0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/867 Thanks! 1 00:00:17,000 --> 00:00:19,099 A warm welcome to you all, and 2 00:00:19,100 --> 00:00:21,079 especially to Marius, who will now talk 3 00:00:21,080 --> 00:00:23,269 about the Avatar two 4 00:00:23,270 --> 00:00:25,639 reverse engineering framework for firmware. 5 00:00:25,640 --> 00:00:26,640 Thank you. 6 00:00:35,890 --> 00:00:36,999 All right. 7 00:00:37,000 --> 00:00:38,829 Thanks for the introduction. 8 00:00:38,830 --> 00:00:40,989 As stated, I'm Marius, and I'm here 9 00:00:40,990 --> 00:00:41,529 today 10 00:00:41,530 --> 00:00:43,689 to talk about Avatar 11 00:00:43,690 --> 00:00:44,589 two. 12 00:00:44,590 --> 00:00:45,729 I developed it as 13 00:00:45,730 --> 00:00:46,659 part of my Ph.D. 14 00:00:46,660 --> 00:00:47,199 studies 15 00:00:47,200 --> 00:00:48,339 over at EURECOM. 16 00:00:48,340 --> 00:00:49,149 And if I say 17 00:00:49,150 --> 00:00:51,669 Avatar, I don't refer to 18 00:00:51,670 --> 00:00:53,949 a movie by James Cameron or a metal band, 19 00:00:53,950 --> 00:00:56,109 but I refer to the actual Avatar 20 00:00:56,110 --> 00:00:57,549 two framework. 21 00:00:58,780 --> 00:01:01,209 Let's see how I 22 00:01:01,210 --> 00:01:03,279 will try to communicate 23 00:01:03,280 --> 00:01:04,659 with you about the framework. 24 00:01:04,660 --> 00:01:06,369 So first, I want to tell 25 00:01:06,370 --> 00:01:08,079 you a little bit about binary firmware 26 00:01:08,080 --> 00:01:09,579 analysis in general. 27 00:01:09,580 --> 00:01:11,619 Then I want to shortly discuss the tooling 28 00:01:11,620 --> 00:01:12,279 landscape, to 29 00:01:12,280 --> 00:01:14,379 see what other people have done 30 00:01:14,380 --> 00:01:15,639 and are doing.
31 00:01:15,640 --> 00:01:18,069 Then I actually introduce the 32 00:01:18,070 --> 00:01:20,199 high level concepts of Avatar two, 33 00:01:20,200 --> 00:01:22,269 the framework itself. 34 00:01:22,270 --> 00:01:24,369 And in the end, I'm going to 35 00:01:24,370 --> 00:01:26,559 give you a couple of examples to show 36 00:01:26,560 --> 00:01:28,989 how the tool can be used and 37 00:01:28,990 --> 00:01:30,279 is used by us, in fact. 38 00:01:31,570 --> 00:01:34,089 So let's start with 39 00:01:34,090 --> 00:01:35,949 binary firmware analysis. 40 00:01:35,950 --> 00:01:38,709 Why are we interested in analyzing 41 00:01:38,710 --> 00:01:40,599 firmware of embedded devices? 42 00:01:40,600 --> 00:01:42,699 Well, as we know, the amount 43 00:01:42,700 --> 00:01:44,919 of embedded devices is steadily 44 00:01:44,920 --> 00:01:47,049 increasing. Day by day, words like 45 00:01:47,050 --> 00:01:49,509 Internet of Things and so on are around. 46 00:01:49,510 --> 00:01:51,489 In the end, these are just interconnected 47 00:01:51,490 --> 00:01:53,349 embedded devices. 48 00:01:53,350 --> 00:01:55,059 Misconfigurations, bugs 49 00:01:55,060 --> 00:01:57,159 and vulnerabilities are common on those 50 00:01:57,160 --> 00:01:58,239 devices. 51 00:01:58,240 --> 00:02:00,369 And I would say that 52 00:02:00,370 --> 00:02:02,649 a majority of the reported vulns 53 00:02:02,650 --> 00:02:05,409 we find so far on those devices 54 00:02:05,410 --> 00:02:07,989 are mainly misconfigurations 55 00:02:07,990 --> 00:02:09,819 or low-hanging fruits like 56 00:02:11,710 --> 00:02:14,269 disclosed private keys, 57 00:02:14,270 --> 00:02:16,369 misconfiguration of the web server, or 58 00:02:16,370 --> 00:02:18,699 just simple bugs in 59 00:02:18,700 --> 00:02:20,489 the web server itself.
60 00:02:20,490 --> 00:02:22,779 However, we hope 61 00:02:22,780 --> 00:02:24,369 that in the future 62 00:02:24,370 --> 00:02:26,559 something is going to change and vendors 63 00:02:26,560 --> 00:02:29,049 maybe secure their software more, 64 00:02:29,050 --> 00:02:31,209 and then we would need to 65 00:02:31,210 --> 00:02:33,399 actually hunt for more complex 66 00:02:33,400 --> 00:02:35,649 bugs, which are also still 67 00:02:35,650 --> 00:02:37,059 in there in firmware. 68 00:02:37,060 --> 00:02:39,459 However, when we want to find 69 00:02:39,460 --> 00:02:41,109 more complex bugs, 70 00:02:41,110 --> 00:02:42,729 we need more sophisticated 71 00:02:42,730 --> 00:02:44,769 tooling to succeed. 72 00:02:44,770 --> 00:02:45,369 Of course, we 73 00:02:45,370 --> 00:02:47,679 can sit down and reverse engineer 74 00:02:47,680 --> 00:02:49,809 a long time, but at some point in 75 00:02:49,810 --> 00:02:52,030 time, tooling will greatly benefit us. 76 00:02:53,590 --> 00:02:55,719 However, there are, especially 77 00:02:55,720 --> 00:02:57,519 compared to desktop systems, 78 00:02:57,520 --> 00:02:58,299 a lot of 79 00:02:58,300 --> 00:03:00,729 challenges present for firmware 80 00:03:00,730 --> 00:03:01,779 analysis. 81 00:03:01,780 --> 00:03:03,549 First of all, there are a 82 00:03:03,550 --> 00:03:05,269 variety of platforms. 83 00:03:05,270 --> 00:03:06,909 There are a variety of different boards, 84 00:03:06,910 --> 00:03:07,329 system 85 00:03:07,330 --> 00:03:09,399 on chips, which all come with their 86 00:03:09,400 --> 00:03:10,809 own memory layout 87 00:03:10,810 --> 00:03:13,179 and their own hardware peripherals, which 88 00:03:13,180 --> 00:03:15,249 may be mapped at certain addresses and 89 00:03:15,250 --> 00:03:17,979 may behave completely differently on 90 00:03:17,980 --> 00:03:18,980 other devices. 91 00:03:20,410 --> 00:03:22,959 Furthermore, there's often no operating 92 00:03:22,960 --> 00:03:24,219 system level of abstraction.
93 00:03:25,870 --> 00:03:28,089 Some of the firmware out there is 94 00:03:28,090 --> 00:03:29,409 based on Linux. 95 00:03:29,410 --> 00:03:31,479 However, there's also a lot of 96 00:03:31,480 --> 00:03:33,759 monolithic firmware around which 97 00:03:33,760 --> 00:03:36,399 just uses no kernel at all or 98 00:03:36,400 --> 00:03:38,469 has some small, tiny 99 00:03:38,470 --> 00:03:40,329 embedded systems kernel. 100 00:03:40,330 --> 00:03:42,579 In both cases, the 101 00:03:42,580 --> 00:03:45,009 hardware interactions will be embedded 102 00:03:45,010 --> 00:03:45,699 in the firmware 103 00:03:45,700 --> 00:03:47,799 code itself and not 104 00:03:47,800 --> 00:03:49,749 as part of the kernel. 105 00:03:49,750 --> 00:03:52,659 This forms actually a problem because 106 00:03:52,660 --> 00:03:54,789 when the firmware accesses hardware, which 107 00:03:54,790 --> 00:03:57,549 might be via memory-mapped input output, 108 00:03:57,550 --> 00:04:00,279 or it might receive 109 00:04:00,280 --> 00:04:02,079 interrupts from the hardware, for 110 00:04:02,080 --> 00:04:02,379 instance, 111 00:04:02,380 --> 00:04:05,079 when new data is available on a bus, 112 00:04:05,080 --> 00:04:06,009 we need to 113 00:04:06,010 --> 00:04:08,599 somehow fetch it in our analysis 114 00:04:08,600 --> 00:04:09,600 and our tooling. 115 00:04:10,780 --> 00:04:12,489 On top of that, there are just a 116 00:04:12,490 --> 00:04:14,679 variety of architectures, 117 00:04:14,680 --> 00:04:16,479 like not only a lot of platforms, but 118 00:04:16,480 --> 00:04:18,819 also a lot of vendors and architectures 119 00:04:18,820 --> 00:04:19,898 are around, 120 00:04:19,899 --> 00:04:22,329 while we have on desktop systems 121 00:04:22,330 --> 00:04:23,049 mainly 122 00:04:23,050 --> 00:04:25,189 x86 and x86-64 123 00:04:25,190 --> 00:04:26,190 around. 124 00:04:26,830 --> 00:04:27,879 On embedded devices,
125 00:04:27,880 --> 00:04:29,319 we can have all the different 126 00:04:29,320 --> 00:04:31,479 architectures from MIPS, PowerPC, 127 00:04:31,480 --> 00:04:32,949 even sometimes SPARC. 128 00:04:32,950 --> 00:04:35,289 And just 129 00:04:35,290 --> 00:04:35,769 to give you 130 00:04:35,770 --> 00:04:37,749 one example, please don't attempt to read 131 00:04:37,750 --> 00:04:38,750 the next slide. 132 00:04:39,580 --> 00:04:41,649 This is just a list of the 133 00:04:41,650 --> 00:04:43,839 microarchitectures as defined by ARM. 134 00:04:45,220 --> 00:04:47,739 And this is just ARM itself, 135 00:04:47,740 --> 00:04:49,869 not the third-party vendors for ARM, 136 00:04:49,870 --> 00:04:51,969 which make the system on 137 00:04:51,970 --> 00:04:52,659 chips. 138 00:04:52,660 --> 00:04:55,059 These are around 30 139 00:04:55,060 --> 00:04:57,249 different microarchitectures, all 140 00:04:57,250 --> 00:04:58,779 with tiny differences 141 00:04:58,780 --> 00:05:01,119 in the architecture, which is quite 142 00:05:01,120 --> 00:05:03,309 challenging to grasp in 143 00:05:03,310 --> 00:05:04,310 a generic tool. 144 00:05:06,820 --> 00:05:07,719 And there are even 145 00:05:07,720 --> 00:05:09,519 more challenges which we are facing in 146 00:05:09,520 --> 00:05:11,829 comparison to desktop systems. 147 00:05:11,830 --> 00:05:13,809 Binary analysis on desktop systems 148 00:05:13,810 --> 00:05:15,939 normally greatly 149 00:05:15,940 --> 00:05:16,779 uses 150 00:05:16,780 --> 00:05:17,769 instrumentation, 151 00:05:17,770 --> 00:05:20,319 so it instruments the software 152 00:05:20,320 --> 00:05:20,659 under 153 00:05:20,660 --> 00:05:24,099 test, or the analysis, to 154 00:05:24,100 --> 00:05:26,319 add certain hooks or, AddressSanitizer for 155 00:05:26,320 --> 00:05:28,179 instance, checks during runtime that 156 00:05:28,180 --> 00:05:28,719 everything's 157 00:05:28,720 --> 00:05:31,479 going fine, and on an embedded device
158 00:05:31,480 --> 00:05:33,579 this is challenging due 159 00:05:33,580 --> 00:05:34,809 to two reasons. 160 00:05:34,810 --> 00:05:35,789 One, again, the 161 00:05:35,790 --> 00:05:36,779 missing abstraction 162 00:05:36,780 --> 00:05:38,369 of the operating system. 163 00:05:38,370 --> 00:05:40,709 And furthermore, quite often, the code 164 00:05:40,710 --> 00:05:42,899 only resides inside read 165 00:05:42,900 --> 00:05:44,979 only memory of an 166 00:05:44,980 --> 00:05:46,169 embedded device. 167 00:05:46,170 --> 00:05:47,349 So what does this mean? 168 00:05:47,350 --> 00:05:48,629 Read only memory. 169 00:05:48,630 --> 00:05:50,669 We will need to flash it to change its 170 00:05:50,670 --> 00:05:52,679 contents. However, then on the other 171 00:05:52,680 --> 00:05:54,749 side, firmware might be 172 00:05:54,750 --> 00:05:57,119 encrypted or signed by the vendor. 173 00:05:57,120 --> 00:05:59,429 So instrumentation is 174 00:05:59,430 --> 00:06:01,999 harder than on desktop systems. 175 00:06:02,000 --> 00:06:04,649 Likewise, emulation is challenging: 176 00:06:04,650 --> 00:06:06,869 while on 177 00:06:06,870 --> 00:06:09,149 modern desktop systems, all abstraction, 178 00:06:09,150 --> 00:06:11,279 all hardware interaction is handled 179 00:06:11,280 --> 00:06:13,409 by the kernel, which can be easily 180 00:06:13,410 --> 00:06:15,419 abstracted by an emulator, 181 00:06:15,420 --> 00:06:17,579 we don't have these 182 00:06:17,580 --> 00:06:18,329 comprehensive 183 00:06:18,330 --> 00:06:20,279 possibilities for embedded devices.
