![Page 1: s3.eurecom.frs3.eurecom.fr/slides/bar18_muench.slides.pdf · Title: Avatar2: A Multi-target Orchestration Platform Author: Marius Muench, Dario Nisi, Aurélien Francillon & Davide](https://reader034.vdocuments.us/reader034/viewer/2022042322/5f0c0c057e708231d4337c4b/html5/thumbnails/1.jpg)
Avatar2: A Multi-target Orchestration
Platform
Marius Muench, Dario Nisi, Aurelien Francillon & Davide Balzarotti
Workshop on Binary Analysis Research 2018
![Page 2: s3.eurecom.frs3.eurecom.fr/slides/bar18_muench.slides.pdf · Title: Avatar2: A Multi-target Orchestration Platform Author: Marius Muench, Dario Nisi, Aurélien Francillon & Davide](https://reader034.vdocuments.us/reader034/viewer/2022042322/5f0c0c057e708231d4337c4b/html5/thumbnails/2.jpg)
Introduction
DynamicB inaryA nalysis
1
![Page 3: s3.eurecom.frs3.eurecom.fr/slides/bar18_muench.slides.pdf · Title: Avatar2: A Multi-target Orchestration Platform Author: Marius Muench, Dario Nisi, Aurélien Francillon & Davide](https://reader034.vdocuments.us/reader034/viewer/2022042322/5f0c0c057e708231d4337c4b/html5/thumbnails/3.jpg)
Motivation
• Having a huge variety of tools is awesome
• But analysis state is mostly local to the single tools
• A lot of effort to integrate specific tools into other
2
![Page 4: s3.eurecom.frs3.eurecom.fr/slides/bar18_muench.slides.pdf · Title: Avatar2: A Multi-target Orchestration Platform Author: Marius Muench, Dario Nisi, Aurélien Francillon & Davide](https://reader034.vdocuments.us/reader034/viewer/2022042322/5f0c0c057e708231d4337c4b/html5/thumbnails/4.jpg)
Being able to interconnect debuggers,
emulators and analysis frameworks greatly
benefits dynamic binary analysis
2
![Page 5: s3.eurecom.frs3.eurecom.fr/slides/bar18_muench.slides.pdf · Title: Avatar2: A Multi-target Orchestration Platform Author: Marius Muench, Dario Nisi, Aurélien Francillon & Davide](https://reader034.vdocuments.us/reader034/viewer/2022042322/5f0c0c057e708231d4337c4b/html5/thumbnails/5.jpg)
A link to the past
2014: The avatar framework:
• Connects S2E and OpenOCD/GDB
• Targets ARM firmware
• Partial emulation together with real hardware
• Tightly coupled to S2E and OpenOCD/GDB
Zaddach, Jonas, et al. ”AVATAR: A Framework to Support Dynamic Security Analysis
of Embedded Systems’ Firmwares.” NDSS 2014.
3
![Page 6: s3.eurecom.frs3.eurecom.fr/slides/bar18_muench.slides.pdf · Title: Avatar2: A Multi-target Orchestration Platform Author: Marius Muench, Dario Nisi, Aurélien Francillon & Davide](https://reader034.vdocuments.us/reader034/viewer/2022042322/5f0c0c057e708231d4337c4b/html5/thumbnails/6.jpg)
A link to the past
2014: The avatar framework:
• Connects S2E and OpenOCD/GDB
• Targets ARM firmware
• Partial emulation together with real hardware
• Tightly coupled to S2E and OpenOCD/GDB
Zaddach, Jonas, et al. ”AVATAR: A Framework to Support Dynamic Security Analysis
of Embedded Systems’ Firmwares.” NDSS 2014.
3
![Page 7: s3.eurecom.frs3.eurecom.fr/slides/bar18_muench.slides.pdf · Title: Avatar2: A Multi-target Orchestration Platform Author: Marius Muench, Dario Nisi, Aurélien Francillon & Davide](https://reader034.vdocuments.us/reader034/viewer/2022042322/5f0c0c057e708231d4337c4b/html5/thumbnails/7.jpg)
Imagine a tool that ...
