Presented at TROOPERS17 (2017)
March 21, 2017, 11:30 a.m.
Developing for embedded platforms typically relies on an early boot stage that brings the device into a known state before application code runs. These bootloaders are often a monolithic, poorly understood codebase, cargo-culted from project to project.
In the process of porting the Rust language to run on the GreatFET, a number of early-stage boot issues needed to be diagnosed. Because the compile/flash/attach-debugger/step cycle can take huge amounts of time, richö developed a new tool, fwdiff, to compare the behaviour of early-stage firmware images in an emulated environment, drastically reducing the time and effort needed to diagnose such issues.
As it happens, an embedded device can be modelled by using the Unicorn Engine to emulate the MCU itself and runtime hooks to model the rest of the system. On top of this framework, flaws in a bootloader implementation can be diagnosed effectively by comparing its behaviour against a black-box sample of a working image.
This talk will discuss some of the challenges faced in getting Rust code working on the GreatFET, show how these techniques can be applied to any embedded platform, and introduce and release the fwdiff tool, together with profiles for some initial hardware platforms.
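As an added illustration of the approach described above (this is not code from the talk or from fwdiff), the sketch below captures a per-instruction register trace from two tiny firmware images under Unicorn and reports the first point where they diverge. It assumes the unicorn-engine Python bindings, a constructed flash base address, and two hand-assembled Cortex-M Thumb images, the "broken" one loading a wrong constant into r1.

```python
# Added example: differential tracing of two constructed Thumb images.
# CODE_BASE and both images are constructed for this example only.
CODE_BASE = 0x0800_0000
GOOD_IMAGE = bytes.fromhex("0120" "0230" "0521")  # movs r0,#1; adds r0,#2; movs r1,#5
BAD_IMAGE = bytes.fromhex("0120" "0230" "0421")   # movs r0,#1; adds r0,#2; movs r1,#4

try:
    from unicorn import Uc, UC_ARCH_ARM, UC_MODE_THUMB, UC_HOOK_CODE
    from unicorn.arm_const import UC_ARM_REG_PC, UC_ARM_REG_R0, UC_ARM_REG_R1
except ImportError:  # without Unicorn, trace capture is unavailable but diffing still works
    Uc = None


def capture_trace(image, n_insns):
    """Emulate `image` for n_insns Thumb instructions and return register snapshots."""
    if Uc is None:
        raise RuntimeError("unicorn-engine is required to capture traces")
    regs = {"r0": UC_ARM_REG_R0, "r1": UC_ARM_REG_R1}
    uc = Uc(UC_ARCH_ARM, UC_MODE_THUMB)
    uc.mem_map(CODE_BASE, 0x1000)          # model flash as plain mapped memory
    uc.mem_write(CODE_BASE, image)
    trace = []

    def snapshot(u):
        return {"pc": u.reg_read(UC_ARM_REG_PC), **{n: u.reg_read(r) for n, r in regs.items()}}

    # UC_HOOK_CODE fires before each instruction executes; record the state it sees.
    # Peripheral behaviour would be modelled with further hooks in the same way.
    uc.hook_add(UC_HOOK_CODE, lambda u, addr, size, ud: trace.append(snapshot(u)))
    uc.emu_start(CODE_BASE | 1, CODE_BASE + len(image), count=n_insns)  # |1 selects Thumb state
    trace.append(snapshot(uc))             # final state after the last instruction retired
    return trace


def diff_traces(reference, candidate):
    """Return (step, register, ref_value, cand_value) at the first divergence, or None if identical."""
    for step, (ref, cand) in enumerate(zip(reference, candidate)):
        for name in ref:
            if ref[name] != cand.get(name):
                return step, name, ref[name], cand.get(name)
    if len(reference) != len(candidate):   # one image ran further than the other
        return min(len(reference), len(candidate)), "length", len(reference), len(candidate)
    return None


if __name__ == "__main__" and Uc is not None:
    good = capture_trace(GOOD_IMAGE, 3)   # the known-working "black box" image
    bad = capture_trace(BAD_IMAGE, 3)     # the image under development
    print("first divergence (step, reg, expected, got):", diff_traces(good, bad))
```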
Dominic Spill is a senior security researcher for Great Scott Gadgets. The US government recently labelled him as "extraordinary". This has gone to his head.
The US government has terrifyingly declared that richö is an alien of extraordinary ability. When he's computering, he's normally reversing something, or hacking skateboards in the name of security research. When he's not computering, he's normally BASE jumping, skydiving, or flinging himself down a hill.