184 00:06:22,260 --> 00:06:24,299 The reason for that is that there are a 185 00:06:24,300 --> 00:06:26,369 lot of peripherals around which 186 00:06:26,370 --> 00:06:26,819 interact 187 00:06:26,820 --> 00:06:28,619 differently with the hardware, 188 00:06:28,620 --> 00:06:30,749 and as a result, 189 00:06:30,750 --> 00:06:32,069 being able to emulate 190 00:06:32,070 --> 00:06:33,819 all of the underlying hardware 191 00:06:33,820 --> 00:06:36,689 of an embedded device is 192 00:06:36,690 --> 00:06:39,329 a lot of implementation effort. 193 00:06:39,330 --> 00:06:41,100 Likewise, fault detection: 194 00:06:42,510 --> 00:06:45,149 when we, for instance, fuzz on 195 00:06:46,350 --> 00:06:48,419 desktop systems, we most 196 00:06:48,420 --> 00:06:49,469 often times rely 197 00:06:49,470 --> 00:06:52,349 on observable crashes like 198 00:06:52,350 --> 00:06:54,149 segmentation faults or 199 00:06:55,260 --> 00:06:57,389 the error handling of 200 00:06:57,390 --> 00:06:59,459 glibc for heap corruptions 201 00:06:59,460 --> 00:07:01,799 and so on. So we get a visible output 202 00:07:01,800 --> 00:07:04,439 or we get a noticeable 203 00:07:04,440 --> 00:07:07,079 output when we corrupt 204 00:07:07,080 --> 00:07:08,069 memory. 205 00:07:08,070 --> 00:07:10,229 On firmware, this is different. 206 00:07:10,230 --> 00:07:12,389 Firstly, even a lot 207 00:07:12,390 --> 00:07:14,519 of Linux-based embedded devices are 208 00:07:14,520 --> 00:07:16,049 not, well, most of the times 209 00:07:16,050 --> 00:07:18,149 are not utilizing glibc, 210 00:07:18,150 --> 00:07:20,579 so heap protections are 211 00:07:20,580 --> 00:07:22,679 way, way smaller, if 212 00:07:22,680 --> 00:07:23,969 present at all.
213 00:07:23,970 --> 00:07:25,079 And some devices 214 00:07:25,080 --> 00:07:26,730 may not even contain a 215 00:07:28,320 --> 00:07:29,879 memory management unit, 216 00:07:29,880 --> 00:07:31,589 which in the first place enables the 217 00:07:31,590 --> 00:07:33,569 notion of segfaults or invalid memory 218 00:07:33,570 --> 00:07:34,649 accesses. 219 00:07:34,650 --> 00:07:35,650 So in this case, 220 00:07:37,230 --> 00:07:39,029 the firmware might just continue to be 221 00:07:39,030 --> 00:07:39,989 executed, or 222 00:07:39,990 --> 00:07:41,940 it corrupts the state of the program. 223 00:07:43,170 --> 00:07:46,079 Another big issue is interrupt handling, 224 00:07:46,080 --> 00:07:48,149 because a lot 225 00:07:48,150 --> 00:07:49,949 of firmware is basically designed in 226 00:07:49,950 --> 00:07:52,109 a way that it runs continuously 227 00:07:52,110 --> 00:07:54,089 inside a single main loop 228 00:07:54,090 --> 00:07:54,809 and 229 00:07:54,810 --> 00:07:56,789 just checks memory contents. 230 00:07:56,790 --> 00:07:58,199 Those memory contents are 231 00:07:58,200 --> 00:08:00,689 updated by interrupt handlers 232 00:08:00,690 --> 00:08:03,469 and will drive 233 00:08:03,470 --> 00:08:05,849 the execution path of the main loop 234 00:08:05,850 --> 00:08:07,439 once triggered. 235 00:08:07,440 --> 00:08:09,869 If we go with static analysis, 236 00:08:09,870 --> 00:08:11,609 we will need to define 237 00:08:11,610 --> 00:08:13,799 where those interrupts are triggered. 238 00:08:14,940 --> 00:08:17,129 Furthermore, as we saw before, 239 00:08:17,130 --> 00:08:18,629 there are a lot of different 240 00:08:18,630 --> 00:08:20,249 microarchitectures around, and 241 00:08:20,250 --> 00:08:22,619 microarchitectures have a lot of 242 00:08:22,620 --> 00:08:23,909 small, tiny 243 00:08:23,910 --> 00:08:26,069 changes and single 244 00:08:26,070 --> 00:08:27,659 instructions only present in this 245 00:08:27,660 --> 00:08:28,709 microarchitecture.
246 00:08:30,360 --> 00:08:32,548 I mean, for instance, co-processor 247 00:08:32,549 --> 00:08:34,918 accesses on ARM cores 248 00:08:34,919 --> 00:08:37,229 are very varying from 249 00:08:37,230 --> 00:08:39,959 core to core or from microarchitecture 250 00:08:39,960 --> 00:08:41,668 to microarchitecture. 251 00:08:41,669 --> 00:08:43,979 So this showed 252 00:08:43,980 --> 00:08:45,209 a little bit of the challenges 253 00:08:45,210 --> 00:08:47,129 we have in the field of dynamic firmware 254 00:08:47,130 --> 00:08:48,179 analysis. 255 00:08:48,180 --> 00:08:51,119 Let's look at the tooling landscape. 256 00:08:51,120 --> 00:08:52,019 Compared to 257 00:08:52,020 --> 00:08:54,059 desktop systems, 258 00:08:54,060 --> 00:08:56,099 the tooling landscape is, due to the 259 00:08:56,100 --> 00:08:58,799 challenges, way smaller, 260 00:08:58,800 --> 00:08:59,999 and especially 261 00:09:00,000 --> 00:09:02,159 smaller when only considering open source 262 00:09:02,160 --> 00:09:03,160 tools. 263 00:09:07,260 --> 00:09:09,419 Furthermore, while 264 00:09:09,420 --> 00:09:11,279 a lot of static 265 00:09:11,280 --> 00:09:13,139 analysis systems for desktop systems 266 00:09:13,140 --> 00:09:14,129 exist, 267 00:09:14,130 --> 00:09:16,289 they may exceed 268 00:09:16,290 --> 00:09:16,859 the bounds 269 00:09:16,860 --> 00:09:19,859 when being applied to embedded firmware 270 00:09:19,860 --> 00:09:22,199 because they need to approximate the 271 00:09:22,200 --> 00:09:24,419 environment, which is not 272 00:09:24,420 --> 00:09:27,209 always possible in the embedded case. 273 00:09:27,210 --> 00:09:29,399 And it is also possible to 274 00:09:29,400 --> 00:09:31,319 infer the behavior of peripherals and 275 00:09:31,320 --> 00:09:32,609 interrupts. 276 00:09:32,610 --> 00:09:33,719 In the following,
277 00:09:33,720 --> 00:09:35,849 I will show you four open 278 00:09:35,850 --> 00:09:38,069 source tools which are 279 00:09:38,070 --> 00:09:40,020 aiming to analyze firmware. 280 00:09:41,640 --> 00:09:43,709 So obviously this is not a 281 00:09:43,710 --> 00:09:45,989 comprehensive list, but gives a glimpse 282 00:09:45,990 --> 00:09:46,529 of 283 00:09:46,530 --> 00:09:48,059 what has been done and what kind of 284 00:09:48,060 --> 00:09:49,890 different approaches are out there. 285 00:09:51,240 --> 00:09:53,519 So let's start with FIE. 286 00:09:53,520 --> 00:09:55,679 FIE is a symbolic 287 00:09:55,680 --> 00:09:57,839 execution engine for MSP 288 00:09:57,840 --> 00:10:00,269 430 firmware, which was based 289 00:10:00,270 --> 00:10:02,369 on KLEE. So KLEE is the 290 00:10:02,370 --> 00:10:04,439 main symbolic execution 291 00:10:04,440 --> 00:10:06,509 framework here, which 292 00:10:06,510 --> 00:10:08,879 basically operates on the LLVM intermediate 293 00:10:08,880 --> 00:10:09,880 representation. 294 00:10:10,920 --> 00:10:12,989 In order to have FIE working, the 295 00:10:12,990 --> 00:10:15,959 analyst needs to specify 296 00:10:15,960 --> 00:10:18,179 explicit analysis, memory 297 00:10:18,180 --> 00:10:20,339 and interrupt specifications. 298 00:10:20,340 --> 00:10:22,679 The analysis specification hereby 299 00:10:22,680 --> 00:10:25,049 defines, among others, 300 00:10:25,050 --> 00:10:27,449 the memory layout of 301 00:10:27,450 --> 00:10:30,719 the firmware under analysis. 302 00:10:30,720 --> 00:10:33,089 Furthermore, the memory 303 00:10:33,090 --> 00:10:34,090 specification 304 00:10:35,040 --> 00:10:37,529 specifies how memory should react 305 00:10:37,530 --> 00:10:39,659 when it's read from 306 00:10:39,660 --> 00:10:40,059 and written 307 00:10:40,060 --> 00:10:41,009 to.
So this is 308 00:10:41,010 --> 00:10:43,529 basically a way to abstract memory, 309 00:10:43,530 --> 00:10:45,749 so that when 310 00:10:45,750 --> 00:10:47,489 particular memory cells are accessed, 311 00:10:47,490 --> 00:10:49,679 symbolic values or specific concrete 312 00:10:49,680 --> 00:10:51,899 values can be injected into 313 00:10:51,900 --> 00:10:52,900 the analysis. 314 00:10:53,940 --> 00:10:56,339 The interrupt specification is, 315 00:10:56,340 --> 00:10:58,409 well, defining at 316 00:10:58,410 --> 00:10:59,099 which points 317 00:10:59,100 --> 00:11:01,259 interrupts occur and which 318 00:11:01,260 --> 00:11:03,240 interrupt handler shall be executed. 319 00:11:04,530 --> 00:11:06,809 While this is a great work which 320 00:11:06,810 --> 00:11:08,579 doesn't need any presence of a physical 321 00:11:08,580 --> 00:11:11,429 device and could successfully 322 00:11:11,430 --> 00:11:13,499 analyze quite some MSP430 323 00:11:13,500 --> 00:11:16,049 firmware, it required 324 00:11:16,050 --> 00:11:16,589 the presence 325 00:11:16,590 --> 00:11:19,109 of the source code of the firmware, because 326 00:11:19,110 --> 00:11:21,209 that's basically the way KLEE 327 00:11:21,210 --> 00:11:22,210 works. 328 00:11:24,420 --> 00:11:27,239 So unfortunately, 329 00:11:27,240 --> 00:11:29,429 source code is not that 330 00:11:29,430 --> 00:11:29,759 often 331 00:11:29,760 --> 00:11:31,619 available when we are analyzing 332 00:11:31,620 --> 00:11:32,339 firmware. 333 00:11:32,340 --> 00:11:34,409 So let's have a look at 334 00:11:34,410 --> 00:11:36,959 binary analysis tools.
335 00:11:36,960 --> 00:11:39,419 First, there is Firmadyne, 336 00:11:39,420 --> 00:11:41,669 which is a binary 337 00:11:41,670 --> 00:11:42,389 analysis 338 00:11:42,390 --> 00:11:43,919 framework based on 339 00:11:43,920 --> 00:11:46,019 QEMU, a popular full 340 00:11:46,020 --> 00:11:47,669 system emulator, which 341 00:11:47,670 --> 00:11:49,999 also enables 342 00:11:50,000 --> 00:11:51,719 user space emulation of single 343 00:11:51,720 --> 00:11:53,339 processes. 344 00:11:53,340 --> 00:11:55,439 However, in this context, QEMU 345 00:11:55,440 --> 00:11:57,809 is used as full system emulator 346 00:11:57,810 --> 00:11:59,999 and brings a lot of 347 00:12:00,000 --> 00:12:02,099 architectures which can be emulated 348 00:12:02,100 --> 00:12:03,359 and additionally, 349 00:12:03,360 --> 00:12:05,819 a lot of hardware boards 350 00:12:05,820 --> 00:12:08,159 or hardware layouts. 351 00:12:08,160 --> 00:12:10,319 Firmadyne targets ARM and MIPS firmware 352 00:12:10,320 --> 00:12:12,659 specifically and uses 353 00:12:12,660 --> 00:12:12,839 an 354 00:12:12,840 --> 00:12:14,519 instrumented Linux kernel. 355 00:12:14,520 --> 00:12:17,399 So basically, it takes the extracted 356 00:12:17,400 --> 00:12:19,559 Linux-based firmware, puts it 357 00:12:19,560 --> 00:12:22,499 inside the QEMU emulator, 358 00:12:22,500 --> 00:12:22,859 and 359 00:12:22,860 --> 00:12:24,509 runs it with their own implemented 360 00:12:24,510 --> 00:12:25,619 kernel. 361 00:12:25,620 --> 00:12:27,959 This kernel allows automated 362 00:12:27,960 --> 00:12:30,359 analysis, which allows plugins, 363 00:12:30,360 --> 00:12:32,479 for instance, analysis of 364 00:12:32,480 --> 00:12:34,799 webpages and SNMP 365 00:12:34,800 --> 00:12:36,849 protocol implementations.
