Embedded devices reverse engineering

Presented at REcon Brussels 2017, Jan. 27, 2017, 4 p.m. (60 minutes)

Embedded devices are everywhere. With new, powerful micro CPUs that pack more power than a CRAY-1 while costing just a couple of pence, the question of whether to use a micro CPU is no longer asked: developers use them for even the simplest of tasks. IoT devices use more powerful and more complex parts with multiple peripherals and cores, supporting a TCP/IP stack and a multitude of layer 2 networking protocols. Several frameworks have been created to help developers write the complex software needed to drive these devices. The specifics of the environment force a focus on continuous operation with high reliability, combined with reduced power consumption and memory requirements, while security is mostly an afterthought, if it is implemented at all.

By introducing FreeRTOS as an example of a framework for embedded firmware development, we'll explore the basics of its architecture and its security features (and the lack of them). Reverse engineering plays a big role in security assessment in the IoT space. Being a very simple real-time operating system, FreeRTOS lacks the traditional separation between kernel and userland, which makes it harder to tell user code from framework code and increases the time needed to perform reverse engineering. Access to peripherals also works differently, as there are no well-known syscalls.

While doing a security assessment in the automotive industry we came across the STM32F0 micro CPU made by STM, based on an ARM Cortex-M0: a simple processor, used a lot in the IoT world, running FreeRTOS. While searching for any resources on reverse engineering it, we came to the conclusion that there are not many, especially compared to how common this processor and FreeRTOS are.

We'll investigate the FreeRTOS source code and show the basics of its memory organization. We'll address some IP stack specifics, the way tasks are handled, the SSL library and stack protection.
We'll cover tasks, mutexes, semaphores and interrupt handling, and we'll show the specifics of the memory organization and the memory structures used for task handling. We're going to use a simple demo, blinking an LED when a button is pressed, to demonstrate the mapping between source and compiled code and the execution flow in FreeRTOS. Building on this example, we'll demonstrate useful techniques for reverse engineering firmware built on such an OS. We will show how to tell GPIO accesses apart from ordinary memory accesses, and we will demonstrate a tool (an IDA script) that helps automate this process by automatically applying the pin names, signals and variables as defined in the RTOS source code.

Our presentation will start by explaining the concepts of FreeRTOS, moving on to the security features it lacks when compared with other operating systems. Then we will move into reverse engineering using the STM32F0 as an example: we will show how to identify read and write operations on the peripherals and how our IDA plugin can help with those tasks.
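As an added illustration (not the speakers' IDA script), the core of what such a tool has to do: track literal-pool address loads in Cortex-M0 Thumb code and label each load/store through a register that points into a GPIO block as a read or write of a named register. The GPIO base addresses and register offsets are those of the STM32F0 family as the editor recalls them from the reference manual (verify against your part's datasheet), and the disassembly is a constructed fragment of the button-to-LED demo.

```python
import re

# STM32F0 GPIO port bases (0x400 apart) and register offsets; assumption:
# taken from the reference manual from memory, check them for your exact part.
GPIO_PORTS = {0x48000000: "GPIOA", 0x48000400: "GPIOB", 0x48000800: "GPIOC",
              0x48000C00: "GPIOD", 0x48001400: "GPIOF"}
GPIO_REGS = {0x00: "MODER", 0x04: "OTYPER", 0x08: "OSPEEDR", 0x0C: "PUPDR",
             0x10: "IDR", 0x14: "ODR", 0x18: "BSRR", 0x1C: "LCKR",
             0x20: "AFRL", 0x24: "AFRH", 0x28: "BRR"}

# "ldr rN, =0x..." literal-pool load, and "ldr/str rX, [rN, #off]" accesses
LITERAL = re.compile(r"^\s*ldr\s+(r\d+),\s*=0x([0-9A-Fa-f]+)")
ACCESS = re.compile(r"^\s*(ldr|str)\s+r\d+,\s*\[(r\d+)(?:,\s*#(0x[0-9A-Fa-f]+|\d+))?\]")

def label_gpio_accesses(disasm):
    """Return (line_no, 'read'|'write', 'GPIOx_REG') for every load/store
    whose base register was last loaded with a GPIO address."""
    reg_value = {}  # register -> last constant loaded into it
    hits = []
    for lineno, line in enumerate(disasm, 1):
        m = LITERAL.match(line)
        if m:
            reg_value[m.group(1)] = int(m.group(2), 16)
            continue
        m = ACCESS.match(line)
        if not m or m.group(2) not in reg_value:
            continue
        off_txt = m.group(3) or "0"
        off = int(off_txt, 16) if off_txt.startswith("0x") else int(off_txt)
        addr = reg_value[m.group(2)] + off
        port_base, reg_off = addr & ~0x3FF, addr & 0x3FF
        if port_base in GPIO_PORTS and reg_off in GPIO_REGS:
            kind = "read" if m.group(1) == "ldr" else "write"
            hits.append((lineno, kind, f"{GPIO_PORTS[port_base]}_{GPIO_REGS[reg_off]}"))
    return hits

# Constructed disassembly: read the button on GPIOA, toggle the LED on GPIOB.
SAMPLE = [
    "ldr r3, =0x48000000",   # GPIOA base from the literal pool
    "ldr r2, [r3, #0x10]",   # GPIOA_IDR: button state
    "movs r1, #1",
    "ands r2, r1",
    "ldr r3, =0x48000414",   # GPIOB_ODR address directly
    "ldr r0, [r3]",          # read current LED output
    "eors r0, r1",
    "str r0, [r3]",          # write back: toggle the LED
    "ldr r4, =0x20000010",   # SRAM variable, not a peripheral
    "str r0, [r4]",
]

if __name__ == "__main__":
    for hit in label_gpio_accesses(SAMPLE):
        print(hit)
```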
