A firmware analysis tour with Avatar in 7 minutes (maybe)
Aurélien Francillon, Eurecom
Cryptacus Meeting, 6 Nov 2016
HDD backdoor
● How bad would a compromised hard-disk firmware be?
  – Is this a realistic threat model?
● We reverse engineered and backdoored an HDD
  – ~10 person-months of effort
  – Without any privileged information
  – No significant performance overhead
● Data-exfiltration backdoor
  – No cooperation from the host
  – Stealthy
« Implementation and Implications of a Stealth Hard-Drive Backdoor »
J. Zaddach et al., ACSAC 2013
IRATEMONK?
Lesson learnt
● How could we analyze a firmware to find backdoors?
● Performing security analysis of embedded systems is very challenging!
  – Very hard to analyze the disk
  – Static vs. dynamic analysis
  – 20 MB of statically linked code, without symbols
=> We need to develop new methodologies and tools for dynamic security analysis of embedded systems
Avatar project and goals
● We need tools and methodologies to analyze large firmware code
  – Find vulnerabilities
  – Verify functionality
  – Reverse engineering
  – Security testing
« Avatar: A Framework to Support Dynamic Security Analysis of Embedded Systems' Firmwares »
J. Zaddach, L. Bruno, A. Francillon, D. Balzarotti, NDSS 2014
Security evaluation tools
● Techniques that are typically used on a PC
● Advanced debugging techniques
  ◦ Tracing
  ◦ Fuzzing
  ◦ Tainting
  ◦ Symbolic execution
● Integrated tools
  ◦ IDA Pro
  ◦ GDB
  ◦ Eclipse
A device of devices
(Figure, built up over several slides: an embedded device is a CPU surrounded by an IRQ controller, a bus controller, a memory controller, timers, and peripherals such as buttons, LEDs, USB, modem, WiFi and Ethernet.)
Challenges
● Advanced dynamic analysis needs emulation
● Emulating a firmware requires not only instruction set emulation but also peripheral emulation
● But peripherals are often unknown, interact with the physical world and with other embedded devices...
Avatar goal
(Figure, two builds: the firmware that runs on the physical embedded device's CPU is run in an emulator instead; the first build marks the link between emulator and device with a "?", the second build fills it with Avatar.)
Avatar
● Orchestrate execution between the emulator and the device
  – Currently S2E, a symbolic execution engine for binary code, is used as the emulator
● Forward peripheral accesses to the device under analysis
● Do not attempt to emulate peripherals
  – No documentation
  – Reverse engineering is difficult
Avatar overview
(Figure, built up over several slides. The emulator executes the firmware code, e.g.:
    mov r2, r0
    mov r3, r1
    add r3, r3, #1
    ldr r2, [r2, #0]
    cmp r2, r3
Avatar plugins and analysis plugins, driven by an analysis script, sit between the emulator and the device; an in-memory stub on the device exposes its memory, registers, CPU state and IRQs to the emulator.)
Bottlenecks
• Emulated execution is much slower than execution on the real device
  – Memory accesses pass through a low-bandwidth debug link
• IRQs can saturate the debug link
Improving performance
• Transfer state/execution
  – From the device to the emulator
  – From the emulator to the device
(Figure, built up over several slides: Avatar copies state (registers and memory) between the device and the emulator. Two variants are shown: "Full separation mode", and "Memory access optimization", in which only I/O memory remains on the device side.)
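To make the forwarding and state-transfer slides concrete, here is an added illustration that is not part of the deck and not Avatar's own code. It executes the five ARM instructions from the overview figure in a tiny interpreter, routes every load either to a local RAM copy or, over a packet-counting stand-in for the debug link, to an in-memory stub on the "device", and shows what a device-to-emulator state transfer buys: once RAM has been pulled across once, only memory-mapped I/O still crosses the link. All names (DebugLink, Emulator, run), the MMIO and SRAM address windows, and the register values are hypothetical and constructed for the example.

```python
import struct

MMIO_BASE, MMIO_SIZE = 0x40000000, 0x1000  # hypothetical peripheral register window
RAM_BASE, RAM_SIZE = 0x20000000, 0x1000    # hypothetical SRAM window


def _pack(mem, addr, value):
    # store a little-endian 32-bit word into an addr->byte map
    for i, b in enumerate(struct.pack("<I", value & 0xFFFFFFFF)):
        mem[addr + i] = b


def _unpack(mem, addr):
    # load a little-endian 32-bit word; unmapped bytes read as 0
    return struct.unpack("<I", bytes(mem.get(addr + i, 0) for i in range(4)))[0]


class DebugLink:
    """Stands in for the low-bandwidth link to the in-memory stub. device_mem is a
    constructed addr->byte map playing the real RAM and peripherals; each request
    costs one packet, which is the bottleneck the slides describe."""

    def __init__(self, device_mem):
        self.device_mem = device_mem
        self.packets = 0

    def read32(self, addr):
        self.packets += 1
        return _unpack(self.device_mem, addr)

    def write32(self, addr, value):
        self.packets += 1
        _pack(self.device_mem, addr, value)

    def dump(self, start, size):
        # bulk copy of a memory range, counted as a single packet (state transfer)
        self.packets += 1
        return {a: b for a, b in self.device_mem.items() if start <= a < start + size}


class Emulator:
    """Runs the listing from the overview figure; each access goes to local RAM or the device."""

    def __init__(self, link):
        self.link = link
        self.forward_ram = True   # until state is pulled, every access crosses the link
        self.local_ram = {}
        self.regs = {f"r{i}": 0 for i in range(16)}
        self.zero = False         # Z flag, set by cmp

    def pull_state(self):
        # device -> emulator transfer: after one bulk dump only MMIO still crosses the link
        self.local_ram = self.link.dump(RAM_BASE, RAM_SIZE)
        self.forward_ram = False

    def _forwarded(self, addr):
        return self.forward_ram or MMIO_BASE <= addr < MMIO_BASE + MMIO_SIZE

    def load32(self, addr):
        return self.link.read32(addr) if self._forwarded(addr) else _unpack(self.local_ram, addr)

    def store32(self, addr, value):
        if self._forwarded(addr):
            self.link.write32(addr, value)
        else:
            _pack(self.local_ram, addr, value)

    def _val(self, operand):
        # operand is a register name ("r3") or an immediate ("#1")
        return self.regs[operand] if operand.startswith("r") else int(operand[1:], 0)

    def step(self, instr):
        op, rest = instr.split(None, 1)
        a = [x.strip(" []") for x in rest.split(",")]
        if op == "mov":
            self.regs[a[0]] = self._val(a[1])
        elif op == "add":
            self.regs[a[0]] = (self._val(a[1]) + self._val(a[2])) & 0xFFFFFFFF
        elif op == "ldr":
            self.regs[a[0]] = self.load32(self.regs[a[1]] + self._val(a[2]))
        elif op == "cmp":
            self.zero = self._val(a[0]) == self._val(a[1])
        else:
            raise ValueError(f"unsupported instruction: {instr}")


LISTING = ["mov r2, r0", "mov r3, r1", "add r3, r3, #1", "ldr r2, [r2, #0]", "cmp r2, r3"]


def run(r0, r1, iterations, optimized):
    """Execute the listing `iterations` times with r0 as the load address; the loaded
    word is compared against r1 + 1. Returns (link packets, Z flag after the last cmp)."""
    device_mem = {}
    _pack(device_mem, MMIO_BASE, 5)   # constructed: a peripheral status register reads 5
    _pack(device_mem, RAM_BASE, 5)    # constructed: a RAM word that also holds 5
    emu = Emulator(DebugLink(device_mem))
    if optimized:
        emu.pull_state()
    for _ in range(iterations):
        emu.regs["r0"], emu.regs["r1"] = r0, r1
        for instr in LISTING:
            emu.step(instr)
    return emu.link.packets, emu.zero
```

Running the listing ten times against a RAM address costs ten link round trips without the transfer and a single bulk dump with it; against a peripheral register the ten round trips remain in both cases, because a memory-mapped register has no faithful local copy and must be read on the device. That asymmetry is why the slides keep I/O memory on the device side while moving everything else into the emulator.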
Avatar in more details
Use cases
● Hard disk drive
● GSM phone
● EconoTag (Zigbee sensor mote)
Avatar Summary
● Enables analyses that were impossible before:
  – Selective symbolic/concolic execution, whole-system analysis, analysis from (partial) binary code, reverse engineering framework, tracing…
● Is a versatile, open-source platform
  – http://s3.eurecom.fr/tools/avatar/
● We are currently using it to analyze many different devices
  – Have a device to analyze? Come for a STEM
● Under active development, currently extending it to
  – support other analysis frameworks (Angr, Panda, klee, mixed analysis…)
  – better interaction with hardware (fast custom USB3 dongle)
« Avatar: A Framework to Support Dynamic Security Analysis of Embedded Systems' Firmwares »
J. Zaddach, L. Bruno, A. Francillon, D. Balzarotti, NDSS 2014
People involved
Luca Bruno
Sandeep Nuckchady (fuzzer, Avatar)
Student projects:
  Luka Malisa (initial experiments)
  Kjell Braden (Avatar MMU support)
Jonas Zaddach
Lucian Cojocar (VU Amsterdam)
Davide Balzarotti