4
![Page 8: s3.eurecom.frs3.eurecom.fr/slides/bar18_muench.slides.pdf · Title: Avatar2: A Multi-target Orchestration Platform Author: Marius Muench, Dario Nisi, Aurélien Francillon & Davide](https://reader034.vdocuments.us/reader034/viewer/2022042322/5f0c0c057e708231d4337c4b/html5/thumbnails/8.jpg)
Imagine a tool that ...
4
![Page 9: s3.eurecom.frs3.eurecom.fr/slides/bar18_muench.slides.pdf · Title: Avatar2: A Multi-target Orchestration Platform Author: Marius Muench, Dario Nisi, Aurélien Francillon & Davide](https://reader034.vdocuments.us/reader034/viewer/2022042322/5f0c0c057e708231d4337c4b/html5/thumbnails/9.jpg)
Imagine a tool that ...
4
![Page 10: s3.eurecom.frs3.eurecom.fr/slides/bar18_muench.slides.pdf · Title: Avatar2: A Multi-target Orchestration Platform Author: Marius Muench, Dario Nisi, Aurélien Francillon & Davide](https://reader034.vdocuments.us/reader034/viewer/2022042322/5f0c0c057e708231d4337c4b/html5/thumbnails/10.jpg)
Imagine a tool that ...
4
![Page 11: s3.eurecom.frs3.eurecom.fr/slides/bar18_muench.slides.pdf · Title: Avatar2: A Multi-target Orchestration Platform Author: Marius Muench, Dario Nisi, Aurélien Francillon & Davide](https://reader034.vdocuments.us/reader034/viewer/2022042322/5f0c0c057e708231d4337c4b/html5/thumbnails/11.jpg)
Imagine a tool that ...
4
![Page 12: s3.eurecom.frs3.eurecom.fr/slides/bar18_muench.slides.pdf · Title: Avatar2: A Multi-target Orchestration Platform Author: Marius Muench, Dario Nisi, Aurélien Francillon & Davide](https://reader034.vdocuments.us/reader034/viewer/2022042322/5f0c0c057e708231d4337c4b/html5/thumbnails/12.jpg)
Imagine a tool that ...
4
![Page 13: s3.eurecom.frs3.eurecom.fr/slides/bar18_muench.slides.pdf · Title: Avatar2: A Multi-target Orchestration Platform Author: Marius Muench, Dario Nisi, Aurélien Francillon & Davide](https://reader034.vdocuments.us/reader034/viewer/2022042322/5f0c0c057e708231d4337c4b/html5/thumbnails/13.jpg)
Imagine a tool that ...
4
![Page 14: s3.eurecom.frs3.eurecom.fr/slides/bar18_muench.slides.pdf · Title: Avatar2: A Multi-target Orchestration Platform Author: Marius Muench, Dario Nisi, Aurélien Francillon & Davide](https://reader034.vdocuments.us/reader034/viewer/2022042322/5f0c0c057e708231d4337c4b/html5/thumbnails/14.jpg)
Imagine a tool that ...
4
![Page 15: s3.eurecom.frs3.eurecom.fr/slides/bar18_muench.slides.pdf · Title: Avatar2: A Multi-target Orchestration Platform Author: Marius Muench, Dario Nisi, Aurélien Francillon & Davide](https://reader034.vdocuments.us/reader034/viewer/2022042322/5f0c0c057e708231d4337c4b/html5/thumbnails/15.jpg)
Imagine a tool that ...
4
![Page 16: s3.eurecom.frs3.eurecom.fr/slides/bar18_muench.slides.pdf · Title: Avatar2: A Multi-target Orchestration Platform Author: Marius Muench, Dario Nisi, Aurélien Francillon & Davide](https://reader034.vdocuments.us/reader034/viewer/2022042322/5f0c0c057e708231d4337c4b/html5/thumbnails/16.jpg)
One framework to orchestrate them all?
