Practical Firmware Reversing and Exploit Development for AVR-based Embedded Devices (closed)

Presented at DeepSec 2015 „DeepSec No. 9“, Unknown date/time (Unknown duration).

Today, you can find many devices based on AVR microcontrollers, from Arduino-based amateur projects to serious automotive, home automation or industrial control system controllers and gateways. There are many talks about reversing and exploit development for AVR-based devices, but there is still no full-scale guide that answers the question: "I have an AVR device. I have firmware (?). I have found something that looks like a vulnerability. What should I do now?". The goal of this workshop is to answer this question. During this workshop you will learn the specifics of reversing and exploiting AVR firmware. We will talk about tools and techniques, review the AVR architecture, teach you how to write ROP chains for AVR and how to use other methods that force the MCU to do what the firmware developers did not expect. Post-exploitation topics (such as reflashing and altering the bootloader) will also be covered. We will start our journey with simple programs, quickly move on to popular Arduino libraries and finish with a case of real-world exploitation of an industrial gateway. We will talk about how to use Radare2 and (a bit) IDA Pro for reversing and exploiting AVR firmware, and we will also show you how to develop tools that help you with the task. To participate in this class you need only a basic understanding of reverse engineering and buffer overflow/memory corruption vulnerabilities. The topics are divided into four equal parts: introduction to the AVR architecture and assembly, pre-exploitation (firmware extraction, debugging techniques, circuit reverse engineering, etc.), firmware reversing, and exploitation (including some post-exploitation techniques). Please bring a laptop with at least 4 GB RAM, 15 GB of free hard drive space, two USB ports and VMware, VirtualBox or Parallels installed. You will be supplied with all required software (a virtual machine image) and hardware (debuggers and AVR development boards).

Presenters:

  • Boris Ryutin - ZORSecurity
    Boris (@dukebarman) graduated from the Baltic State Technical University "Voenmeh", faculty of rocket and space technology. Currently he is a postgraduate student there, works as a security engineer at ZORSecurity and contributes to the MALWAS post-exploitation framework. Boris is a recurring writer for the ][akep magazine, and a contributor and developer involved in several open-source information security projects. Radare2 evangelist. Multiple bug bounty awardee.
  • Alexander Bolshev (Digital Security) - ZORSecurity
    Alexander Bolshev is an information security researcher at Digital Security. He holds a Ph.D. in computer security and also works as an assistant professor at Saint-Petersburg State Electrotechnical University. His research interests lie in distributed systems, mobile, hardware and industrial protocols security. He is the author of several whitepapers on heuristic intrusion detection methods, SSRF attacks, OLAP systems and ICS security. He has spoken at the following conferences: Black Hat USA/EU/UK, ZeroNights, t2.fi, CONFIdence, S4.
