Emulating Samsung's Baseband for Security Testing

Presented at Black Hat USA 2020 Virtual, Aug. 5, 2020, 10 a.m. (40 minutes)

The most crucial interface between modern mobile phones and cellular networks are baseband processors. Basebands are responsible for processing the complicated 2G thru 5G protocols, which gives them a large attack surface. Unfortunately, exploring this surface is cumbersome: finding flaws over-the-air is not scalable, crashes are difficult to reproduce, and devices typically lack even basic debugging interfaces.<br><br>To address these concerns, we designed and built an emulation environment for Samsung's "Shannon" baseband (ShannonEE). We leverage and combine the strengths of two existing frameworks, avatar2 & PANDA, to provide a flexible and extensible platform geared towards vulnerability research. We are able to load and run ARMv7-R Shannon firmware images, which typically exceed 30MB in size and have 65K+ functions. We emulate the custom Shannon RTOS and its peripherals accurately enough to enable task switching and timer interrupts, leading to powerful dynamic analysis platform. We also support different versions of Shannon SoCs, spanning multiple generation of Samsung Galaxy phones.<br><br>To take full advantage of ShannonEE, we ported TriforceAFL, allowing for targeted, coverage guided, task or protocol, fuzzing. Unlike over-the-air fuzzing, our platform allows for in-depth introspection of the baseband's internal state when triggering crashes and gdb-based memory examination providing backtraces and detailed task information. We demonstrate how our emulator can be used to investigate and understand the impact of n-days and how you would go about finding new vulnerabilities.

Presenters:

• Marius Muench - Postdoctoral Researcher, Vrije Universiteit Amsterdam
  Marius is a postdoctoral researcher at the Systems and Network Security Group at VU Amsterdam (VUSec) and lead author and maintainer of the avatar2 framework. He conducted his PhD studies at EURECOM where he systematically tackled challenges for dynamic binary firmware analysis. Additional research interests include binary exploitation and software-based defenses.
• Grant Hernandez - Security Researcher, University of Florida
  <span>Grant Hernandez is a researcher specializing in mobile and firmware vulnerabilities. He recently defended his Ph.D. from the University of Florida while working with the Florida Institute of Cyber Security (FICS). After graduation he joined Qualcomm's Product Security Initiative (QPSI) team.</span>

Links:

• https://www.blackhat.com/us-20/briefings/schedule/#emulating-samsung39s-baseband-for-security-testing-20564

Similar Presentations:

• REcon 2023 / How to Hack Shannon Baseband (from a Phone)
• CanSecWest 2022 / FirmWire: Taking Baseband Security Analysis to the Next Level
• Texas Cyber Summit 2019 / Keynote - Shannon "Snubs" Morse