• Capable of interconnecting a variety of tools
• Expose a consistent API to the analyst
• Easy scriptability
• Operate in an highly asynchronous environment
: Careful crafted architecture required
5
![Page 17: s3.eurecom.frs3.eurecom.fr/slides/bar18_muench.slides.pdf · Title: Avatar2: A Multi-target Orchestration Platform Author: Marius Muench, Dario Nisi, Aurélien Francillon & Davide](https://reader034.vdocuments.us/reader034/viewer/2022042322/5f0c0c057e708231d4337c4b/html5/thumbnails/17.jpg)
Avatar2- The architecture
Avatar2
Target0
ExecutionProtocol
MemoryProtocol
Endpoint0
RegisterProtocol
Targetn
ExecutionProtocol
MemoryProtocol
Endpointn
RegisterProtocol
. . .
. . .
. . .
6
![Page 18: s3.eurecom.frs3.eurecom.fr/slides/bar18_muench.slides.pdf · Title: Avatar2: A Multi-target Orchestration Platform Author: Marius Muench, Dario Nisi, Aurélien Francillon & Davide](https://reader034.vdocuments.us/reader034/viewer/2022042322/5f0c0c057e708231d4337c4b/html5/thumbnails/18.jpg)
Additional features
• Architecture independent design
• Internal memory layout representation
• Legacy python support
• Peripheral modeling
• Plugin System
• Assembler/Disassembler
• Orchestrator
• Instruction Forwarder
7
![Page 19: s3.eurecom.frs3.eurecom.fr/slides/bar18_muench.slides.pdf · Title: Avatar2: A Multi-target Orchestration Platform Author: Marius Muench, Dario Nisi, Aurélien Francillon & Davide](https://reader034.vdocuments.us/reader034/viewer/2022042322/5f0c0c057e708231d4337c4b/html5/thumbnails/19.jpg)
Examples
Example I:
Facilitating replication
& reproduction
Example II:
Symbolic Execution
& Complex Software
Example III:
Record & Replay for Firmware
8
![Page 20: s3.eurecom.frs3.eurecom.fr/slides/bar18_muench.slides.pdf · Title: Avatar2: A Multi-target Orchestration Platform Author: Marius Muench, Dario Nisi, Aurélien Francillon & Davide](https://reader034.vdocuments.us/reader034/viewer/2022042322/5f0c0c057e708231d4337c4b/html5/thumbnails/20.jpg)
Example I - Replicating Harvey
• Proof of concept implementation of HARVEY [1]
• Malware for a COTS PLC
• The plc utilizes multiple boards
• Code injection via JTAG
[1] Garcia, Luis, et al. ”Hey, My Malware Knows Physics Attacking PLCs with
Physical Model Aware Rootkit.” NDSS 2016.
9
![Page 21: s3.eurecom.frs3.eurecom.fr/slides/bar18_muench.slides.pdf · Title: Avatar2: A Multi-target Orchestration Platform Author: Marius Muench, Dario Nisi, Aurélien Francillon & Davide](https://reader034.vdocuments.us/reader034/viewer/2022042322/5f0c0c057e708231d4337c4b/html5/thumbnails/21.jpg)
Figure 1: Harvey’s modifications to the GPIO-output ISR1
1Taken from [1]. Original title: ”Figure 5. Original GPIO-output update ISR assembly code compared to
modified subroutine with branch to malicious code.”