366 00:12:36,850 --> 00:12:38,759 Additionally, interesting is that this 367 00:12:38,760 --> 00:12:40,259 framework has capabilities 368 00:12:40,260 --> 00:12:42,509 to automatically run 369 00:12:42,510 --> 00:12:44,429 known exploits, mainly known 370 00:12:44,430 --> 00:12:46,769 from Metasploit, against 371 00:12:46,770 --> 00:12:48,689 the emulated firmware. 372 00:12:48,690 --> 00:12:51,210 And quite interestingly, 373 00:12:52,320 --> 00:12:53,999 a lot of exploits 374 00:12:54,000 --> 00:12:56,369 found on one device can be propagated 375 00:12:56,370 --> 00:12:57,779 to other devices, 376 00:12:58,980 --> 00:13:01,229 which basically means that there's also 377 00:13:01,230 --> 00:13:03,509 a huge code base shared among different 378 00:13:03,510 --> 00:13:06,119 kinds of embedded devices, 379 00:13:06,120 --> 00:13:07,649 at least in the Linux-based world. 380 00:13:09,390 --> 00:13:11,459 Yeah, unfortunately, the downside here 381 00:13:11,460 --> 00:13:13,949 is that it only works for Linux-based 382 00:13:13,950 --> 00:13:16,019 firmware, and only if there are 383 00:13:16,020 --> 00:13:18,449 no too specific kernel modules around. 384 00:13:18,450 --> 00:13:21,119 Because if somebody's device needs to 385 00:13:21,120 --> 00:13:23,719 do hardware interactions with remote 386 00:13:23,720 --> 00:13:23,939 or 387 00:13:23,940 --> 00:13:26,279 specific hardware 388 00:13:26,280 --> 00:13:28,169 peripherals, this will most likely be 389 00:13:28,170 --> 00:13:31,049 done via specific kernel modules, 390 00:13:31,050 --> 00:13:33,149 and if they can't be emulated, 391 00:13:33,150 --> 00:13:35,099 Firmadyne fails to succeed. 392 00:13:36,840 --> 00:13:38,579 Another interesting project, which was 393 00:13:38,580 --> 00:13:41,459 released this year, is LuaQEMU, 394 00:13:41,460 --> 00:13:43,589 which is, as the name kind 395 00:13:43,590 --> 00:13:44,369 of suggests, 396 00:13:44,370 --> 00:13:46,469 also based on QEMU.
397 00:13:46,470 --> 00:13:48,959 It is considered a work in progress, 398 00:13:48,960 --> 00:13:51,239 and the example released together 399 00:13:51,240 --> 00:13:53,709 with the tool was targeting 400 00:13:53,710 --> 00:13:55,199 BCM4358 401 00:13:55,200 --> 00:13:58,019 chips' firmware. 402 00:13:58,020 --> 00:14:00,589 So these chips are 403 00:14:00,590 --> 00:14:02,369 Wi-Fi chips 404 00:14:02,370 --> 00:14:05,309 used, for instance, in a lot of 405 00:14:05,310 --> 00:14:06,310 smartphones. 406 00:14:07,740 --> 00:14:09,989 It is enabling, 407 00:14:09,990 --> 00:14:12,269 LuaQEMU, the prototyping of custom 408 00:14:12,270 --> 00:14:14,399 hardware platforms or boards in 409 00:14:14,400 --> 00:14:16,559 QEMU with Lua, and 410 00:14:16,560 --> 00:14:17,609 also adds 411 00:14:17,610 --> 00:14:19,769 instrumentation capabilities based on 412 00:14:19,770 --> 00:14:22,079 Lua for different events inside 413 00:14:22,080 --> 00:14:23,080 QEMU. 414 00:14:24,840 --> 00:14:26,909 Unfortunately, this 415 00:14:26,910 --> 00:14:29,609 only emulates the firmware alone, 416 00:14:29,610 --> 00:14:30,509 and there is a lot 417 00:14:30,510 --> 00:14:32,040 of hardware interaction going on, 418 00:14:33,090 --> 00:14:34,799 especially during initialization 419 00:14:34,800 --> 00:14:36,869 functions. This requires either 420 00:14:36,870 --> 00:14:39,089 a lot of modeling or trial 421 00:14:39,090 --> 00:14:39,779 and error to 422 00:14:39,780 --> 00:14:42,329 prune out execution paths which are not 423 00:14:42,330 --> 00:14:44,399 relevant for the analysis 424 00:14:44,400 --> 00:14:45,479 or for the analyst. 425 00:14:47,550 --> 00:14:50,069 So the last tool I 426 00:14:50,070 --> 00:14:52,529 want to talk about is Avatar, 427 00:14:52,530 --> 00:14:53,519 the first one.
428 00:14:53,520 --> 00:14:55,589 So some of you may have thought, 429 00:14:55,590 --> 00:14:57,569 if I'm talking about Avatar two, there 430 00:14:57,570 --> 00:14:59,399 must have been a first Avatar. 431 00:14:59,400 --> 00:15:01,949 And this tool 432 00:15:01,950 --> 00:15:04,379 was based on S2E, which basically 433 00:15:04,380 --> 00:15:06,749 is again a combination of QEMU 434 00:15:06,750 --> 00:15:08,759 and KLEE, which allows 435 00:15:08,760 --> 00:15:11,759 symbolic execution 436 00:15:11,760 --> 00:15:14,759 of QEMU-emulated firmware. 437 00:15:14,760 --> 00:15:17,169 Additionally, Avatar utilizes, 438 00:15:17,170 --> 00:15:20,069 utilizes OpenOCD and GDB 439 00:15:20,070 --> 00:15:23,009 and allows partial emulation 440 00:15:23,010 --> 00:15:23,579 of ARM 441 00:15:23,580 --> 00:15:24,509 firmware. 442 00:15:24,510 --> 00:15:26,129 So what's partial emulation? 443 00:15:27,270 --> 00:15:29,399 It basically means 444 00:15:29,400 --> 00:15:31,709 that the 445 00:15:31,710 --> 00:15:33,839 firmware itself or parts of the firmware 446 00:15:33,840 --> 00:15:34,849 itself 447 00:15:34,850 --> 00:15:36,839 run on the board or 448 00:15:36,840 --> 00:15:37,970 inside the emulator, 449 00:15:39,480 --> 00:15:41,969 and specific 450 00:15:41,970 --> 00:15:43,169 hardware requests 451 00:15:43,170 --> 00:15:45,419 like memory I/O are 452 00:15:45,420 --> 00:15:47,549 forwarded to the actual physical device 453 00:15:47,550 --> 00:15:50,009 via a combination of OpenOCD 454 00:15:50,010 --> 00:15:51,210 and GDB.
455 00:15:52,410 --> 00:15:54,869 Additionally, Avatar provided 456 00:15:54,870 --> 00:15:57,389 ways for orchestration, 457 00:15:57,390 --> 00:15:59,459 so that you can, for instance, start 458 00:15:59,460 --> 00:16:01,949 executing on the device, then 459 00:16:01,950 --> 00:16:03,119 transfer the important 460 00:16:03,120 --> 00:16:05,219 states or the important memory layouts 461 00:16:05,220 --> 00:16:08,189 and the registers inside the emulator 462 00:16:08,190 --> 00:16:10,949 and continue execution 463 00:16:10,950 --> 00:16:13,049 inside the emulator, inside 464 00:16:13,050 --> 00:16:13,859 S2E. 465 00:16:13,860 --> 00:16:16,019 This allows basically to skip 466 00:16:16,020 --> 00:16:16,379 all 467 00:16:16,380 --> 00:16:19,019 the initialization functions of a board 468 00:16:19,020 --> 00:16:21,210 which are not interesting for an analysis. 469 00:16:22,260 --> 00:16:23,970 Additionally, and quite obviously, 470 00:16:25,110 --> 00:16:28,619 as S2E is using KLEE, it also 471 00:16:28,620 --> 00:16:30,689 brings symbolic execution 472 00:16:30,690 --> 00:16:33,029 and selective symbolic execution 473 00:16:33,030 --> 00:16:34,049 for firmware. 474 00:16:35,250 --> 00:16:37,589 Unfortunately, Avatar one was 475 00:16:37,590 --> 00:16:40,799 heavily tied to the S2E infrastructure, 476 00:16:40,800 --> 00:16:43,079 and it requires in every 477 00:16:43,080 --> 00:16:43,679 setup 478 00:16:43,680 --> 00:16:45,749 the presence of the physical device 479 00:16:45,750 --> 00:16:47,939 to succeed with 480 00:16:47,940 --> 00:16:49,320 the partial emulation. 481 00:16:50,790 --> 00:16:52,979 So what did we learn from 482 00:16:52,980 --> 00:16:54,959 looking at those four tools? 483 00:16:54,960 --> 00:16:57,389 First of all, there's a lot of focus 484 00:16:57,390 --> 00:16:58,499 on the 485 00:16:58,500 --> 00:16:59,889 architecture of 486 00:16:59,890 --> 00:17:01,379 ARM, really.
487 00:17:01,380 --> 00:17:04,108 The majority of tools is utilizing 488 00:17:04,109 --> 00:17:06,299 QEMU's emulation capabilities 489 00:17:06,300 --> 00:17:06,509 as 490 00:17:06,510 --> 00:17:08,729 a basic block for building 491 00:17:08,730 --> 00:17:09,959 up the framework. 492 00:17:09,960 --> 00:17:12,659 Unfortunately, the resulting frameworks 493 00:17:12,660 --> 00:17:14,818 are then heavily bound 494 00:17:14,819 --> 00:17:17,429 to QEMU, so they don't see 495 00:17:17,430 --> 00:17:19,679 any ways or don't define 496 00:17:19,680 --> 00:17:20,819 any ways to 497 00:17:22,140 --> 00:17:24,088 get the analysis state 498 00:17:24,089 --> 00:17:26,339 out of the emulator into another tool. 499 00:17:31,580 --> 00:17:32,599 This missing 500 00:17:35,150 --> 00:17:37,279 way of transferring states of 501 00:17:37,280 --> 00:17:39,619 analyses is at the same time 502 00:17:39,620 --> 00:17:41,809 a little bit the motivation 503 00:17:41,810 --> 00:17:44,479 of the Avatar two framework. 504 00:17:44,480 --> 00:17:47,539 So in a very big picture, 505 00:17:47,540 --> 00:17:49,459 it's a framework for 506 00:17:49,460 --> 00:17:51,529 dynamic multi-target orchestration 507 00:17:51,530 --> 00:17:53,029 and instrumentation. 508 00:17:53,030 --> 00:17:55,489 We will see what this means with live 509 00:17:55,490 --> 00:17:56,779 demos later on. 510 00:17:56,780 --> 00:17:59,119 The focus of Avatar is on firmware 511 00:17:59,120 --> 00:18:01,369 analysis, and the whole thing is an 512 00:18:01,370 --> 00:18:02,119 open source 513 00:18:02,120 --> 00:18:04,219 and Python-based framework, 514 00:18:04,220 --> 00:18:04,969 which we 515 00:18:04,970 --> 00:18:06,739 released in June this year.
