HACK.LU Luxembourg

Similar documents
Recon Montreal

ADVANCED PROCESSOR ARCHITECTURES AND MEMORY ORGANISATION Lesson-17: Memory organisation, and types of memory

EXPLORING LINUX KERNEL: THE EASY WAY!

Going Linux on Massive Multicore

A+ Guide to Managing and Maintaining Your PC, 7e. Chapter 1 Introducing Hardware

Red Hat Linux Internals

Embedded Linux Platform Developer

Lesson Objectives. To provide a grand tour of the major operating systems components To provide coverage of basic computer system organization

Open Network Install Environment (ONIE) LinuxCon North America 2015

Analysis of Open Source Drivers for IEEE WLANs

Procedure: You can find the problem sheet on Drive D: of the lab PCs. Part 1: Router & Switch

Real-time Debugging using GDB Tracepoints and other Eclipse features

Complete Integrated Development Platform Copyright Atmel Corporation

Eddy Integrated Development Environment, LemonIDE for Embedded Software System Development

CCNA 2 Chapter 5. Managing Cisco IOS Software

Frontiers in Cyber Security: Beyond the OS

How to design and implement firmware for embedded systems

Peach Fuzzer Platform

Putting it on the NIC: A Case Study on application offloading to a Network Interface Card (NIC)

Fastboot Techniques for x86 Architectures. Marcus Bortel Field Application Engineer QNX Software Systems

Hacking. Aims. Naming, Acronyms, etc. Sources

Example of Standard API

ALTIRIS Deployment Solution 6.8 PXE Overview

Implementation and Implications of a Stealth Hard-Drive Backdoor

Supporting the Alert Standards Format (ASF) 2.0 Specification

RISC-V Software Ecosystem. Andrew Waterman UC Berkeley

UNCLASSIFIED Version 1.0 May 2012

Security Overview of the Integrity Virtual Machines Architecture

ROM Monitor. Entering the ROM Monitor APPENDIX

Review from last time. CS 537 Lecture 3 OS Structure. OS structure. What you should learn from this lecture

Objectives. Chapter 2: Operating-System Structures. Operating System Services (Cont.) Operating System Services. Operating System Services (Cont.

Computers. Hardware. The Central Processing Unit (CPU) CMPT 125: Lecture 1: Understanding the Computer

Configuration Maximums VMware vsphere 4.1

Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com

Hi and welcome to the Microsoft Virtual Academy and

Embedded devices as an attack vector

Digitale Signalverarbeitung mit FPGA (DSF) Soft Core Prozessor NIOS II Stand Mai Jens Onno Krah

DsPIC HOW-TO GUIDE Creating & Debugging a Project in MPLAB

C-GEP 100 Monitoring application user manual

Configuration Maximums VMware vsphere 4.0

Introduction to Routing and Packet Forwarding. Routing Protocols and Concepts Chapter 1

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

Chapter 1 Computer System Overview

I/O Attacks in Intel-PC Architectures and Countermeasures

Release Notes for Dominion SX Firmware 3.1.6

Virtualization and Other Tricks.

Programación de Sistemas Empotrados y Móviles (PSEM)

IOTIVITY AND EMBEDDED LINUX SUPPORT. Kishen Maloor Intel Open Source Technology Center

Enhanced Diagnostics Improve Performance, Configurability, and Usability

Software based Finite State Machine (FSM) with general purpose processors

Exploring the Remote Access Configuration Utility

Embedded Software Development

Figure 1: Graphical example of a mergesort 1.

What s New in Ghost Solution Suite 3.0

Von der Hardware zur Software in FPGAs mit Embedded Prozessoren. Alexander Hahn Senior Field Application Engineer Lattice Semiconductor

USER GUIDE: MaaS360 Services

"EZHACK" POPULAR SMART TV DONGLE REMOTE CODE EXECUTION

Enterprise-Class Virtualization with Open Source Technologies

Configuration Maximums VMware Infrastructure 3

Dell Server Management Pack Suite Version 6.0 for Microsoft System Center Operations Manager User's Guide

FOG Guide. IPBRICK International. July 17, 2013

ERIKA Enterprise pre-built Virtual Machine

GETTING STARTED WITH ANDROID DEVELOPMENT FOR EMBEDDED SYSTEMS

Chapter 2 System Structures

Sistemi ad agenti Principi di programmazione di sistema

Application-Level Debugging and Profiling: Gaps in the Tool Ecosystem. Dr Rosemary Francis, Ellexus

Configuring Virtual Blades

VEEAM ONE 8 RELEASE NOTES

Type Message Description Probable Cause Suggested Action. Fan in the system is not functioning or room temperature

Operating Systems 4 th Class

WinClon CC. Network-based System Deployment and Management Tool. A Windows Embedded Partner

Computer Setup (F10) Utility Guide HP Compaq dx2200 Microtower Business PC

Real-Time Virtualization How Crazy Are We?

