INSIDE ARM-X - Countermeasure 2019

•

3 likes•16,487 views

The closest you will get to a VM for testing IoT devices. The ARM-X IoT Firmware Emulation Framework is a tried-and-tested framework which has led to four 0-days discovered on SoHo routers, IP cameras and VoIP exchanges. In this talk, I shall cover the evolution of ARM-X, demonstrate a few use cases and discuss future directions of IoT firmware emulation.

Technology

NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
INSIDE
SAUMIL SHAH
@therealsaumil
7 November 2019
COUNTERMEASURE|2019

NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
# WHO AM I
Saumil Shah
CEO, Net Square
@therealsaumil
educating, entertaining
and exasperating
audiences since 1999

NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
Introducing ARM-X
• An ARM Firmware Emulation Framework.
• Ultimate Goal - create an IoT VM!
• A Virtual IoT device makes for easy
– runtime analysis
– reverse engineering
– fuzzing
– exploit development
• Great insight into embedded hardware by
trying to emulate it.

NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019

NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
Inside an IoT device…

NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
CPU and
Hardware
Kernel
Drivers
File System
nvram
User Processes
API
UI
libnvram
…same same but different

NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
compressed FS
CPU
Kernel
Boot Loader
mounted
FS
nvram
init
scripts
Services
Apps
libnvram
The IoT Boot Up Process
conf
conf
conf
conf
firmware
Loads Kernel.
Uncompresses FS to ramdisk,
invokes init process.
ramdiskuserland
Reads config from nvram.
Builds system config files on
the fly.
Starts up system services.
Invokes Applications and
Application services.
READY
POWER ON

NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
QEMU
CPU and
Limited
Hardware
Kernel
Drivers
uncompressed
Filesystem
emulated
nvram
init scripts
Services
Apps
libnvram
Emulation: Goals and Challenges
x
x
x
x
BUILDROOT
Match the kernel with the
one on the device
chroot environment
Implemented as an INI file,
preloaded before "boot up"
conf
conf
Fix to match QEMU environment
Not all drivers load successfully

NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
ARM-X Architecture

NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
Starting an ARM-X device

NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
2 - Booting the device Kernel

NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
QEMU
CPU and
Limited
Hardware
Kernel
Kernel and hostfs ready
hostfs NFS /armx

NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
3 - ARM-X Userland

NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
4 - nvram and userland init

NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
QEMU
CPU and
Limited
Hardware
Kernel
Drivers
NFS /armx
emulated
nvram
nvram and userland init scripts
conf
conf
init scripts
libnvram

NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
QEMU
CPU and
Limited
Hardware
Kernel
Drivers
NFS /armx
emulated
nvram
init scripts
Services
Apps
libnvram
ARM-X: Device "booted up"
x
x
x
x
conf
conf

NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
5 - ARM-X hostfs/debug Shell

NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
How to add a new device to ARM-X
BUILDROOT
Firmware image

NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
Obtaining the Firmware
Firmware
rootfs
Firmware .bin
file
rootfs+nvram
Serial Console
Direct from
Flash memory

NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
1: Web/FTP site

NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
2: Hidden UART interfaces
Vcc (+3.3V) GND
TX/RX
GND

NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
Serial Console - working

NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
# cat /proc/partitions
major minor #blocks name
31 0 256 mtdblock0
31 1 64 mtdblock1
31 2 64 mtdblock2
31 3 1472 mtdblock3
31 4 128 mtdblock4
31 5 64 mtdblock5
31 6 2048 mtdblock6
31 7 32768 mtdblock7
31 8 30975 mtdblock8
31 9 131072 mtdblock9
31 10 98304 mtdblock10
Firmware Extraction
# cat /proc/mtd
dev: size erasesize name
mtd0: 00040000 00010000 "u-boot"
mtd1: 00010000 00010000 "devconf"
mtd2: 00010000 00010000 "devdata"
mtd3: 00170000 00010000 "mydlink"
mtd4: 00020000 00010000 "langpack"
mtd5: 00010000 00010000 "nvram"
mtd6: 00200000 00010000 "flash"
mtd7: 02000000 00020000 "upgrade"
mtd8: 01e3ffa0 00020000 "rootfs"
mtd9: 08000000 00020000 "nflash"
mtd10: 06000000 00020000 "storage"
dd if=/dev/mtdblock8 …

NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
3: Take it directly from the chip!

NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
DEMO TIME!

NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
HERE BE THE GOODS
Downloads: https://armx.exploitlab.net/
!
Announcements: @therealsaumil
IP Camera CTF Challenge - blog.exploitlab.net

NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
Thank you
and … QUESTIONS?
@therealsaumil
COUNTERMEASURE|2019

This research aims is to propose configurable verification tool-based user scripts based UVM methodology, which are implemented by the author. Extracting the verification requirements and proposing a novel UVM verification architecture. By proposing UVM architecture to verify the 2D/3D NOCs with different network topologies, routing algorithms and flow control methodologies. The architecture supports simulation and hardware emulation platforms. Simulate/Emulate the configurable verification tool with a Network on Chip Designs.

Easing the Path to Network Transformation - Network Transformation Experience...

Liz Warner

Network transformation takes many forms: open platforms, virtualized infrastructure, containers and cloud native practices—and often a mix of any of these. Regardless of choice, the path to transformation typically requires new tools and new skills. Network Transformation Experience Kits provide a library of best-practice architecture and development guidelines addressing Industry needs in automation, interfaces standardization, security, resources management and more. These Experience Kits offer developers, technical leads, and other audiences a variety of materials needed to enable adoption of the new technologies and service-enabling capabilities needed for next-generation, open, agile and efficient networks. In this presentation, we will focus on containers technology to augment ease of use with high performance.

As the name would suggest, a Non-Maskable Interrupt (NMI) is an interrupt-like feature that is unaffected by the disabling of classic interrupts. In Linux, NMIs are involved in some features such as performance event monitoring, hard-lockup detector, on demand state dumping, etc… Their potential to fire when least expected can fill the most seasoned kernel hackers with dread. AArch64 (aka arm64 in the Linux tree) does not provide architected NMIs, a consequence being that features benefiting from NMIs see their use limited on AArch64. However, the Arm Generic Interrupt Controller (GIC) supports interrupt prioritization and masking, which, among other things, provides a way to control whether or not a set of interrupts can be signaled to a CPU. This talk will cover how, using the GIC interrupt priorities, we provide a way to configure some interrupts to behave in an NMI-like manner on AArch64. We’ll discuss the implementation, some of the complications that ensued and also some of the benefits obtained from it. Julien Thierry

"Efficient Deployment of Quantized ML Models at the Edge Using Snapdragon SoC...

Edge AI and Vision Alliance

For the full video of this presentation, please visit: https://www.embedded-vision.com/platinum-members/qualcomm/embedded-vision-training/videos/pages/may-2019-embedded-vision-summit-baum For more information about embedded vision, please visit: http://www.embedded-vision.com Felix Baum, Director of Product Management for AI Software at Qualcomm, presents the "Efficient Deployment of Quantized ML Models at the Edge Using Snapdragon SoCs" tutorial at the May 2019 Embedded Vision Summit. Increasingly, machine learning models are being deployed at the edge, and these models are getting bigger. As a result, we are hitting the constraints of edge devices: bandwidth, performance and power. One way to reduce ML computation demands and increase power efficiency is quantization—a set of techniques that reduce the number of bits needed, and hence reduce bandwidth, computation and storage requirements. Qualcomm Snapdragon SoCs provide a robust hardware solution for deploying ML applications in embedded and mobile devices. Many Snapdragon SoCs incorporate the Qualcomm Artificial Intelligence Engine, comprised of hardware and software components to accelerate on-device ML. In this talk, Baum explores the performance and accuracy offered by the accelerator cores within the AI Engine. He also highlights the tools and techniques Qualcomm offers for developers targeting these cores, utilizing intelligent quantization to deliver optimal performance with low power consumption while maintaining algorithm accuracy.

Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...

Anne Nicolas

Modern SoC designs incorporate technologies from numerous vendors, each with their own inconsistent, confusing, undocumented and even contradictory terminology. The result is a mess of acronyms and product names which have a surprising impact on the ability to develop reusable, modular code thanks to the nature of the underlying IP being obscured. This presentation will dive into some of the misnomers plaguing the Arm ecosystem, with the aim of explaining why things are like they are, how they fit together under the architectural umbrella and how you, as a developer, can decipher the baffling ingredients list of your next SoC design! Will Deacon

HSA-4024, OpenJDK Sumatra Project: Bringing the GPU to Java, by Eric Caspole

AMD Developer Central

Machine Learning using Kubernetes - AI Conclave 2019

Arun Gupta

AWS SAM でLambda開発

虎の穴開発室

Introduction to EC2 A1 instances, powered by the AWS Graviton processor - CMP...

Amazon Web Services

Amazon EC2 A1 instances are the first EC2 instances powered by Arm-based AWS Graviton processors. They deliver significant cost savings for scale-out and Arm-based applications, such as web servers, containerized microservices, caching fleets, and distributed data stores that are supported by the extensive Arm ecosystem. In this chalk talk, learn about EC2 A1 instances, understand the use cases, and watch demonstrations of how easy it can be to migrate and run your workloads on EC2 A1. Discussion and questions are encouraged.

Spring Boot and Spring Cloud Inside NissanConnect at SPRING FEST '19

Daisuke Morishita

Keynote (Dr. Lisa Su) - Developers: The Heart of AMD Innovation - by Dr. Lisa...

AMD Developer Central

Final lisa opening_keynote_draft_-_v12.1tb

r Skip

Getting Started with ARM-Based EC2 A1 Instances - CMP302 - Anaheim AWS Summit

Amazon Web Services

Amazon EC2 A1 instances are the first EC2 instances powered by Arm-based AWS Graviton processors. They deliver significant cost savings for scale-out and Arm-based applications, such as web servers, containerized microservices, caching fleets, and distributed data stores that are supported by the extensive Arm product platform. In this workshop, you learn about EC2 A1 instances and experience how easy it can be to migrate and run your workloads on EC2 A1.

The state of server-side Swift

Ciprian Redinciuc

Digital Security by Design: Imperas’ Interests - Simon Davidmann, Imperas Sof...

KTN

KTN ran a collaborators' workshop on 26 September 2019 in London to explain more about the Digital Security by Design Challenge announced by the government. The Digital Security by Design challenge has been recently announced by the Department for Business, Energy & Industrial Strategy (BEIS). This challenge, amounting to £70 million of government funding over 5 years, was delivered by UK Research and Innovation (UKRI) through the Industrial Strategy Challenge Fund (ISCF). This Collaborators' Workshop provides an opportunity to hear more details of the challenge and forthcoming competitions. A Scoping Workshop for this challenge was held on 30th May: http://ow.ly/oz6230pHlGl Find out more about the Defence and Security Interest Group at https://ktn-uk.co.uk/interests/defence-security Join the Defence and Security Interest Group at https://www.linkedin.com/groups/8584397 or Follow KTN_UK Defence group on Twitter https://twitter.com/KTNUK_Defence

IBM Cloud Private and IBM Power Systems: Overview and Real-World Scenarios

Joe Cropper

Modern-Application-Design-with-Amazon-ECS

Amazon Web Services

容器一直是當代雲原生架構設計裡面非常重要的一門技術，Amazon ECS 自從 2015 年發布以來一直獲得許多客戶的喜愛，然而 Amazon ECS 要如何深入使用，有哪些最佳實踐呢？這個 session 我們將會帶領大家深入探討來 Amazon ECS 與 AWS Fargate 的最新功能，以及看看 Owling (奧丁丁) 團隊如何 All-in Amazon ECS 打造產品的最佳實踐。

IoT Edge Data Processing with NVidia Jetson Nano oct 3 2019

Timothy Spann

Amazon EC2 A1 instances, powered by the AWS Graviton processor - CMP303 - San...