516 00:18:06,740 --> 00:18:08,899 So it's quite new and it's 517 00:18:08,900 --> 00:18:11,869 a research project, so 518 00:18:11,870 --> 00:18:14,089 we try to have a clean 519 00:18:14,090 --> 00:18:16,429 and usable code base, but 520 00:18:16,430 --> 00:18:17,599 sometimes some 521 00:18:17,600 --> 00:18:20,299 things may be a bit fragile. 522 00:18:20,300 --> 00:18:22,189 In comparison to Avatar one, 523 00:18:22,190 --> 00:18:22,879 Avatar two 524 00:18:22,880 --> 00:18:24,949 was redesigned and we implemented it 525 00:18:24,950 --> 00:18:27,709 from scratch to especially focus 526 00:18:27,710 --> 00:18:30,049 on better usability and 527 00:18:30,050 --> 00:18:31,519 a better abstraction 528 00:18:31,520 --> 00:18:32,569 of targets. 529 00:18:33,650 --> 00:18:35,689 It was developed by the Software and 530 00:18:35,690 --> 00:18:37,309 Systems Security Group at 531 00:18:37,310 --> 00:18:39,379 EURECOM, specifically. Next 532 00:18:39,380 --> 00:18:39,889 to me, 533 00:18:39,890 --> 00:18:42,319 the main developers are 534 00:18:42,320 --> 00:18:44,599 Dario Nisi, Aurélien Francillon and 535 00:18:44,600 --> 00:18:45,600 Davide Balzarotti. 536 00:18:48,280 --> 00:18:50,889 The main goals when we designed 537 00:18:50,890 --> 00:18:52,269 and started to write 538 00:18:52,270 --> 00:18:54,190 Avatar were to have 539 00:18:55,450 --> 00:18:57,009 the possibilities of target 540 00:18:57,010 --> 00:18:58,449 orchestration, separation 541 00:18:58,450 --> 00:19:00,609 of execution and memory, and state 542 00:19:00,610 --> 00:19:01,869 transfer and synchronization 543 00:19:01,870 --> 00:19:02,870 capabilities. 544 00:19:04,120 --> 00:19:06,309 Target orchestration means 545 00:19:06,310 --> 00:19:08,409 that we orchestrate 546 00:19:08,410 --> 00:19:11,469 different kinds of frameworks 547 00:19:11,470 --> 00:19:13,839 with abstractions inside Python.
548 00:19:13,840 --> 00:19:15,939 Those targets could 549 00:19:15,940 --> 00:19:18,429 be anything: debuggers, emulators, 550 00:19:18,430 --> 00:19:20,649 other frameworks, and we easily want 551 00:19:20,650 --> 00:19:21,609 to be able 552 00:19:21,610 --> 00:19:23,859 to add new targets to the Avatar² 553 00:19:23,860 --> 00:19:26,079 ecosystem. 554 00:19:26,080 --> 00:19:28,509 Furthermore, we want a clean separation 555 00:19:28,510 --> 00:19:30,669 between execution and memory, 556 00:19:30,670 --> 00:19:33,309 because this is basically the 557 00:19:33,310 --> 00:19:34,299 core concept, 558 00:19:34,300 --> 00:19:36,399 or the main requirement, to 559 00:19:36,400 --> 00:19:38,859 allow I/O forwarding 560 00:19:38,860 --> 00:19:41,619 or remote memory, so that the analysis 561 00:19:41,620 --> 00:19:43,839 runs inside one target and 562 00:19:43,840 --> 00:19:46,150 operates with memory of another target. 563 00:19:47,200 --> 00:19:48,699 Furthermore, state transfer and 564 00:19:48,700 --> 00:19:50,769 synchronization is important to 565 00:19:50,770 --> 00:19:53,199 us because once we are starting 566 00:19:53,200 --> 00:19:55,629 to analyze something on one specific target, 567 00:19:55,630 --> 00:19:56,439 we don't want to 568 00:19:56,440 --> 00:19:58,539 keep the analysis local to that 569 00:19:58,540 --> 00:20:00,609 target. We may 570 00:20:00,610 --> 00:20:02,439 want at a later point in time to switch 571 00:20:02,440 --> 00:20:04,959 the execution, for instance, from 572 00:20:04,960 --> 00:20:07,299 an embedded device to 573 00:20:07,300 --> 00:20:08,300 an emulator. 574 00:20:09,430 --> 00:20:11,769 And for doing so, we need 575 00:20:11,770 --> 00:20:12,459 easy ways 576 00:20:12,460 --> 00:20:13,650 to transfer the state.
577 00:20:16,680 --> 00:20:18,959 So we came up in the end 578 00:20:18,960 --> 00:20:20,909 with a framework which basically consists 579 00:20:20,910 --> 00:20:23,039 of four components: the 580 00:20:23,040 --> 00:20:25,619 Avatar² core, which is 581 00:20:25,620 --> 00:20:27,209 a Python library and 582 00:20:27,210 --> 00:20:30,089 is the main interface 583 00:20:30,090 --> 00:20:32,820 from the analyst to the analysis 584 00:20:34,110 --> 00:20:35,699 inside the framework. 585 00:20:35,700 --> 00:20:36,659 There are 586 00:20:36,660 --> 00:20:38,279 the so-called targets, which are the 587 00:20:38,280 --> 00:20:40,409 Python abstractions of so-called 588 00:20:40,410 --> 00:20:41,429 endpoints, 589 00:20:41,430 --> 00:20:43,509 and hereby are 590 00:20:43,510 --> 00:20:44,039 all 591 00:20:44,040 --> 00:20:46,199 the things you want to 592 00:20:46,200 --> 00:20:48,899 have as endpoints: emulators, 593 00:20:48,900 --> 00:20:49,469 frameworks, 594 00:20:49,470 --> 00:20:52,049 debuggers. However, 595 00:20:52,050 --> 00:20:53,729 targets and endpoints are not 596 00:20:53,730 --> 00:20:55,619 talking directly to each other. 597 00:20:55,620 --> 00:20:56,620 They are 598 00:20:57,480 --> 00:20:59,639 just interconnected by an additional 599 00:20:59,640 --> 00:21:01,650 layer of so-called protocols, 600 00:21:04,170 --> 00:21:05,879 which we can also see here 601 00:21:05,880 --> 00:21:08,429 in this picture, where we have 602 00:21:08,430 --> 00:21:09,329 the Avatar² core 603 00:21:09,330 --> 00:21:11,549 at the top, which defines and 604 00:21:11,550 --> 00:21:13,379 orchestrates a set of targets 605 00:21:13,380 --> 00:21:15,929 which all talk via an execution 606 00:21:15,930 --> 00:21:17,309 protocol, a memory protocol 607 00:21:17,310 --> 00:21:19,199 and a register protocol to the distinct 608 00:21:19,200 --> 00:21:20,339 endpoints.
609 00:21:20,340 --> 00:21:22,229 So the question is, why 610 00:21:22,230 --> 00:21:23,939 did we add the abstraction 611 00:21:23,940 --> 00:21:25,169 for protocols? 612 00:21:25,170 --> 00:21:27,509 The idea is quite simple. 613 00:21:27,510 --> 00:21:28,739 A lot of 614 00:21:29,790 --> 00:21:31,199 tools actually have 615 00:21:31,200 --> 00:21:32,699 similar ways to communicate. 616 00:21:32,700 --> 00:21:33,779 For instance, 617 00:21:33,780 --> 00:21:36,249 both QEMU and 618 00:21:36,250 --> 00:21:37,439 OpenOCD offer 619 00:21:37,440 --> 00:21:39,839 a GDB server to talk to the analyst, 620 00:21:39,840 --> 00:21:41,280 or a framework, or to the 621 00:21:42,360 --> 00:21:44,190 software under analysis. 622 00:21:45,450 --> 00:21:47,999 And by separating the protocols 623 00:21:48,000 --> 00:21:50,399 into purposes like 624 00:21:50,400 --> 00:21:52,859 execution or memory, we 625 00:21:52,860 --> 00:21:53,860 allow 626 00:21:55,410 --> 00:21:58,049 the clean separation 627 00:21:58,050 --> 00:21:59,969 of those different concepts during the 628 00:21:59,970 --> 00:22:00,970 execution. 629 00:22:02,460 --> 00:22:04,589 Oops. So let's move on 630 00:22:04,590 --> 00:22:06,779 to the implemented targets, which 631 00:22:06,780 --> 00:22:07,079 could 632 00:22:07,080 --> 00:22:08,729 also be a 633 00:22:08,730 --> 00:22:10,829 small course of "know your open source 634 00:22:10,830 --> 00:22:13,409 mascots". On the top left
635 00:22:13,410 --> 00:22:15,569 we have the archerfish, which 636 00:22:15,570 --> 00:22:17,699 was actually the 637 00:22:17,700 --> 00:22:18,299 mascot 638 00:22:18,300 --> 00:22:19,300 of GDB, 639 00:22:20,190 --> 00:22:21,899 which was quite interesting because this 640 00:22:21,900 --> 00:22:23,099 fish uses 641 00:22:23,100 --> 00:22:25,379 spit, or shoots spit water, 642 00:22:25,380 --> 00:22:27,989 from under the water at flies above 643 00:22:27,990 --> 00:22:29,969 and shoots at single bugs and puts them 644 00:22:29,970 --> 00:22:32,189 down. So I think it's quite a matching 645 00:22:32,190 --> 00:22:33,959 mascot for GDB. 646 00:22:33,960 --> 00:22:36,389 On the bottom left 647 00:22:36,390 --> 00:22:38,639 we have QEMU, which is 648 00:22:38,640 --> 00:22:39,929 the full system emulator 649 00:22:39,930 --> 00:22:41,999 we just talked about a little 650 00:22:42,000 --> 00:22:43,229 bit. More 651 00:22:43,230 --> 00:22:45,959 on the top right, there is the PANDA framework, 652 00:22:45,960 --> 00:22:48,389 which is a reverse engineering framework 653 00:22:48,390 --> 00:22:50,459 based on QEMU and 654 00:22:50,460 --> 00:22:52,739 aims to allow 655 00:22:52,740 --> 00:22:53,699 repeatable 656 00:22:53,700 --> 00:22:55,050 reverse engineering.
657 00:22:56,520 --> 00:22:58,769 It does so by basically 658 00:22:58,770 --> 00:23:01,109 recording all 659 00:23:01,110 --> 00:23:03,489 the non-deterministic I/O 660 00:23:03,490 --> 00:23:04,229 going in 661 00:23:04,230 --> 00:23:06,689 to the software under emulation, 662 00:23:06,690 --> 00:23:08,459 and then later on those non-deterministic 663 00:23:08,460 --> 00:23:10,589 I/O can just be 664 00:23:10,590 --> 00:23:12,929 replayed to the very same software 665 00:23:12,930 --> 00:23:15,059 from the same initialization state, 666 00:23:15,060 --> 00:23:17,219 which will result in the 667 00:23:17,220 --> 00:23:18,869 same execution. 668 00:23:18,870 --> 00:23:21,029 The advantage of doing so 669 00:23:21,030 --> 00:23:21,809 is 670 00:23:21,810 --> 00:23:23,879 that the 671 00:23:23,880 --> 00:23:26,279 resulting memory footprint of a record 672 00:23:26,280 --> 00:23:28,349 is way smaller than an 673 00:23:28,350 --> 00:23:30,779 instruction or memory trace. 674 00:23:30,780 --> 00:23:33,179 Additionally, PANDA has a plugin 675 00:23:33,180 --> 00:23:34,379 system which 676 00:23:34,380 --> 00:23:37,739 allows hooking different functions 677 00:23:37,740 --> 00:23:39,959 or different events inside QEMU to 678 00:23:39,960 --> 00:23:41,310 add your own analyses. 679 00:23:45,110 --> 00:23:47,239 The last tool on the slide 680 00:23:47,240 --> 00:23:49,879 is the angr framework, which is, 681 00:23:49,880 --> 00:23:50,569 as of now, 682 00:23:50,570 --> 00:23:52,669 still under development and will 683 00:23:52,670 --> 00:23:54,739 be made public, or will be merged into 684 00:23:54,740 --> 00:23:56,089 the public branch, 685 00:23:56,090 --> 00:23:57,559 soonish.
686 00:23:57,560 --> 00:23:58,999 And angr is basically 687 00:23:59,000 --> 00:24:00,289 a symbolic 688 00:24:00,290 --> 00:24:02,359 execution framework, 689 00:24:02,360 --> 00:24:02,689 which 690 00:24:02,690 --> 00:24:04,879 provides quite powerful symbolic 691 00:24:04,880 --> 00:24:07,609 execution capabilities. 692 00:24:07,610 --> 00:24:08,610 Sorry. 693 00:24:10,130 --> 00:24:12,409 Oh, one thing I forgot. 694 00:24:12,410 --> 00:24:14,389 We also support a fifth target, which is 695 00:24:14,390 --> 00:24:16,609 not represented on the slide, which 696 00:24:16,610 --> 00:24:17,610 is OpenOCD, 697 00:24:19,550 --> 00:24:19,999 a tool 698 00:24:20,000 --> 00:24:22,189 to talk to JTAG interfaces, which 699 00:24:22,190 --> 00:24:23,569 then in turn can talk 700 00:24:23,570 --> 00:24:25,999 via the JTAG protocol to embedded 701 00:24:26,000 --> 00:24:27,019 devices. 702 00:24:27,020 --> 00:24:28,729 So just a little bit of background 703 00:24:28,730 --> 00:24:31,519 knowledge: JTAG is a 704 00:24:31,520 --> 00:24:33,769 debugging port 705 00:24:33,770 --> 00:24:36,229 present on some embedded devices. 706 00:24:36,230 --> 00:24:38,209 And if it is available, we can use 707 00:24:38,210 --> 00:24:40,789 OpenOCD to dynamically debug 708 00:24:42,050 --> 00:24:43,939 firmware on the target device. 709 00:24:45,890 --> 00:24:48,199 As we've seen before, a lot 710 00:24:48,200 --> 00:24:50,449 of tools are based on QEMU. 711 00:24:50,450 --> 00:24:52,819 So if we want to 712 00:24:52,820 --> 00:24:55,639 have them easily integrated 713 00:24:55,640 --> 00:24:58,039 into the Avatar ecosystem, 714 00:24:58,040 --> 00:24:58,369 we 715 00:24:58,370 --> 00:25:00,529 need to have our changes more or less 716 00:25:00,530 --> 00:25:02,839 local. That's what we did.
