Embedded security researcher,fresh Dr. :)...First framework for automated large scale security...
97
Transcript of Embedded security researcher,fresh Dr. :)...First framework for automated large scale security...
2/97
• Embedded security researcher,fresh Dr. :)
# whoami
3/97
Intro
4/97
Embedded DevicesAre Everywhere
by Wilgengebroed on Flickr [CC-BY-2.0]
5/97
Embedded DevicesSmarter and More Complex
by Wilgengebroed on Flickr [CC-BY-2.0]
6/97
Embedded DevicesMore Interconnected
by Wilgengebroed on Flickr [CC-BY-2.0]
7/97
Embedded SoftwareFirmware is Everywhere
• Embedded devices are diverse – but all of them run software, commonly referred to as firmware
8/97
ObservationsMagnitude of Embedded/Firmware
• By 2014, there were hundred thousands firmware packages (Costin et al., USENIX Security 2014)
9/97
ObservationsMagnitude of Embedded/Firmware
• By 2014, there were hundred thousands firmware packages (Costin et al., USENIX Security 2014)
• By 2014, there were 14 billion Internet connected objects (Cisco, Internet of Things Connections Counter, 2014)
10/97
ObservationsMagnitude of Embedded/Firmware
• By 2014, there were hundred thousands firmware packages (Costin et al., USENIX Security 2014)
• By 2014, there were 14 billion Internet connected objects (Cisco, Internet of Things Connections Counter, 2014)
• By 2020, there will be between 20 and 50 billion interconnected IoT/embedded devices (Cisco, The Internet of Everything in Motion, 2013)
11/97
Importance of Embedded Systems' Security
• Embedded devices are ubiquitous– Even invisible, they are essential to our lives
• Can operate for many years– Legacy systems, no (security) updates
• Have a large attack surface– Web interfaces– Networking services– Debug interfaces (forgotten, backdoor)– ...
12/97
Many Examples of Insecure Embedded Systems
● Routers
13/97
● Routers● Printers
Many Examples of Insecure Embedded Systems
Networked printers at risk(30/12/2011, McAfee Labs)
14/97
● Routers● Printers● VoIP
Cisco VoIP Phones Affected By On Hook Security Vulnerability(12/06/2012, Forbes)
Many Examples of Insecure Embedded Systems
15/97
● Routers● Printers● VoIP● Cars
Hackers Reveal Nasty New Car Attacks – With Me Behind The Wheel (12/08/2013, Forbes)
Many Examples of Insecure Embedded Systems
16/97
Many Examples of Insecure Embedded Systems
● Routers● Printers● VoIP● Cars● Drones
17/97
Many Examples of Insecure Embedded Systems
● Routers● Printers● VoIP● Cars● Drones● Fireworks
Remote Control
Firing Module
18/97
Many Examples of Insecure Embedded Systems
● Routers● Printers● VoIP● Cars● Drones● Fireworks● Etc.
19/97
Many Examples of Insecure Embedded Systems
● Routers● Printers● VoIP● Cars● Drones● Fireworks● Etc.
Each of the above is a result of individual analysis
Manual and tedious efforts → Does not scale
20/97
ReviewManual Analysis Process
●
firmware
21/97
ReviewManual Analysis Process
●
firmware
decrypt
unpack
IHEX format
plain text firmware
22/97
ReviewManual Analysis Process
●
firmware
decrypt
unpack
detect CPU,static analysis
dynamic analysis
Motorola m68k-based CPU
23/97
ReviewManual Analysis Process
●
firmware
decrypt
unpack
debug interfaces?
UART consoles?
known/obvious vulns? 802.15.4 functions
UART “boot>” prompts
detect CPU,static analysis
dynamic analysis
24/97
ReviewManual Analysis Process
●
firmware
decrypt
unpack
debug interfaces?
UART consoles?
known/obvious vulns?
buy devicedetect CPU,static analysis
dynamic analysis
25/97
ReviewManual Analysis Process
●
firmware
decrypt
unpack
debug interfaces?
UART consoles?
known/obvious vulns?
buy device setup devicedetect CPU,static analysis
dynamic analysis
26/97
ReviewManual Analysis Process
●
firmware
decrypt
unpack
debug interfaces?
UART consoles?
known/obvious vulns?
buy device
disassemble/analyzedevice
setup devicedetect CPU,static analysis
dynamic analysis
27/97
ReviewManual Analysis Process
●
firmware
decrypt
unpack
debug interfaces?
UART consoles?
known/obvious vulns?
buy device
disassemble/analyzedevice
Open Problem: Hard to automate
setup devicedetect CPU,static analysis
dynamic analysis
28/97
ReviewManual Analysis Process
●
firmware
decrypt
unpack
debug interfaces?
