
Efficient Reverse Engineering of Automotive Firmware


The firmware executed by the components found in a car provides a starting point for adversaries to obtain confidential information and discover potential vulnerabilities. However, the process of reverse engineering a specific component is typically considered a complex and time-consuming task. In this paper we discuss several techniques which we used to significantly increase the efficiency of reverse engineering the firmware of an instrument cluster.

Published in: Technology

Efficient Reverse Engineering of Automotive Firmware

  1. Efficient Reverse Engineering of Automotive Firmware. Alyssa Milburn, Security Analyst, Riscure, milburn@riscure.com / @noopwafel (with Niek Timmers)
  2. Reverse Engineering: Getting Firmware, IP, Tuning / manipulation, Hacking, ??? (Reverse Engineering → Understanding)
  3. Automotive Firmware?
  4. Instrument Cluster • Speedometer/gauges • Display (screen) • Speaker! • Blinky lights! • 32-bit CPU • CAN bus • I2C bus • EEPROM
  5. How can we get the firmware? External flash, debug interfaces, leaks, software vulnerabilities, hardware attacks
  6. What makes this challenging? • “Non-standard” platforms • New concepts • Complexity
  7. (no slide text)
  8. What makes this challenging? No tools?! Let’s make some! • Static analysis (disassembly): too complicated • Dynamic analysis (emulation / debugging): no tools?
  9. What do we need? • Processor (instruction set) emulator • Timers, interrupts • CAN controller • I2C controller • EEPROM • Display controller
  10. Emulating the CPU architecture
  11. “Implementing” peripherals
  12. How difficult was it? ~1 man-week of work, ~3000 lines of (terrible) code (excluding support tooling)
  13. Dynamic analysis
  14. Debugging: Step! Break! Watch! (gdb ↔ gdb “stub”)
  15. Debugging:
      (gdb) hbreak *0x11032
      Hardware assisted breakpoint 1 at 0x11032
      (gdb) c
      Continuing.
      0x00011032 in ?? ()
      (gdb)
  16. Execution tracing
  17. Execution tracing: 0x02920, 0x02922 (jump), 0x02926, 0x02928, 0x0292c, 0x02930
  18. Execution tracing: 0x02920, 0x02922 (jump), 0x02926, 0x02928, 0x0292c, 0x02930
  19. Execution tracing
  20. Execution tracing
  21. Hacks!
  22. Hacks!
  23. State rewinding: Initial state → Running (booted) (100ms boot time) → Send CAN message → Observe CAN response
  24. Taint tracking: CAN message bytes 1..8: ??; Data[2] = CAN.read(); Data[7] = Data[2]; CAN message → Data[7] == Y?
  25. Fuzzing: CAN message → Memory; Memory[5] == 0xc7? → Path 1 / Path 2
  26. UDS:
      ./cc.py dcm discovery
      CARING CARIBOU v0.1
      -------------------
      Starting diagnostics service discovery
      Found diagnostics at arbitration ID 0x????, reply at 0x????
  27. UDS: security access. Seed (challenge) → Random key → Random key == calculateKey(seed)? We found calculateKey!
  28. UDS: security access
      sending requestSeed (0x3)
      CAN0: RCV [id ####] 02 27 03 aa aa aa aa aa
      CAN0: TRQ [id ####] 06 67 03 47 2e 8e 70 aa
      sending sendKey
      CAN0: RCV [id ####] 06 27 04 41 9b 35 42 aa
      comparison at 0002f390 (419b3542 vs 419b3542) is tainted with 000000c0
      CAN0: TRQ [id ####] 02 67 04 aa aa aa aa aa
  29. EEPROM contents. Reverse engineering is hard work! updateEEPROM(id, value): Identification (VIN), Features/configuration, (UDS) security state, Odometer
  30. Takeaways • Reverse engineering is not so hard! • Lots of other “tricks” to try: symbolic execution, deobfuscation (if necessary), smarter fuzzing • You can’t hide secrets in firmware: use asymmetric cryptography (i.e. public keys), use the secure hardware inside modern processors
  31. Thanks to… Santiago Cordoba, Eloi Sanfelix, Ramiro Pareja
  32. Challenge your security. Alyssa Milburn, Security Analyst, Riscure, milburn@riscure.com / @noopwafel. icons8.com • Training • Tools • Services
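An added example (not code from the talk or from Riscure) that decodes the UDS SecurityAccess exchange logged on slide 28 and checks the observation behind slides 27 and 28: the comparison the emulator's taint tracking flags operates on exactly the key bytes that arrived in the sendKey request, which is how calculateKey was located. It assumes the frames are ISO-TP single frames padded with 0xaa and keeps the slide's `####` arbitration-ID placeholder as-is.

```python
import re

# Added example. Log lines copied from slide 28; '####' is the slide's own placeholder for the arbitration ID.
LOG = """\
CAN0: RCV [id ####] 02 27 03 aa aa aa aa aa
CAN0: TRQ [id ####] 06 67 03 47 2e 8e 70 aa
CAN0: RCV [id ####] 06 27 04 41 9b 35 42 aa
comparison at 0002f390 (419b3542 vs 419b3542) is tainted with 000000c0
CAN0: TRQ [id ####] 02 67 04 aa aa aa aa aa"""

FRAME_RE = re.compile(r"CAN0: (RCV|TRQ) \[id (\S+)\] ((?:[0-9a-f]{2} ?){8})")
TAINT_RE = re.compile(r"comparison at ([0-9a-f]+) \(([0-9a-f]+) vs ([0-9a-f]+)\) "
                      r"is tainted with ([0-9a-f]+)")
SUBFUNC = {0x03: "requestSeed", 0x04: "sendKey"}  # UDS SecurityAccess sub-functions

def decode_frame(direction, payload):
    """Decode one ISO-TP single frame: low nibble of byte 0 is the length,
    then SID, sub-function and the seed or key; 0xaa bytes are padding."""
    length = payload[0] & 0x0F
    data = payload[1:1 + length]
    sid, sub = data[0], data[1]
    if sid == 0x27:
        kind = "request"
    elif sid == 0x67:          # 0x27 + 0x40 = positive response
        kind = "positive response"
    else:
        raise ValueError(f"not a SecurityAccess frame: 0x{sid:02x}")
    # value is the seed for requestSeed responses, the key for sendKey requests
    return {"dir": direction, "kind": kind, "sub": SUBFUNC.get(sub, hex(sub)),
            "value": data[2:].hex()}

def parse_log(text):
    """Turn the emulator log into a list of decoded frames and taint reports."""
    events = []
    for line in text.splitlines():
        if m := FRAME_RE.match(line):
            events.append(decode_frame(m.group(1),
                                       bytes.fromhex(m.group(3).replace(" ", ""))))
        elif m := TAINT_RE.match(line):
            events.append({"kind": "tainted compare", "pc": m.group(1),
                           "lhs": m.group(2), "rhs": m.group(3), "taint": m.group(4)})
    return events

def key_checked_against_sent_value(events):
    """Slide 28's observation: the tainted comparison operates on exactly the
    key bytes that arrived in the sendKey request."""
    sent = next(e["value"] for e in events
                if e["kind"] == "request" and e["sub"] == "sendKey")
    cmp_ = next(e for e in events if e["kind"] == "tainted compare")
    return sent == cmp_["lhs"] == cmp_["rhs"]
```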