717 00:25:02,840 --> 00:25:05,119 So we changed QEMU a little bit to work 718 00:25:05,120 --> 00:25:07,459 with Avatar and to forward the state 719 00:25:07,460 --> 00:25:09,619 and memory and so on. 720 00:25:09,620 --> 00:25:11,809 And all of the changes 721 00:25:11,810 --> 00:25:12,979 are located in one single 722 00:25:12,980 --> 00:25:15,139 subfolder, which makes 723 00:25:15,140 --> 00:25:15,619 it 724 00:25:15,620 --> 00:25:17,959 straightforward to implement new 725 00:25:17,960 --> 00:25:20,149 QEMU-based targets for Avatar². 726 00:25:21,440 --> 00:25:23,599 More specifically, the changes which we 727 00:25:23,600 --> 00:25:26,029 did, or the most notable one, is the addition 728 00:25:26,030 --> 00:25:28,429 of a configurable machine, which is 729 00:25:28,430 --> 00:25:30,499 similar to the 730 00:25:30,500 --> 00:25:33,049 Lua-based board description 731 00:25:33,050 --> 00:25:34,639 present in [unclear]. 732 00:25:34,640 --> 00:25:37,549 But hereby 733 00:25:37,550 --> 00:25:39,679 the configuration of the hardware 734 00:25:39,680 --> 00:25:41,659 we want to emulate is 735 00:25:41,660 --> 00:25:43,999 defined in a JSON file, 736 00:25:44,000 --> 00:25:45,169 which is automatically 737 00:25:45,170 --> 00:25:47,389 generated by Avatar² based on 738 00:25:47,390 --> 00:25:49,129 the specifications the analyst did in 739 00:25:49,130 --> 00:25:50,130 Python. 740 00:25:51,530 --> 00:25:52,939 It allows, in general, 741 00:25:52,940 --> 00:25:55,099 flexible configuration of 742 00:25:55,100 --> 00:25:57,379 the different hardware you may want 743 00:25:57,380 --> 00:25:58,969 to emulate. 744 00:25:58,970 --> 00:26:01,639 Additionally, we added a new peripheral, 745 00:26:01,640 --> 00:26:04,099 the Avatar peripheral, which communicates 746 00:26:04,100 --> 00:26:05,299 with Avatar²
747 00:26:05,300 --> 00:26:07,549 via POSIX message queues 748 00:26:07,550 --> 00:26:09,739 and basically allows 749 00:26:09,740 --> 00:26:12,349 remote memory from inside QEMU. 750 00:26:12,350 --> 00:26:14,629 So the idea is that if QEMU, 751 00:26:14,630 --> 00:26:16,399 or if there is some peripheral 752 00:26:16,400 --> 00:26:18,469 with memory-mapped I/O which you have to 753 00:26:18,470 --> 00:26:20,509 emulate, you will use the Avatar 754 00:26:20,510 --> 00:26:23,059 peripheral, which will then forward 755 00:26:23,060 --> 00:26:25,279 all memory reads and writes to the Avatar² 756 00:26:25,280 --> 00:26:27,139 framework, which will then dispatch 757 00:26:27,140 --> 00:26:29,329 it, for instance, to the 758 00:26:29,330 --> 00:26:30,330 physical device. 759 00:26:33,380 --> 00:26:35,269 A couple of other features I want to 760 00:26:35,270 --> 00:26:37,669 highlight about the framework is 761 00:26:37,670 --> 00:26:38,119 that we 762 00:26:38,120 --> 00:26:39,589 aim to design it 763 00:26:39,590 --> 00:26:41,329 architecture independent. 764 00:26:41,330 --> 00:26:43,579 This basically means that we 765 00:26:43,580 --> 00:26:45,799 have a subfolder inside 766 00:26:45,800 --> 00:26:47,299 the framework which just deals with 767 00:26:47,300 --> 00:26:49,849 architecture abstractions, 768 00:26:49,850 --> 00:26:53,059 so that the framework can work with those 769 00:26:53,060 --> 00:26:55,159 architectural abstractions regardless of the 770 00:26:55,160 --> 00:26:56,160 analysis. 771 00:26:57,410 --> 00:26:58,909 As of now, we have 772 00:26:58,910 --> 00:27:01,009 abstractions for ARM, x86 773 00:27:01,010 --> 00:27:03,949 and x86-64, 774 00:27:03,950 --> 00:27:04,909 and we are currently 775 00:27:04,910 --> 00:27:08,179 developing another one for MIPS. 776 00:27:08,180 --> 00:27:10,189 Avatar² uses an internal memory 777 00:27:10,190 --> 00:27:11,389 layout representation.
778 00:27:11,390 --> 00:27:13,099 So just the layout, not the memory 779 00:27:13,100 --> 00:27:15,499 contents itself, in order to be able 780 00:27:15,500 --> 00:27:15,649 to 781 00:27:15,650 --> 00:27:17,659 push it to different targets or to 782 00:27:17,660 --> 00:27:19,879 generate the JSON 783 00:27:19,880 --> 00:27:22,189 file needed for the QEMU 784 00:27:22,190 --> 00:27:23,419 configurable machine. 785 00:27:24,530 --> 00:27:26,929 Furthermore, Avatar allows modeling 786 00:27:26,930 --> 00:27:28,099 of peripherals 787 00:27:28,100 --> 00:27:29,509 directly in Python, so 788 00:27:29,510 --> 00:27:31,249 you can go on and 789 00:27:31,250 --> 00:27:33,859 script your peripheral directly 790 00:27:33,860 --> 00:27:36,319 in Python if you know how it has to behave, 791 00:27:36,320 --> 00:27:38,599 or if you just want to have something 792 00:27:38,600 --> 00:27:40,549 which statically returns the same values 793 00:27:40,550 --> 00:27:42,439 because you don't care about the specific 794 00:27:42,440 --> 00:27:43,999 peripheral. 795 00:27:44,000 --> 00:27:46,609 Additionally, we want to keep 796 00:27:46,610 --> 00:27:49,129 our Avatar² core as small and 797 00:27:49,130 --> 00:27:51,079 maintainable as possible. 798 00:27:51,080 --> 00:27:52,699 But on the other side, there are a lot of 799 00:27:52,700 --> 00:27:54,469 tasks 800 00:27:54,470 --> 00:27:56,019 which have to be repeated during an 801 00:27:56,020 --> 00:27:56,839 analysis. 802 00:27:56,840 --> 00:27:58,339 For instance, we frequently want to 803 00:27:58,340 --> 00:28:00,649 assemble or disassemble instructions.
804 00:28:00,650 --> 00:28:02,929 So in order to enable it, we 805 00:28:02,930 --> 00:28:05,899 added a flexible plugin system, 806 00:28:05,900 --> 00:28:08,359 which also already has 807 00:28:08,360 --> 00:28:09,889 a couple of example plugins, for 808 00:28:09,890 --> 00:28:12,019 instance the orchestration plugin, 809 00:28:12,020 --> 00:28:14,959 which automatically orchestrates 810 00:28:14,960 --> 00:28:17,329 the execution of targets. 811 00:28:17,330 --> 00:28:18,529 In the normal way, 812 00:28:18,530 --> 00:28:19,129 you would write 813 00:28:19,130 --> 00:28:21,379 an Avatar script where you explicitly 814 00:28:21,380 --> 00:28:22,380 define 815 00:28:23,630 --> 00:28:24,979 when you do what. 816 00:28:24,980 --> 00:28:25,579 While 817 00:28:25,580 --> 00:28:27,169 in the 818 00:28:27,170 --> 00:28:29,299 orchestration setting, you will just 819 00:28:29,300 --> 00:28:31,399 define a set of transitions, and Avatar² 820 00:28:31,400 --> 00:28:33,679 will automatically 821 00:28:33,680 --> 00:28:35,809 change the state around 822 00:28:35,810 --> 00:28:37,939 according to your defined transitions. 823 00:28:37,940 --> 00:28:39,799 Likewise, there's an instruction 824 00:28:39,800 --> 00:28:41,630 forwarder, which basically 825 00:28:42,730 --> 00:28:44,769 aims to deal with those unemulated 826 00:28:44,770 --> 00:28:47,409 instructions, so small 827 00:28:47,410 --> 00:28:48,909 microarchitecture-dependent instructions. 828 00:28:48,910 --> 00:28:51,309 So once Avatar encounters one 829 00:28:51,310 --> 00:28:54,489 of those instructions, it will 830 00:28:54,490 --> 00:28:57,009 not be executed inside the emulator, but 831 00:28:57,010 --> 00:28:58,479 on the embedded device, 832 00:28:58,480 --> 00:28:59,949 so that the state changes 833 00:28:59,950 --> 00:29:01,480 are applied accordingly.
834 00:29:02,800 --> 00:29:05,199 So after this 835 00:29:05,200 --> 00:29:05,679 kind of 836 00:29:05,680 --> 00:29:07,929 high-level talking about the framework, 837 00:29:07,930 --> 00:29:10,059 let's go directly to the 838 00:29:10,060 --> 00:29:11,259 examples. 839 00:29:11,260 --> 00:29:11,859 I will 840 00:29:11,860 --> 00:29:13,989 in the following show two use 841 00:29:13,990 --> 00:29:16,989 cases: how to use Avatar as a 842 00:29:16,990 --> 00:29:18,159 dynamic instrumentation 843 00:29:18,160 --> 00:29:19,899 framework and 844 00:29:19,900 --> 00:29:21,999 how to use it as a dynamic 845 00:29:22,000 --> 00:29:24,039 orchestration framework. 846 00:29:24,040 --> 00:29:26,379 So if you want 847 00:29:26,380 --> 00:29:28,329 to write an Avatar script, you normally 848 00:29:28,330 --> 00:29:30,669 need to do three or four things. 849 00:29:30,670 --> 00:29:32,829 First, you need to create the main Avatar 850 00:29:32,830 --> 00:29:33,849 object. 851 00:29:33,850 --> 00:29:35,979 Then you need to define the set of 852 00:29:35,980 --> 00:29:37,509 targets you want to deal with in your 853 00:29:37,510 --> 00:29:38,619 analysis. 854 00:29:38,620 --> 00:29:40,779 Optionally, if required, if you have 855 00:29:40,780 --> 00:29:42,429 more than one target or a QEMU-based 856 00:29:42,430 --> 00:29:44,529 target, you need to define a memory 857 00:29:44,530 --> 00:29:45,369 layout. 858 00:29:45,370 --> 00:29:47,529 And last but not least, you need 859 00:29:47,530 --> 00:29:49,299 to specify an execution plan. 860 00:29:51,360 --> 00:29:53,670 So let's start with a 861 00:29:55,230 --> 00:29:56,069 simple demo, 862 00:29:56,070 --> 00:29:58,799 which basically is a demonstration for 863 00:29:58,800 --> 00:29:59,669 Hello World.