Amazon Web Services

Low code & technology stacks.

Daniel Le Couilliard

PAN-OS - Network Security/Prevention Everywhere

Global Knowledge Training

Slide deck from our "PAN-OS - Network Security/Prevention Everywhere" webinar. Using Palo Alto Networks, PAN-OS, enterprises can build an IT Security Platform capable of delivering protection against all stages of the Cyber-Attack Lifecycle. From Reconnaissance to Act on Objective, the PAN-OS Single-Pass Parallel Processing (SP3) engine combines efficient throughput with maximum data protection. Instructor Ryan Sharpston describes how the SP3 Architecture can increase network traffic visibility and enable you to control your environment. HE also explored the Palo Alto Networks “SP3” process, the definition of “Zero Trust” in regards to network security, and how “PAN-OS” stays “current” with today’s threat landscape. He also covers the options available to “test-drive” the PAN-OS against your network. For more information on Palo Alto training, visit https://www.globalknowledge.com/us-en/training/course-catalog/brands/palo-alto-networks/

Demo to Prepare for “Hands-On Lab: Take a Deep Dive with Experts Who Have Int...

CA Technologies

The Hand That Strikes, Also Blocks

Saumil Shah

For over two decades, working as an cybersecurity entrepreneur, researcher and instructor, I have heard over and over again that attacks and defense are two sides of the same coin. But what does it really mean in application? What happens when sophisticated attacks collide with sophisticated defenses? Who wins? This is talk is aimed at a wide audience in cybersecurity – from the strategists to the practitioners. We will discuss Evolution, Attacks, Defense and PEBKAC. What factors shall affect the posture of trustworthiness and safety in the digital world in the next two years to come depend largely on the road we have followed over the past two decades. This talk looks above and beyond, albeit optimistically, about realigning some of the conventional approaches, slowly but strategically shifting mindsets of stakeholders and consumers alike, to bring about a more proactive approach to security.

Debugging with EMUX - RIngzer0 BACK2WORKSHOPS

Saumil Shah

The EMUX IoT Firmware Emulation Framework currently provides near native userland emulation for ARM and MIPS IoT devices. EMUX is actively used Saumil's popular ARM IoT Exploit Laboratory training for over 5 years. The Debugging with EMUX workshop shall be in two parts: Part 1 (30 minutes) - Setting up EMUX in 7 minutes - A tour of EMUX internals - EMUX utilities - Tracing userland processes within EMUX Part 2 (90 minutes) - Debugging an ARM IoT target in EMUX - Debugging a MIPS IoT Target in EMUX - Crash dump analysis

Similar to INSIDE ARM-X - Countermeasure 2019

Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI

Anne Nicolas

"Efficient Deployment of Quantized ML Models at the Edge Using Snapdragon SoC...

Edge AI and Vision Alliance

Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...

Anne Nicolas

HSA-4024, OpenJDK Sumatra Project: Bringing the GPU to Java, by Eric Caspole

AMD Developer Central

Machine Learning using Kubernetes - AI Conclave 2019

Arun Gupta

AWS SAM でLambda開発

虎の穴開発室

Introduction to EC2 A1 instances, powered by the AWS Graviton processor - CMP...

Amazon Web Services

Spring Boot and Spring Cloud Inside NissanConnect at SPRING FEST '19

Daisuke Morishita

Keynote (Dr. Lisa Su) - Developers: The Heart of AMD Innovation - by Dr. Lisa...

AMD Developer Central

Final lisa opening_keynote_draft_-_v12.1tb

r Skip

Getting Started with ARM-Based EC2 A1 Instances - CMP302 - Anaheim AWS Summit

Amazon Web Services

Amazon EC2 A1 instances are the first EC2 instances powered by Arm-based AWS Graviton processors. They deliver significant cost savings for scale-out and Arm-based applications, such as web servers, containerized microservices, caching fleets, and distributed data stores that are supported by the extensive Arm product platform. In this workshop, you learn about EC2 A1 instances and experience how easy it can be to migrate and run your workloads on EC2 A1.