10
![Page 22: s3.eurecom.frs3.eurecom.fr/slides/bar18_muench.slides.pdf · Title: Avatar2: A Multi-target Orchestration Platform Author: Marius Muench, Dario Nisi, Aurélien Francillon & Davide](https://reader034.vdocuments.us/reader034/viewer/2022042322/5f0c0c057e708231d4337c4b/html5/thumbnails/22.jpg)
1 from avatar2 import Avatar, ARMV7M, OpenOCDTarget
2
3 output_hook = ’’’mov r5,0xfffffffd
4 mov r4, r5
5 mov r5, 0
6 b 0x2000233E’’’
7
8 avatar = Avatar(arch=ARMV7M)
9 avatar.load_plugin(’assembler’)
10
11 t = avatar.add_target(OpenOCDTarget, openocd_script=’harvey.cfg’,
12 gdb_executable=’arm-none-eabi-gdb’)
13
14 t.init()
15 t.set_breakpoint(0xd270)
16 t.cont()
17 t.wait()
18
19 t.inject_asm(’b 0x20002514’,addr=0x20002338)
20 t.inject_asm(output_hook,addr=0x20002514)
21
22 t.cont() 11
![Page 23: s3.eurecom.frs3.eurecom.fr/slides/bar18_muench.slides.pdf · Title: Avatar2: A Multi-target Orchestration Platform Author: Marius Muench, Dario Nisi, Aurélien Francillon & Davide](https://reader034.vdocuments.us/reader034/viewer/2022042322/5f0c0c057e708231d4337c4b/html5/thumbnails/23.jpg)
Example I - Results
• Implementation of PoC in approx. 30 lines of Python
• All of this could –and has – been done without avatar2
• Unified and centralized interface
• Easy to exchange scripts
• Modifications can easily be integrated
12
![Page 24: s3.eurecom.frs3.eurecom.fr/slides/bar18_muench.slides.pdf · Title: Avatar2: A Multi-target Orchestration Platform Author: Marius Muench, Dario Nisi, Aurélien Francillon & Davide](https://reader034.vdocuments.us/reader034/viewer/2022042322/5f0c0c057e708231d4337c4b/html5/thumbnails/24.jpg)
Example II - Symbolic Execution of Firefox
• Firefox with inserted bug
• Executed concretely inside gdb until function of interest
• Automated memory layout extraction from gdb
• Transfer of layout into angr
• Memory contents copied-on-read
• Symbolic function arguments
• Analysis of only one thread
13
![Page 25: s3.eurecom.frs3.eurecom.fr/slides/bar18_muench.slides.pdf · Title: Avatar2: A Multi-target Orchestration Platform Author: Marius Muench, Dario Nisi, Aurélien Francillon & Davide](https://reader034.vdocuments.us/reader034/viewer/2022042322/5f0c0c057e708231d4337c4b/html5/thumbnails/25.jpg)
Example II - Results
• Implementation in approx. 60 lines of Python
• Execution statistics:
• Approximatly 10 minutes of runtime2
• 36 executed basic blocks
• 21 uniquely accessed pages
• Found the bug
• angr alone was not able to find the bug
• Could be achieved by tedious population of state without
avatar2
• Demonstrates State Transfer and Orchestration capabilities
2Hardware: VM with four Intel Xeon E5-2650L cores and 16GB of RAM
14
![Page 26: s3.eurecom.frs3.eurecom.fr/slides/bar18_muench.slides.pdf · Title: Avatar2: A Multi-target Orchestration Platform Author: Marius Muench, Dario Nisi, Aurélien Francillon & Davide](https://reader034.vdocuments.us/reader034/viewer/2022042322/5f0c0c057e708231d4337c4b/html5/thumbnails/26.jpg)
Example III - Recording Firmware Execution
• Dynamic binary analysis of firmware often requires the device
• PANDA [2] allows to record and replay execution
• Allows exchange of executions for further analysis without the
device
[2] Whelan, Ryan J., et al. ”Repeatable Reverse Engineering with the Platform for
Architecture-Neutral Dynamic Analysis.” MIT Lincoln Laboratory Lexington 2015.
15
![Page 27: s3.eurecom.frs3.eurecom.fr/slides/bar18_muench.slides.pdf · Title: Avatar2: A Multi-target Orchestration Platform Author: Marius Muench, Dario Nisi, Aurélien Francillon & Davide](https://reader034.vdocuments.us/reader034/viewer/2022042322/5f0c0c057e708231d4337c4b/html5/thumbnails/27.jpg)
1 from avatar2 import ARMV7M, Avatar, OpenOCDTarget, PandaTarget
2
3 avatar = Avatar(arch=ARMV7M)
4 avatar.load_plugin(’orchestrator’)
5
6 nucleo = avatar.add_target(OpenOCDTarget, [...])
7 panda = avatar.add_target(PandaTarget, [...])
8
9 rom = avatar.add_memory_range(0x08000000, 0x1000000,
10 file=firmware)
11 ram = avatar.add_memory_range(0x20000000, 0x14000)
12 mmio= avatar.add_memory_range(0x40000000, 0x1000000,
13 forwarded=True, forwarded_to=nucleo)
14
15 avatar.init_targets()
16 [...]
