Exploiting Real Time Operating Systems

CPE/ECE Credits: 40

  • This course will teach students how to analyze, reverse, debug, and exploit embedded RTOS firmware. Hands-on experience with a variety of real-world devices, RTOSes, and architectures equips students with the practical knowledge and skills necessary to be proficient in RTOS vulnerability analysis and exploitation.

  • Due to the nature of the material, we do expect students to already have:

    • experience with basic overflows and ROP
    • familiarity with IDA’s user interface
    • some prior knowledge of MIPS and ARM (a plus, but not required)

    This course is a natural progression for students already familiar with embedded Linux exploitation; if you attended IoT Firmware Exploitation, then you meet the criteria.

    No equipment or food necessary… we provide both!

  • Day 1
    Basic introduction to the concept of Real Time Operating Systems
    Overview of MIPS architecture and design
    Firmware analysis of our first target device
    Debugging our first target device
    Augmenting IDA’s auto analysis
    Searching for backdoors

  • Day 2
    Searching for stack overflows
    Exploiting RTOS overflows
    How not to crash your target
    Practical exploitation of LAN services from the WAN

  • Day 3
    Hardware & firmware analysis
    Identifying functions without a symbol table
    Debugging without a debugger
    Searching for stack overflows
    Writing stack overflows with limited debugging
    Writing stack overflow exploits for our second target device

  • Day 4
    Parsing bugs
    Dynamic call path identification
    Complex ROP chains
    Re-programming RTOS kernel code on-the-fly
    Low-hanging crypto
    Breaking custom crypto
    Finding WPS crypto bugs
    Practical exploitation of WPS crypto bugs

  • Day 5
    More firmware analysis
    Augmenting IDA’s auto analysis
    V-Chip backdoors
    Hidden manufacturer menus

  • Craig Heffner is a Vulnerability Researcher with Tactical Network Solutions in Columbia, MD.

    He has 6 years’ experience analyzing embedded systems and operates the /dev/ttyS0 blog, which is dedicated to embedded hacking topics.

    He has presented at events such as Blackhat and DEFCON.

    His skin has never been exposed to sunlight and is bioluminescent at 200 meters (656 feet) below sea level.

  • Private, on-site training available. Call +1 (443) 276-6990 or email us at sales@tacnetsol.com.