DefCon 2012 - Finding Firmware Vulnerabilities


  1. RED BALLOON Security. FRAK: Firmware Reverse Analysis Konsole. Ang Cui, a@redballoonsecurity.com. 7.27.2012, Defcon 20
  2. Who am I / What do I do: 5th Year Ph.D. Candidate, Intrusion Detection Systems Lab, Columbia University
  3. Who am I / What do I do: 5th Year Ph.D. Candidate, Intrusion Detection Systems Lab, Columbia University. Co-Founder and CEO, Red Balloon Security Inc. (www.redballoonsecurity.com)
  4. Who am I / What do I do: Past publications:
     •  Pervasive Insecurity of Embedded Network Devices. [RAID10]
     •  A Quantitative Analysis of the Insecurity of Embedded Network Devices. [ACSAC10]
     •  Killing the Myth of Cisco IOS Diversity: Towards Reliable Large-Scale Exploitation of Cisco IOS. [USENIX WOOT 11]
     •  Defending Legacy Embedded Systems with Software Symbiotes. [RAID11]
     •  From Prey to Hunter: Transforming Legacy Embedded Devices Into Exploitation Sensor Grids. [ACSAC11]
  5. Who am I / What do I do: Past Embedded Tinkerings:
     •  Interrupt-Hijack Cisco IOS Rootkit
     •  HP LaserJet Printer Rootkit
  6. Interrupt-Hijack Shellcode [blackhat USA 2011]
  7. HP-RFU Vulnerability: HP LaserJet 2550 Rootkit [28c3]. Diagram with Attacker, Firewall, Network Printer and Victim Server:
     1. Reverse Proxy: Printer -> Attacker
     2. Reverse Proxy: Printer -> Victim Server
     3. Attacker -> Server via Reverse Proxy
     4. Win: Reverse Shell, Server -> Kitteh
  8. WORKFLOW [XYZ Embedded {Offense|Defense}]. Three stages: Unpacking Process (input: Binary Firmware Image) -> Analysis and Manipulation -> Firmware Re-Packing Process
  9. WORKFLOW [XYZ Embedded {Offense|Defense}]. Adds the first unpacking step: Binary Firmware Image -> Parse Package Manifest
  10. WORKFLOW [XYZ Embedded {Offense|Defense}]. Adds: For each "Record" in Firmware: De{crypt,compress}. Questions per record: Encrypted? Compressed? Checksummed? Digitally Signed? Known Algorithm or Proprietary Algorithm?
  11. WORKFLOW [XYZ Embedded {Offense|Defense}]. Adds: For each "unpacked Record" in Firmware: FileSystem Extraction. Question per record: Known Format or Proprietary Format?
  12. WORKFLOW [XYZ Embedded {Offense|Defense}]. Same diagram as slide 11.
  13. WORKFLOW [XYZ Embedded {Offense|Defense}]. Adds the first re-packing step: For each "unpacked Record" in Firmware: Re-Pack Modified File System. Known Format or Proprietary Format?
  14. WORKFLOW [XYZ Embedded {Offense|Defense}]. Adds: For each Record: Re-{crypt,compress}, Recalculate Checksum, etc. Encrypted? Compressed? Checksummed? Digitally Signed? Known Algorithm or Proprietary Algorithm?
  15. WORKFLOW [XYZ Embedded {Offense|Defense}]. Adds: Repack All Binary "records".
  16. WORKFLOW [XYZ Embedded {Offense|Defense}]. Adds: Re-generate Package Manifest. The complete diagram:
     Unpacking Process:
     •  Binary Firmware Image -> Parse Package Manifest
     •  For each "Record" in Firmware: De{crypt,compress} (Encrypted? Compressed? Checksummed? Digitally Signed? Known Algorithm or Proprietary Algorithm?)
     •  For each "unpacked Record" in Firmware: FileSystem Extraction (Known Format or Proprietary Format?)
     Analysis and Manipulation
     Re-Packing Process:
     •  For each "unpacked Record" in Firmware: Re-Pack Modified File System (Known Format or Proprietary Format?)
     •  For each Record: Re-{crypt,compress}, Recalculate Checksum, etc (Encrypted? Compressed? Checksummed? Digitally Signed? Known Algorithm or Proprietary Algorithm?)
     •  Repack All Binary "records"
     •  Re-generate Package Manifest
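The unpack, modify, repack loop from the WORKFLOW slides, as an added example that is not part of the deck and not FRAK's own code: a toy record-based container (the "XYZ-Format" name is borrowed from the slides' placeholder; the manifest layout, the flag bits and the CRC32 checksum are assumptions made for this example) is parsed into records, each record's checksum is verified and its payload decompressed, one record is replaced, and the image is re-packed with checksums recalculated and the manifest regenerated. The "Checksummed?" branch is exercised by a corrupted image that the unpacker refuses.

```python
"""Toy record-based firmware container (invented 'XYZ-Format') walking the
WORKFLOW loop: parse manifest -> per-record de{crypt,compress} and checksum
check -> modify -> per-record re-compress and recalculate checksum ->
regenerate manifest. Nothing here is FRAK's code or a real vendor format."""
import struct
import zlib

MAGIC = b"XYZF"                 # assumed manifest magic
FLAG_COMPRESSED = 0x1           # record payload is zlib-compressed
FLAG_CHECKSUMMED = 0x2          # record carries a CRC32 over its stored bytes
MANIFEST_FMT = "<4sI"           # magic, record count
RECORD_FMT = "<8sBII"           # name, flags, stored length, crc32


def pack_firmware(records):
    """Re-packing process. records: list of (name, payload, flags).
    Compresses and checksums each record as its flags demand, then
    regenerates the package manifest in front of the records."""
    body = b""
    for name, payload, flags in records:
        stored = zlib.compress(payload) if flags & FLAG_COMPRESSED else payload
        crc = zlib.crc32(stored) if flags & FLAG_CHECKSUMMED else 0
        hdr = struct.pack(RECORD_FMT, name.encode().ljust(8, b"\0"),
                          flags, len(stored), crc)
        body += hdr + stored
    return struct.pack(MANIFEST_FMT, MAGIC, len(records)) + body


def unpack_firmware(image):
    """Unpacking process. Returns a list of (name, payload, flags).
    Raises ValueError for a bad magic, a truncated record or a CRC mismatch,
    i.e. the 'Checksummed?' branch of the workflow refusing corrupt input."""
    magic, count = struct.unpack_from(MANIFEST_FMT, image, 0)
    if magic != MAGIC:
        raise ValueError("not an XYZ-Format image")
    off = struct.calcsize(MANIFEST_FMT)
    hdr_len = struct.calcsize(RECORD_FMT)
    records = []
    for _ in range(count):
        name, flags, length, crc = struct.unpack_from(RECORD_FMT, image, off)
        off += hdr_len
        stored = image[off:off + length]
        off += length
        if len(stored) != length:
            raise ValueError("truncated record")
        if flags & FLAG_CHECKSUMMED and zlib.crc32(stored) != crc:
            raise ValueError("checksum mismatch in %r" % name)
        payload = zlib.decompress(stored) if flags & FLAG_COMPRESSED else stored
        records.append((name.rstrip(b"\0").decode(), payload, flags))
    return records


def modify_record(records, name, new_payload):
    """Analysis-and-manipulation step: swap one record's payload."""
    return [(n, new_payload if n == name else p, f) for n, p, f in records]


def unpacker_rejects(image):
    """True if the unpacker refuses the image (bad magic, truncation, CRC)."""
    try:
        unpack_firmware(image)
        return False
    except ValueError:
        return True


# Constructed sample: a compressed+checksummed 'kernel' and a checksummed 'rootfs'.
SAMPLE_RECORDS = [
    ("kernel", b"\x7fELF" + b"A" * 200, FLAG_COMPRESSED | FLAG_CHECKSUMMED),
    ("rootfs", b"hsqs" + b"B" * 50, FLAG_CHECKSUMMED),
]
SAMPLE_IMAGE = pack_firmware(SAMPLE_RECORDS)


def roundtrip():
    """Unpack, replace the rootfs payload, repack, and unpack again."""
    records = unpack_firmware(SAMPLE_IMAGE)
    modified = modify_record(records, "rootfs", b"hsqs" + b"C" * 60)
    return unpack_firmware(pack_firmware(modified))


if __name__ == "__main__":
    for name, payload, flags in roundtrip():
        print(name, len(payload), "flags=%#x" % flags)
```

A real format module does the same three things per record (identify the transform, undo it on the way in, redo it and fix up every dependent field on the way out); encryption and signatures would add a key and a signing step at the same points where this example compresses and checksums.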
  17. Payload Design. Reasons why Ang stays home on Friday night.
  18. Payload Design. Reasons why Ang stays home on Friday night: adds Payload Development
  19. Payload Design. Reasons why Ang stays home on Friday night: adds Payload Testing
  20. Payload Design. Reasons why Ang stays home on Friday night: adds STARE @ BINARY BLOB
  21. Payload Design. Reasons why Ang stays home on Friday night. Pie chart: Payload Design, Payload Development, Payload Testing, STARE @ BINARY BLOB; the STARE @ BINARY BLOB slice is annotated "THIS PART" (sad face).
  22. FRAK: Firmware Reverse Analysis Konsole [Better Living Through Software Engineering]
  23. FRAK architecture: Firmware Unpacking Engine, Firmware Analysis Engine, Firmware Modification Engine, Firmware Repacking Engine. ACCESS via a Programmatic API and an Interactive Console.
  24. FRAK architecture: adds format modules feeding the engines: HP-RFU Module, Cisco IOS Module, Cisco-CNU Module, XYZ-Format Module. An Arbitrary Firmware Image of Unknown Format enters the Firmware Unpacking Engine.
  25. FRAK architecture: adds the Unpacked Firmware Binary, output of the Firmware Unpacking Engine and input to the Firmware Analysis Engine.
  26. FRAK architecture: adds XYZ Dynamic Software Instrumentation and Symbiotes & Rootkit as inputs to the Firmware Modification Engine, which feeds the Firmware Repacking Engine.
  27. FRAK architecture: same diagram as slide 26.
  28. FRAK: Unpack, Analyze, Modify, Repack: Cisco IOS
  29. Payload Design pie chart revisited: Payload Design, Payload Development, Payload Testing; the STARE @ BINARY BLOB slice is replaced by "?". Thanks FRAK!
  30. Demos:
     •  Packer/Repacker for Cisco IOS, HP-RFU
     •  Automagic Binary Analysis
     •  IDA-Pro Integration
     •  Entropy-related Analysis
     •  Automated IOS/RFU Rootkit Injection
  31. FRAK Konsole
  32. FRAK is still WIP. For Early Access contact Frak-request@redballoonsecurity.com
  33. (closing slide)