Who are we? Jonas Zaddach. Andrei Costin. Davide Balzarotti. Aurélien Francillon 2/91

Transcription

1

2 Who are we? Andrei Costin Jonas Zaddach Aurélien Francillon Davide Balzarotti 2/91

3 Who are we? 3/91

4 Embedded Systems Are Everywhere by Wilgengebroed on Flickr [CC-BY-2.0] 4/91

5 Smarter & More Complex by Wilgengebroed on Flickr [CC-BY-2.0] 5/91

6 Interconnected by Wilgengebroed on Flickr [CC-BY-2.0] 6/91

7 Many Examples of Insecure Embedded Systems Routers 7/91

8 Many Examples of Insecure Embedded Systems Routers Printers Networked printers at risk (30/12/2011, McAfee Labs) 8/91

9 Many Examples of Insecure Embedded Systems Routers Printers VoIP Cisco VoIP Phones Affected By On Hook Security Vulnerability (12/06/2012, Forbes) 9/91

10 Many Examples of Insecure Embedded Systems Routers Printers VoIP Cars Hackers Reveal Nasty New Car Attacks With Me Behind The Wheel (12/08/2013, Forbes) 10/91

11 Many Examples of Insecure Embedded Systems Routers Printers VoIP Cars Drones 11/91

12 Many Examples of Insecure Embedded Systems Routers Printers VoIP Cars Drones... 12/91

13 Many Examples of Insecure Embedded Systems Routers Printers VoIP Cars Drones Each of the above is a result of individual analysis Manual and tedious efforts Does not scale 13/91

14 The Goal Perform a large scale analysis to gain a better understanding of firmware problems 14/91

15 The Problem With Large Scale Analysis Heterogeneity of Hardware, architectures, OSes Users, requirements Security goals 15/91

16 The Problem With Large Scale Analysis Heterogeneity of Hardware, architectures, OSes Users, requirements Security goals Manual analysis does not scale, it requires Finding and downloading firmware Unpacking and initial analysis Re-discovering a similar bugs 16/91

17 Previous Approaches Test on real devices [Bojinov09CCS] Accurate results Does not scale well 17/91

18 Previous Approaches Test on real devices [Bojinov09CCS] Accurate results Does not scale well Scan devices on the Internet Large scale testing [Cui10ACSAC] Can only test for known vulnerabilities Blackbox approach More is too intrusive [Census2012] 18/91

19 Our Approach to The Large Scale Analysis Collect a large number of firmware images 19/91

20 Our Approach to The Large Scale Analysis Collect a large number of firmware images Perform broad but simple static analysis 20/91

21 Our Approach to The Large Scale Analysis Collect a large number of firmware images Perform broad but simple static analysis Correlate across firmwares 21/91

22 Our Approach to The Large Scale Analysis Collect a large number of firmware images Perform broad but simple static analysis Correlate across firmwares Advantages No intrusive online testing, no devices involved Scalable 22/91

23 Our Approach to The Large Scale Analysis Collect a large number of firmware images Perform broad but simple static analysis Correlate across firmwares Advantages No intrusive online testing, no devices involved Scalable Many challenges remain 23/91

24 Mainstream Systems Have Centralized Updates 24/91

25 Challenge: Embedded Systems Update Sources are diverse Public site Manufacturer web site FTP site Hidden site Accessed by firmware update utility Restricted site Request-only updates Delivery on other media (CD-Rom, ) Firmware only delivered on device 25/91

26 Challenge: Embedded Systems Update Mechanisms are diverse 26/91

27 Collecting a Dataset No large scale firmware dataset yet As opposed to existing datasets in security or other research areas 27/91

28 Collecting a Dataset No large scale firmware dataset yet As opposed to existing datasets in security or other research areas We collected a subset of the firmwares available for download 28/91

29 Collecting a Dataset No large scale firmware dataset yet As opposed to existing datasets in security or other research areas We collected a subset of the firmwares available for download Still many firmwares are not publicly available 29/91

30 Collecting a Dataset No large scale firmware dataset yet As opposed to existing datasets in security or other research areas We collected a subset of the firmwares available for download Still many firmwares are not publicly available 30/91

