Vadim Bardakov - AVR & MSP exploitation

  1. AVR & MSP exploitation. Vadim Bardakov, Security Researcher, Digital Security (ERPScan)
  2. Why now? • Increasing usage of uC • Nobody cares about code security for these devices. © 2002—2013, Digital Security
  3. Why now? • Increasing usage of uC • Nobody cares about code security for these devices • Increasing amount of easily accessible data channels • Microcontroller firmware can be retrieved
  4. Jokes
  5. What if it works?
  6. Oops…
  7. Firmware extraction. Side channel attacks: • Power analysis
  8. Firmware extraction. Side channel attacks: • Power analysis • Planarization • etc.
  9. Firmware extraction. MSP430: • FRAM • 5xx • 6xx
  10. RAM (memory map diagrams for MSP and AVR)
  11. RAM. AVR data memory layout, low to high addresses: General purpose registers, I/O Special Function Registers, Additional I/O registers, Internal RAM
  12. Stack errors (same AVR data memory layout: General purpose registers, I/O Special Function Registers, Additional I/O registers, Internal RAM)
  13. Stack errors (diagram: the same memory map with an SP marker; the stack region is shown filled with 0xff)
  14. Stack errors. Interrupt handlers: UART, Timers, Comparators, INT0..X (diagram: SP marker; the 0xff stack region has grown larger)
  15. Stack errors. Interrupt handlers: UART, Timers, Comparators, INT0..X (diagram: the SP marker is now drawn beside the General purpose registers; the 0xff fill has grown further)
  16. Stack errors. Reconfiguring peripheral devices…. Lost control (diagram: SP marker; the overwritten region is now shown filled with 0x00)
  17. Stack errors. Reconfiguring peripheral devices…. Lost control (same diagram as slide 16)
  18. Stack errors. Reconfiguring peripheral devices…. Lost control (same diagram as slide 16)
  19. Stack errors. Reconfiguring peripheral devices…. Lost control (same diagram as slide 16)
  20. Stack errors. Reconfiguring peripheral devices…. Seems OK (diagram: the same region filled with 0x20 instead of 0x00)
  21. Stack errors. Unknown offset: Global Variables (in Internal RAM)
  22. Stack errors. Bypassing checks (in Internal RAM)
  23. Buffer overflow. Access: • Local variables • Return address: • Compiler-generated instructions • Interruption • Bootloader
  24. Buffer overflow. Casual for UART handlers:
      ISR(UART0_RECEIVE_INTERRUPT) { UART_RxHead++; UART_RxBuf[UART_RxHead] = UART0_DATA; }
  25. Buffer overflow. Same ISR as slide 24. Input: print “xff”xB . “x010xFC”xN. Atmel Studio 6.1 listing: 000001FB CLI; 000001FC RJMP PC-0x0000
  26. Buffer overflow. Same ISR as slide 24. Input: print “xff”xN. Listing: 000001FB CLI; 000001FC RJMP PC-0x0000
  27. Buffer overflow. Same ISR as slide 24. Input: print “xff”xN. Listing: 000001FB CLI; 000001FC RJMP PC-0x0000. Result: DoS
  28. Buffer overflow. Same ISR as slide 24, plus:
      void uart_puts(const char *s) { while (*s) uart_putc(*s++); }
      Input: print “xff”xB . “x010xFC”xN . P; then uart_puts(p);
      Listing: 000001C8 LDD R24,Y+1; 000001CA LDD R25,Y+2; 000001CB CALL 0x0000014E (annotations: Load indirect with displacement, Load immediate, Call subroutine). Result: Dumping RAM
  29. Reprogramming
  30. Reprogramming. Open-source bootloaders suck in production.
  31. Reprogramming. Load code to RAM: print “xff”xB . “x000x16”xN. ROPTail. Interruption handler: ideal for ROP
  32. Reprogramming. Gain control to SPM: print Code . “x000xFC”xN. P. Atmex listing: +00000343: 95E8 SPM (Store program memory) …. +00000351: 95E8 SPM (Store program memory). Writing code to FLASH
  33. Sum • Simple attacks can be conducted blindly • Different consequences: • DoS • Modifying device configuration • etc.
  34. Digital Security in Moscow: +7 (495) 223-07-86. Digital Security in Saint Petersburg: +7 (812) 703-15-47. www.dsec.ru, www.erpscan.com, v.bardakov@dsec.ru
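The UART receive handler on slides 24-28 increments UART_RxHead without any bound, so a long enough burst of bytes walks the store past the end of UART_RxBuf. The following is an added example, not code from the slides or from Digital Security: the index arithmetic of that handler is kept next to a bounded ring-buffer version that masks the index and drops bytes when the buffer is full, compiled for a host so it can be run without hardware. UART_RX_BUFFER_SIZE, uart_rx_isr_body, uart_rx_feed and the other names below are assumptions made for this demo; the data register is replaced by a function argument.

```c
/* Added example: unbounded UART receive index vs. a bounded ring buffer.
 * Host-side demo; names and sizes are constructed, not from any project. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define UART_RX_BUFFER_SIZE 32u                       /* constructed; power of two */
#define UART_RX_BUFFER_MASK (UART_RX_BUFFER_SIZE - 1u)

static uint8_t UART_RxBuf[UART_RX_BUFFER_SIZE];
static volatile uint8_t UART_RxHead;
static volatile uint8_t UART_RxTail;
static volatile uint16_t UART_RxOverrun;   /* bytes dropped because the buffer was full */

/* Index arithmetic of the slides' handler: UART_RxHead++ with no bound.
 * Only the resulting index is returned, so this demo never writes out of
 * bounds; on the device the store UART_RxBuf[UART_RxHead] = UART0_DATA
 * lands past the array as soon as the index reaches UART_RX_BUFFER_SIZE. */
size_t vulnerable_rx_index(uint8_t *head)
{
    (*head)++;
    return *head;
}

bool vulnerable_index_out_of_bounds(uint8_t head_before)
{
    uint8_t head = head_before;
    return vulnerable_rx_index(&head) >= UART_RX_BUFFER_SIZE;
}

/* Hardened body of ISR(UART0_RECEIVE_INTERRUPT): the index is masked to the
 * buffer and a full buffer drops the byte instead of overwriting memory. */
bool uart_rx_isr_body(uint8_t data)
{
    uint8_t next = (uint8_t)((UART_RxHead + 1u) & UART_RX_BUFFER_MASK);
    if (next == UART_RxTail) {       /* full: one slot stays free to tell full from empty */
        UART_RxOverrun++;
        return false;
    }
    UART_RxBuf[next] = data;
    UART_RxHead = next;
    return true;
}

/* Consumer side; on a real part this runs with the receive interrupt masked. */
bool uart_getc(uint8_t *out)
{
    if (UART_RxHead == UART_RxTail)
        return false;
    UART_RxTail = (uint8_t)((UART_RxTail + 1u) & UART_RX_BUFFER_MASK);
    *out = UART_RxBuf[UART_RxTail];
    return true;
}

void uart_rx_reset(void)
{
    UART_RxHead = UART_RxTail = 0;
    UART_RxOverrun = 0;
}

uint16_t uart_rx_overrun_count(void) { return UART_RxOverrun; }

/* Constructed burst: n bytes with values 0,1,2,... Returns how many bytes
 * the hardened handler accepted; the rest are counted in UART_RxOverrun. */
size_t uart_rx_feed(size_t n)
{
    size_t accepted = 0;
    for (size_t i = 0; i < n; i++)
        if (uart_rx_isr_body((uint8_t)i))
            accepted++;
    return accepted;
}

/* Read everything queued and return the count. */
size_t uart_rx_drain(void)
{
    size_t count = 0;
    uint8_t b;
    while (uart_getc(&b))
        count++;
    return count;
}

int main(void)
{
    uart_rx_reset();
    size_t accepted = uart_rx_feed(100);
    printf("accepted %zu of 100 bytes, dropped %u\n", accepted, (unsigned)uart_rx_overrun_count());
    printf("unbounded handler leaves the array after head=%u: %s\n",
           UART_RX_BUFFER_SIZE - 1u,
           vulnerable_index_out_of_bounds((uint8_t)(UART_RX_BUFFER_SIZE - 1u)) ? "yes" : "no");
    return 0;
}
```

The overrun counter is the detection hook: a device that logs or reports UART_RxOverrun makes a flood of input visible instead of silently corrupting RAM, and the masked index means the worst case is lost bytes rather than a controlled write past the buffer.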
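Slides 11-22 show the stack growing downward through internal RAM until it reaches the global variables and then the I/O and general purpose registers, at which point peripherals get reconfigured and control is lost. A common firmware-side check for that failure mode is stack painting: fill the unused RAM between the end of the globals and SP with a pattern at startup and check a small red zone just above the globals from the main loop or a watchdog handler. The block below is an added example, not code from the slides, that models this on a host with a constructed 256-byte data space laid out as on the slides; RAM_SIZE, IO_END, BSS_END, the push model and all function names are demo assumptions rather than the values of any particular part.

```c
/* Added example: stack painting and a red-zone check on a constructed
 * miniature of the AVR data space drawn on the slides. Host-side demo;
 * layout constants are assumptions, not those of a real device. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RAM_SIZE     256u
#define IO_END       0x60u             /* registers + I/O space live below this address */
#define BSS_END      (IO_END + 16u)    /* 16 bytes of globals directly above the I/O space */
#define STACK_TOP    (RAM_SIZE - 1u)   /* initial SP: top of internal RAM */
#define PAINT        0xAAu             /* fill pattern for unused stack */
#define GUARD_BYTES  8u                /* red zone checked just above the globals */

static uint8_t ram[RAM_SIZE];
static uint16_t sp;

void ram_reset(void)
{
    memset(ram, 0, sizeof ram);
    sp = STACK_TOP;
}

/* Startup: paint everything between the end of the globals and SP. */
void stack_paint(void)
{
    for (uint16_t a = BSS_END; a <= sp; a++)
        ram[a] = PAINT;
}

/* AVR-style push: store at SP, then decrement. There is no hardware bound,
 * exactly as on the slides: enough pushes walk down through the globals and
 * into the I/O registers. Returns false once SP has left the RAM area. */
bool stack_push(uint8_t v)
{
    if (sp >= RAM_SIZE)        /* already wrapped below address 0: nothing left to model */
        return false;
    ram[sp] = v;
    sp--;
    return sp >= IO_END && sp < RAM_SIZE;
}

/* Watermark: painted bytes still untouched above the globals. */
size_t stack_free_bytes(void)
{
    size_t n = 0;
    for (uint16_t a = BSS_END; a <= STACK_TOP && ram[a] == PAINT; a++)
        n++;
    return n;
}

/* Red-zone check for a main loop or watchdog handler. Pushed data that
 * happens to equal PAINT can hide the overrun, so this is an early-warning
 * heuristic, not a proof of safety. */
bool stack_guard_intact(void)
{
    for (uint16_t a = BSS_END; a < BSS_END + GUARD_BYTES; a++)
        if (ram[a] != PAINT)
            return false;
    return true;
}

/* True once SP points into the register / I/O area (slides 15-20). */
bool stack_in_io_space(void) { return sp < IO_END; }

/* Constructed scenario: an interrupt storm pushing zero bytes, like the 0x00
 * fill on slides 16-19. Returns the push count at which the guard tripped,
 * or 0 if it never did within max_pushes. */
unsigned pushes_until_guard_trips(unsigned max_pushes)
{
    ram_reset();
    stack_paint();
    for (unsigned i = 1; i <= max_pushes; i++) {
        (void)stack_push(0x00);
        if (!stack_guard_intact())
            return i;
    }
    return 0;
}

int main(void)
{
    unsigned trip = pushes_until_guard_trips(300);
    printf("guard tripped after %u pushes; SP in I/O space: %s\n",
           trip, stack_in_io_space() ? "yes" : "no");
    ram_reset();
    stack_paint();
    printf("free stack at startup: %zu bytes\n", stack_free_bytes());
    return 0;
}
```

With these constants the red zone trips after 137 pushes while SP does not reach the I/O space until push 160, so a firmware that checks the guard and resets (or records the watermark for later inspection) gets its warning before a peripheral register is touched. The watermark function also gives a cheap field measurement of how close a design runs to the top of its stack.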