864 00:29:59,670 --> 00:30:02,099 So we have 865 00:30:02,100 --> 00:30:04,289 here on the left, I hope the font is 866 00:30:04,290 --> 00:30:05,760 big enough for everyone to read it, 867 00:30:06,960 --> 00:30:09,449 an executable file a.out 868 00:30:09,450 --> 00:30:10,359 and a 869 00:30:10,360 --> 00:30:12,419 Python script helloworld.py, which 870 00:30:12,420 --> 00:30:15,089 we should see here also on the right. 871 00:30:15,090 --> 00:30:18,149 So if we execute 872 00:30:18,150 --> 00:30:18,929 a.out, 873 00:30:18,930 --> 00:30:20,159 basically nothing happens. 874 00:30:20,160 --> 00:30:22,559 It just exits with the error code 875 00:30:22,560 --> 00:30:23,849 42. 876 00:30:23,850 --> 00:30:25,139 On the right side 877 00:30:25,140 --> 00:30:27,509 we have our full analysis, 878 00:30:27,510 --> 00:30:29,939 or full analysis of instrumentation, 879 00:30:29,940 --> 00:30:32,129 on one side. 880 00:30:32,130 --> 00:30:33,359 So at step 881 00:30:33,360 --> 00:30:35,549 zero, we create the Avatar 882 00:30:35,550 --> 00:30:37,229 object and define the architecture. 883 00:30:37,230 --> 00:30:39,389 For this analysis, we add 884 00:30:39,390 --> 00:30:39,569 the 885 00:30:39,570 --> 00:30:41,639 concrete target, which is in this case 886 00:30:41,640 --> 00:30:43,139 a GDB target. 887 00:30:43,140 --> 00:30:45,569 Then we launch, 888 00:30:45,570 --> 00:30:46,619 basically, 889 00:30:47,700 --> 00:30:47,879 as 890 00:30:47,880 --> 00:30:48,899 a subprocess, 891 00:30:48,900 --> 00:30:51,119 the endpoint, the GDB server, which 892 00:30:51,120 --> 00:30:53,189 our Avatar target connects towards in the 893 00:30:53,190 --> 00:30:53,729 end, 894 00:30:53,730 --> 00:30:55,409 which is basically just 895 00:30:55,410 --> 00:30:57,599 executing this a.out 896 00:30:57,600 --> 00:30:58,589 file.
897 00:30:58,590 --> 00:31:01,229 We initialize the GDB 898 00:31:01,230 --> 00:31:03,629 target, which will 899 00:31:03,630 --> 00:31:05,819 connect to the GDB server 900 00:31:05,820 --> 00:31:07,409 and do all the initialization 901 00:31:07,410 --> 00:31:08,410 functions. 902 00:31:09,840 --> 00:31:11,759 Down here we have some shellcode which we 903 00:31:11,760 --> 00:31:14,189 want to inject into the target. 904 00:31:14,190 --> 00:31:17,039 This shellcode is basically 905 00:31:17,040 --> 00:31:19,139 just a shellcode for 906 00:31:19,140 --> 00:31:21,839 the simple Hello World 907 00:31:21,840 --> 00:31:23,279 output on stdout. 908 00:31:23,280 --> 00:31:24,929 So it basically just does 909 00:31:24,930 --> 00:31:26,900 a syscall write "helloworld". 910 00:31:28,500 --> 00:31:30,689 Here is the interesting 911 00:31:30,690 --> 00:31:32,759 part of the framework: we 912 00:31:32,760 --> 00:31:34,959 instrument GDB from the outside; 913 00:31:34,960 --> 00:31:37,559 we tell it to write memory 914 00:31:37,560 --> 00:31:38,549 at the current 915 00:31:38,550 --> 00:31:41,039 location of the instruction pointer. 916 00:31:41,040 --> 00:31:43,109 The memory we write has the length 917 00:31:43,110 --> 00:31:45,719 of our shellcode, is our shellcode 918 00:31:45,720 --> 00:31:46,259 and 919 00:31:46,260 --> 00:31:47,549 is raw memory. 920 00:31:47,550 --> 00:31:49,169 After we wrote this, 921 00:31:49,170 --> 00:31:49,799 we want 922 00:31:49,800 --> 00:31:51,449 to continue our 923 00:31:51,450 --> 00:31:52,709 execution. 924 00:31:52,710 --> 00:31:55,109 So let's see if 925 00:31:55,110 --> 00:31:55,499 the demo 926 00:31:55,500 --> 00:31:57,059 gods are with us. 927 00:31:57,060 --> 00:31:58,919 And here we go. 928 00:31:58,920 --> 00:32:01,050 We have Hello World as an output. 929 00:32:02,130 --> 00:32:04,649 Well, this is just a very simple demo.
930 00:32:04,650 --> 00:32:06,929 It directly demonstrates 931 00:32:06,930 --> 00:32:09,029 the instrumentation capabilities 932 00:32:09,030 --> 00:32:10,589 of Avatar², 933 00:32:10,590 --> 00:32:13,039 and especially what 934 00:32:13,040 --> 00:32:15,149 I really like is 935 00:32:15,150 --> 00:32:17,309 the possibility to script GDB 936 00:32:17,310 --> 00:32:19,679 from the outside, like without being, 937 00:32:19,680 --> 00:32:21,929 without having to execute your 938 00:32:21,930 --> 00:32:24,239 Python script from inside GDB. 939 00:32:24,240 --> 00:32:24,869 So you 940 00:32:24,870 --> 00:32:26,159 can see here on the right 941 00:32:26,160 --> 00:32:28,229 side the full analysis, so you're 942 00:32:28,230 --> 00:32:30,180 doing it centralized in one place. 943 00:32:32,120 --> 00:32:33,859 Let's continue with binary 944 00:32:33,860 --> 00:32:36,049 instrumentation on a real 945 00:32:36,050 --> 00:32:37,249 target. 946 00:32:37,250 --> 00:32:39,349 As a real target 947 00:32:39,350 --> 00:32:41,599 we chose HARVEY, 948 00:32:41,600 --> 00:32:43,579 which is a PLC 949 00:32:43,580 --> 00:32:44,509 rootkit which 950 00:32:44,510 --> 00:32:46,669 was presented last 951 00:32:46,670 --> 00:32:48,079 year at NDSS, 952 00:32:49,280 --> 00:32:51,319 and it basically 953 00:32:52,490 --> 00:32:54,049 injects, or basically 954 00:32:54,050 --> 00:32:56,419 works based on code injection 955 00:32:56,420 --> 00:32:58,579 on, yeah, normal commercial 956 00:32:58,580 --> 00:32:59,599 off-the-shelf PLCs. 957 00:33:00,680 --> 00:33:02,899 The PLC itself has multiple boards. 958 00:33:02,900 --> 00:33:05,299 We can have a look if everything 959 00:33:05,300 --> 00:33:06,619 works and we can see it. 960 00:33:12,980 --> 00:33:13,980 So. 961 00:33:16,550 --> 00:33:18,199 No, no. 962 00:33:18,200 --> 00:33:19,279 Here we go.
963 00:33:19,280 --> 00:33:21,409 So this thing here is 964 00:33:21,410 --> 00:33:22,549 the opened PLC, 965 00:33:24,380 --> 00:33:26,869 which we can possibly see very shortly. 966 00:33:30,350 --> 00:33:32,599 Well, almost the right one. 967 00:33:36,030 --> 00:33:37,829 OK. Sorry for that, 968 00:33:37,830 --> 00:33:39,529 I forgot to do it beforehand. 969 00:33:40,530 --> 00:33:41,530 OK, so 970 00:33:42,620 --> 00:33:43,139 this 971 00:33:43,140 --> 00:33:45,449 demo is very fragile, which 972 00:33:45,450 --> 00:33:47,039 is going to show up. 973 00:33:47,040 --> 00:33:49,289 But here we basically have 974 00:33:49,290 --> 00:33:50,699 our PLC starting to 975 00:33:50,700 --> 00:33:52,859 boot. We see several boards 976 00:33:52,860 --> 00:33:55,229 here. Here 977 00:33:55,230 --> 00:33:57,299 on the side we have the human 978 00:33:57,300 --> 00:33:58,139 machine interface 979 00:33:58,140 --> 00:34:00,209 board, which basically deals with 980 00:34:00,210 --> 00:34:02,279 all interactions to the exterior world, 981 00:34:02,280 --> 00:34:04,289 like SD cards, a physical switch, the 982 00:34:04,290 --> 00:34:05,729 network interface. So it would be the 983 00:34:05,730 --> 00:34:06,730 interface. 984 00:34:08,130 --> 00:34:10,049 On the top here 985 00:34:10,050 --> 00:34:12,389 we have the 986 00:34:14,310 --> 00:34:16,529 I/Os for this programmable 987 00:34:16,530 --> 00:34:18,269 logic controller, so here you can 988 00:34:18,270 --> 00:34:20,879 connect the different I/Os. 989 00:34:20,880 --> 00:34:22,529 Right now, the PLC is booted. 990 00:34:22,530 --> 00:34:23,609 Everything is fine. 991 00:34:23,610 --> 00:34:26,339 It has now also detected 992 00:34:26,340 --> 00:34:28,468 all the status LEDs here for the different 993 00:34:28,469 --> 00:34:29,399 I/Os.
994 00:34:29,400 --> 00:34:31,138 So to say, 995 00:34:31,139 --> 00:34:34,289 what's special here is that on the 996 00:34:34,290 --> 00:34:36,839 lower board, which we can see here, 997 00:34:36,840 --> 00:34:39,089 it's a Cortex-M3 998 00:34:39,090 --> 00:34:41,488 MCU, which is just responsible 999 00:34:41,489 --> 00:34:43,738 for dealing with updates, or 1000 00:34:43,739 --> 00:34:45,089 mainly responsible for dealing with 1001 00:34:45,090 --> 00:34:46,919 updates of the exterior world, 1002 00:34:46,920 --> 00:34:48,479 so updates of the 1003 00:34:49,570 --> 00:34:50,698 state, 1004 00:34:50,699 --> 00:34:52,919 and this Cortex 1005 00:34:52,920 --> 00:34:54,988 MCU, interestingly, also 1006 00:34:54,989 --> 00:34:57,209 has an enabled 1007 00:34:57,210 --> 00:34:58,709 JTAG debug port, so 1008 00:34:58,710 --> 00:35:00,839 we can easily sort out 1009 00:35:00,840 --> 00:35:03,179 some things, and we have here 1010 00:35:03,180 --> 00:35:03,819 on the side 1011 00:35:03,820 --> 00:35:05,909 our JTAG interface connector to this 1012 00:35:05,910 --> 00:35:07,169 PLC, 1013 00:35:07,170 --> 00:35:09,809 which will lead us to 1014 00:35:09,810 --> 00:35:10,810 the demo. 1015 00:35:11,850 --> 00:35:14,249 This device is particularly interesting 1016 00:35:14,250 --> 00:35:16,619 because parts 1017 00:35:16,620 --> 00:35:19,229 of the firmware are residing inside SRAM, 1018 00:35:19,230 --> 00:35:21,359 so the board initializes 1019 00:35:21,360 --> 00:35:23,519 and so we don't have [unclear], 1020 00:35:23,520 --> 00:35:26,249 and the firmware is loaded 1021 00:35:26,250 --> 00:35:28,619 into 1022 00:35:28,620 --> 00:35:28,769 the 1023 00:35:28,770 --> 00:35:29,879 SRAM.
1024 00:35:29,880 --> 00:35:32,009 So this basically means 1025 00:35:32,010 --> 00:35:33,359 we can instrument 1026 00:35:33,360 --> 00:35:35,009 those parts of the firmware, 1027 00:35:35,010 --> 00:35:37,439 which we also did 1028 00:35:37,440 --> 00:35:37,709 in 1029 00:35:37,710 --> 00:35:39,959 the demo by re-implementing the proof 1030 00:35:39,960 --> 00:35:42,179 of concept implementation of 1031 00:35:42,180 --> 00:35:43,019 HARVEY. 1032 00:35:43,020 --> 00:35:45,119 So here we basically do the same: 1033 00:35:45,120 --> 00:35:46,649 create the Avatar object, 1034 00:35:46,650 --> 00:35:48,090 load the assembler plugin, 1035 00:35:49,860 --> 00:35:51,510 add an OpenOCD target, 1036 00:35:53,100 --> 00:35:55,619 set a breakpoint at the main loop 1037 00:35:55,620 --> 00:35:57,329 because we want to skip all the 1038 00:35:58,890 --> 00:36:00,869 initialization 1039 00:36:00,870 --> 00:36:01,870 functions. 1040 00:36:02,580 --> 00:36:04,859 We continue our execution until 1041 00:36:04,860 --> 00:36:06,389 we eventually 1042 00:36:06,390 --> 00:36:08,309 hit the breakpoint. 1043 00:36:08,310 --> 00:36:09,779 This is done, by the way, 1044 00:36:09,780 --> 00:36:11,909 and once we are here, we are going 1045 00:36:11,910 --> 00:36:13,919 to inject some assembly code. 1046 00:36:13,920 --> 00:36:16,379 So this assembly code is rather simple. 1047 00:36:16,380 --> 00:36:18,449 As stated, it's just a proof of 1048 00:36:18,450 --> 00:36:20,579 concept implementation of the HARVEY 1049 00:36:20,580 --> 00:36:22,889 malware, not a full implementation, 1050 00:36:22,890 --> 00:36:24,989 but it already shows, well, will 1051 00:36:24,990 --> 00:36:27,119 show, that 1052 00:36:27,120 --> 00:36:28,120 we can 1053 00:36:29,400 --> 00:36:31,499 divert the execution so that 1054 00:36:31,500 --> 00:36:34,739 people see the human machine interface 1055 00:36:34,740 --> 00:36:35,399 things.