31 Challenge: Firmware Identification Clearly a Firmware 31/91

32 Challenge: Firmware Identification Clearly a Firmware Clearly not a Firmware 32/91

33 Challenge: Firmware Identification Clearly a Firmware Clearly not a Firmware? 33/91

34 Challenge: Firmware Identification E.g., upgrade by printing a PS document 34/91

35 Challenge: Unpacking & Custom Formats How to reliably unpack and learn formats? 35/91

36 Challenge: Unpacking & Custom Formats How to reliably unpack and learn formats? ZIP 36/91

37 Challenge: Unpacking & Custom Formats How to reliably unpack and learn formats? ZIP EXE PS 37/91

38 Challenge: Unpacking & Custom Formats How to reliably unpack and learn formats? ZIP EXE PS 38/91

39 Challenge: Unpacking & Custom Formats How to reliably unpack and learn formats? ZIP EXE PS Printer driver 39/91

40 Challenge: Unpacking & Custom Formats How to reliably unpack and learn formats? ZIP EXE PS ASCII85 Printer driver 40/91

41 Challenge: Unpacking & Custom Formats How to reliably unpack and learn formats? ZIP EXE PS ASCII85 Printer driver ELF 41/91

42 Challenge: Unpacking & Custom Formats How to reliably unpack and learn formats? ZIP PS EXE ASCII85 Binary patch? Printer driver ELF 42/91

43 Challenge: Unpacking & Custom Formats How to reliably unpack and learn formats? ZIP PS EXE Update executable? ASCII85 Binary patch? Printer driver ELF 43/91

44 Challenge: Unpacking & Custom Formats How to reliably unpack and learn formats? ZIP PS EXE Update executable? ASCII85 Binary patch? Printer driver Whole FW image? ELF 44/91

45 Challenge: Unpacking & Custom Formats How to reliably unpack and learn formats? Firmware updates often are russian dolls ZIP PS EXE Sometimes result of unpacking is just a binary data blob Update executable? ASCII85 Binary patch? Printer driver Whole FW image? ELF 45/91

46 Our Approach to Unpacking & Custom Formats Often a firmware image is just a binary blob File carving required Bruteforce at every offset with all known unpacker Have good heuristics when to stop carving 46/91

47 Our Approach to Unpacking & Custom Formats Often a firmware image is just a binary blob File carving required Bruteforce at every offset with all known unpacker Have good heuristics when to stop carving We compared existing tools and used BAT (Binary Analysis Toolkit) Supports recursive extraction and carving Extended it with multiple custom unpackers 47/91

48 Challenge: Scalability & Computational Limits Unpacking and file carving is very CPU intensive 48/91

49 Challenge: Scalability & Computational Limits Unpacking and file carving is very CPU intensive Results in millions of unpacked files Manual analysis infeasible One-to-one fuzzy hash comparison is CPU intensive 49/91

50 Challenge: Scalability & Computational Limits Fuzzy hashing becomes difficult with lots of file CPU Time 150 y 850 d 26k 130k # firmwares 50/91

51 Challenge: Results Confirmation An issue found statically Cannot guarantee exploitability May not apply to a real device E.g., vulnerable daemon present but never started 51/91

52 Challenge: Results Confirmation An issue found statically Cannot guarantee exploitability May not apply to a real device E.g., vulnerable daemon present but never started Issue confirmation is difficult Requires advanced analysis (static & dynamic) Does not scale for heterogeneous firmware Often requires real embedded devices 52/91

53 Architecture Firmware Datastore Internet Crawl 53/91

54 Architecture Firmware Datastore Internet Crawl Public Web Interface Submit 54/91

55 Architecture Firmware Datastore Internet Crawl Public Web Interface Submit Firmware Analysis Cloud 55/91

56 Architecture Firmware Datastore Internet Crawl Public Web Interface Submit Firmware Analysis Cloud Master 56/91

57 Architecture Firmware Datastore Internet Crawl Public Web Interface Submit Firmware Analysis Cloud Master Distribute Password Hash Cracker Unpacking Static Analysis Fuzzy Hashing Workers 57/91

58 Architecture Firmware Datastore Internet Crawl Public Web Interface Submit Firmware Analysis Cloud Master Distribute Password Hash Cracker Firmware Analysis & Reports DB Unpacking Static Analysis Fuzzy Hashing Workers 58/91

59 Architecture Firmware Datastore Internet Crawl Public Web Interface Submit Firmware Analysis Cloud Data Enrichment Master Distribute Password Hash Cracker Unpacking Static Analysis Fuzzy Hashing Firmware Analysis & Reports DB Correlation Engine Workers 59/91

60 Crawler Multiple seeds Several download techniques FTP-index engines Google Custom search engines WGET scripts Beautiful Soup scripts 759 K collected files, 1.8 TB of disk space 60/91

61 (beta) Will provide Unpacking and Analysis 61/91

62 (beta) Will provide Unpacking and Analysis 62/91

63 Unpacking 759 K total files collected 63/91

64 Unpacking 759 K total files collected Filter non firmware 172 K filtered interesting files 64/91

65 Unpacking 759 K total files collected Filter non firmware 172 K filtered interesting files Random selection 32 K analyzed 65/91

