Exploiting Real Time Operating Systems

Event on 2015-08-10 09:00:00
CPE/ECE Credits: 5

Course Description

This course will teach students how to analyze, reverse, debug, and exploit embedded RTOS firmware. Hands-on experience with a variety of real-world devices, RTOSes, and architectures equips students with the practical knowledge and skills necessary to be proficient in RTOS vulnerability analysis and exploitation.

Prerequisites

Due to the nature of the material, we do expect students to already have experience with:

  • basic overflows and ROP
  • IDA’s user interface (students should be comfortable working in it)
  • MIPS and ARM (some prior knowledge is a plus, but not required)


This course is a natural progression for students already familiar with embedded Linux exploitation; if you attended Embedded Device Exploitation, then you meet the criteria.

Day 1

Basic introduction to the concept of Real Time Operating Systems

  • What is an RTOS?
  • Challenges in reversing and exploiting RTOS code

Overview of MIPS architecture and design

  • Common instructions / registers
  • MIPS RE crash course

Firmware analysis of our first target device

  • Initial analysis and extraction of compressed / obfuscated code and data
  • Identifying the main RTOS code and loading it into IDA
  • Identifying the RTOS base load address and major segments (.text, .data, .bss, etc)

Debugging our first target device

  • JTAG vs UART debugging
  • VxWorks debugging interface
  • Dumping memory sections

Augmenting IDA’s auto analysis

  • Loading dumped .bss segment into IDA
  • Identification of symbol and function tables
  • Parsing symbol tables and renaming functions with IDAPython

Searching for backdoors

  • Identification of running services on the device
  • Examining service code for possible backdoors
  • Find and exploit a backdoor on our first target device

Day 2

Searching for stack overflows

  • Common low-hanging fruit (HTTP, UPnP)
  • Finding text parsing bugs
  • Locate and verify a stack overflow bug in our first target device

Exploiting RTOS overflows

  • Useful ROP gadgets
  • Overwriting critical data
  • Overwriting existing code
  • Architecture-specific concerns (e.g., cache incoherency in MIPS)
  • Write an overflow exploit for our first target device

How not to crash your target

  • Techniques to prevent the target from crashing
  • Write an overflow exploit that doesn’t crash our first target device

Practical exploitation of LAN services from the WAN

  • Exploiting networked targets with HTML and JavaScript
  • Write a browser-based exploit against our first target device

Day 3

Fresh meat

  • Hardware analysis of our second target device
  • Firmware analysis and disassembly of our second target device

Identifying functions without a symbol table

  • Format string analysis
  • Identifying leaf functions
  • Manually reversing leaf functions
  • Automated function analysis

Debugging without a debugger

  • Detecting system crashes
  • UART messages
  • Code snippet emulation

Searching for stack overflows

  • Finding pre-auth parsing bugs
  • Locate and verify a stack overflow vulnerability in our second target device

Writing stack overflows with limited debugging

  • Proper understanding of memory and static code analysis
  • Planning ahead
    • Crash mitigation
    • ROP gadgets
  • Write a stack overflow exploit for our second target device

Day 4

More bugs!

  • Finding more parsing bugs in our second target device
  • Identifying dynamic call paths
  • Writing more complex ROP chains

Re-programming an RTOS in memory

  • Re-programming RTOS kernel code on-the-fly
  • Leaking sensitive information through existing services

Low-hanging crypto

  • Custom crypto implementations
  • Auto-generated WPA keys
  • Auto-generated WPS pins

Breaking custom crypto

  • Poor encryption methods
  • Known-plaintext attacks

Finding WPS crypto bugs

  • Identifying pin generation functions
  • Identifying sources of entropy
  • Verifying hypotheses
  • Find a WPS implementation bug in our second target device

Practical exploitation of WPS crypto bugs

  • Examining 802.11 WPS packets
  • Leaking of seemingly benign info
  • Cracking WPS pins in our second target device

Day 5

Firmware analysis of our third target device

  • Initial analysis and extraction of compressed / obfuscated code and data
  • Identifying the main RTOS code and loading it into IDA
  • Identifying the RTOS base load address and major segments (.text, .data, .bss, etc)

Augmenting IDA’s auto analysis

  • Identification of symbol and function tables
  • Parsing symbol tables and renaming functions with IDAPython

V-Chip backdoors

  • Identification of code processing user input
  • Examining infrared processing code for possible backdoors in the V-Chip password
  • Find and exploit a backdoor on our third target device

Hidden manufacturer menus

  • Custom IR codes
  • IR code sequences
  • Identify hidden manufacturer IR codes in our third target device

Requirements

You will need the following to succeed in class:

  • Intimate familiarity with the Linux operating environment
  • Knowledge of common networking protocols (TCP/IP, HTTP)
  • Experience with programming/scripting languages (C and Python in particular)
  • Familiarity with any assembly language
  • Familiarity with IDA Pro
  • Experience with PC vulnerability analysis and exploitation

Instructor Bio

Craig Heffner is a Vulnerability Researcher with Tactical Network Solutions in Columbia, MD. He has 6 years’ experience analyzing embedded systems and operates the /dev/ttys0 blog, which is dedicated to embedded hacking topics. He has presented at events such as Black Hat and DEF CON. His skin has never been exposed to sunlight and is bioluminescent at 200 meters (656 feet) below sea level.

at Tactical Network Solutions
8825 Stanford Blvd
Columbia, United States