UART consoles?
known/obvious vulns?
buy device
disassemble/analyzedevice
Goal: Automate these steps
setup devicedetect CPU,static analysis
dynamic analysis
29/97
Goals and Challenges
30/97
Idea → Goal
Perform large scale automated analysis to better understand, classify and analyze firmware images, without using devices
31/97
Challenges
• Large number of devices → Analysis without devices
• Large number of firmware files → Scalable architectures
• Highly heterogeneous systems → Generic techniques
• Increasingly “smart”, “connected” → Focus on web interfaces & APIs
• Highly unstructured firmware data → Large dataset classification
• Vulnerable devices exposed → Technology-independent device fingerprinting
32/97
Challenges → Solutions
• Large number of devices → Analysis without devices
• Large number of firmware files → Scalable architectures
• Highly heterogeneous systems → Generic techniques
• Increasingly “smart”, “connected” → Focus on web interfaces & APIs
• Highly unstructured firmware data → Large dataset classification
• Vulnerable devices exposed → Technology-independent device fingerprinting
33/97
Large Scale Challenge 1:Firmware and Device Classification
34/97
Firmware ClassificationWhy and How?
● Why?– There are hundred thousands
firmware packages (Costin et al., USENIX Security 2014)
– Any volunteer for manual triage? :)● How?
– Machine Learning (ML)– E.g., python's scikit-learn
35/97
Firmware ClassificationML Details
● Random Forests, Decision Trees● File size● Entropy value● Extended entropy information● Category strings● Category unique strings
36/97
Firmware ClassificationML Examples
37/97
Firmware ClassificationML Summary
● The local optimum for our setup– Features [size, entropy, entropy extended,
category strings, category unique strings]
– Random Forests classifier
– Training sets based on 40% of each category
– Achieves more than 90% accuracy
38/97
Large Scale Challenge 2:Automated Static Analysis
39/97
Static Firmware AnalysisAutomated and Large Scale
Internet Public Web Interface
Crawl Submit
Firmware Datastore
40/97
Static Firmware AnalysisAutomated and Large Scale
Internet Public Web Interface
Crawl Submit
Firmware Datastore
FirmwareAnalysis Cloud
41/97
Static Firmware AnalysisAutomated and Large Scale
Internet Public Web Interface
Crawl Submit
Firmware Datastore
Master
Workers
Distribute
UnpackingStatic AnalysisFuzzy Hashing
FirmwareAnalysis Cloud
Password Hash Cracker
42/97
Static Firmware AnalysisAutomated and Large Scale
Internet Public Web Interface
Crawl Submit
Firmware Datastore
Master
Workers
Distribute
UnpackingStatic AnalysisFuzzy Hashing
Firmware Analysis & Reports DB
FirmwareAnalysis Cloud
Password Hash Cracker
Data Enrichment
Correlation Engine
43/97
Static Firmware AnalysisTypes of Tests
● Misconfiguration● Web-server configs, Code repositories
● Credentials● Weak/Default/Hard-coded
● Data enrichment● Versions → Software packages● Keywords → Known problems (telnet, shell, UART, backdoor)
● Correlation and clustering● Based on: Fuzzy hashes, Private SSL keys, Credentials
44/97
Example:Firmware content correlation
Firmware 1
45/97
Example:Firmware content correlation
Firmware 1
46/97
Example:Firmware content correlation
Firmware 1
Firmware 2
Firmware 3
95%
99%
0%
Firmware 4
Firmware 5
47/97
Example:Firmware content correlation
Firmware 1
Firmware 2
Firmware 3
95%
99%
0%
Firmware 4
Firmware 5
48/97
Example:Firmware content correlation
Firmware 1
Firmware 2
Firmware 3
95%
99%
0%
Firmware 4
Firmware 5
49/97
Example:Firmware HTTPS keys correlation
50/97
Example:Firmware HTTPS keys correlation
51/97
Example:Firmware HTTPS keys correlation
52/97
Example:Firmware HTTPS keys correlation
Vendor A
53/97
Example:Firmware HTTPS keys correlation
Vendor A
54/97
Example:Firmware HTTPS keys correlation
Vendor A
55/97
Example:Firmware HTTPS keys correlation
Vendor A
56/97
Example:Firmware HTTPS keys correlation
Same key
Vendor A
57/97
Example:Firmware HTTPS keys correlation
Same key
Vendor A
Vendor B
58/97
Example:Firmware HTTPS keys correlation
Vendor B
Same key
Vendor A
59/97
Example:Firmware HTTPS keys correlation
For one certificate, we found at least: - 1 vulnerability
- 2 vendors
- 35K online devices