Overview. Open source toolchains. Buildroot features. Development process

Introducing Ring -3 Rootkits

Virtualization for Cloud Computing

CS 377: Operating Systems. Outline. A review of what you ve learned, and how it applies to a real operating system. Lecture 25 - Linux Case Study

Advanced Computer Networks. Network I/O Virtualization

Module I-7410 Advanced Linux FS-11 Part1: Virtualization with KVM

13.1 Backup virtual machines running on VMware ESXi / ESX Server

VisorALARM-Manager Application Quick Guide. (Ver. 1.3) Dm 380-I. V:3.0

Attacking Hypervisors via Firmware and Hardware

FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory p.1/11

VMWare Workstation 11 Installation MICROSOFT WINDOWS SERVER 2008 R2 STANDARD ENTERPRISE ED.

ConnectKey 2.0 WorkCentre 6655i 6655

Providing a jump start to EFI application development and a uniform pre-boot environment

Chapter 3: Operating-System Structures. System Components Operating System Services System Calls System Programs System Structure Virtual Machines

Architecture of the Kernel-based Virtual Machine (KVM)

Virtual Switching Without a Hypervisor for a More Secure Cloud

How To Test Your Code

RTOS Debugger for ecos

CHAPTER 7: The CPU and Memory

Dongwoo Kim : Hyeon-jeong Lee s Husband

Setup Cisco Call Manager on VMware

Remote Supervisor Adapter II. User s Guide

Installing Cable Modem Software Drivers

Running a Program on an AVD

Transcription:

Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware Guillaume Delugré Sogeti / ESEC R&D guillaume(at)security-labs.org HACK.LU 2010 - Luxembourg

Purpose of this presentation G. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 2/40 Hardware trust? Hardware manufacturers are reluctant to disclose their specifications You do not really know what firmwares do behind your back Consequently you cannot really trust them... So here comes the need for reverse engineering Previous works A SSH server in your NIC, Arrigo Triulzi, PacSec 2008 Can you still trust your network card?, Y-A Perez, L. Duflot, CanSecWest 2010

Purpose of this presentation G. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 3/40 What is this presentation about? Why? Reverse engineering of the Broadcom Ethernet NetExtreme firmware Building an instrumentation toolset for the device Developing a new firmware from scratch To have a better understanding of the device internals To look for vulnerabilities inside the firmware code To develop an open-source alternative firmware for the community To develop a rootkit firmware embedded in the network card!

. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 4/40 Plan Overview of the NIC architecture 1 Overview of the NIC architecture 2 3

Where should we begin? G. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 5/40 About the target Sources Targeted hardware: Broadcom Ethernet NetExtreme NIC Standard range of Ethernet cards family from Broadcom Massively installed on personal laptops, home computers, enterprises... Broadcom device specifications (incomplete, sometimes erroneous) Linux open-source kernel module (tg3) A firmware code is published as a binary blob in the kernel tree It is actually not loaded by the Linux driver

The targeted device G. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 6/40

NIC overview G. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 7/40

Device overview G. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 8/40 Core blocks The PHY block DSP on the Ethernet link Passes raw data to the MAC block The MAC block Processes and queues network frames Passes them to the driver MAC components one or two MIPS CPU a non-volatile EEPROM memory a volatile SRAM memory a set of registers to configure the device

Communicating with the device G. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 9/40 PCI interface Cards are connected to the PCI bus Device is accessible using memory-mapped I/O Mapped on 16 bits (64 KB) First 32 KB are a direct mapping onto the device registers Last 32 KB constitute a R/W window into the internal volatile memory The base of the window can be set using a register EEPROM memory can be accessed in R/W using a dedicated set of registers We have access to registers, volatile and EEPROM memory through the PCI bus.

