Embedded Device Exploitation
This course is designed for hackers, tinkerers, and hobbyists with limited experience and an interest in embedded systems analysis. The course starts with a basic introduction to electronics, using a series of hands-on lab exercises to give the student a comfortable foundation using various embedded analysis tools and techniques, including exercises in extracting and analyzing flash images from live hardware. Students will learn how to identify and extract critical data in the firmware, and perform basic vulnerability analysis on embedded code.
The course continues with advanced emulation and exploitation techniques against MIPS Linux systems, including stack overflows, return to libc and return oriented programming. Students will develop buffer overflow exploits against live MIPS Linux devices using only a firmware update image - no hardware required!
The course culminates with students identifying, exploiting, and patching 0-day vulnerabilities in a real-world embedded device. At the end of the course, students will have the knowledge and experience to perform hardware and firmware analysis of commercial off-the-shelf embedded systems.
No equipment or food necessary... we provide both!
March 10-14, 2014
- Introduction to electronics, package types, and component identification
- Interconnect types and design (GPIO, SPI, I2C, JTAG, etc.)
- Identifying flash chip types and methods to extract their contents
- Analysis and extraction of flash image contents
- Vulnerability analysis with unpacked firmware image
- Introduction to MIPS dis/assembly
- Embedded code emulation
- Introduction to MIPS stack overflows
- MIPS stack overflow exploitation techniques
- Return to libc in MIPS
- Return oriented programming in MIPS
- Firmware modification
You will need the following to succeed in class:
- Intimate familiarity with the Linux operating environment
- Knowledge of common networking protocols (TCP/IP, HTTP)
- Experience with programming/scripting languages (C and Python in particular)
- Familiarity with any assembly language
- Familiarity with IDA Pro
- Experience with PC vulnerability analysis and exploitation
Craig Heffner is a Vulnerability Researcher with Tactical Network Solutions in Columbia, MD. He has 6 years experience analyzing embedded systems and operates the /dev/ttys0 blog which is dedicated to embedded hacking topics. He has presented at events such as Blackhat and DEF CON. His skin has never been exposed to sunlight and is bioluminescent at 200 meters (656 feet) below sea level.