In total: - 109 private RSA keys for HTTPS certificates
Same key
60/97
Static Firmware AnalysisSome Results
● 38 new vulnerabilities
● 693 firmware images with at least one vulnerability
● 140K online devices correlated to some vulnerabilities
61/97
Large Scale Challenge 3:Automated Dynamic Analysis
62/97
Dynamic Firmware AnalysisAutomated and Large Scale
63/97
Dynamic Firmware AnalysisAutomated and Large Scale
64/97
Dynamic Firmware AnalysisAutomated and Large Scale
65/97
Dynamic Firmware AnalysisAutomated and Large Scale
66/97
Dynamic Firmware AnalysisAutomated and Large Scale
67/97
Dynamic Firmware AnalysisAutomated and Large Scale
68/97
Dynamic Firmware AnalysisAutomated and Large Scale
69/97
Dynamic Firmware AnalysisEmulator's Dilemma
70/97
Dynamic Firmware AnalysisEmulator's Dilemma
71/97
Dynamic Firmware AnalysisEmulator's Dilemma
72/97
Dynamic Firmware AnalysisEmulator's Dilemma
73/97
Dynamic Firmware AnalysisEmulator's Dilemma
74/97
Dynamic Firmware AnalysisEmulator's Dilemma
75/97
Dynamic Firmware AnalysisEmulator's Dilemma
76/97
Dynamic Firmware AnalysisEmulator's Dilemma
77/97
Dynamic Firmware AnalysisEmulator's Dilemma
78/97
Dynamic Firmware AnalysisScalable Emulation and Analysis
79/97
Dynamic Firmware AnalysisScalable Emulation and Analysis
80/97
Dynamic Firmware AnalysisScalable Emulation and Analysis
81/97
Dynamic Firmware AnalysisScalable Emulation and Analysis
82/97
Dynamic Firmware AnalysisScalable Emulation and Analysis
83/97
Dynamic Firmware AnalysisScalable Emulation and Analysis
84/97
Dynamic Firmware AnalysisScalable Emulation and Analysis
85/97
Dynamic Firmware AnalysisSome Results
● High-severity vulnerability impact● Command injection, XSS, CSRF● Automated+scalable static and dynamic analysis● 225 high-severity vulnerabilities, many previously unknown● 185 firmware images (~10% of original)● 13 vendors (~25% of original)
● Total alerts from the tools● 6068 dynamic analysis alerts on 58 firmware images● 9046 static analysis alerts on 145 firmware images● Manual triage and confirmation is challenging
86/97
Applications
87/97
Application ExampleIndustry Players
● 1 big player in SCADA/ICS/embedded● In ”Top 100” of ”Fortune Global 500” (2015)
● 3 years R&D contract (from 2015)
● Using our frameworks● For their own firmware life-cycle● Firmware collection, unpacking, analysis● Dynamic analysis and symbolic execution
88/97
Firmware.REFirst project of its kind
89/97
Firmware.REDemo Time!
90/97
Conclusions
● Plenty of latent vulnerabilities in embedded firmware
● Firmware security analysis is absolutely necessary
● Involves many untrivial steps and challenges● A broader view on firmwares is not just
beneficial, but necessary
91/97
Conclusions
● Security● Tradeoff with both cost and time-to-market● Clearly not a priority for some vendors
● Vendors are encouraged to:● Integrate this or similar frameworks in their
firmware SoftDev and QA cycles● Have an easy to reach
[email protected] security response team
92/97
Summary
● We build-up research expertise and implement our expertise in working prototypes
● First framework for automated large scale security analysis and classification of firmwares and embedded devices● Simple and advanced analysis using dynamic
and static techniques● Quick identification of (un)known
vulnerabilities● Automated classification and fingerprinting
93/97
References
● Please read, share, RT!● ”Automated Dynamic Firmware Analysis at
Scale: A Case Study on Embedded Web Interfaces” http://firmware.re/dynamicanalysis/
● ”A Large-Scale Analysis of the Security of Embedded Firmwares” http://firmware.re/usenixsec14/
● www.firmware.re ● www.s3.eurecom.fr/~costin/
94/97
Tools
● http://binwalk.org/ ● http://www.binaryanalysis.org/● http://rips-scanner.sourceforge.net/ ● http://www.arachni-scanner.com/ ● https://www.owasp.org/index.php/OWASP_Zed ● http://w3af.org/ ● http://www.metasploit.com/ ● http://www.tenable.com/products/nessus-vulnerability-scanner
95/97
Tools
● https://shodan.io ● https://zmap.io ● https://scans.io ● https://censys.io
96/97
Acknowledgements
● Dr. Jonas Zaddach
● Prof. Aurelien Francillon
● Prof. Davide Balzarotti
● Dr. Apostolis Zarras
97/97
The End
Thank You!Questions?
{name}@firmware.re
@costinandrei
