![Page 1: Virtualizing IoT - Hack In The Box · Virtualizing IoT HITB2018DXB, November 2018 with Code Coverage Guided Fuzzing NGUYEN Anh Quynh, ... > Reversing IoT Devices > Part Time CtF player](https://reader034.vdocuments.mx/reader034/viewer/2022042218/5ec44582bbaec001d325cb60/html5/thumbnails/1.jpg)
Virtualizing IoT
HITB2018DXB, November 2018
with Code Coverage Guided Fuzzing
NGUYEN Anh Quynh, aquynh -at- gmail.com
KaiJern LAU, kj -at- theshepherd.io
About NGUYEN Anh Quynh
> Nanyang Technological University, Singapore
> PhD in Computer Science
> Operating System, Virtual Machine, Binary analysis, etc
> Usenix, ACM, IEEE, LNCS, etc
> Blackhat USA/EU/Asia, DEFCON, Recon, HackInTheBox, Syscan, etc
> Capstone disassembler: http://capstone-engine.org
> Unicorn emulator: http://unicorn-engine.org
> Keystone assembler: http://keystone-engine.org
About kaijern.xwings.L
Electronic fan boy, making toys from hacker to hacker
Badge Maker
> Reversing Binary
> Reversing IoT Devices
> Part Time CtF player
Crew since 2008, from Kuala Lumpur till now AMS, SG, BEIJING and DXB
Broker
> 2006 (ctf) till end of time
> Core Crew
> Review Board
> 2005, HITB CTF, Malaysia, First Place /w 20+ Intl. Team
> 2010, Hack In The Box, Malaysia, Speaker
> 2012, Codegate, Korea, Speaker
> 2015, VXRL, Hong Kong, Speaker
> 2015, HITCON Pre Qual, Taiwan, Top 10 /w 4K+ Intl. Team
> 2016, Codegate PreQual, Korea, Top 5 /w 3K+ Intl. Team
> 2016, Qcon, Beijing, Speaker
> 2016, Kcon, Beijing, Speaker
> 2016, Intl. Antivirus Conference, Tianjin, Speaker
> MacOS SMC, Buffer Overflow, suid
> GDB, PE File Parser Buffer Overflow
> Metasploit Module, Snort Back Orifice
> Linux ASLR bypass, Return to EDX
Stays in the lab 24/7, hoping to make the world a better place
Founder
> IoT Research
> Blockchain Research
> Fun Security Research
> 2017, Kcon, Beijing, Trainer
> 2017, DC852, Hong Kong, Speaker
> 2018, KCON, Beijing, Trainer
> 2018, DC010, Beijing, Speaker
> 2018, Brucon, Brussels, Speaker
> 2018, H2HC, São Paulo, Brazil, Speaker
> 2018, HITB, Beijing/Dubai, Speaker
> 2018, beVX, Hong Kong, Speaker
Agenda
> Coverage Guided Fuzzer vs Embedded Systems
> Emulating Firmware
> Guided Fuzzer for Embedded
> Skorpio Dynamic Binary Instrumentation
> DEMO
> Conclusions
> Secret Menu
Fuzzing
> Automated software testing technique to find bugs
> Feed crafted input data to the program under test
> Monitor for errors like crashes, hangs and memory leaks
> Focus more on exploitable errors like memory corruption and info leaks
> Maximize code coverage to find bugs
> Blackbox fuzzing
> Whitebox fuzzing
> Graybox fuzzing, or Coverage Guided Fuzzing
Coverage-guided Fuzzer
> Instrument target binary to collect coverage info
> Mutate the input to maximize the coverage
> Repeat above steps to find bugs
> Proved to be very effective
> Easier to use/setup & found a lot of bugs
> Trending in fuzzing technology
> American Fuzzy Lop (AFL) really changed the game
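The instrument / mutate / repeat loop described above, as an added example written for this page (it is not the authors' fuzzer and not Skorpio code): a minimal coverage-guided fuzzer in Python. Instrumentation is `sys.settrace`, which records the source lines executed inside the target; the target `parse_record` is a constructed toy parser with a planted bug hidden behind three separate byte comparisons, so the fuzzer can only reach it one branch at a time. The names `CrashFound`, `run_with_coverage`, `mutate` and `fuzz` are assumptions of this example.

```python
import random
import sys


class CrashFound(Exception):
    """Raised by the constructed target to simulate a memory-corruption crash."""


def parse_record(data: bytes) -> int:
    """Constructed toy target: header "RC", a length byte, then a body.

    The planted bug sits behind three separate byte comparisons, so a fuzzer
    without coverage feedback would have to guess all three bytes at once."""
    if len(data) < 4:
        return 0                          # too short
    if data[0] != 0x52:                   # 'R'
        return 1
    if data[1] != 0x43:                   # 'C'
        return 2
    length = data[2]
    if length < 3 or length + 3 > len(data):
        return 3                          # bad length field
    body = data[3:3 + length]
    if body[0] == 0x42:                   # 'B'
        if body[1] == 0x55:               # 'U'
            if body[2] == 0x47:           # 'G'
                raise CrashFound("planted bug reached")
    return 4


def run_with_coverage(target, data):
    """Instrumentation step: run target(data) under sys.settrace and collect the
    set of source lines executed inside target. Returns (lines, crashed)."""
    code = target.__code__
    lines = set()

    def tracer(frame, event, arg):
        if event == "call":
            # Trace only the target's own frame, nothing it calls.
            return tracer if frame.f_code is code else None
        if event == "line":
            lines.add(frame.f_lineno)
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        target(data)
        crashed = False
    except CrashFound:
        crashed = True
    finally:
        sys.settrace(previous)
    return lines, crashed


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Mutation step: replace, insert or delete one random byte."""
    buf = bytearray(data)
    choice = rng.random()
    if choice < 0.6 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice < 0.8:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, seed: bytes, max_iters: int = 100_000, rng_seed: int = 1) -> dict:
    """Repeat step: keep every input that executes a new line, prefer mutating
    the input with the most coverage (AFL-style), stop at the first crash."""
    rng = random.Random(rng_seed)
    seed_lines, _ = run_with_coverage(target, seed)
    corpus = [(seed, seed_lines)]         # (input, lines it executed)
    total_lines = set(seed_lines)
    for iteration in range(1, max_iters + 1):
        if rng.random() < 0.7:
            parent = max(corpus, key=lambda entry: len(entry[1]))[0]
        else:
            parent = rng.choice(corpus)[0]
        child = mutate(parent, rng)
        lines, crashed = run_with_coverage(target, child)
        if crashed:
            return {"crash": child, "iterations": iteration,
                    "corpus": len(corpus), "lines": len(total_lines)}
        if not lines <= total_lines:      # new coverage: keep this input
            total_lines |= lines
            corpus.append((child, lines))
    return {"crash": None, "iterations": max_iters,
            "corpus": len(corpus), "lines": len(total_lines)}


if __name__ == "__main__":
    # Seed already passes the header and length checks; the fuzzer has to
    # discover the body bytes "BUG" guided only by new-line coverage.
    print(fuzz(parse_record, b"RC\x03AAA"))
```

The corpus only grows when an input executes a line nothing before it did, which is exactly the feedback signal the slide calls "maximize the coverage"; a blackbox fuzzer with the same mutator would have to hit all three body bytes in one go.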
Guided Fuzzer for Embedded
> Guided fuzzers were introduced for powerful PC systems
> Bring them over to the embedded world?
> No support for introducing new tools
> Not open source
> Lack of support for embedded hardware
Issues
Restricted System
> Binary only - without source code
> Existing guided fuzzers rely on source code being available
> Source code is needed for branch instrumentation to feed back fuzzing progress
> Emulation such as QEMU mode support in AFL is slow & limited in capability
> Same issue for other tools based on Dynamic Binary Instrumentation
Closed System
> Without built-in shell access for user interaction
> Without development facilities required for building new tools
> Compiler
> Debugger
> Analysis tools
Lack Support for Embedded
> Most fuzzers are built for X86 only
> Embedded systems based on Arm, Arm64, Mips, PPC
> Existing DBIs are poor for non-X86 CPU
> Pin: Intel only
> DynamoRio: experimental support for Arm
The SoC
➢ Scaled down from the PC
➢ System on Chip
➢ A chip with all the PCI-e slots and cards in it
➢ Pinout to different parts
➢ Wifi, LAN, Bluetooth, etc
➢ Low power device
Requirement
Hardware + GNU command line; also love hardware, and not only hardware hacking
Once you cross over, there are things in the darkness that can keep your heart from feeling the light again
Let's Get Started
In The Beginning: We Need Firmware
Device Limited Bug: if all_model = one_firmware
Getting Firmware
Firmware and Hardware
Extract from flash, extract from APK, traffic sniffing, or just download
Technically: 1. Download 2. Patch with Backdoor 3. Flash 4. pwned
If we need more? 1. RCE 2. Fuzz
The Easy Way
Complete Kit to Success
MIPS, ARM, AARCH64
Classic LIBC Issue
How Many Dev Boards?
Hardware is not "downgradable"
Assembly Instruction Compatibility
ARM AARCH64
Current Work Around
Qemu Static
QEMU-Static is good for binary execution without additional software or hardware interaction
Current Primitive Firmware Emulation
Leaving squashfs and going into an unknown world
It's not easy after 2016
Why Firmware Emulation
More Resources = More Power

| | Processor | RAM | FLASH |
|---|---|---|---|
| Normally (device) | 1-2 Core | 256MB/512MB | 8MB/16MB/32MB/256MB |
| Emulated | Multicore | MAX RAM | MAX Space |

Most Important, we got apt-get
Objectives
Only One Process with Interaction
Most of the devices come with one big binary
Hunt for the one that spawns the listener port
Booting Up
Distro and Kernel Mix and Match
Argument: running a new or old distro + kernel
(slide shows a script to boot ARM and a script to boot MIPS)
chroot
Easy Way Out, chroot
chroot is easy (still hardware dependent), but we will have issues with tools
Running without chroot
Classic Case: File Not Found
The File Missing Trick
We found you
We Missed You
The missing .SO and binary Issue
Out from chroot, we need feeding
Feeding all the required .so files and binaries with "ln -s"
Out from chroot, we need feeding
"segfault" without a clear error: strace comes to the rescue
Classic file not found error
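The two slides above describe one loop: run the binary outside the chroot, read the ENOENT lines out of strace, and feed in what is missing with "ln -s" from the extracted firmware rootfs. The script below is an added example written for this page (not the authors' tooling): it parses strace output for failed file lookups and turns them into a symlink plan, separating paths the firmware rootfs can supply from paths that do not exist in the firmware either (a directory to mkdir, or a helper binary that needs a stand-in, like the NVRAM interactor on the later slides). The strace sample is constructed, and the function names and the `/opt/fw/squashfs-root` path are assumptions.

```python
import os
import re

# Matches the syscall name and its first quoted path argument on an strace
# line, with or without the "[pid N]" prefix that "strace -f" adds.
_CALL_RE = re.compile(r'^(?:\[pid\s+\d+\]\s+)?(\w+)\((?:AT_FDCWD,\s*)?"([^"]+)"')
_ENOENT = "= -1 ENOENT"

# Constructed sample of "strace -f -e trace=file" output; not captured from a device.
SAMPLE_STRACE = """\
execve("./httpd", ["./httpd"], 0x7e9c1000 /* 12 vars */) = 0
openat(AT_FDCWD, "/lib/libc.so.0", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/libnvram.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
[pid  4242] open("/etc/config/httpd.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
[pid  4242] stat("/tmp/var/run", 0x7e9c2000) = -1 ENOENT (No such file or directory)
[pid  4243] execve("/usr/sbin/nvram", ["nvram", "get", "lan_ipaddr"], 0x7e9c3000) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/libnvram.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
"""


def missing_paths(strace_text):
    """Return {path: set(syscalls)} for every lookup that failed with ENOENT,
    keyed in the order the target first asked for each path."""
    missing = {}
    for line in strace_text.splitlines():
        if _ENOENT not in line:
            continue
        match = _CALL_RE.match(line)
        if match:
            call, path = match.groups()
            missing.setdefault(path, set()).add(call)
    return missing


def list_rootfs(rootfs_dir):
    """Collect the files of an extracted firmware rootfs as rootfs-relative paths."""
    files = set()
    for dirpath, _dirs, names in os.walk(rootfs_dir):
        for name in names:
            files.add(os.path.relpath(os.path.join(dirpath, name), rootfs_dir))
    return files


def plan_feeding(missing, rootfs_dir, rootfs_files):
    """Split the missing paths into those the firmware rootfs can supply (feed
    them in with "ln -s") and those the firmware does not contain either."""
    links, unresolved = [], []
    for path in missing:
        rel = path.lstrip("/")
        if rel in rootfs_files:
            links.append((os.path.join(rootfs_dir, rel), path))
        else:
            unresolved.append(path)
    return links, unresolved


def shell_commands(links):
    """Render the plan as the "ln -s <rootfs file> <missing path>" lines to run."""
    return [f"ln -s {src} {dst}" for src, dst in links]


if __name__ == "__main__":
    # Usage (hypothetical file name): python3 feed_missing.py <rootfs-dir> < strace.log
    import sys
    rootfs = sys.argv[1]
    missing = missing_paths(sys.stdin.read())
    links, unresolved = plan_feeding(missing, rootfs, list_rootfs(rootfs))
    print("\n".join(shell_commands(links)))
    for path in unresolved:
        print(f"# not in firmware either: {path} ({', '.join(sorted(missing[path]))})")
```

Review the plan before running it: the links are created at the absolute paths the binary asked for, which on the emulation host means writing into directories such as /lib, so this belongs in a throwaway VM, not on a workstation.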
The Secretive NVRAM
Dark side of NVRAM
Diagram: the main process asks the interactor for NVRAM info; the interactor replies with the NVRAM info
The relationship with the main binary looks so intimate, but in actual fact it is just a hit and run
Dark side of the main process: we ignore it and continue to the next step
A fake NVRAM
Diagram: the main process asks the interactor for NVRAM info; the interactor replies with the NVRAM info
If the interactor is the medium, can we fake it?
A fake NVRAM
Custom Interactor: the same diagram, with the interactor replaced by a custom one that answers the main process's NVRAM requests
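One way to build the custom interactor the slides ask for, as an added example written for this page (it is not the authors' interactor): a command-line stand-in for an `nvram` helper that answers get/set/unset/show/commit from a text store and records every key the main process asked for, so the keys the binary actually depends on can be read off after a run instead of guessed. It assumes the main binary spawns an `nvram`-style CLI (many devices link a library instead, which a CLI stub does not cover); the command shapes, the `FAKE_NVRAM_FILE` variable, the class name and the default values are all assumptions of this example.

```python
import os
import sys

# Constructed defaults, standing in for the values a real device keeps in NVRAM.
DEFAULT_NVRAM = """\
lan_ipaddr=192.168.1.1
lan_netmask=255.255.255.0
wan_proto=dhcp
http_username=admin
wl0_ssid=TestNet
"""


class FakeNvram:
    """In-memory stand-in for the NVRAM interactor. Every lookup is recorded so
    the keys the main binary depends on can be listed after a run."""

    def __init__(self, text=""):
        self.values = {}
        self.requested = []      # every key asked for, in order
        self.missing = []        # keys asked for that had no value
        self.load(text)

    def load(self, text):
        """Parse "key=value" lines; blank lines and # comments are ignored."""
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            self.values[key.strip()] = value

    def dump(self):
        """Serialise the store in the same "key=value" format load() reads."""
        return "".join(f"{key}={value}\n" for key, value in sorted(self.values.items()))

    def get(self, key):
        self.requested.append(key)
        if key not in self.values:
            self.missing.append(key)
            return ""
        return self.values[key]

    def handle(self, argv):
        """Answer one nvram-style command line; returns (stdout_text, exit_code).
        The command shapes are modelled on the common Broadcom-style nvram CLI
        (an assumption: match them to what the target binary actually spawns)."""
        if not argv:
            return ("usage: nvram get <k> | set <k>=<v> | unset <k> | show | commit\n", 1)
        cmd, args = argv[0], argv[1:]
        if cmd == "get" and len(args) == 1:
            return (self.get(args[0]) + "\n", 0)
        if cmd == "set" and len(args) == 1 and "=" in args[0]:
            key, _, value = args[0].partition("=")
            self.values[key] = value
            return ("", 0)
        if cmd == "unset" and len(args) == 1:
            self.values.pop(args[0], None)
            return ("", 0)
        if cmd == "show":
            return (self.dump(), 0)
        if cmd == "commit":
            return ("", 0)       # nothing to flush: state already lives in the store file
        return (f"unknown command: {' '.join(argv)}\n", 1)


def main(argv):
    """Entry point when installed in place of the device's nvram binary."""
    store_path = os.environ.get("FAKE_NVRAM_FILE", "/tmp/fake_nvram.txt")  # assumed name
    try:
        with open(store_path) as fh:
            text = fh.read()
    except FileNotFoundError:
        text = DEFAULT_NVRAM
    nvram = FakeNvram(text)
    out, rc = nvram.handle(argv)
    with open(store_path, "w") as fh:
        fh.write(nvram.dump())
    if nvram.missing:        # record what the main binary wanted and we could not answer
        with open(store_path + ".missing", "a") as fh:
            fh.writelines(key + "\n" for key in nvram.missing)
    sys.stdout.write(out)
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The `.missing` log is the useful output on the first runs: each key listed there is one the main process asked for and got an empty answer, which is usually where the "hit and run" failures on the previous slide come from.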
br0
The bridge trick
The switch looking device
Wireless Device
Faking wpa_supplicant
Making eth0 look like wlan0 works too
Everything Else Fails
Argument: To Patch or To Fulfill Firmware Needs
Original BIN vs Patched BIN: BL, BNE, BEQ and friends
Issues (recap): the same three columns of issues as before, with the Restricted System column now headed Firmware Emulation; Closed System and Lack Support for Embedded unchanged
Skorpio Dynamic Binary Instrumentation (slide titles only; the slide bodies are diagrams and code samples that did not survive extraction)
> Dynamic Binary Instrumentation (DBI)
> DBI Illustration
> DBI Techniques
> Hooking Mechanisms - Inline
> Hooking Mechanisms - Detour
> Detour Injection Mechanisms
> Jump-trampoline Technique
> Jump-callback Technique
> Call-trampoline Technique
> Call-callback Technique
> Problems of Existing DBI
> SKORPIO Framework
> SKORPIO Architecture
> Cross Platform - Memory
> Cross Architecture - Save/Restore Context
> Cross Architecture - Callback argument
> Cross Architecture - Branch distance
> Cross Architecture - Branch for PPC
> Cross Architecture - Scratch Register
> Cross Architecture - Flush Code Cache
> Code Boundary & Relocation
> Code Analysis
> Customize on Instrumentation
> Skorpio Sample C Code
Issues (recap): the same three columns of issues as before, now headed Firmware Emulation, Skorpio DBI and Lack Support for Embedded
![Page 74: Virtualizing IoT - Hack In The Box · Virtualizing IoT HITB2018DXB, November 2018 with Code Coverage Guided Fuzzing NGUYEN Anh Quynh, ... > Reversing IoT Devices > Part Time CtF player](https://reader034.vdocuments.mx/reader034/viewer/2022042218/5ec44582bbaec001d325cb60/html5/thumbnails/74.jpg)
Fuzzer Features
![Page 75: Virtualizing IoT - Hack In The Box · Virtualizing IoT HITB2018DXB, November 2018 with Code Coverage Guided Fuzzing NGUYEN Anh Quynh, ... > Reversing IoT Devices > Part Time CtF player](https://reader034.vdocuments.mx/reader034/viewer/2022042218/5ec44582bbaec001d325cb60/html5/thumbnails/75.jpg)
Fuzzer Design
![Page 76: Virtualizing IoT - Hack In The Box · Virtualizing IoT HITB2018DXB, November 2018 with Code Coverage Guided Fuzzing NGUYEN Anh Quynh, ... > Reversing IoT Devices > Part Time CtF player](https://reader034.vdocuments.mx/reader034/viewer/2022042218/5ec44582bbaec001d325cb60/html5/thumbnails/76.jpg)
Fuzzer Implementation
![Page 77: Virtualizing IoT - Hack In The Box · Virtualizing IoT HITB2018DXB, November 2018 with Code Coverage Guided Fuzzing NGUYEN Anh Quynh, ... > Reversing IoT Devices > Part Time CtF player](https://reader034.vdocuments.mx/reader034/viewer/2022042218/5ec44582bbaec001d325cb60/html5/thumbnails/77.jpg)
Fuzzer Instrumentation
![Page 78: Virtualizing IoT - Hack In The Box · Virtualizing IoT HITB2018DXB, November 2018 with Code Coverage Guided Fuzzing NGUYEN Anh Quynh, ... > Reversing IoT Devices > Part Time CtF player](https://reader034.vdocuments.mx/reader034/viewer/2022042218/5ec44582bbaec001d325cb60/html5/thumbnails/78.jpg)
Coverage Guided Fuzzer vs Embedded Systems
Agenda
Emulating Firmware
Guided Fuzzer for Embedded
Skorpio Dynamic Binary Instrumentation
DEMO
Conclusions
Secret Menu
![Page 79: Virtualizing IoT - Hack In The Box · Virtualizing IoT HITB2018DXB, November 2018 with Code Coverage Guided Fuzzing NGUYEN Anh Quynh, ... > Reversing IoT Devices > Part Time CtF player](https://reader034.vdocuments.mx/reader034/viewer/2022042218/5ec44582bbaec001d325cb60/html5/thumbnails/79.jpg)
*Bug disclosed at GeekPwn 2018, Shanghai*
![Page 80: Virtualizing IoT - Hack In The Box · Virtualizing IoT HITB2018DXB, November 2018 with Code Coverage Guided Fuzzing NGUYEN Anh Quynh, ... > Reversing IoT Devices > Part Time CtF player](https://reader034.vdocuments.mx/reader034/viewer/2022042218/5ec44582bbaec001d325cb60/html5/thumbnails/80.jpg)
Web Cam Buffer Overflow
Pre Authentication Bug
Buffer Overflow
Address Overwritten
Debugging is almost impossible (*watchdog*)
Emulation comes into play
![Page 81: Virtualizing IoT - Hack In The Box · Virtualizing IoT HITB2018DXB, November 2018 with Code Coverage Guided Fuzzing NGUYEN Anh Quynh, ... > Reversing IoT Devices > Part Time CtF player](https://reader034.vdocuments.mx/reader034/viewer/2022042218/5ec44582bbaec001d325cb60/html5/thumbnails/81.jpg)
IoT with UDP Access
Web Cam with Motor
![Page 82: Virtualizing IoT - Hack In The Box · Virtualizing IoT HITB2018DXB, November 2018 with Code Coverage Guided Fuzzing NGUYEN Anh Quynh, ... > Reversing IoT Devices > Part Time CtF player](https://reader034.vdocuments.mx/reader034/viewer/2022042218/5ec44582bbaec001d325cb60/html5/thumbnails/82.jpg)
Command Execution Injection
China-based WiFi router
![Page 83: Virtualizing IoT - Hack In The Box · Virtualizing IoT HITB2018DXB, November 2018 with Code Coverage Guided Fuzzing NGUYEN Anh Quynh, ... > Reversing IoT Devices > Part Time CtF player](https://reader034.vdocuments.mx/reader034/viewer/2022042218/5ec44582bbaec001d325cb60/html5/thumbnails/83.jpg)
Coverage Guided Fuzzer vs Embedded Systems
Agenda
Emulating Firmware
Guided Fuzzer for Embedded
Skorpio Dynamic Binary Instrumentation
DEMO
Conclusions
Secret Menu
![Page 84: Virtualizing IoT - Hack In The Box · Virtualizing IoT HITB2018DXB, November 2018 with Code Coverage Guided Fuzzing NGUYEN Anh Quynh, ... > Reversing IoT Devices > Part Time CtF player](https://reader034.vdocuments.mx/reader034/viewer/2022042218/5ec44582bbaec001d325cb60/html5/thumbnails/84.jpg)
Issues
> Binary only - without source code
> Existing guided fuzzers rely on source code being available
> Source code is needed for branch instrumentation to feed back fuzzing progress
> Emulation such as QEMU mode support in AFL is slow & limited in capability
> Same issue for other tools based on Dynamic Binary Instrumentation
> Without built-in shell access for user interaction
> Without development facilities required for building new tools
> Compiler
> Debugger
> Analysis tools
> Most fuzzers are built for X86 only
> Embedded systems based on Arm, Arm64, Mips, PPC
> Existing DBIs are poor for non-X86 CPUs
> Pin: Intel only
> DynamoRio: experimental support for Arm
Diagram: Firmware Emulation, Skorpio DBI, Guided Fuzzer for Embedded
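The Issues slides (pages 73 and 84) hinge on one mechanism: a guided fuzzer needs branch instrumentation to learn which inputs reach new code, and on a binary-only embedded target that instrumentation has to come from an emulator or DBI instead of a compiler. The following is an added example, not code from the slides or from the Skorpio/Unicorn projects, that shows the feedback loop itself in miniature: the target `parse_packet` is a constructed stand-in for a device's UDP command parser with a deliberately trusted length field, and `sys.settrace` plays the role of the emulator hook by recording (previous line, current line) edges. Inputs that hit a new edge are kept as parents, and an AFL-style queue cycle (a deterministic byte-replace stage followed by random "havoc" mutations) walks through the magic-byte checks step by step until it reaches the over-read. All names and values are assumptions for this toy.

```python
"""Toy AFL-style coverage-guided fuzzer (added example, not from the slides)."""
import random
import sys

MAX_LEN = 16  # cap on input length so the deterministic stage stays cheap


def parse_packet(data: bytes) -> str:
    """Constructed stand-in for a device's UDP command parser (not real firmware)."""
    if len(data) < 4:
        return "short"
    if data[0] != 0x4D:            # 'M'
        return "bad-magic0"
    if data[1] != 0x54:            # 'T'
        return "bad-magic1"
    cmd, length, payload = data[2], data[3], data[4:]
    if cmd == 1:
        return "ping"
    if cmd == 2:
        # Constructed bug: the length field is trusted, so a length larger than
        # the payload reads past its end (IndexError here, an OOB read in C).
        copied = bytes(payload[i] for i in range(length))
        return "move:%d" % len(copied)
    return "unknown"


def _tracer(edges):
    """Build a sys.settrace hook recording (prev_line, line) edges of parse_packet."""
    prev = [0]

    def local(frame, event, arg):
        if event == "line":
            edges.add((prev[0], frame.f_lineno))
            prev[0] = frame.f_lineno
        return local

    def global_hook(frame, event, arg):
        # Only instrument the target, the same way an emulator hook would be
        # limited to the firmware's code range.
        if event == "call" and frame.f_code is parse_packet.__code__:
            prev[0] = 0
            return local
        return None

    return global_hook


def run_input(data: bytes):
    """Execute one input under instrumentation; return (edge set, crashed?)."""
    edges, old = set(), sys.gettrace()
    sys.settrace(_tracer(edges))
    try:
        parse_packet(data)
        crashed = False
    except IndexError:             # stands in for the emulator's memory fault
        crashed = True
    finally:
        sys.settrace(old)
    return edges, crashed


def deterministic(data: bytes):
    """Deterministic stage: every other value at every byte position."""
    for i in range(len(data)):
        for v in range(256):
            if v != data[i]:
                child = bytearray(data)
                child[i] = v
                yield bytes(child)


def havoc(data: bytes, rng: random.Random) -> bytes:
    """Random stage: a few stacked bit flips, byte sets, inserts and deletes."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(4)
        if op == 0 and buf:
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == 1 and buf:
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == 2 and len(buf) < MAX_LEN:
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
        elif op == 3 and len(buf) > 1:
            del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(seed_input=b"\x00\x00\x00\x00", rng_seed=1, havoc_per_entry=200, max_execs=100_000):
    """Queue cycle: each entry gets the deterministic stage, then havoc mutations."""
    rng = random.Random(rng_seed)
    queue, seen, crashes, crash_sigs = [seed_input], set(), [], set()
    execs = 0

    def consider(child):
        nonlocal execs
        execs += 1
        edges, crashed = run_input(child)
        new = edges - seen
        seen.update(edges)
        if crashed:
            sig = frozenset(edges)  # crash dedupe by path, as AFL does
            if sig not in crash_sigs:
                crash_sigs.add(sig)
                crashes.append(child)
        elif new:
            queue.append(child)     # new edge reached: keep as a parent

    seen.update(run_input(seed_input)[0])
    i = 0
    while i < len(queue) and execs < max_execs:
        entry, i = queue[i], i + 1
        for child in deterministic(entry):
            consider(child)
        for _ in range(havoc_per_entry):
            consider(havoc(entry, rng))
    return {"queue": queue, "edges": len(seen), "crashes": crashes, "execs": execs}


if __name__ == "__main__":
    r = fuzz()
    print("queue entries:", [e.hex() for e in r["queue"]])
    print("edges seen:", r["edges"], "execs:", r["execs"])
    print("unique crashes:", [c.hex() for c in r["crashes"]])
```

The point to take from the run is that the queue grows one check at a time (`M` then `MT` then a valid command byte) because each accepted magic byte exposes a new edge, whereas an unguided mutator would have to guess the whole prefix at once. Swapping `_tracer` for a basic-block hook in an emulator is what turns this into the binary-only setup the slides argue for; the queue logic does not change.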
![Page 85: Virtualizing IoT - Hack In The Box · Virtualizing IoT HITB2018DXB, November 2018 with Code Coverage Guided Fuzzing NGUYEN Anh Quynh, ... > Reversing IoT Devices > Part Time CtF player](https://reader034.vdocuments.mx/reader034/viewer/2022042218/5ec44582bbaec001d325cb60/html5/thumbnails/85.jpg)
Conclusions
![Page 86: Virtualizing IoT - Hack In The Box · Virtualizing IoT HITB2018DXB, November 2018 with Code Coverage Guided Fuzzing NGUYEN Anh Quynh, ... > Reversing IoT Devices > Part Time CtF player](https://reader034.vdocuments.mx/reader034/viewer/2022042218/5ec44582bbaec001d325cb60/html5/thumbnails/86.jpg)
Coverage Guided Fuzzer vs Embedded Systems
Agenda
Emulating Firmware
Guided Fuzzer for Embedded
Skorpio Dynamic Binary Instrumentation
DEMO
Conclusions
Secret Menu
![Page 87: Virtualizing IoT - Hack In The Box · Virtualizing IoT HITB2018DXB, November 2018 with Code Coverage Guided Fuzzing NGUYEN Anh Quynh, ... > Reversing IoT Devices > Part Time CtF player](https://reader034.vdocuments.mx/reader034/viewer/2022042218/5ec44582bbaec001d325cb60/html5/thumbnails/87.jpg)
Capstone 4.0
> Started 2013
> ~160 Contributors
> World-class disassembler, industry standard
> Used by almost all reverse engineering tools
> Foundation for 400+ opensource/public projects
> Current Release 3.0.5
> In version 3 since 2014
> Dec 2018, Capstone 4.0
> Why did it take us so long?
hackersbadge.com
![Page 88: Virtualizing IoT - Hack In The Box · Virtualizing IoT HITB2018DXB, November 2018 with Code Coverage Guided Fuzzing NGUYEN Anh Quynh, ... > Reversing IoT Devices > Part Time CtF player](https://reader034.vdocuments.mx/reader034/viewer/2022042218/5ec44582bbaec001d325cb60/html5/thumbnails/88.jpg)
Questions
NGUYEN Anh Quynh, aquynh -at- gmail.com
KaiJern LAU, kj -at- theshepherd.io
Virtualizing IoT with Code Coverage Guided Fuzzing