Firmware Cartography: Charting the Course for Modern Server Compromise

Presented at Black Hat USA 2019, Aug. 8, 2019, 12:10 p.m. (50 minutes).

The modern server is the Matryoshka doll of computers, computers inside computers, a giant, undocumented mess. Undocumented devices have made homes at undocumented addresses, on buses, and in protocols most server owners don't know exist. With few exceptions, however, they and their secrets can't really stay hidden -- you just have to know how to look.

In this talk, we'll cover our methodology for vulnerability hunting in undocumented server components, mapping the paths laid out in binary firmware images. Tracking the interactions between software, hardware, and everything in-between exposes the permeable (or missing!) security controls that attempt to block you from opening these new worlds to explore. Through PoC helper libraries and chaining useful primitives together, oh, the places you'll go.

In addition to showing how to find new vulnerabilities, we'll use case studies of public vulns found by ourselves and others, explaining what makes them unique, or common, and other unreleased exploitation details. We'll release initial versions of Binary Ninja plugins we're working on at Atredis Partners, bringing UEFI coverage to the new platform and its hot MLIL. And who knows, we might disclose some new bugs or useful post exploitation details if we're able.


Presenters:

  • Nathan Keltner / Natron - CTO, Cofounder, Atredis Partners   as Nathan Keltner
    Nathan Keltner leads and coordinates advanced, custom-scoped projects for Atredis Partners. Nathan's primary responsibilities include assessment and consulting organization oversight and methodology design and implementation, firmware reverse engineering, penetration testing, various vulnerability research, and working with everyone else to keep the Atredibus pointed the right direction. Nathan spent the last several years focused on assessing complex, multi-tiered environments, including back end cloud application and server infrastructure, UEFI- and BMC-focused server assessments for server manufacturers and their clients, mobile firmware RE and vulnerability hunting for mobile carriers, and building the team at Atredis Partners. Prior to co-founding Atredis Partners, he worked as a Sr. Research Consultant in Accuvant's Applied Research team and as a penetration tester at Fishnet Security.
  • Dionysus Blazakis - Principal Research Consultant, Atredis Partners
    Dion Blazakis has over 15 years of experience designing, implementing, and evaluating software, systems, and devices. Dion specializes in large reverse engineering tasks, exploit development, and the design and implementation of task specific program analysis tooling. He has held positions including Software Engineer, Firmware Engineer, Principal Analyst, Director of Research and Development, and CTO. He has secure satellite cable systems, evaluated cryptographic ASICs, audited mixed hardware/software DRM systems, exploited browsers and embedded systems, and automated the extraction of iPhone application behaviors for MDM policy enforcement. Dion is best known for his award winning research related to script interpreter (ex. Javascript engines) exploitation techniques. He is also known for his work reverse engineering and documenting Apple OS exploit mitigation and isolation technologies. In 2010, he won the Pwnie award at Blackhat for "Most Innovative Research" related to his work on interpreter exploitation. In 2011, his 0-day exploit won the iPhone category of the Pwn2Own contest. Dion's research describing a software side-channel exposed via garbage collection was nominated for another Pwnie Award in 2013. Dion is also a coauthor of the "iOS Hacker's Handbook".

Links:

Similar Presentations: