A firmware analysis tour with Avatar in 7 minutes

(maybe)

Aurélien Francillon, Eurecom

Cryptacus Meeting, 6 Nov 2016

HDD backdoor

● How bad would be a compromised hard disk firmware?– Is this a realistic threat model ?

● We reverse engineered and backdoored an HDD– ~10 person-month effort– Without any privileged information– No significant performance overhead

● Data-exfiltration backdoor– No cooperation from host– Stealthy

«Implementation and Implications of a Stealth Hard-Drive Backdoor»

J. Zaddach, et. al., ACSAC 2013

IRATEMONK ?

11/23/16 - - p 5

Lesson learnt

● How could we analyze a firmware to find backdoors?

● Performing security analysis of embedded systems is very challenging !

– Very hard to analyze the disk

– Static v/s Dynamic analysis

– 20 Mbytes of statically linked code, without symbols

=> We need to develop new methodologies and tools for dynamic security analysis of embedded systems

6

Avatar project and goals

● We need tools and methodologies to analyze large firmware code– Find vulnerabilities– Verify functionality– Reverse engineering– Security testing

« Avatar: A Framework to Support Dynamic Security Analysis of Embedded Systems' Firmwares » J. Zaddach, L. Bruno, A. Francillon, D. Balzarotti, NDSS 2014

Security evaluation tools

Techniques that are typically used on a PCAdvanced debugging techniques◦Tracing◦Fuzzing◦Tainting◦Symbolic Execution

Integrated tools◦ IDA Pro◦GDB◦Eclipse

A device of devices

A device of devicesCPU

A device of devices

ModemUSB

EthernetWIFI

LEDsButtons

CPU

A device of devices

USBEthernet

LEDsButtons

CPU

IRQ Controller

MemoryController

WIFI

Timers

BUS Controller

Modem

Challenges

● Advanced dynamic analysis needs emulation

● Emulating a firmware requires not only instruction set emulation but also peripheral emulation

● But peripherals often unknown, interact with the physical world and other embedded devices...

Avatar goal

CPU

Firmware

Physical embedded device Emulator

?

Avatar goal

CPU

Firmware

Physical embedded device Emulator

Avatar

● Orchestrate execution between emulator and device– Currently S2E, a symbolic execution engine for

binary code, is used as the emulator

● Forward peripheral accesses to the device under analysis

● Do not attempt to emulate peripherals– No documentation– Reverse engineering is difficult

EmulatorEmulator

. . .mov r2, r0mov r3, r1add r3, r3, #1ldr r2, [r2, #0]cmp r2, r3 . . .

DeviceDevice

In-memory stub

MemoryRegistersCPU state

DeviceDevice

In-memory stub

MemoryRegistersCPU state

AvatarAvatar

Analysis scriptAnalysis script

pluginsAnalysis plugins

Avatar overview

EmulatorEmulator

. . .mov r2, r0mov r3, r1add r3, r3, #1ldr r2, [r2, #0]cmp r2, r3 . . .

DeviceDevice

In-memory stub

MemoryRegistersCPU state

DeviceDevice

In-memory stub

MemoryRegistersCPU state

AvatarAvatar

Analysis scriptAnalysis script

pluginsAnalysis plugins

Avatar overview

Avatar overview

EmulatorEmulator

. . .mov r2, r0mov r3, r1add r3, r3, #1ldr r2, [r2, #0]cmp r2, r3 . . .

DeviceDevice

In-memory stub

MemoryRegistersCPU state

DeviceDevice

In-memory stub

MemoryRegistersCPU state

AvatarAvatar

Analysis scriptAnalysis script

pluginsAnalysis plugins

EmulatorEmulator

. . .mov r2, r0mov r3, r1add r3, r3, #1ldr r2, [r2, #0]cmp r2, r3 . . .

DeviceDevice

In-memory stub

MemoryRegistersCPU state

DeviceDevice

In-memory stub

MemoryRegistersCPU state

AvatarAvatar

Analysis scriptAnalysis script

pluginsAnalysis plugins

Avatar overview

EmulatorEmulator

. . .mov r2, r0mov r3, r1add r3, r3, #1ldr r2, [r2, #0]cmp r2, r3 . . .