The state of server-side Swift

Ciprian Redinciuc

Digital Security by Design: Imperas’ Interests - Simon Davidmann, Imperas Sof...

KTN

IBM Cloud Private and IBM Power Systems: Overview and Real-World Scenarios

Joe Cropper

Modern-Application-Design-with-Amazon-ECS

Amazon Web Services

IoT Edge Data Processing with NVidia Jetson Nano oct 3 2019

Timothy Spann

Amazon EC2 A1 instances, powered by the AWS Graviton processor - CMP303 - San...

Amazon Web Services

Low code & technology stacks.

Daniel Le Couilliard

PAN-OS - Network Security/Prevention Everywhere

Global Knowledge Training

Demo to Prepare for “Hands-On Lab: Take a Deep Dive with Experts Who Have Int...

CA Technologies

Similar to INSIDE ARM-X - Countermeasure 2019 (20)

Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI

"Efficient Deployment of Quantized ML Models at the Edge Using Snapdragon SoC...

Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...

HSA-4024, OpenJDK Sumatra Project: Bringing the GPU to Java, by Eric Caspole

Machine Learning using Kubernetes - AI Conclave 2019

AWS SAM でLambda開発

Introduction to EC2 A1 instances, powered by the AWS Graviton processor - CMP...

Spring Boot and Spring Cloud Inside NissanConnect at SPRING FEST '19

Keynote (Dr. Lisa Su) - Developers: The Heart of AMD Innovation - by Dr. Lisa...

Final lisa opening_keynote_draft_-_v12.1tb

Getting Started with ARM-Based EC2 A1 Instances - CMP302 - Anaheim AWS Summit

The state of server-side Swift

Digital Security by Design: Imperas’ Interests - Simon Davidmann, Imperas Sof...

IBM Cloud Private and IBM Power Systems: Overview and Real-World Scenarios

Modern-Application-Design-with-Amazon-ECS

IoT Edge Data Processing with NVidia Jetson Nano oct 3 2019

Amazon EC2 A1 instances, powered by the AWS Graviton processor - CMP303 - San...

Low code & technology stacks.

PAN-OS - Network Security/Prevention Everywhere

Demo to Prepare for “Hands-On Lab: Take a Deep Dive with Experts Who Have Int...

More from Saumil Shah

The Hand That Strikes, Also Blocks

Saumil Shah

Debugging with EMUX - RIngzer0 BACK2WORKSHOPS

Saumil Shah

Unveiling EMUX - ARM and MIPS IoT Emulation Framework

Saumil Shah

After 4 years, ARMX is changing its call sign. EMUX now features both ARM and MIPS device emulation, in a unified framework! Join us as we unveil EMUX and take you into the inner workings of emulating both ARM and MIPS IoT devices. We will be releasing a new Docker image featuring a MIPS CTF challenge to test your MIPS exploit development skills. Slides from my workshop at Ringzer0's December 2021 Workshop Advent Calendar.

Precise Presentations

Saumil Shah

Effective Webinars: Presentation Skills for a Virtual Audience

Saumil Shah

Cyberspace And Security - India's Decade Ahead

Saumil Shah

Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace

Saumil Shah

NSConclave2020 The Decade Behind And The Decade Ahead

Saumil Shah

Cybersecurity In India - The Decade Ahead

Saumil Shah

The Road To Defendable Systems - Emirates NBD

Saumil Shah

"Attack is a technical problem, defense is a political problem". For several years, cyber security has been misjudged as risk reduction. On one hand, business applications and architectures are growing rapidly. On the other hand, the cyber security organisation is struggling to be able to defend them in today's rapidly evolving threat landscape. This talk explores the gap in thought between the owner and the defender of today's business applications and what needs to be done to bridge it. We shall present proactive steps and measures to overcome the last hurdle in building defendable systems.

