• Aucun résultat trouvé

Analysis of security of embedded devices

N/A
N/A
Protected

Academic year: 2022

Partager "Analysis of security of embedded devices"

Copied!
89
0
0

Texte intégral

(1)
(2)

Who are we?

Andrei Costin Aurélien Francillon

Jonas Zaddach Davide Balzarotti

(3)

frmware · ǝɹ 4/91

Embedded Systems Are Everywhere

by Wilgengebroed on Flickr [CC-BY-2.0]

(4)

Smarter & More Complex

(5)

frmware · ǝɹ 6/91

Interconnected

by Wilgengebroed on Flickr [CC-BY-2.0]

(6)

Many Examples of Insecure Embedded Systems

Routers

(7)

frmware · ǝɹ 8/91

Routers

Printers

Many Examples of Insecure Embedded Systems

Networked printers at risk (30/12/2011, McAfee Labs)

(8)

Many Examples of Insecure Embedded Systems

Routers

Printers

VoIP

Cisco VoIP Phones Affected By On Hook Security Vulnerability (12/06/2012, Forbes)

(9)

10/91

frmware · ǝɹ

Routers

Printers

VoIP

Cars

Many Examples of Insecure Embedded Systems

Hackers Reveal Nasty New Car Attacks – With Me Behind The Wheel (12/08/2013, Forbes)

(10)

Many Examples of Insecure Embedded Systems

Routers

Printers

VoIP

Cars

Drones

(11)

12/91

frmware · ǝɹ

Many Examples of Insecure Embedded Systems

Routers

Printers

VoIP

Cars

Drones

...

(12)

Many Examples of Insecure Embedded Systems

Routers

Printers

VoIP

Cars

Drones

Each of the above is a result of individual analysis

Manual and tedious efforts → Does not scale

(13)

14/91

frmware · ǝɹ

The Goal

P e r fo r m a la r g e s c a l e a n a l y s i s to gain a better understanding

of firmware problems

(14)

The Problem With Large Scale Analysis

Heterogeneity of

Hardware, architectures, OSes

Users, requirements

Security goals

(15)

16/91

frmware · ǝɹ

The Problem With Large Scale Analysis

Heterogeneity of

Hardware, architectures, OSes

Users, requirements

Security goals

Manual analysis does not scale, it requires

Finding and downloading firmware

Unpacking and initial analysis

Re-discovering a similar bugs

(16)

Previous Approaches

Test on real devices [Bojinov09CCS]

Accurate results

Does not scale well

(17)

18/91

frmware · ǝɹ

Previous Approaches

Test on real devices [Bojinov09CCS]

Accurate results

Does not scale well

Scan devices on the Internet

Large scale testing [Cui10ACSAC]

Can only test for known vulnerabilities

Blackbox approach

More is too intrusive [Census2012]

(18)

Our Approach to The Large Scale Analysis

Collect a large number of firmware images

(19)

20/91

frmware · ǝɹ

Our Approach to The Large Scale Analysis

Collect a large number of firmware images

Perform broad but simple static analysis

(20)

Our Approach to The Large Scale Analysis

Collect a large number of firmware images

Perform broad but simple static analysis

Correlate across firmwares

(21)

22/91

frmware · ǝɹ

Our Approach to The Large Scale Analysis

Collect a large number of firmware images

Perform broad but simple static analysis

Correlate across firmwares

Advantages

No intrusive online testing, no devices involved

Scalable

(22)

Our Approach to The Large Scale Analysis

Collect a large number of firmware images

Perform broad but simple static analysis

Correlate across firmwares

Advantages

No intrusive online testing, no devices involved

Scalable

Many challenges remain

(23)

24/91

frmware · ǝɹ

Mainstream Systems

Have Centralized Updates

(24)

Challenge: Embedded Systems Update Sources are diverse

Public site

Manufacturer web site

FTP site

Hidden site

Accessed by firmware update utility

Restricted site

Request-only updates

Delivery on other media (CD-Rom, …)

Firmware only delivered on device

(25)

26/91

frmware · ǝɹ

Challenge: Embedded Systems

Update Mechanisms are diverse

(26)

Collecting a Dataset

No large scale firmware dataset yet

As opposed to existing datasets in security or other research areas

(27)