DeviceDevice

In-memory stub

MemoryRegistersCPU state

DeviceDevice

In-memory stub

MemoryRegistersCPU state

AvatarAvatar

Analysis scriptAnalysis script

pluginsAnalysis plugins

Avatar overview

EmulatorEmulator

. . .mov r2, r0mov r3, r1add r3, r3, #1ldr r2, [r2, #0]cmp r2, r3 . . .

DeviceDevice

In-memory stub

MemoryRegistersCPU state

DeviceDevice

In-memory stub

MemoryRegistersCPU state

AvatarAvatar

Analysis scriptAnalysis script

pluginsAnalysis plugins

Avatar overview

EmulatorEmulator

. . .mov r2, r0mov r3, r1add r3, r3, #1ldr r2, [r2, #0]cmp r2, r3 . . .

DeviceDevice

In-memory stub

MemoryRegistersCPU state

DeviceDevice

In-memory stub

MemoryRegistersCPU state

AvatarAvatar

Analysis scriptAnalysis script

pluginsAnalysis plugins IRQ

Avatar overview

EmulatorEmulator

. . .mov r2, r0mov r3, r1add r3, r3, #1ldr r2, [r2, #0]cmp r2, r3 . . .

DeviceDevice

In-memory stub

MemoryRegistersCPU state

DeviceDevice

In-memory stub

MemoryRegistersCPU state

AvatarAvatar

Analysis scriptAnalysis script

pluginsAnalysis plugins IRQ

Avatar overview

EmulatorEmulator

. . .mov r2, r0mov r3, r1add r3, r3, #1ldr r2, [r2, #0]cmp r2, r3 . . .

DeviceDevice

In-memory stub

MemoryRegistersCPU state

DeviceDevice

In-memory stub

MemoryRegistersCPU state

AvatarAvatar

Analysis scriptAnalysis script

pluginsAnalysis plugins IRQ

Avatar overview

Bottlenecks

• Emulated execution is much slower than execution on the real device

– Memory accesses pass through low-bandwidth debug link

• IRQs can saturate debug link

Improving performance

• Transfer state/execution– From the device to the emulator– From the emulator to the device

Improving performance

• Transfer state/execution– From the device to the emulator– From the emulator to the device

2828

Emulator DeviceStateState StateState

Memory

AvatarRegister

StateState

Improving performance

• Transfer state/execution– From the device to the emulator– From the emulator to the device

11/23/16 29

Emulator DeviceStateStateAvatar

Memory

Register

Improving performance

• Transfer state/execution– From the device to the emulator– From the emulator to the device

Full separation mode

Emulator Device

StateState

Register

StateState

Memory

Avatar

Memory access optimization

Emulator Device

StateState

Register

Memory

StateState

IO Memory

Avatar

Avatar in more details

Use cases

GSM phone

Hard disk drive

EconoTag (Zigbee sensor mote)

Avatar Summary Enables to perform some analysis that were impossible before:

● Selective symbolic/concolic execution, analysis on whole system analysis, from (partial) binary code, reverse engineering framework, tracing …

Is a versatile, Open Source platform● http://s3.eurecom.fr/tools/avatar/

We are currently using it to analyze many different devices● Have a device to analyze? Come for a STEM

Under active development, currently extending it to ● support other analysis frameworks (Angr, Panda, klee, mixed

analysis…)● Better interaction with hardware (fast custom USB3 dongle)

« Avatar: A Framework to Support Dynamic Security Analysis of Embedded Systems' Firmwares » J. Zaddach, L. Bruno, A. Francillon, D. Balzarotti, NDSS 2014

People involved

Davide Balzarotti

Students projects:Luka Malisa (initial experiments) Kjell Braden (Avatar MMU Support)

Luca Bruno(fuzzer, Avatar)

Sandeep Nuckchady

Jonas ZadachLucian Cojocar (VU Amsterdam)