Post on 04-Jun-2018
SESSION ID:
#RSAC
Ang Cui
Embedded Exploitation Party Trick!
BR-T08
Ph.D.
Columbia University
Chief Scientist, Red Balloon
#RSAC
Who I am, What I Do
2
Ang Cui
#RSAC
Who I am, What I Do
3
DR. Ang Cui !
#RSAC
Who I am, What I Do
4
Co-founder,
Chief Scientist
Red Balloon Security
#RSAC
Who I am, What I Do
5
Security Researcher
#RSAC
Great stories start in mid-drama
6
@ RSA_2014
#RSAC
My friend,
the Avaya ONE-X phone (9608)
7
#RSAC
My friend,
the Avaya ONE-X phone (9608)
8
#RSAC
ASA-2014-099
9
#RSAC
RELEASED 2014
10
#RSAC
Avaya 9608 Vulnerability # 2
11
#RSAC
Vulnerability Details will not be published until we all…
https://downloads.avaya.com/css/P8/documents/100178648
12
#RSAC
Avaya 96xx Security Analysis
accidentally found this Exploit
… while trying to exploit another Exploit…
#RSAC
Avaya 96xx Security Analysis
Challenged by Avaya representative at NTSWG briefing on Cisco
Endpoint Exploitation
#RSAC
Avaya 96xx Security Analysis
Challenged by Avaya representative at NTSWG briefing on Cisco
Endpoint Exploitation
Challenge (eventually) accepted
#RSAC
Avaya 96xx exploitation process
Initial penetration
Difficult
Nearly zero attack surface without avaya environment
Resorted to physical tear-down
#RSAC
Avaya 96xx exploitation process
20 phone fuzz farm
#RSAC
Avaya 96xx exploitation process
20 phone fuzz farm
1 month automated fuzzing
#RSAC
Avaya 96xx exploitation process
20 phone fuzz farm
1 month automated fuzzing
10gb of crash data
#RSAC
Avaya 96xx exploitation process
20 phone fuzz farm
1 month automated fuzzing
10gb of crash data
10K+ documented crashes
#RSAC
Avaya 96xx exploitation process
20 phone fuzz farm
1 month automated fuzzing
10gb of crash data
10K+ documented crashes
Ran basic clustering algorithm to determine unique root-causes
#RSAC
Avaya 96xx exploitation process
Chose top 4 unique crash cases
#RSAC
Avaya 96xx exploitation process
Chose top 4 unique crash cases
All Reliably reproducible
#RSAC
Avaya 96xx exploitation process
Chose top 4 unique crash cases
All Reliably reproducible
Manual analysis for exploitability
#RSAC
p3wn like it’s 1998!
96x1Hupgrade.txt
#RSAC
p3wn like it’s 1998!
Hrm -)
#RSAC
Consequence #1
27
#RSAC
Consequence #2
28
#RSAC
Consequence #3
29
#RSAC
Consequence #4
Hacked Once,
Hacked Always
30
#RSAC
What’s on this slide and why couldn’t I show it?!
31
#RSAC
Embedded Exploitation Party Trick
Exploitable… with an text editor
#RSAC
Embedded Exploitation Party Trick
Exploitable… with an text editor
I can describe it to you in a single sentence
#RSAC
Embedded Exploitation Party Trick
Exploitable… with an text editor
I can describe it to you in a single sentence
Someone (not you) can do terrible things to your entire VoIP
infrastructure
#RSAC
Command Injection Vulnerability in Firmware Update Code!
35
#RSAC
36
PARTAY TRICK (Demo)
Let’s p3wn together -)
#RSAC
37
THIS IS YOUR SITUATION
1. Embedded exploitation is not “next level stuff”
It’s “This Level Stuff”
#RSAC
38
THIS IS YOUR SITUATION
1. Embedded exploitation is not “next level stuff”
2. Embedded exploitation is cheap
#RSAC
39
THIS IS YOUR SITUATION
1. Embedded exploitation is not “next level stuff”
2. Embedded exploitation is cheap
Billions are being spent on research.
#RSAC
40
THIS IS YOUR SITUATION
1. Embedded exploitation is not “next level stuff”
2. Embedded exploitation is cheap
Billions are being spent on research.
Just not the kind that helps you.
#RSAC
41
THIS IS YOUR SITUATION
1. Embedded exploitation is not “next level stuff”
2. Embedded exploitation is cheap
3. Embedded exploitation is effective
#RSAC
42
THIS IS YOUR SITUATION
1. Embedded exploitation is not “next level stuff”
2. Embedded exploitation is cheap
3. Embedded exploitation is effective
4. Embedded exploitation is persistent
#RSAC
43
THIS IS YOUR SITUATION
1. Embedded exploitation is not “next level stuff”
2. Embedded exploitation is cheap
3. Embedded exploitation is effective
4. Embedded exploitation is persistent
5. Embedded exploitation has no defense
#RSAC
44
Embedded Security landscape
Asymmetric Adversarial Dynamic
#RSAC
45
Embedded Security landscape
Which one Are You?