28/91

frmware · ǝɹ

Collecting a Dataset

No large scale firmware dataset yet

As opposed to existing datasets in security or other research areas

We collected a subset of the firmwares available for download

(28)

Collecting a Dataset

No large scale firmware dataset yet

As opposed to existing datasets in security or other research areas

We collected a subset of the firmwares available for download

Still many firmwares are not publicly available

(29)

30/91

frmware · ǝɹ

Collecting a Dataset

No large scale firmware dataset yet

As opposed to existing datasets in security or other research areas

We collected a subset of the firmwares available for download

Still many firmwares are not publicly available

→ www.firmware.re project

(30)

Challenge:

Firmware Identification

← Clearly a Firmware

(31)

32/91

frmware · ǝɹ

Challenge:

Firmware Identification

← Clearly a Firmware Clearly not a Firmware →

(32)

Challenge:

Firmware Identification

← Clearly a Firmware Clearly not a Firmware →

?

(33)

34/91

frmware · ǝɹ

Challenge:

Firmware Identification

E.g., upgrade by printing a PS document

(34)

Challenge:

Unpacking & Custom Formats

How to reliably unpack and learn formats?

(35)

36/91

frmware · ǝɹ

Challenge:

Unpacking & Custom Formats

How to reliably unpack and learn formats?

ZIP

(36)

Challenge:

Unpacking & Custom Formats

How to reliably unpack and learn formats?

ZIP

EXE PS

(37)

38/91

frmware · ǝɹ

Challenge:

Unpacking & Custom Formats

How to reliably unpack and learn formats?

ZIP

EXE PS

(38)

Challenge:

Unpacking & Custom Formats

How to reliably unpack and learn formats?

ZIP

EXE PS

Printer driver

(39)

40/91

frmware · ǝɹ

Challenge:

Unpacking & Custom Formats

How to reliably unpack and learn formats?

ZIP

EXE PS

ASCII85 Printer driver

(40)

Challenge:

Unpacking & Custom Formats

How to reliably unpack and learn formats?

ZIP

EXE PS

ELF

ASCII85 Printer driver

(41)

42/91

frmware · ǝɹ

Challenge:

Unpacking & Custom Formats

How to reliably unpack and learn formats?

ZIP

EXE PS

ELF

ASCII85 Printer driver

Binary patch?

(42)

Challenge:

Unpacking & Custom Formats

How to reliably unpack and learn formats?

ZIP

EXE PS

ELF

ASCII85 Printer driver

Update executable?

Binary patch?

(43)

44/91

frmware · ǝɹ

Challenge:

Unpacking & Custom Formats

How to reliably unpack and learn formats?

ZIP

EXE PS

ELF

ASCII85 Printer driver

Update executable?

Binary patch?

Whole FW image?

(44)

Challenge:

Unpacking & Custom Formats

How to reliably unpack and learn formats?

Firmware updates often are

”russian dolls”

Sometimes result of unpacking is just a binary data blob

ZIP

EXE PS

ELF

ASCII85 Printer driver

Update executable?

Binary patch?

Whole FW image?

(45)

46/91

frmware · ǝɹ

Our Approach to

Unpacking & Custom Formats

Often a firmware image is just a binary blob

File carving required

Bruteforce at every offset with all known unpackers

Have good heuristics when to stop carving

(46)

Our Approach to

Unpacking & Custom Formats

Often a firmware image is just a binary blob

File carving required

Bruteforce at every offset with all known unpackers

Have good heuristics when to stop carving

We compared existing tools and used BAT (Binary Analysis Toolkit)

Supports recursive extraction and carving

Extended it with multiple custom unpackers

(47)

48/91

frmware · ǝɹ

Challenge:

Scalability & Computational Limits

Unpacking and file carving is very CPU intensive

(48)

Challenge:

Scalability & Computational Limits

Unpacking and file carving is very CPU intensive

Results in millions of unpacked files

Manual analysis infeasible

One-to-one fuzzy hash comparison is CPU intensive

(49)

50/91

frmware · ǝɹ

Challenge:

Scalability & Computational Limits

Fuzzy hashing becomes difficult with lots of files

26k 850 d

150 y

130k # firmwares CPU Time

(50)

Challenge:

Results Confirmation

An issue found statically

Cannot guarantee exploitability

May not apply to a real device

E.g., vulnerable daemon present but never started

(51)

