Systems and Internet Infrastructure Security
More informationARM Cortex-M and RTOSs Are Meant for Each Other
ARM Cortex-M and RTOSs Are Meant for Each Other FEBRUARY 2018 JEAN J. LABROSSE Introduction Author µc/os series of software and books Numerous articles and blogs Lecturer Conferences Training Entrepreneur
More information2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks
Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks
More informationMemory corruption countermeasures
Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) David Aspinall, Informatics @ Edinburgh 30th January 2014 Outline Announcement Recap Containment and curtailment Stack tamper detection
More informationCS-527 Software Security
CS-527 Software Security Memory Safety Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-softsec/ Spring 2017 Eternal
More information0x1A Great Papers in Computer Security
CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs380s/ slide 1 Reference Monitor Observes execution of the program/process At what level? Possibilities:
More informationARM Cortex-M4 Programming Model
ARM Cortex-M4 Programming Model ARM = Advanced RISC Machines, Ltd. ARM licenses IP to other companies (ARM does not fabricate chips) 2005: ARM had 75% of embedded RISC market, with 2.5 billion processors
More informationInject malicious code Call any library functions Modify the original code
Inject malicious code Call any library functions Modify the original code 2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 2 3 Sadeghi, Davi TU Darmstadt
More informationBlack Hat Webcast Series. C/C++ AppSec in 2014
Black Hat Webcast Series C/C++ AppSec in 2014 Who Am I Chris Rohlf Leaf SR (Security Research) - Founder / Consultant BlackHat Speaker { 2009, 2011, 2012 } BlackHat Review Board Member http://leafsr.com
More informationCODE TIME TECHNOLOGIES. Abassi RTOS. Porting Document. ARM Cortex-M3 CCS
CODE TIME TECHNOLOGIES Abassi RTOS Porting Document ARM Cortex-M3 CCS Copyright Information This document is copyright Code Time Technologies Inc. 2011,2012. All rights reserved. No part of this document
More informationResilient IoT Security: The end of flat security models
Resilient IoT Security: The end of flat security models Xiao Sun Senior Application Engineer ARM Tech Symposia China 2015 November 2015 Evolution from M2M to IoT M2M Silos of Things Standards Security
More informationAutomated Software Analysis Techniques For High Reliability: A Concolic Testing Approach. Moonzoo Kim
Automated Software Analysis Techniques For High Reliability: A Concolic Testing Approach Moonzoo Kim Contents Automated Software Analysis Techniques Background Concolic testing process Example of concolic
More informationPractical Malware Analysis
Practical Malware Analysis Ch 4: A Crash Course in x86 Disassembly Revised 1-16-7 Basic Techniques Basic static analysis Looks at malware from the outside Basic dynamic analysis Only shows you how the
More informationRuntime Defenses against Memory Corruption
CS 380S Runtime Defenses against Memory Corruption Vitaly Shmatikov slide 1 Reading Assignment Cowan et al. Buffer overflows: Attacks and defenses for the vulnerability of the decade (DISCEX 2000). Avijit,
More informationBug Finding with Under-approximating Static Analyses. Daniel Kroening, Matt Lewis, Georg Weissenbacher
Bug Finding with Under-approximating Static Analyses Daniel Kroening, Matt Lewis, Georg Weissenbacher Overview Over- vs. underapproximating static analysis Path-based symbolic simulation Path merging Acceleration
More informationLecture Notes: Unleashing MAYHEM on Binary Code
Lecture Notes: Unleashing MAYHEM on Binary Code Rui Zhang February 22, 2017 1 Finding Exploitable Bugs 1.1 Main Challenge in Exploit Generation Exploring enough of the state space of an application to
More informationApplications. Cloud. See voting example (DC Internet voting pilot) Select * from userinfo WHERE id = %%% (variable)
Software Security Requirements General Methodologies Hardware Firmware Software Protocols Procedure s Applications OS Cloud Attack Trees is one of the inside requirement 1. Attacks 2. Evaluation 3. Mitigation
More informationIntroduction to Micro-controller Software. Gary J. Minden September 3, 2013