Asymmetric Adversarial Dynamic
#RSAC
46
1. You don’t know what software you are running
#RSAC
47
1. You don’t know what software you are running
2. You don’t have the right to look inside the software to find
vulnerabilities
#RSAC
48
1. You don’t know what software you are running
2. You don’t have the right to look inside the software to find
vulnerabilities
3. You can’t fix the vulnerability even if you know one exists
#RSAC
49
1. You don’t know what software you are running
2. You don’t have the right to look inside the software to find
vulnerabilities
3. You can’t fix the vulnerability even if you know one exists
4. You can update firmware
#RSAC
50
Firmware Update:
The act of of trading known vulnerabilities with unknown ones.
Ang’s Definition of Firmware Update
#RSAC
51
1. They know what software you are running
#RSAC
52
1. They know what software you are running
2. They look inside your software to find vulnerabilities
#RSAC
53
1. They know what software you are running
2. They look inside your software to find vulnerabilities
3. They can exploit the Vulnerabilities that you know about and
can’t fix
#RSAC
54
1. They know what software you are running
2. They look inside your software to find vulnerabilities
3. They can exploit the Vulnerabilities that you know about and
can’t fix
4. They know you probably don’t update firmware
#RSAC
55
We need a better game plan.
#RSAC
56
We need a better game plan.
Here is the distillation of
6 years of my
PhD research at
Columbia University
#RSAC
Sponsored By
57
#RSAC
My labor of love
58
219 Pages
Available Soon
Please read!
#RSAC
What we need in practical embedded defense
• retrofit existing devices with host-based defense
#RSAC
What we need in practical embedded defense
• retrofit existing devices with host-based defense
• Retrofit arbitrary devices with the same host-based defense
#RSAC
What we need in practical embedded defense
• retrofit existing devices with host-based defense
• Retrofit arbitrary devices with the same host-based defense
• Operating System Agnostic host-based defense
#RSAC
What we need in practical embedded defense
• retrofit existing devices with host-based defense
• Retrofit arbitrary devices with the same host-based defense
• Operating System Agnostic host-based defense And…
• Run defense on RTOS without breaking functionality
#RSAC
What we need in practical embedded defense
• retrofit existing devices with host-based defense
• Retrofit arbitrary devices with the same host-based defense
• Operating System Agnostic host-based defense
• Run defense on RTOS without breaking functionality
• Do it without requiring hardware modification
#RSAC
What we need in practical embedded defense
• retrofit existing devices with host-based defense
• Retrofit arbitrary devices with the same host-based defense
• Operating System Agnostic host-based defense
And…
• Run defense on RTOS without breaking functionality
• Do it without requiring hardware modification
• Do this without vendor IP / Source Code (just the binary!)
#RSAC
Two Ideas for Embedded Security
65
1 Universal
Host-Based Defense For
All Devices
Software Symbiote
#RSAC
Two Ideas for Embedded Security
66
2 Automated Attack
Surface Reduction
Autotomic Binary Structure Randomization
#RSAC
Two Ideas for Embedded Security
67
2 Strong Binary
Randomization For All
Devices
Autotomic Binary Structure Randomization
#RSAC
Symbiote Structure
Drop in a Defensive Symbiote Payload
#RSAC
UNPACKING ENGINE
* patent pending
#RSAC
* patent pending
Analysis
&
modification
#RSAC
* patent pending
#RSAC
REPACKED
* patent pending
#RSAC
#RSAC
#RSAC
#RSAC
HTTP, HTTPS LDAP SNMP TELNET PRINT SERVER SSH ETC, ETC RFU Firmware Update Service
#RSAC
HTTP, HTTPS LDAP SNMP TELNET PRINT SERVER SSH ETC, ETC RFU Firmware Update Service
#RSAC
Autotomic Binary Structure Randomization
• Automated Attack Surface Reduction
#RSAC
Autotomic Binary Structure Randomization
• Automated Attack Surface Reduction
• Automated Non-localized, In-place binary randomization
#RSAC
Autotomic Binary Structure Randomization
• Automated Attack Surface Reduction
• Automated Non-localized, In-place binary randomization
Autotomic Binary Reduction + Binary Structure Randomization
(ABR) (BSR)
#RSAC
Autotomic Binary Reduction
#RSAC
#RSAC
83
Busybox – ARM - Linux
All but unzip, sha512
51.3% binary reduction.
#RSAC
The short story…
It works!
Srsly, read the papers!
#RSAC
Make Impact
Transfer Technology, Protect What Matters
#RSAC
Make Impact
Today, Symbiote Technology Used In
Civilian Government
#RSAC
Make Impact
Today, Symbiote Technology Used In
Civilian Government
Military Infrastructure
#RSAC
Make Impact
Today, Symbiote Technology Used In
Civilian Government
Military Infrastructure
Enterprise Appliances
#RSAC
The World’s Most Secure Router
11:15 AM, Wednesday
DHS Science & Technology
Booth 202