The CISO's Dilemma 44CON 2019

Saumil Shah

Defending an enterprise is a balancing act. I have worked as an offensive testing vendor to several global organisations over 18 years. This talk explores the challenges that today’s CISOs face - the threat landscape, overall shortage of infosec expertise, the ever evaporating shelf life of infosec products and an increased burden of compliance requirements. I will share my experiences from working with highly effective CISOs and internal infosec teams and what it takes to function on the razor’s edge

The CISO's Dilemma HITBGSEC2019

Saumil Shah

Schrödinger's ARM Assembly

Saumil Shah

ARM Polyglot Shellcode - HITB2019AMS

Saumil Shah

What Makes a Compelling Photograph

Saumil Shah

Make ARM Shellcode Great Again - HITB2018PEK

Saumil Shah

Compared to x86, ARM shellcode has made little progress. The x86 hardware is largely homogenous. ARM, however, has several versions and variants across devices today. There are several constraints and subtleties involved in writing production quality ARM shellcode which works on modern ARM hardware, not just on QEMU emulators. In this talk, we shall explore issues such as overcoming cache coherency, reliable polymorphic shellcode, ARM egghunting and last but not the least, polyglot ARM shellcode. A bonus side effect of this talk will be creating headaches for those who like to defend agaisnt attacks using age old signature based techniques

HackLU 2018 Make ARM Shellcode Great Again

Saumil Shah

Hack.LU 2018 ARM IoT Firmware Emulation Workshop

Saumil Shah

Learn how to build your own testing and debugging environment for analysing IoT firmware images. Bug hunting in IoT firmware requires access to debugging, instrumentation and reverse engineering tools. In this workshop, we shall learn how to extract firmware from a few ARM IoT devices, deploy the extracted filesystems on an ARM QEMU environment, and emulate the firmware as close to the original hardware environment as possible. We shall also learn how to intercept and emulate NVRAM access to faithfully reproduce the exact configuration available on the actual device. Participants are required to bring a laptop capable of running VMware Workstation/Fusion/Player. We shall distribute a virtual machine with ARM QEMU along with firmware images extracted on the spot from a few SoHo routers and IP Cameras. The methodology discussed in this workshop is put together from the author’s own beats. While we use ARM as the base platform, the same methodology can also work for MIPS or other embedded architectures.

Make ARM Shellcode Great Again

Saumil Shah

ARM IoT Firmware Emulation Workshop

Saumil Shah

More from Saumil Shah (20)

The Hand That Strikes, Also Blocks

Debugging with EMUX - RIngzer0 BACK2WORKSHOPS

Unveiling EMUX - ARM and MIPS IoT Emulation Framework

Precise Presentations

Effective Webinars: Presentation Skills for a Virtual Audience

Cyberspace And Security - India's Decade Ahead

Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace

NSConclave2020 The Decade Behind And The Decade Ahead

Cybersecurity In India - The Decade Ahead

The Road To Defendable Systems - Emirates NBD

The CISO's Dilemma 44CON 2019

The CISO's Dilemma HITBGSEC2019

Schrödinger's ARM Assembly

ARM Polyglot Shellcode - HITB2019AMS

What Makes a Compelling Photograph

Make ARM Shellcode Great Again - HITB2018PEK

HackLU 2018 Make ARM Shellcode Great Again

Hack.LU 2018 ARM IoT Firmware Emulation Workshop

Make ARM Shellcode Great Again

ARM IoT Firmware Emulation Workshop

Recently uploaded

Introduction to CHERI technology - Cybersecurity

mikeeftimakis1

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...

Neo4j

Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.

Removing Uninteresting Bytes in Software Fuzzing

Aftab Hussain

Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process. In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds. - These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.

Essentials of Automations: The Art of Triggers and Actions in FME

Safe Software

In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation. We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios. Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!

Generative AI Deep Dive: Advancing from Proof of Concept to Production

Aggregage

Large Language Model (LLM) and it’s Geospatial Applications

Rohit Gautam

Artificial Intelligence for XMLDevelopment

Octavian Nadolu

In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject. We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup. Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved. The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring. The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise. By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.

