![Page 1: Finding 0 Days in Embedded Systems · Hack in the box, Netherland and Singapore. Soon to be Beijing and Dubai HITB Security Conference > 2006 till end of time > Core Crew > Review](https://reader036.vdocuments.us/reader036/viewer/2022071215/6045a7e032c14d7b4774a782/html5/thumbnails/1.jpg)
Finding 0 Days in Embedded Systems with Code Coverage Guided Fuzzing
H2HC - Sao Paulo, October 2018
NGUYEN Anh Quynh, aquynh -at- gmail.com
KaiJern LAU, kj -at- theshepherd.io
About NGUYEN Anh Quynh
- Nanyang Technological University, Singapore
- PhD in Computer Science
- Operating System, Virtual Machine, Binary analysis, etc
- Usenix, ACM, IEEE, LNCS, etc
- Blackhat USA/EU/Asia, DEFCON, Recon, HackInTheBox, Syscan, etc
- Capstone disassembler: http://capstone-engine.org
- Unicorn emulator: http://unicorn-engine.org
- Keystone assembler: http://keystone-engine.org
About KaiJern
Founder of hackersbadge.com, RE && CTF fan
Reverse Engineer Badge Maker
- Reversing Binary
- Reversing IoT Devices
- Part Time CTF player

Hack in the box, Netherlands and Singapore. Soon to be Beijing and Dubai
HITB Security Conference
- 2006 till end of time
- Core Crew
- Review Board

- 2005, HITB CTF, Malaysia, First Place /w 20+ Intl. Teams
- 2010, Hack In The Box, Malaysia, Speaker
- 2012, Codegate, Korea, Speaker
- 2015, VXRL, Hong Kong, Speaker
- 2015, HITCON Pre Qual, Taiwan, Top 10 /w 4K+ Intl. Teams
- 2016, Codegate PreQual, Korea, Top 5 /w 3K+ Intl. Teams
- 2016, Qcon, Beijing, Speaker
- 2016, Kcon, Beijing, Speaker
- 2016, Intl. Antivirus Conference, Tianjin, Speaker

- MacOS SMC, Buffer Overflow, suid
- GDB, PE File Parser Buffer Overflow
- Metasploit Module, Snort Back Orifice
- Linux ASLR bypass, Return to EDX

Day Time Job, breaking things and earning salary from a Fortune 500 company, JD.COM

The Shepherd Lab
- IoT Research
- Blockchain Research
- Fun Security Research

- 2017, Kcon, Beijing, Trainer
- 2017, DC852, Hong Kong, Speaker
- 2018, KCON, Beijing, Trainer
- 2018, DC010, Beijing, Speaker
- 2018, Brucon, Brussels, Speaker
- 2018, H2HC, Sao Paulo, Brazil
- 2018, HITB, Beijing/Dubai, Speaker
- 2018, beVX, Hong Kong, Speaker
Agenda: Coverage Guided Fuzzer vs Embedded Systems
- Emulating Firmware
- Guided Fuzzer for Embedded
- Skorpio Dynamic Binary Instrumentation
- DEMO
- Conclusions
Fuzzing - Concept
- Automated software testing technique to find bugs
- Feed crafted input data to the program under test
- Monitor for errors like crash/hang/memory leaking
- Focus more on exploitable bugs like memory corruption, info leaking
- Maximize code coverage to find bugs
- Blackbox fuzzing
- Whitebox fuzzing
- Graybox fuzzing, or Coverage Guided Fuzzing
Coverage-guided Fuzzer
- Instrument target binary to collect coverage info
- Mutate the input to maximize the coverage
- Repeat the above steps to find bugs
- Proved to be very effective: easier to use/setup & found a lot of bugs
- Trending in fuzzing technology: American Fuzzy Lop (AFL) really changed the game
Guided Fuzzer for Embedded
- Guided fuzzers were introduced for powerful PC systems. Bring them over to the embedded world?
- Restricted system
- Closed system (without source code)
- Lack of support for embedded hardware
Issues

Restricted System
- Without built-in shell access for user interaction
- Without development facilities required for building new tools: compiler, debugger, analysis tools

Closed System
- Binary only - without source code
- Existing guided fuzzers rely on source code being available
- Source code is needed for branch instrumentation to feed back fuzzing progress
- Emulation such as QEMU mode support in AFL is slow & limited in capability
- Same issue for other tools based on Dynamic Binary Instrumentation

Lack Support for Embedded
- Most fuzzers are built for X86 only
- Embedded systems are based on Arm, Arm64, Mips, PPC
- Existing DBIs are poor for non-X86 CPUs
  - Pin: Intel only
  - DynamoRio: experimental support for Arm only
Agenda: Emulating Firmware
The SoC
- Scaled down from the PC
- System on Chip
- A chip with all the PCI-e slots and cards in it
- Pinout to different parts
- Wifi, LAN, Bluetooth, etc
- Low power device
Requirement
Hardware + GNU command line; also love hardware, not only hardware hacking
"Once you cross over, there are things in the darkness that can keep your heart from feeling the light again"
Getting Firmware
Firmware and Hardware
Getting the firmware: extract from flash, extract from APK, traffic sniffing, or just download it.
Technically: 1. Download 2. Patch with backdoor 3. Flash 4. pwned
If we need more? 1. RCE 2. Fuzz
The Easy Way
![Page 15: Finding 0 Days in Embedded Systems · Hack in the box, Netherland and Singapore. Soon to be Beijing and Dubai HITB Security Conference > 2006 till end of time > Core Crew > Review](https://reader036.vdocuments.us/reader036/viewer/2022071215/6045a7e032c14d7b4774a782/html5/thumbnails/15.jpg)
Complete Kit to Success
MIPS, ARM, AARCH64
The Hackers Way: Virtualization
![Page 17: Finding 0 Days in Embedded Systems · Hack in the box, Netherland and Singapore. Soon to be Beijing and Dubai HITB Security Conference > 2006 till end of time > Core Crew > Review](https://reader036.vdocuments.us/reader036/viewer/2022071215/6045a7e032c14d7b4774a782/html5/thumbnails/17.jpg)
More Resources = More Power

| | Processor | RAM | Flash |
|---|---|---|---|
| Virtualized | Multicore | MAX RAM | MAX Space |
| Real device | Normally 1-2 Core | Normally 256MB/512MB | Normally 8MB/16MB/32MB/256MB |

Most important, we got apt-get
Booting Up
![Page 19: Finding 0 Days in Embedded Systems · Hack in the box, Netherland and Singapore. Soon to be Beijing and Dubai HITB Security Conference > 2006 till end of time > Core Crew > Review](https://reader036.vdocuments.us/reader036/viewer/2022071215/6045a7e032c14d7b4774a782/html5/thumbnails/19.jpg)
Old vs New
Argument: running new or old distro + kernel + hypervisor
Script to boot MIPS (2016 way)
Only Need One Process to Run
Since there is only one binary, do we really need qemu-system, or can we just use good old qemu-static?
Hunt for the one that spawns the listener port
Hunt for the one that spawns the services
Easy Way Out, chroot
chroot is easy (still hardware dependent), but we will have issues with tools
Running without chroot
Classic Case: File Not Found
![Page 23: Finding 0 Days in Embedded Systems · Hack in the box, Netherland and Singapore. Soon to be Beijing and Dubai HITB Security Conference > 2006 till end of time > Core Crew > Review](https://reader036.vdocuments.us/reader036/viewer/2022071215/6045a7e032c14d7b4774a782/html5/thumbnails/23.jpg)
Now You See It
We found you
We Missed You
![Page 24: Finding 0 Days in Embedded Systems · Hack in the box, Netherland and Singapore. Soon to be Beijing and Dubai HITB Security Conference > 2006 till end of time > Core Crew > Review](https://reader036.vdocuments.us/reader036/viewer/2022071215/6045a7e032c14d7b4774a782/html5/thumbnails/24.jpg)
The Answer
The missing .so and binary issue
Out from chroot, we need feeding
Feeding all the required .so files and binaries with "ln -s"
Out from chroot, we need feeding
"segfault" without a clear error: strace comes to the rescue
Classic file not found error
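As an added example (not from the deck), a small shell helper that automates the strace-then-"ln -s" step described above: it pulls the ENOENT paths out of an strace log of the firmware binary, drops the loader's normal probing misses, and prints the symlink commands that would feed the rest from the extracted firmware root. The strace invocation, the log format and the rootfs layout are assumptions, and the log lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the slides: turn an strace log of the firmware
# binary (run with qemu-user-static outside chroot) into the "ln -s" feeding
# step. Assumed invocation that produced the log (hypothetical):
#   strace -f -o trace.log qemu-mipsel-static ./httpd

# Print every distinct path that a file syscall failed on with ENOENT.
# Handles both the "[pid N]" and the "N  " line prefixes that strace -f emits.
missing_paths() {
    log="$1"
    grep -E '^(\[pid +[0-9]+\] |[0-9]+ +)?(open|openat|stat|lstat|access|execve|readlink)\(.*= -1 ENOENT' "$log" \
        | sed -E 's/^[^"]*"([^"]*)".*/\1/' \
        | sort -u
}

# Drop misses whose basename was opened successfully elsewhere in the log:
# the dynamic loader probes several directories (/lib/tls, hwcap dirs, ...)
# before finding a library, and those misses are not the real problem.
really_missing() {
    log="$1"
    found=$(grep -E '^(\[pid +[0-9]+\] |[0-9]+ +)?(open|openat)\(.*= [0-9]+$' "$log" \
        | sed -E 's/^[^"]*"([^"]*)".*/\1/' | sed -E 's#.*/##' | sort -u)
    missing_paths "$log" | while IFS= read -r p; do
        base=${p##*/}
        printf '%s\n' "$found" | grep -qxF -- "$base" || printf '%s\n' "$p"
    done
}

# For each real miss, print the command that would feed it from the extracted
# firmware root. Nothing is executed here: review the plan, then pipe it to sh.
# Paths absent from the rootfs are flagged instead; those need a stub (such as
# a fake interactor) or a patch rather than a symlink.
symlink_plan() {
    rootfs="$1"
    log="$2"
    really_missing "$log" | while IFS= read -r p; do
        src="$rootfs$p"
        if [ -e "$src" ]; then
            printf 'mkdir -p %s && ln -s %s %s\n' "$(dirname "$p")" "$src" "$p"
        else
            printf '# not in rootfs, needs a stub or patch: %s\n' "$p"
        fi
    done
}
```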
The Secretive NVRAM
Dark Side of NVRAM
Diagram: main process -> (ask for nvram info) -> interactor -> (reply with nvram info) -> main process
The relationship with the main binary looks so intimate, but in actual fact it is just a hit and run.
Dark side of the main process: we ignore it and continue to the next step.
A Fake NVRAM
Diagram: main process -> (ask for nvram info) -> interactor -> (reply with nvram info) -> main process
If the interactor is the medium, can we fake it? Custom Interactor
Wireless Device
![Page 32: Finding 0 Days in Embedded Systems · Hack in the box, Netherland and Singapore. Soon to be Beijing and Dubai HITB Security Conference > 2006 till end of time > Core Crew > Review](https://reader036.vdocuments.us/reader036/viewer/2022071215/6045a7e032c14d7b4774a782/html5/thumbnails/32.jpg)
Faking wpa_supplicant
Making eth0 look like wlan0 works too
When Everything Else Fails
jmp, cbz, cbnz and Friends
Screenshot: Original BIN vs Patched BIN
Argument: To Patch or To Fulfill Firmware Needs
Agenda: Skorpio Dynamic Binary Instrumentation
Issues (recap: the same three columns as before, with the solved one relabelled)
- Firmware Emulation (was: Restricted System)
- Closed System
- Lack Support for Embedded
Dynamic Binary Instrumentation (DBI)
DBI Illustration
DBI Techniques
Hooking Mechanisms - Inline
Hooking Mechanisms - Detour
Detour Injection Mechanisms
Jump-trampoline Technique
Jump-callback Technique
Call-trampoline Technique
Call-callback Technique
Problems of Existing DBI
SKORPIO Framework
SKORPIO Architecture
Cross Platform - Memory
Cross Architecture - Save/Restore Context
Cross Architecture - Callback argument
Cross Architecture - Branch distance
Cross Architecture - Branch for PPC
Cross Architecture - Scratch Register
Cross Architecture - Flush Code Cache
Code Boundary & Relocation
Code Analysis
Customize on Instrumentation
Agenda: Guided Fuzzer for Embedded
Issues (recap: the same three columns, with the solved ones relabelled)
- Firmware Emulation (was: Restricted System)
- Skorpio DBI (was: Closed System)
- Lack Support for Embedded
Fuzzer Features
Fuzzer Design
Fuzzer Implementation
Fuzz network process
Agenda: DEMO
Exploiting an RCE
Agenda: Conclusions
Issues (recap: the same three columns, all relabelled with what solved them)
- Firmware Emulation (was: Restricted System)
- Skorpio DBI (was: Closed System)
- Guided Fuzzer for Embedded (was: Lack Support for Embedded)
Conclusions
Questions
NGUYEN Anh Quynh, aquynh -at- gmail.com
KaiJern LAU, kj -at- theshepherd.io
Finding 0 Days in Embedded Systems with Code Coverage Guided Fuzzing