1056 00:36:35,400 --> 00:36:37,859 Certain inputs are enabled, 1057 00:36:37,860 --> 00:36:40,049 and we do so by hooking an interrupt 1058 00:36:40,050 --> 00:36:42,119 handler which was executed 1059 00:36:42,120 --> 00:36:45,569 frequently to check the state of 1060 00:36:45,570 --> 00:36:47,879 the board, and 1061 00:36:47,880 --> 00:36:50,069 modify the state manually. 1062 00:36:50,070 --> 00:36:52,229 So let's see if this 1063 00:36:52,230 --> 00:36:53,219 works. 1064 00:36:53,220 --> 00:36:54,479 I think I forgot 1065 00:36:54,480 --> 00:36:56,639 to mention, to say, that we try to have 1066 00:36:56,640 --> 00:36:58,499 both Python 2 and Python 3 1067 00:36:58,500 --> 00:36:59,639 compatible code. 1068 00:36:59,640 --> 00:37:02,009 So let's use the latest Python 1069 00:37:02,010 --> 00:37:03,179 in this example. 1070 00:37:04,680 --> 00:37:07,649 And here we go. 1071 00:37:07,650 --> 00:37:09,719 OK. So the camera is now off, so I 1072 00:37:09,720 --> 00:37:11,939 cannot show you, but 1073 00:37:11,940 --> 00:37:12,479 on here 1074 00:37:12,480 --> 00:37:14,729 the LEDs started to blink, 1075 00:37:14,730 --> 00:37:17,249 which is basically symbolizing 1076 00:37:17,250 --> 00:37:19,319 that input is 1077 00:37:19,320 --> 00:37:21,479 present, although clearly no input is 1078 00:37:21,480 --> 00:37:23,279 connected to this PLC. 1079 00:37:23,280 --> 00:37:25,379 I added a picture of it, 1080 00:37:25,380 --> 00:37:27,839 just to be safe, in case 1081 00:37:27,840 --> 00:37:29,309 it doesn't work, so we can see it. 1082 00:37:31,470 --> 00:37:32,519 Let's move on 1083 00:37:32,520 --> 00:37:34,079 to the next example, 1084 00:37:34,080 --> 00:37:35,399 which aims to improve 1085 00:37:35,400 --> 00:37:37,859 fault detection on embedded devices.
1086 00:37:37,860 --> 00:37:40,619 This work is part of the 1087 00:37:40,620 --> 00:37:42,479 what you corrupt is not what you crash 1088 00:37:42,480 --> 00:37:44,789 paper by our research group, 1089 00:37:44,790 --> 00:37:45,689 which will be 1090 00:37:45,690 --> 00:37:47,699 presented at the Oscars next 1091 00:37:47,700 --> 00:37:48,179 year and 1092 00:37:48,180 --> 00:37:50,099 is a joint work on Siemens. 1093 00:37:50,100 --> 00:37:51,209 In parallel to this 1094 00:37:51,210 --> 00:37:53,559 talk, we uploaded so slides 1095 00:37:53,560 --> 00:37:56,369 so you can go and check out the paper. 1096 00:37:56,370 --> 00:37:58,859 If you're interested in more details of 1097 00:37:58,860 --> 00:38:00,689 what I'm going to say here. 1098 00:38:00,690 --> 00:38:02,969 In a nutshell, this paper investigates 1099 00:38:02,970 --> 00:38:05,189 the challenges specific to fast testing 1100 00:38:05,190 --> 00:38:07,109 embedded devices, which are, 1101 00:38:07,110 --> 00:38:08,999 on the one hand, fault detection and 1102 00:38:09,000 --> 00:38:11,189 instrumentation which we already 1103 00:38:11,190 --> 00:38:11,549 talked 1104 00:38:11,550 --> 00:38:13,709 about. But additionally, 1105 00:38:13,710 --> 00:38:16,049 one additional problem is scalability. 1106 00:38:16,050 --> 00:38:17,909 First, testing greatly 1107 00:38:17,910 --> 00:38:20,459 benefits from having the possibilities 1108 00:38:20,460 --> 00:38:22,649 of running 1109 00:38:22,650 --> 00:38:23,519 multiple 1110 00:38:23,520 --> 00:38:25,779 instances of the same fast. 1111 00:38:25,780 --> 00:38:27,419 Also, same software and fostered in 1112 00:38:27,420 --> 00:38:28,559 parallel. 1113 00:38:28,560 --> 00:38:30,989 This, in the better case, would mean 1114 00:38:30,990 --> 00:38:33,509 that you need a few test, traditionally 1115 00:38:33,510 --> 00:38:35,399 just a lot of different embedded. 
1116 00:38:35,400 --> 00:38:37,779 devices. And 1117 00:38:37,780 --> 00:38:39,239 furthermore, in the paper, we 1118 00:38:39,240 --> 00:38:40,799 evaluate different strategies 1119 00:38:40,800 --> 00:38:43,349 to aid fuzz testing of embedded devices, 1120 00:38:43,350 --> 00:38:44,429 for instance 1121 00:38:44,430 --> 00:38:45,510 firmware rehosting, 1122 00:38:46,860 --> 00:38:48,809 static instrumentation or binary 1123 00:38:48,810 --> 00:38:49,949 rewriting. 1124 00:38:49,950 --> 00:38:52,349 And in the end, we try to 1125 00:38:53,400 --> 00:38:53,969 give 1126 00:38:53,970 --> 00:38:56,309 some approach or give some direction 1127 00:38:56,310 --> 00:38:58,799 by utilizing partial and full emulation 1128 00:38:58,800 --> 00:39:01,049 of firmware using the avatar2 1129 00:39:01,050 --> 00:39:02,050 framework. 1130 00:39:03,480 --> 00:39:05,339 So for this paper, the 1131 00:39:05,340 --> 00:39:06,389 setup has 1132 00:39:07,950 --> 00:39:10,419 two targets: on the one hand, an 1133 00:39:10,420 --> 00:39:11,339 STM32 1134 00:39:11,340 --> 00:39:13,859 L152RE 1135 00:39:13,860 --> 00:39:14,939 development board, 1136 00:39:14,940 --> 00:39:16,209 which we have here. 1137 00:39:16,210 --> 00:39:18,449 It's a nice 1138 00:39:18,450 --> 00:39:20,609 board which has nice features like 1139 00:39:20,610 --> 00:39:23,579 directly having a JTAG interface embedded 1140 00:39:23,580 --> 00:39:24,539 and even 1141 00:39:24,540 --> 00:39:26,819 providing serial access to it over 1142 00:39:26,820 --> 00:39:28,019 USB. 1143 00:39:28,020 --> 00:39:29,399 On the other hand, the target we are 1144 00:39:29,400 --> 00:39:30,899 using is PANDA, 1145 00:39:30,900 --> 00:39:33,779 the reverse engineering framework. 1146 00:39:33,780 --> 00:39:36,269 As target software 1147 00:39:36,270 --> 00:39:37,739 for our test,
1148 00:39:37,740 --> 00:39:39,959 we used Expat, 1149 00:39:39,960 --> 00:39:40,949 an instrumented version 1150 00:39:40,950 --> 00:39:43,019 of Expat with artificial 1151 00:39:43,020 --> 00:39:44,759 vulnerabilities, 1152 00:39:44,760 --> 00:39:46,829 and the analysis itself 1153 00:39:47,880 --> 00:39:49,629 orchestrates, in the sense that 1154 00:39:49,630 --> 00:39:51,869 the initialization of the embedded device 1155 00:39:51,870 --> 00:39:52,469 is run 1156 00:39:52,470 --> 00:39:54,029 on the physical board, 1157 00:39:54,030 --> 00:39:55,949 and the emulation of the 1158 00:39:55,950 --> 00:39:57,359 main loop, of the main part of the 1159 00:39:57,360 --> 00:39:59,159 firmware, is done inside PANDA 1160 00:40:00,360 --> 00:40:01,559 for the analysis. 1161 00:40:01,560 --> 00:40:04,289 We wrote five PANDA plugins, which 1162 00:40:04,290 --> 00:40:05,849 check and verify 1163 00:40:05,850 --> 00:40:07,469 during emulation the state of the 1164 00:40:07,470 --> 00:40:08,309 firmware 1165 00:40:08,310 --> 00:40:10,649 by mimicking already existing 1166 00:40:10,650 --> 00:40:13,589 techniques which are used for analyzing 1167 00:40:13,590 --> 00:40:14,939 desktop software. 1168 00:40:14,940 --> 00:40:17,009 So, for instance, we have something 1169 00:40:17,010 --> 00:40:18,479 which is similar to a shadow stack 1170 00:40:18,480 --> 00:40:20,759 implementation, or similar checks, 1171 00:40:20,760 --> 00:40:23,009 while one plugin 1172 00:40:23,010 --> 00:40:25,499 tries to check the consistency 1173 00:40:25,500 --> 00:40:27,659 of the heap by 1174 00:40:27,660 --> 00:40:29,999 tracking malloced, freed 1175 00:40:30,000 --> 00:40:31,499 and reallocated objects. 1176 00:40:33,060 --> 00:40:35,069 The big advantage of this approach is 1177 00:40:35,070 --> 00:40:37,229 that there's no need to 1178 00:40:37,230 --> 00:40:38,669 modify the firmware.
1179 00:40:41,580 --> 00:40:44,009 So for evaluating those, we did 100 1180 00:40:44,010 --> 00:40:46,289 fuzzing sessions of one hour each 1181 00:40:46,290 --> 00:40:48,719 in quite some different setups. 1182 00:40:48,720 --> 00:40:50,819 We fuzzed first 1183 00:40:50,820 --> 00:40:52,289 on the native board. 1184 00:40:52,290 --> 00:40:54,899 Then we used partial emulation with 1185 00:40:54,900 --> 00:40:57,269 forwarding of I/O to the board. 1186 00:40:57,270 --> 00:40:59,549 We used partial emulation without 1187 00:40:59,550 --> 00:41:00,089 the board, but 1188 00:41:00,090 --> 00:41:02,159 with an avatar peripheral, and we utilized 1189 00:41:02,160 --> 00:41:04,109 full emulation 1190 00:41:04,110 --> 00:41:05,069 with the plugins 1191 00:41:05,070 --> 00:41:06,369 we mentioned previously. 1192 00:41:06,370 --> 00:41:08,279 We could detect previously undetected 1193 00:41:08,280 --> 00:41:10,889 faults and, quite interestingly, 1194 00:41:10,890 --> 00:41:11,039 the 1195 00:41:11,040 --> 00:41:13,049 full emulation provided better 1196 00:41:13,050 --> 00:41:15,509 performance than native, even, 1197 00:41:15,510 --> 00:41:17,789 due to the fact that even inside 1198 00:41:17,790 --> 00:41:19,709 the emulator, the clock speed of the 1199 00:41:19,710 --> 00:41:22,229 emulated firmware is higher than on the 1200 00:41:22,230 --> 00:41:23,230 actual device. 1201 00:41:25,230 --> 00:41:27,419 Now, the next demo 1202 00:41:27,420 --> 00:41:30,329 is actually a subset of this work. 1203 00:41:30,330 --> 00:41:31,679 It shows the record 1204 00:41:31,680 --> 00:41:33,839 and replay features which we have 1205 00:41:33,840 --> 00:41:34,860 when using PANDA.