Introduction to Micro-controller Software Gary J. Minden September 3, 2013 1 Microcontroller Software How developed Language (C) Tools Organization/Structure How deployed Organization in memory How executed
More informationPutting it All Together
EE445M/EE360L.12 Embedded and Real-Time Systems/ Real-Time Operating Systems : Commercial RTOS, Final Exam, Review 1 Putting it All Together Micrium μcos-ii Reference: www.micrium.com Application Note
More informationSmartphone (in) Security
Smartphone (in) Security Smartphones (in)security Nicolas Economou and Alfredo Ortega October 6, 2008 In this talk: 1. Introduction 2. Smartphone Security overview 3. Explotation and shellcodes for both
More informationMultitasking. Embedded Systems
Multitasking in Embedded Systems 1 / 39 Multitasking in Embedded Systems v1.0 Multitasking in ES What is Singletasking? What is Multitasking? Why Multitasking? Different approaches Realtime Operating Systems
More informationMalware
reloaded Malware Research Team @ @xabiugarte Motivation Design principles / architecture Features Use cases Future work Dynamic Binary Instrumentation Techniques to trace the execution of a binary (or
More informationExploits and gdb. Tutorial 5
Exploits and gdb Tutorial 5 Exploits and gdb 1. Buffer Vulnerabilities 2. Code Injection 3. Integer Attacks 4. Advanced Exploitation 5. GNU Debugger (gdb) Buffer Vulnerabilities Basic Idea Overflow or
More informationUndefined Behaviour in C
Undefined Behaviour in C Report Field of work: Scientific Computing Field: Computer Science Faculty for Mathematics, Computer Science and Natural Sciences University of Hamburg Presented by: Dennis Sobczak
More informationBasic Buffer Overflows
Operating Systems Security Basic Buffer Overflows (Stack Smashing) Computer Security & OS lab. Cho, Seong-je ( 조성제 ) Fall, 2018 sjcho at dankook.ac.kr Chapter 10 Buffer Overflow 2 Contents Virtual Memory
More informationAutomatic program generation for detecting vulnerabilities and errors in compilers and interpreters
Automatic program generation for detecting vulnerabilities and errors in compilers and interpreters 0368-3500 Nurit Dor Shir Landau-Feibish Noam Rinetzky Preliminaries Students will group in teams of 2-3
More informationLecture Embedded System Security A. R. Darmstadt, Runtime Attacks
2 ARM stands for Advanced RISC Machine Application area: Embedded systems Mobile phones, smartphones (Apple iphone, Google Android), music players, tablets, and some netbooks Advantage: Low power consumption
More informationIs Exploitation Over? Bypassing Memory Protections in Windows 7
Is Exploitation Over? Bypassing Memory Protections in Windows 7 Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Published research into reliable exploitation techniques: Heap
More informationCSE 504: Compiler Design. Code Generation
Code Generation Pradipta De pradipta.de@sunykorea.ac.kr Current Topic Introducing basic concepts in code generation phase Code Generation Detailed Steps The problem of generating an optimal target program
More informationVerification & Validation of Open Source
Verification & Validation of Open Source 2011 WORKSHOP ON SPACECRAFT FLIGHT SOFTWARE Gordon Uchenick Coverity, Inc Open Source is Ubiquitous Most commercial and proprietary software systems have some open
More informationLecture 3: Instruction Set Architecture
Lecture 3: Instruction Set Architecture CSE 30: Computer Organization and Systems Programming Summer 2014 Diba Mirza Dept. of Computer Science and Engineering University of California, San Diego 1. Steps
More informationImplementing Secure Software Systems on ARMv8-M Microcontrollers
Implementing Secure Software Systems on ARMv8-M Microcontrollers Chris Shore, ARM TrustZone: A comprehensive security foundation Non-trusted Trusted Security separation with TrustZone Isolate trusted resources
More information18-349: Embedded Real-Time Systems Lecture 2: ARM Architecture
18-349: Embedded Real-Time Systems Lecture 2: ARM Architecture Anthony Rowe Electrical and Computer Engineering Carnegie Mellon University Basic Computer Architecture Embedded Real-Time Systems 2 Memory
More informationImportant From Last Time
Important From Last Time Embedded C Ø Pros and cons Macros and how to avoid them Intrinsics Interrupt syntax Inline assembly Today Advanced C What C programs mean How to create C programs that mean nothing
More informationAnalysis of MS Multiple Excel Vulnerabilities