52/91

frmware · ǝɹ

Challenge:

Results Confirmation

An issue found statically

Cannot guarantee exploitability

May not apply to a real device

E.g., vulnerable daemon present but never started

Issue confirmation is difficult

Requires advanced analysis (static & dynamic)

Does not scale for heterogeneous firmware

Often requires real embedded devices

(52)

Internet

Crawl

Firmware Datastore

Architecture

(53)

54/91

frmware · ǝɹ

Architecture

Internet Public Web Interface

Crawl Submit

Firmware Datastore

(54)

Architecture

Internet Public Web Interface

Crawl Submit

Firmware Datastore

Firmware Analysis Cloud

(55)

56/91

frmware · ǝɹ

Architecture

Internet Public Web Interface

Crawl Submit

Firmware Datastore

Master

Firmware Analysis Cloud

(56)

Internet Public Web Interface

Crawl Submit

Firmware Datastore

Master

Distribute

Unpacking Static Analysis

Firmware Analysis Cloud

Password Hash Cracker

Architecture

(57)

58/91

frmware · ǝɹ

Internet Public Web Interface

Crawl Submit

Firmware Datastore

Master

Workers

Distribute

Unpacking Static Analysis Fuzzy Hashing

Firmware Analysis &

Reports DB Firmware

Analysis Cloud

Password Hash Cracker

Architecture

(58)

Internet Public Web Interface

Crawl Submit

Firmware Datastore

Master

Distribute

Unpacking Static Analysis

Firmware Analysis &

Reports DB Firmware

Analysis Cloud

Password Hash Cracker

Data Enrichment

Correlation Engine

Architecture

(59)

60/91

frmware · ǝɹ

Crawler

Multiple seeds

FTP-index engines

Google Custom search engines

Several download techniques

WGET scripts

Beautiful Soup scripts

759 K collected files, 1.8 TB of disk space

(60)

www.Firmware.RE (beta)

Will provide Unpacking and Analysis

(61)

62/91

frmware · ǝɹ

www.Firmware.RE (beta)

Will provide Unpacking and Analysis

(62)

Unpacking

759 K total files collected

(63)

64/91

frmware · ǝɹ

Unpacking

759 K total files collected

172 K filtered interesting files

Filter non firmware

(64)

Unpacking

759 K total files collected

172 K filtered interesting files

32 K analyzed

Filter non firmware

Random selection

(65)

66/91

frmware · ǝɹ

Unpacking

759 K total files collected

172 K filtered interesting files

32 K analyzed

26 K unpacked (fully or partially)

Filter non firmware

Random selection

Successful unpack

(66)

759 K total files collected

172 K filtered interesting files

32 K analyzed

26 K unpacked (fully or partially)

1.7 M resulted files after unpacking

Unpacking

Filter non firmware

Random selection

Successful unpack

Unpacked files

(67)

68/91

frmware · ǝɹ

Static Analysis

Misconfigurations

Web-server configs, Credentials, Code repositories

Data enrichment

Version banners → Software packages and versions

Keywords → Known problems (e.g., telnet, shell, UART, backdoor)

Correlation/clustering

Fuzzy hashes, SSL certificates, Credentials

(68)

Correlation via fuzzy-hashes (ssdeep, sdhash)

Example: Correlation

Firmware 1

(69)

70/91

frmware · ǝɹ

Example: Correlation

Correlation via fuzzy-hashes (ssdeep, sdhash)

Firmware 1

(70)

Example: Correlation

Correlation via fuzzy-hashes (ssdeep, sdhash)

Firmware 1 Firmware 2

Firmware 3

95%

99%

0%

Firmware 4

Firmware 5

(71)

73/91

frmware · ǝɹ

Example: Correlation

Correlation via fuzzy-hashes (ssdeep, sdhash)

Firmware 1 Firmware 2

Firmware 3

95%

99%

0%

Firmware 4

Firmware 5

(72)

SSL cert correlation + vulnerability propagation

Example: SSL certificates

(73)

75/91

frmware · ǝɹ

SSL cert correlation + vulnerability propagation

Example: SSL certificates

(74)

SSL cert correlation + vulnerability propagation

Example: SSL certificates

Vendor A

(75)

77/91

frmware · ǝɹ

SSL cert correlation + vulnerability propagation

Example: SSL certificates

Vendor A

(76)

SSL cert correlation + vulnerability propagation

Example: SSL certificates

Vendor A

(77)

79/91

frmware · ǝɹ

SSL cert correlation + vulnerability propagation

Example: SSL certificates

Vendor A

(78)

SSL cert correlation + vulnerability propagation

Example: SSL certificates

Vendor A

Vendor B

(79)

81/91

frmware · ǝɹ

SSL cert correlation + vulnerability propagation

Example: SSL certificates

Vendor A

Vendor B

(80)

SSL cert correlation + vulnerability propagation

Example: SSL certificates

Vendor A

Vendor B Common Vulnerabie Components

(81)

83/91

frmware · ǝɹ

Results: Summary

38 new vulnerabilities (CVE)

Correlated them to 140 K online devices

Affected 693 firmware files by at least one vuln

(82)

”Chamber of Horrors”

Several recently build images with linux kernels, busybox older than 9 years

Similar ”debug” backdoor daemon in

networking, home automation equipment

Forgotten or backdoor entries in authorized_key filess

(83)

85/91

frmware · ǝɹ

”Chamber of Horrors”

Linux kernel older than 4 years compiled by

root on a machine with public IP accepting SSH connections (GPS/Aerospace manufacturer)

Discovered vulnerability in wireless fireworks system, implemented PoC attack [3]

(84)

Contributions Summary

First large-scale static analysis of firmwares

Described the main challenges associated

Shown the advantages of performing a large- scale analysis of firmware images

Implemented a framework and several efficient static techniques

(85)

87/91

frmware · ǝɹ

Conclusions

A broader view on firmwares

Not only beneficial

But necessary for discovery and analysis of vulnerabilities

Correlation reveals firmware relationship

Shows how vulnerabilities reappear across different products

Could allow seeing how firmwares evolve

(86)

Conclusions

There are plenty of latent vulnerabilities

Security

Tradeoff with cost and time-to-market

Clearly not a priority for some vendors

(87)

89/91

frmware · ǝɹ

Thank you

To our advisors, Aurélien and Davide

To our friends and families

To the SECURE 2014 organizers

To everybody who is submitting firmware to us

To you for listening to this talk :)

frmware · ǝɹ

frmware · ǝɹ

(88)

The End

Q u e s t i o n s ?

{name.surname}@eurecom.fr

(89)

91/91

frmware · ǝɹ

References

[1] A. Costin, J. Zaddach, A. Francillon, D. Balzarotti, ”A Large-Scale Analysis of the Security of Embedded

Firmwares”, In Proceedings of the 23rd USENIX Conference on Security (to appear)

[2] A. Costin, J. Zaddach, ”Poster: Firmware.RE:

Firmware Unpacking and Analysis as a Service”, In Proceedings of the ACM Conference on Security and Privacy in Wireless Mobile Networks (WiSec) '14

[3] A. Costin, A. Francillon, ”Short paper: A Dangerous 'Pyrotechnic Composition': Fireworks, Embedded

Wireless and Insecurity-by-Design”, In Proceedings of the ACM Conference on Security and Privacy in

Wireless Mobile Networks (WiSec) '14

Références

Documents relatifs

Security and Privacy of Mobile Wallet Users in Bitcoin, Dash, Monero, and Zcash.. Alex Biryukov a , Sergei

The current stalemate in USA-EU relations over the matter of data protection and privacy law especially in the area of national security and mass surveillance, means that the

Once the security protocol properties are established, they can drive the user interface analysis and the socio-technical protocol analysis to ultimately assess whether the

In this line of work, we chose some of the significant works in the literature that have provided formal definitions of coercion-resistance and receipt-freeness, and used formulae

In this article,we introduced a secure data transfer solution of moving equipment using XML encryption and SSL protocol, and implemented it in Agriculture Chain

An IO could be, for example, a Venue Owner (VO) (such as mall, stadium, enterprise or municipality) or the traditional network operator; (iii) IT Equipment Vendor

The obtained results show that when the packet forwarding function is disabled by a large percentage of nodes of the MANET the global network performance severely

These prototypes include a malware detection system based on Information Retrieval techniques, a compression-based spam filter, and a Data Leak Prevention system that