66 Unpacking 759 K total files collected Filter non firmware 172 K filtered interesting files Random selection 32 K analyzed Successful unpack 26 K unpacked (fully or partially) 66/91

67 Unpacking 759 K total files collected Filter non firmware 172 K filtered interesting files Random selection 32 K analyzed Successful unpack 26 K unpacked (fully or partially) Unpacked files 1.7 M resulted files after unpacking 67/91

68 Static Analysis Misconfigurations Data enrichment Web-server configs, Credentials, Code repositories Version banners Software packages and versions Keywords Known problems (e.g., telnet, shell, UART, backdoor) Correlation/clustering Fuzzy hashes, Private SSL keys, Credentials 68/91

69 Example: Correlation Correlation via fuzzy-hashes (ssdeep, sdhash) Firmware 1 69/91

70 Example: Correlation Correlation via fuzzy-hashes (ssdeep, sdhash) Firmware 1 70/91

71 Example: Correlation Correlation via fuzzy-hashes (ssdeep, sdhash) Firmware 1 Firmware 4 Firmware 2 99% 95% 0% Firmware 3 Firmware 5 71/91

72 Example: Correlation Correlation via fuzzy-hashes (ssdeep, sdhash) Firmware 1 Firmware 4 Firmware 2 99% 95% 0% Firmware 3 Firmware 5 72/91

73 Example: Correlation Correlation via fuzzy-hashes (ssdeep, sdhash) Firmware 1 Firmware 4 Firmware 2 99% 95% 0% Firmware 3 Firmware 5 73/91

74 Example: RSA Keys SSL keys correlation + vulnerability propagatio 74/91

75 Example: RSA Keys SSL keys correlation + vulnerability propagatio 75/91

76 Example: RSA Keys SSL keys correlation + vulnerability propagatio Vendor A 76/91

77 Example: RSA Keys SSL keys correlation + vulnerability propagatio Vendor A 77/91

78 Example: RSA Keys SSL keys correlation + vulnerability propagatio Vendor A 78/91

79 Example: RSA Keys SSL keys correlation + vulnerability propagatio Vendor A 79/91

80 Example: RSA Keys SSL keys correlation + vulnerability propagatio Vendor A Vendor B 80/91

81 Example: RSA Keys SSL keys correlation + vulnerability propagatio Vendor A Vendor B 81/91

82 Example: RSA Keys SSL keys correlation + vulnerability propagatio Vendor A Common Vulnerabie Components Vendor B 82/91

83 Results: Summary 38 new vulnerabilities (CVE) Correlated them to 140 K online devices Affected 693 firmware files by at least one vuln 83/91

84 Chamber of Horrors Several recently build images with linux kernels, busybox older than 9 years Similar debug backdoor daemon in networking, home automation equipment Forgotten or backdoor entries in authorized_keys files 84/91

85 Chamber of Horrors Linux kernel older than 4 years compiled by root on a machine with public IP accepting SSH connections (GPS/Aerospace manufacturer) Discovered vulnerability in wireless fireworks system, implemented PoC attack [3] 85/91

86 Contributions Summary First large-scale static analysis of firmwares Described the main challenges associated Shown the advantages of performing a largescale analysis of firmware images Implemented a framework and several efficient static techniques 86/91

87 Conclusions A broader view on firmwares Not only beneficial But necessary for discovery and analysis of vulnerabilities Correlation reveals firmware relationship Shows how vulnerabilities reappear across different products Could allow seeing how firmwares evolve 87/91

88 Conclusions There are plenty of latent vulnerabilities Security Tradeoff with cost and time-to-market Clearly not a priority for some vendors 88/91

89 Thank you To our advisors, Aurelien and Davide To our friends and families To Black Hat and the Sponsors To everybody who is submitting firmware to us To you for listening to this talk :) 89/91

90 The End Questions? eurecom.fr 90/91

91 References [1] A. Costin, J. Zaddach, A. Francillon, D. Balzarotti, A Large-Scale Analysis of the Security of Embedded Firmwares, In Proceedings of the 23rd USENIX Conference on Security (to appear) [2] A. Costin, J. Zaddach, Poster: Firmware.RE: Firmware Unpacking and Analysis as a Service, In Proceedings of the ACM Conference on Security and Privacy in Wireless Mobile Networks (WiSec) '14 [3] A. Costin, A. Francillon, Short paper: A Dangerous 'Pyrotechnic Composition': Fireworks, Embedded Wireless and Insecurity-by-Design, In Proceedings of the ACM Conference on Security and Privacy in Wireless Mobile Networks (WiSec) '14 91/91