Analysis of MS-07-036 Multiple Excel Vulnerabilities I. Introduction This research was conducted using the Office 2003 Excel Viewer application and the corresponding security patch for MS-07-036 - Vulnerabilities
More informationComputer Organization & Assembly Language Programming (CSE 2312)
Computer Organization & Assembly Language Programming (CSE 2312) Lecture 15: Running ARM Programs in QEMU and Debugging with gdb Taylor Johnson Announcements and Outline Homework 5 due Thursday Midterm
More informationDesign and Implementation Interrupt Mechanism
Design and Implementation Interrupt Mechanism 1 Module Overview Study processor interruption; Design and implement of an interrupt mechanism which responds to interrupts from timer and UART; Program interrupt
More informationSecuring Real-Time Microcontroller Systems through Customized Memory View Switching
Securing Real-Time Microcontroller Systems through Customized Memory View Switching Chung Hwan Kim *, Taegyu Kim, Hongjun Choi, Zhongshu Gu +, By0ungyoung Lee, Xiangyu Zhang, Dongyan Xu + * Security of
More information18-600: Recitation #3
18-600: Recitation #3 Bomb Lab & GDB Overview September 12th, 2017 1 Today X86-64 Overview Bomb Lab Introduction GDB Tutorial 2 3 x86-64: Register Conventions Arguments passed in registers: %rdi, %rsi,
More informationConnecting the EDG front-end to LLVM. Renato Golin, Evzen Muller, Jim MacArthur, Al Grant ARM Ltd.
Connecting the EDG front-end to LLVM Renato Golin, Evzen Muller, Jim MacArthur, Al Grant ARM Ltd. 1 Outline Why EDG Producing IR ARM support 2 EDG Front-End LLVM already has two good C++ front-ends, why
More informationMemory Safety (cont d) Software Security
Memory Safety (cont d) Software Security CS 161: Computer Security Prof. Raluca Ada Popa January 17, 2016 Some slides credit to David Wagner and Nick Weaver Announcements Discussion sections and office
More informationComputer Architecture and System Software Lecture 07: Assembly Language Programming
Computer Architecture and System Software Lecture 07: Assembly Language Programming Instructor: Rob Bergen Applied Computer Science University of Winnipeg Announcements New assembly examples uploaded to
More informationHow Can You Trust Formally Verified Software?
How Can You Trust Formally Verified Software? Alastair Reid Arm Research @alastair_d_reid https://www.theguardian.com/business/2015/may/01/us-aviation-authority-boeing-787-dreamliner-bug-could-cause-loss-of-control
More informationCNIT 127: Exploit Development. Ch 1: Before you begin. Updated
CNIT 127: Exploit Development Ch 1: Before you begin Updated 1-14-16 Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend, such as Denial
More informationControl Flow Hijacking Attacks. Prof. Dr. Michael Backes
Control Flow Hijacking Attacks Prof. Dr. Michael Backes Control Flow Hijacking malicious.pdf Contains bug in PDF parser Control of viewer can be hijacked Control Flow Hijacking Principles Normal Control
More informationComputer Components. Software{ User Programs. Operating System. Hardware
Computer Components Software{ User Programs Operating System Hardware What are Programs? Programs provide instructions for computers Similar to giving directions to a person who is trying to get from point
More informationSoftware Quality is Directly Proportional to Simulation Speed
Software Quality is Directly Proportional to Simulation Speed CDNLive! 11 March 2014 Larry Lapides Page 1 Software Quality is Directly Proportional to Test Speed Intuitively obvious (so my presentation
More informationC and C++ Secure Coding 4-day course. Syllabus
C and C++ Secure Coding 4-day course Syllabus C and C++ Secure Coding 4-Day Course Course description Secure Programming is the last line of defense against attacks targeted toward our systems. This course
More informationBetriebssysteme und Sicherheit Sicherheit. Buffer Overflows
Betriebssysteme und Sicherheit Sicherheit Buffer Overflows Software Vulnerabilities Implementation error Input validation Attacker-supplied input can lead to Corruption Code execution... Even remote exploitation
More information20: Exploits and Containment
20: Exploits and Containment Mark Handley Andrea Bittau What is an exploit? Programs contain bugs. These bugs could have security implications (vulnerabilities) An exploit is a tool which exploits a vulnerability
More information