Physical PCI view G. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 10/40

Different kinds of memory G. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 11/40 EEPROM Manufacturer s information, MAC address,... Firmware images Non-documented format Volatile memory Registers Copy of the firmware image executed by the CPU Network packet structures, temporary buffers MANY registers to configure and control the device Some of them are non-documented

. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 12/40 Plan Overview of the NIC architecture Accessing the device s internal memory Getting to debug firmware code 1 Overview of the NIC architecture 2 3

Instrumenting the device Accessing the device s internal memory Getting to debug firmware code We want to Get easy access to all kinds of memory Dump the executing firmware code Inject and execute some code Test it Debug it At first we have to easily access the device s memory, so we are going to write a little kernel module. G. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 13/40

. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 14/40 Plan Overview of the NIC architecture Accessing the device s internal memory Getting to debug firmware code 1 Overview of the NIC architecture 2 Accessing the device s internal memory Getting to debug firmware code 3

Linux Kernel Module Accessing the device s internal memory Getting to debug firmware code Basics At boot time, the BIOS assigns each device a physical memory range The OS maps this range onto a virtual address range In MMIO mode, we have to get the device s base virtual address then just access it like any other memory A kernel proxy between the NIC and userland The module provides primitives for reading and writing inside the NIC (registers, volatile, EEPROM) It exposes them to userland by creating a virtual char device Processes can then use open, read, write, seek syscalls G. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 15/40

Extracting the firmware code Accessing the device s internal memory Getting to debug firmware code Firmware dump We can dump the executed firmware code from userland Based at address 0x10000 in volatile memory (refering to the specs) We can directly disassemble MIPS code, obviously it is not encrypted, nor obfuscated Static analysis Static disassembly analysis already made possible We will focus on how to dynamically analyze the executed code G. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 16/40

. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 17/40 Plan Overview of the NIC architecture Accessing the device s internal memory Getting to debug firmware code 1 Overview of the NIC architecture 2 Accessing the device s internal memory Getting to debug firmware code 3

Going further Overview of the NIC architecture Accessing the device s internal memory Getting to debug firmware code Plan Using this kernel proxy, we can easily dump and modify the device s memory from userland Now we have to control what is executed on the NIC, the firmware code Two firmware debuggers InVitroDbg is a firmware emulator based on a modified Qemu. InVivoDbg is a real firmware debugger to control code executed on the NIC. Both use the kernel proxy to interact with the NIC. G. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 18/40

G. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 19/40 InVitroDbg Overview of the NIC architecture Accessing the device s internal memory Getting to debug firmware code A firmware emulator Emulates the NIC MIPS CPU Interacts with the physical NIC memory Mechanism Based on a modified Qemu Firmware code embedded in a userland ELF executable Code segment mapped at the firmware base address Catches memory faults and redirects accesses to the real device Debugging made possible using the GDB stub of Qemu

Architecture de InVitroDbg Accessing the device s internal memory Getting to debug firmware code G. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 20/40

G. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 21/40 InVivoDbg Overview of the NIC architecture Accessing the device s internal memory Getting to debug firmware code Firmware debugger Firmware code really executed on the NIC Controlling the CPU using dedicated registers Mechanism CPU control with NIC registers: halt, resume, hbp CPU registers found in non-documented NIC registers Debugger core written in Ruby Integrated with the Metasm dissassembly framework Real-time IDA-like graphical interface for debugging

Debuggers comparison Accessing the device s internal memory Getting to debug firmware code InVitro Firmware code executed in userland No injection in the device memory A lot of transactions on the PCI bus Fake memory view from the PCI bus InVivo IDA-like GUI Easily extensible with Ruby scripts Few PCI transactions required Real memory view from the NIC CPU G. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 22/40

Extending InVivoDbg Accessing the device s internal memory Getting to debug firmware code Execution flow tracing Reuse the Metasm plugin BinTrace (A. Gazet & Y. Guillot) Log every basic block executed Save a trace which can be visualized offline Support differential analysis of different traces Interest Quickly visualize the default execution path of the code Monitor the effect of various stimuli (received packet, driver communication... ) on execution G. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 23/40

Execution flow trace Accessing the device s internal memory Getting to debug firmware code G. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 24/40

Extending InVivoDbg Accessing the device s internal memory Getting to debug firmware code Memory access tracing Step-by-step firmware code Log each memory access (lw, sw, lh, sh, lb, sb) Save the generated trace Replay the trace Interest Does not rely on firmware code analysis Extracts the very core behavior of the firmware Logs every register access tells us what the firmware is actually doing, e.g. how it configures the device G. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 25/40

Memory access trace Accessing the device s internal memory Getting to debug firmware code G. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 26/40

. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 27/40 Plan Overview of the NIC architecture Reversing the EEPROM format Description of the bootstrap process Building your own firmware 1 Overview of the NIC architecture 2 3

Creating a new firmware: what for? Reversing the EEPROM format Description of the bootstrap process Building your own firmware Multiple purposes Provides an open-source alternative to proprietary firmware Creates a rootkit firmware resident in the NIC Code testing We control the firmware image in volatile memory We control the MIPS CPU state Thus we can quickly inject and test code in memory How to get our code loaded during the device bootstrap? G. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 28/40

. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 29/40 Plan Overview of the NIC architecture Reversing the EEPROM format Description of the bootstrap process Building your own firmware 1 Overview of the NIC architecture 2 3 Reversing the EEPROM format Description of the bootstrap process Building your own firmware

Reversing the EEPROM format Reversing the EEPROM format Description of the bootstrap process Building your own firmware Non-documented format EEPROM contains non-volatile data Data is r/w accessible using specific device registers Format is not documented by Broadcom spec. sheets Contents Discovered by firmware code and memory analysis It contains A bootstrap header Device metadata (manufacturer s id, device revision... ) Device configuration (MAC, voltages,... ) A set of firmware images (bootstrap code, default image, PXE... ) G. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 30/40

. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 31/40 Plan Overview of the NIC architecture Reversing the EEPROM format Description of the bootstrap process Building your own firmware 1 Overview of the NIC architecture 2 3 Reversing the EEPROM format Description of the bootstrap process Building your own firmware

Description of the bootstrap process Reversing the EEPROM format Description of the bootstrap process Building your own firmware Firmware bootstrap So? How is the firmware loaded from EEPROM to volatile memory? Method: reset the device and stop the CPU as quick as possible! Result: CPU executes code at address 0x4000 0000 This memory zone is execute-only (not read/write), probably a ROM Hack: An non-documented device register holds the current dword pointed by $pc We can dump the ROM by modifying $pc and polling this register! G. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 32/40

Description of the bootstrap process Reversing the EEPROM format Description of the bootstrap process Building your own firmware G. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 33/40

. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 34/40 Overview of the NIC architecture Description of the bootstrap process Reversing the EEPROM format Description of the bootstrap process Building your own firmware Bootstrap No trusted bootstrap sequence! Every time the source power is plugged-in, or a PCI reset is issued, or the reset register is set: 1 CPU starts on a boot ROM 1 Initializes EEPROM access 2 Loads bootstrap firmware in memory from EEPROM 2 Execution of the bootstrap firmware 1 Configures the core of the device (power, clocks... ) 2 Loads a second-stage firmware from EEPROM 3 Execution of the second-stage firmware Is the default firmare executed Configures networking (Ethernet link, MAC,... ) Can load another firmware if requested

. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 35/40 Plan Overview of the NIC architecture Reversing the EEPROM format Description of the bootstrap process Building your own firmware 1 Overview of the NIC architecture 2 3 Reversing the EEPROM format Description of the bootstrap process Building your own firmware

Developing your own firmware Reversing the EEPROM format Description of the bootstrap process Building your own firmware Building our own firmware All we need is A cross-compiled binutils for MIPS ld-scripting to map the firmware at 0x10000 We can start developing our firmware in C Inject our firmware in the EEPROM Memory mapping Memory view from the CPU is documented in the specs Volatile memory is accessible from address 0 Memory greater than 0xC000 0000 maps into device registers G. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 36/40

Developing our own firmware Reversing the EEPROM format Description of the bootstrap process Building your own firmware Size requirements Code can reside between 0x10000 and 0x1c000 48 KB memory shared by code, stack, and incoming packet buffers Firmware structure Initialize the stack ($sp = 0x1c000) Configure the device for working (way far beyond this talk) Perform custom malicious/fun actions from the NIC! G. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 37/40

Examples of customized firmware Reversing the EEPROM format Description of the bootstrap process Building your own firmware Remote firmware debugger Remote debugging using the Ethernet link Would offer debugging even if the machine is shut down Rootkit capabilities Rootkit (still in development) Take over the network Packet interception/forge by the firmware Embedding an IP/UDP stack and a light DHCP client Stealthy communication (OS never aware) Corrupt physical memory Reuse DMA capabilities over PCI to corrupt system RAM Write access OK, read access still unstable The device and the OS driver still have to work properly! G. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 38/40

G. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 39/40 Conclusion Overview of the NIC architecture Reversing the EEPROM format Description of the bootstrap process Building your own firmware In a nutshell... Reverse engineering of a proprietary firmware for security purpose Made possible with a few free open-source tools (Qemu, Ruby, Metasm, binutils,... ) Real-time firmware debugging! But depends on targeted device (here Broadcom NICs) No firmware signature/encryption in Broadcom Ethernet NICs One can build and load its own firmware To offer an open-source alternative for the community To build a highly stealthy rootkit embedded in the NIC

Thank you for your attention! Reversing the EEPROM format Description of the bootstrap process Building your own firmware Questions? G. Delugré Closer to metal: Reverse engineering the Broadcom NetExtreme s firmware 40/40

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information