UiPath Test Automation using UiPath Test Suite series, part 6

DianaGray10

Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI. UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities. Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes. What will you get from this session? 1. Insights into integrating generative AI. 2. Understanding how this integration enhances test automation within the UiPath platform 3. Practical demonstrations 4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath Topics covered: What is generative AI Test Automation with generative AI and Open AI. UiPath integration with generative AI Speaker: Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...

Neo4j

Leonard Jayamohan, Partner & Generative AI Lead, Deloitte This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.

UiPath Test Automation using UiPath Test Suite series, part 5

DianaGray10

Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI

Vladimir Iglovikov, Ph.D.

Presented by Vladimir Iglovikov: - https://www.linkedin.com/in/iglovikov/ - https://x.com/viglovikov - https://www.instagram.com/ternaus/ This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation. Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners. This case study covers various aspects, including: People: The contributors and community that have supported Albumentations. Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions. Challenges: The hurdles in monetizing open-source projects and measuring user engagement. Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration. Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community. Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations. Mental Health: Maintaining balance and not feeling pressured by user demands. Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth. Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects. Explore more about Albumentations and join the community at: GitHub: https://github.com/albumentations-team/albumentations Website: https://albumentations.ai/ LinkedIn: https://www.linkedin.com/company/100504475 Twitter: https://x.com/albumentations

Pushing the limits of ePRTC: 100ns holdover for 100 days

Adtran

Monitoring Java Application Security with JDK Tools and JFR Events

Ana-Maria Mihalceanu

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

FIDO Alliance

Elizabeth Buie - Older adults: Are we really designing for our future selves?

Nexer Digital

Mind map of terminologies used in context of Generative AI

Kumud Singh

Climate Impact of Software Testing at Nordic Testing Days

Kari Kakkonen

My slides at Nordic Testing Days 6.6.2024 Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.

Epistemic Interaction - tuning interfaces to provide information for AI support

Alan Dix

Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024 https://alandix.com/academic/papers/synergy2024-epistemic/ As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.

GraphRAG is All You need? LLM & Knowledge Graph

Guy Korland

Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs. 1. Unifying Large Language Models and Knowledge Graphs: A Roadmap. https://arxiv.org/abs/2306.08302 2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs: https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/

By Design, not by Accident - Agile Venture Bolzano 2024

Pierluigi Pugliese

Recently uploaded (20)

Introduction to CHERI technology - Cybersecurity

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...

Removing Uninteresting Bytes in Software Fuzzing

Essentials of Automations: The Art of Triggers and Actions in FME

Generative AI Deep Dive: Advancing from Proof of Concept to Production

Large Language Model (LLM) and it’s Geospatial Applications

Artificial Intelligence for XMLDevelopment

UiPath Test Automation using UiPath Test Suite series, part 6

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...

UiPath Test Automation using UiPath Test Suite series, part 5

Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI

Pushing the limits of ePRTC: 100ns holdover for 100 days

Monitoring Java Application Security with JDK Tools and JFR Events

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

Elizabeth Buie - Older adults: Are we really designing for our future selves?

Mind map of terminologies used in context of Generative AI

Climate Impact of Software Testing at Nordic Testing Days

Epistemic Interaction - tuning interfaces to provide information for AI support

GraphRAG is All You need? LLM & Knowledge Graph

By Design, not by Accident - Agile Venture Bolzano 2024

INSIDE ARM-X - Countermeasure 2019

1. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019 INSIDE SAUMIL SHAH @therealsaumil 7 November 2019 COUNTERMEASURE|2019

2. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019 # WHO AM I Saumil Shah CEO, Net Square @therealsaumil educating, entertaining and exasperating audiences since 1999

3. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019 Introducing ARM-X • An ARM Firmware Emulation Framework. • Ultimate Goal - create an IoT VM! • A Virtual IoT device makes for easy – runtime analysis – reverse engineering – fuzzing – exploit development • Great insight into embedded hardware by trying to emulate it.

4. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019

5. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019

6. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019 Inside an IoT device…

7. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019 CPU and Hardware Kernel Drivers File System nvram User Processes API UI libnvram …same same but different

8. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019 compressed FS CPU Kernel Boot Loader mounted FS nvram init scripts Services Apps libnvram The IoT Boot Up Process conf conf conf conf firmware Loads Kernel. Uncompresses FS to ramdisk, invokes init process. ramdiskuserland Reads config from nvram. Builds system config files on the fly. Starts up system services. Invokes Applications and Application services. READY POWER ON

9. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019 QEMU CPU and Limited Hardware Kernel Drivers uncompressed Filesystem emulated nvram init scripts Services Apps libnvram Emulation: Goals and Challenges x x x x BUILDROOT Match the kernel with the one on the device chroot environment Implemented as an INI file, preloaded before "boot up" conf conf Fix to match QEMU environment Not all drivers load successfully

10. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019 ARM-X Architecture

11. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019 ARM-X Architecture

12. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019 Starting an ARM-X device

13. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019

14. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019 2 - Booting the device Kernel

15. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019

16. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019 QEMU CPU and Limited Hardware Kernel Kernel and hostfs ready hostfs NFS /armx

17. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019 3 - ARM-X Userland

18. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019

19. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019 4 - nvram and userland init

20. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019 QEMU CPU and Limited Hardware Kernel Drivers NFS /armx emulated nvram nvram and userland init scripts conf conf init scripts libnvram

21. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019

22. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019 QEMU CPU and Limited Hardware Kernel Drivers NFS /armx emulated nvram init scripts Services Apps libnvram ARM-X: Device "booted up" x x x x conf conf

23. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019

24. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019 5 - ARM-X hostfs/debug Shell

25. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019

26. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019 How to add a new device to ARM-X BUILDROOT Firmware image

27. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019 Obtaining the Firmware Firmware rootfs Firmware .bin file rootfs+nvram Serial Console Direct from Flash memory

28. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019 1: Web/FTP site

29. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019 2: Hidden UART interfaces Vcc (+3.3V) GND TX/RX GND

30. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019 Serial Console - working

31. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019 # cat /proc/partitions major minor #blocks name 31 0 256 mtdblock0 31 1 64 mtdblock1 31 2 64 mtdblock2 31 3 1472 mtdblock3 31 4 128 mtdblock4 31 5 64 mtdblock5 31 6 2048 mtdblock6 31 7 32768 mtdblock7 31 8 30975 mtdblock8 31 9 131072 mtdblock9 31 10 98304 mtdblock10 Firmware Extraction # cat /proc/mtd dev: size erasesize name mtd0: 00040000 00010000 "u-boot" mtd1: 00010000 00010000 "devconf" mtd2: 00010000 00010000 "devdata" mtd3: 00170000 00010000 "mydlink" mtd4: 00020000 00010000 "langpack" mtd5: 00010000 00010000 "nvram" mtd6: 00200000 00010000 "flash" mtd7: 02000000 00020000 "upgrade" mtd8: 01e3ffa0 00020000 "rootfs" mtd9: 08000000 00020000 "nflash" mtd10: 06000000 00020000 "storage" dd if=/dev/mtdblock8 …

32. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019 3: Take it directly from the chip!

33. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019 DEMO TIME!

34. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019 HERE BE THE GOODS Downloads: https://armx.exploitlab.net/ ! Announcements: @therealsaumil IP Camera CTF Challenge - blog.exploitlab.net

35. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019 Thank you and … QUESTIONS? @therealsaumil COUNTERMEASURE|2019

INSIDE ARM-X - Countermeasure 2019

Recommended

Recommended

More Related Content

Similar to INSIDE ARM-X - Countermeasure 2019

Similar to INSIDE ARM-X - Countermeasure 2019 (20)

More from Saumil Shah

More from Saumil Shah (20)

Recently uploaded

Recently uploaded (20)

INSIDE ARM-X - Countermeasure 2019