17 panda.begin_record(’panda_record’)
18 avatar.resume_orchestration(blocking=False)
19 [...]
20 avatar.stop_orchestration()
21 panda.end_record()
16
![Page 28: s3.eurecom.frs3.eurecom.fr/slides/bar18_muench.slides.pdf · Title: Avatar2: A Multi-target Orchestration Platform Author: Marius Muench, Dario Nisi, Aurélien Francillon & Davide](https://reader034.vdocuments.us/reader034/viewer/2022042322/5f0c0c057e708231d4337c4b/html5/thumbnails/28.jpg)
Example III - Results
• Implementation in approx. 30 lines of Python
• Successful recording of firmware’s execution
• Replayable without presence of hardware
• Without avatar2, cumbersome implementation of peripherals
required
• Demonstration of separation between execution and memory
17
![Page 29: s3.eurecom.frs3.eurecom.fr/slides/bar18_muench.slides.pdf · Title: Avatar2: A Multi-target Orchestration Platform Author: Marius Muench, Dario Nisi, Aurélien Francillon & Davide](https://reader034.vdocuments.us/reader034/viewer/2022042322/5f0c0c057e708231d4337c4b/html5/thumbnails/29.jpg)
Discussion
• So far, only five targets implemented
• Achieving genericity is difficult
• Overhead for implementing new targets varies
• Unsolved challenges for analysis of embedded devices
• Interrupts
• Debug access
18
![Page 30: s3.eurecom.frs3.eurecom.fr/slides/bar18_muench.slides.pdf · Title: Avatar2: A Multi-target Orchestration Platform Author: Marius Muench, Dario Nisi, Aurélien Francillon & Davide](https://reader034.vdocuments.us/reader034/viewer/2022042322/5f0c0c057e708231d4337c4b/html5/thumbnails/30.jpg)
Conclusion
• Multi-target orchestration is not limited to firmware
• We are just at the beginning ...
• More tomorrow morning!
• ”What You Corrupt Is Not What You Crash: Challenges in
Fuzzing Embedded Devices.”
• Session 1A: IoT, Kon Tiki Ballroom, 12.20pm
19
![Page 31: s3.eurecom.frs3.eurecom.fr/slides/bar18_muench.slides.pdf · Title: Avatar2: A Multi-target Orchestration Platform Author: Marius Muench, Dario Nisi, Aurélien Francillon & Davide](https://reader034.vdocuments.us/reader034/viewer/2022042322/5f0c0c057e708231d4337c4b/html5/thumbnails/31.jpg)
Artifacts?
• The full framework is open source:
https://github.com/avatartwo/avatar2
• Presented examples at:
https://github.com/avatartwo/bar18_avatar2
• Pre-built vagrant box:
avatar/2bar18 avatar2
20
![Page 32: s3.eurecom.frs3.eurecom.fr/slides/bar18_muench.slides.pdf · Title: Avatar2: A Multi-target Orchestration Platform Author: Marius Muench, Dario Nisi, Aurélien Francillon & Davide](https://reader034.vdocuments.us/reader034/viewer/2022042322/5f0c0c057e708231d4337c4b/html5/thumbnails/32.jpg)
Backup slide #1: Changes to QEMU
Avatar2 provides a costomized QEMU
• All located in a single subfolder: hw/avatar
• New board: Configurable Machine
• Already present in the first avatar
• Allows flexible configuration of emulated hardware
• New peripheral: remote memory
• Communicates with avatar2 via posix message queues
• Utilizes custom remote-memory protocol
21
![Page 33: s3.eurecom.frs3.eurecom.fr/slides/bar18_muench.slides.pdf · Title: Avatar2: A Multi-target Orchestration Platform Author: Marius Muench, Dario Nisi, Aurélien Francillon & Davide](https://reader034.vdocuments.us/reader034/viewer/2022042322/5f0c0c057e708231d4337c4b/html5/thumbnails/33.jpg)
Backup Slide #2: Event handling in avatar2
• Targets are emitting events
• Events are registered by protocols forwarded to the avatar2
core
• Fast queue for execution state updates
• Enables callbacks and inspection mechanisms
22