1206 00:41:36,720 --> 00:41:39,299 This is especially cool because 1207 00:41:39,300 --> 00:41:40,919 normally, if you analyze 1208 00:41:40,920 --> 00:41:42,779 or dynamically analyze an embedded 1209 00:41:42,780 --> 00:41:45,329 device, you need the device physically 1210 00:41:45,330 --> 00:41:47,429 with you, physically present. 1211 00:41:47,430 --> 00:41:48,959 However, by utilizing 1212 00:41:48,960 --> 00:41:51,239 PANDA, we can 1213 00:41:51,240 --> 00:41:53,219 record one execution and 1214 00:41:53,220 --> 00:41:56,189 replay it later 1215 00:41:56,190 --> 00:41:58,259 inside the emulator without the need 1216 00:41:58,260 --> 00:42:00,539 of having the device present. 1217 00:42:00,540 --> 00:42:02,609 So let's look 1218 00:42:02,610 --> 00:42:03,989 at this in a demo. 1219 00:42:03,990 --> 00:42:06,089 So, first of all, so that you believe me, 1220 00:42:06,090 --> 00:42:08,189 the software 1221 00:42:08,190 --> 00:42:10,259 running on this guy is 1222 00:42:10,260 --> 00:42:13,409 actually the 1223 00:42:13,410 --> 00:42:15,749 example firmware, as I 1224 00:42:15,750 --> 00:42:16,750 stated. 1225 00:42:17,700 --> 00:42:20,099 So we are just 1226 00:42:20,100 --> 00:42:23,149 looking at the serial output and writing 1227 00:42:23,150 --> 00:42:25,229 some stuff to the serial 1228 00:42:25,230 --> 00:42:26,219 input. 1229 00:42:26,220 --> 00:42:27,360 And here we have 1230 00:42:28,500 --> 00:42:30,929 echoed the example file itself, 1231 00:42:30,930 --> 00:42:32,999 and the main loop of the firmware 1232 00:42:33,000 --> 00:42:35,639 just gives us back the data we entered. 1233 00:42:35,640 --> 00:42:37,979 So fine, this works so far. 1234 00:42:37,980 --> 00:42:38,849 So let's look 1235 00:42:38,850 --> 00:42:41,279 at the avatar2 script 1236 00:42:41,280 --> 00:42:43,349 for recording this. 1237 00:42:43,350 --> 00:42:44,849 This one is a little bit more,
1238 00:42:46,570 --> 00:42:48,839 a little bit more huge than 1239 00:42:48,840 --> 00:42:51,000 the avatar2 scripts we saw before. 1240 00:42:52,350 --> 00:42:53,099 We define 1241 00:42:53,100 --> 00:42:54,399 two targets here: 1242 00:42:54,400 --> 00:42:55,319 the PANDA target and a 1243 00:42:55,320 --> 00:42:56,879 normal GDB target. 1244 00:42:56,880 --> 00:43:00,119 We add different memory ranges, 1245 00:43:00,120 --> 00:43:02,039 one for the read-only memory 1246 00:43:02,040 --> 00:43:03,029 with the firmware sample, 1247 00:43:03,030 --> 00:43:04,079 one 1248 00:43:04,080 --> 00:43:06,239 for the RAM, of size 14 1249 00:43:06,240 --> 00:43:07,240 pages, 1250 00:43:08,550 --> 00:43:09,539 and several ones 1251 00:43:09,540 --> 00:43:11,819 for memory-mapped I/O, whereby 1252 00:43:11,820 --> 00:43:14,429 we want to emulate the serial interface 1253 00:43:14,430 --> 00:43:15,929 with an avatar peripheral. 1254 00:43:18,090 --> 00:43:19,469 You also see here an example of 1255 00:43:19,470 --> 00:43:21,569 how to use the orchestration plugin. 1256 00:43:21,570 --> 00:43:22,859 So basically we define a 1257 00:43:22,860 --> 00:43:25,319 starting target, add a transition 1258 00:43:25,320 --> 00:43:27,389 and start orchestration. 1259 00:43:27,390 --> 00:43:29,699 This orchestration will 1260 00:43:29,700 --> 00:43:32,159 automatically transfer the state from 1261 00:43:32,160 --> 00:43:34,259 the Nucleo, from the board, to PANDA 1262 00:43:34,260 --> 00:43:35,239 once 1263 00:43:35,240 --> 00:43:37,039 a specific address is hit in 1264 00:43:37,040 --> 00:43:38,569 execution, and will 1265 00:43:38,570 --> 00:43:39,969 synchronize the RAM range.
1266 00:43:41,600 --> 00:43:43,309 Once we are there, we are beginning the 1267 00:43:43,310 --> 00:43:44,719 recording and going 1268 00:43:44,720 --> 00:43:46,969 into an IPython shell, or 1269 00:43:46,970 --> 00:43:48,679 continuing the execution inside the 1270 00:43:48,680 --> 00:43:50,609 emulator and going into an IPython shell 1271 00:43:50,610 --> 00:43:53,209 for further 1272 00:43:53,210 --> 00:43:54,210 analysis. 1273 00:43:55,190 --> 00:43:57,559 So all we need is to specify 1274 00:43:57,560 --> 00:43:58,879 a trace name. 1275 00:43:58,880 --> 00:43:59,880 OK. 1276 00:44:04,100 --> 00:44:07,009 And the demo 1277 00:44:07,010 --> 00:44:09,529 gods are not good to us this time. 1278 00:44:09,530 --> 00:44:11,869 The GDB protocol was unable 1279 00:44:11,870 --> 00:44:12,870 to connect. 1280 00:44:14,400 --> 00:44:15,739 Too bad. 1281 00:44:15,740 --> 00:44:16,549 I don't have time 1282 00:44:16,550 --> 00:44:17,779 to debug it right now. 1283 00:44:17,780 --> 00:44:20,059 However, trust me, this works 1284 00:44:20,060 --> 00:44:21,060 and, 1285 00:44:28,500 --> 00:44:30,659 on top of that, I've prepared 1286 00:44:30,660 --> 00:44:32,609 already some recordings before, which 1287 00:44:32,610 --> 00:44:33,419 are 1288 00:44:33,420 --> 00:44:35,669 impressively unspectacular, so we have 1289 00:44:35,670 --> 00:44:38,009 a run 1290 00:44:38,010 --> 00:44:38,879 replay 1291 00:44:38,880 --> 00:44:40,949 script which basically just executes 1292 00:44:40,950 --> 00:44:43,349 PANDA with the configurable 1293 00:44:43,350 --> 00:44:44,939 machine, with the 1294 00:44:44,940 --> 00:44:47,009 configuration automatically 1295 00:44:47,010 --> 00:44:49,349 generated by avatar2. 1296 00:44:49,350 --> 00:44:51,419 So let's see if at 1297 00:44:51,420 --> 00:44:53,579 least the replay works of a 1298 00:44:53,580 --> 00:44:56,439 previously recorded execution 1299 00:44:56,440 --> 00:44:58,889 at four five.
1300 00:44:58,890 --> 00:44:59,699 And here 1301 00:44:59,700 --> 00:45:01,529 we go. We have a replay completed 1302 00:45:01,530 --> 00:45:03,989 successfully and a lot of debug output 1303 00:45:03,990 --> 00:45:04,799 about 1304 00:45:04,800 --> 00:45:06,509 the configurable machine, 1305 00:45:06,510 --> 00:45:09,689 the number of executed instructions and 1306 00:45:09,690 --> 00:45:10,769 the number of 1307 00:45:11,790 --> 00:45:14,169 replayed non-deterministic 1308 00:45:14,170 --> 00:45:15,170 I/O. 1309 00:45:16,100 --> 00:45:18,489 OK, let's move on 1310 00:45:18,490 --> 00:45:19,769 to the last example. 1311 00:45:19,770 --> 00:45:22,349 I want to show you some work in progress 1312 00:45:22,350 --> 00:45:22,949 where we 1313 00:45:22,950 --> 00:45:25,409 basically want to leverage symbolic 1314 00:45:25,410 --> 00:45:27,679 execution on complex software using 1315 00:45:27,680 --> 00:45:28,499 avatar2. 1316 00:45:28,500 --> 00:45:30,539 So for this, we inserted an 1317 00:45:30,540 --> 00:45:32,239 artificial bug, because we are still in the 1318 00:45:32,240 --> 00:45:33,419 testing phase, 1319 00:45:33,420 --> 00:45:35,699 inside Firefox and executed 1320 00:45:35,700 --> 00:45:37,109 Firefox concretely 1321 00:45:37,110 --> 00:45:39,119 inside GDB until the function of 1322 00:45:39,120 --> 00:45:40,120 interest. 1323 00:45:40,680 --> 00:45:42,449 This is particularly interesting because 1324 00:45:42,450 --> 00:45:42,779 angr 1325 00:45:42,780 --> 00:45:45,209 itself won't be able to run complex 1326 00:45:45,210 --> 00:45:47,619 software such as Firefox, 1327 00:45:47,620 --> 00:45:49,709 or would need quite a while to create 1328 00:45:49,710 --> 00:45:51,059 the state.
1329 00:45:51,060 --> 00:45:53,549 We analyzed only one thread, 1330 00:45:53,550 --> 00:45:55,219 and once we hit the 1331 00:45:56,400 --> 00:45:58,109 function of interest, we 1332 00:45:58,110 --> 00:45:59,549 automatically extracted 1333 00:45:59,550 --> 00:46:01,829 the memory from GDB, where the memory 1334 00:46:01,830 --> 00:46:04,199 layout, sorry, not the memory 1335 00:46:04,200 --> 00:46:06,509 itself, just the layout, is copied into 1336 00:46:06,510 --> 00:46:08,879 angr, while the memory 1337 00:46:08,880 --> 00:46:10,739 content itself is copied on read. 1338 00:46:10,740 --> 00:46:12,959 So if angr accesses memory, 1339 00:46:12,960 --> 00:46:15,149 it actually copies it from 1340 00:46:15,150 --> 00:46:16,859 GDB to angr. 1341 00:46:16,860 --> 00:46:18,329 The reason for that is that 1342 00:46:18,330 --> 00:46:20,429 angr associates a lot of meta- 1343 00:46:20,430 --> 00:46:23,189 information with the data, 1344 00:46:23,190 --> 00:46:26,189 and this would, 1345 00:46:26,190 --> 00:46:28,379 if we dumped the full 1346 00:46:28,380 --> 00:46:30,569 memory contents into angr first, 1347 00:46:30,570 --> 00:46:32,909 exceed the amount 1348 00:46:32,910 --> 00:46:34,499 of RAM we have present, at least on this 1349 00:46:34,500 --> 00:46:35,849 machine. 1350 00:46:35,850 --> 00:46:38,549 Furthermore, we symbolize 1351 00:46:38,550 --> 00:46:40,769 the function 1352 00:46:40,770 --> 00:46:42,869 arguments and start a symbolic 1353 00:46:42,870 --> 00:46:44,699 exploration.
1354 00:46:44,700 --> 00:46:46,289 Our preliminary results here 1355 00:46:46,290 --> 00:46:48,569 are that we had approximately 1356 00:46:48,570 --> 00:46:50,519 10 minutes of runtime of the script for 1357 00:46:50,520 --> 00:46:52,649 just executing thirty-six 1358 00:46:52,650 --> 00:46:53,729 basic blocks 1359 00:46:53,730 --> 00:46:55,949 successively and 21 unique 1360 00:46:55,950 --> 00:46:56,879 paths, 1361 00:46:56,880 --> 00:46:58,349 and we found 1362 00:46:58,350 --> 00:46:59,350 the bug. 1363 00:47:00,030 --> 00:47:02,369 So let's recap the examples we saw. 1364 00:47:02,370 --> 00:47:04,439 We saw five examples: 1365 00:47:04,440 --> 00:47:06,719 dynamic instrumentation with GDB, 1366 00:47:06,720 --> 00:47:09,179 dynamic instrumentation of a PLC, 1367 00:47:09,180 --> 00:47:11,189 fault detection on a development 1368 00:47:11,190 --> 00:47:12,989 board together with PANDA, 1369 00:47:12,990 --> 00:47:15,209 recording (well, we did not see the recording, 1370 00:47:15,210 --> 00:47:16,799 but the replay 1371 00:47:16,800 --> 00:47:18,909 of the development board in the PANDA 1372 00:47:18,910 --> 00:47:19,709 setting), and 1373 00:47:19,710 --> 00:47:21,839 we very briefly saw symbolic 1374 00:47:21,840 --> 00:47:24,089 execution with Firefox and GDB. 1375 00:47:24,090 --> 00:47:26,249 Note that some of those examples 1376 00:47:26,250 --> 00:47:28,319 are already available open source, and 1377 00:47:28,320 --> 00:47:30,599 the ones which are not will most likely 1378 00:47:30,600 --> 00:47:32,840 be made available within the next months. 1379 00:47:34,770 --> 00:47:35,940 So let's wrap it up. 1380 00:47:37,200 --> 00:47:39,329 Dynamic firmware analysis is still 1381 00:47:39,330 --> 00:47:41,519 a very challenging topic, and I 1382 00:47:41,520 --> 00:47:43,649 don't claim that 1383 00:47:43,650 --> 00:47:45,989 we have solved it completely.
1384 00:47:45,990 --> 00:47:48,239 However, avatar2 tackles some 1385 00:47:48,240 --> 00:47:50,039 of the challenges and tries to 1386 00:47:51,120 --> 00:47:52,409 improve the state of the art. 1387 00:47:54,480 --> 00:47:56,549 Additionally, one interesting thing which 1388 00:47:56,550 --> 00:47:58,859 we recognized is that multi- 1389 00:47:58,860 --> 00:47:59,249 target 1390 00:47:59,250 --> 00:48:01,109 orchestration, or the concept of having 1391 00:48:01,110 --> 00:48:02,879 different emulators and frameworks 1392 00:48:02,880 --> 00:48:04,859 interacting with each other during the 1393 00:48:04,860 --> 00:48:06,239 same analysis, 1394 00:48:06,240 --> 00:48:08,339 is a concept which 1395 00:48:08,340 --> 00:48:09,149 is not 1396 00:48:09,150 --> 00:48:11,819 limited to firmware only, but also 1397 00:48:11,820 --> 00:48:14,039 desktop software analyses 1398 00:48:14,040 --> 00:48:15,059 can benefit from it. 1399 00:48:16,650 --> 00:48:18,329 As it's almost the end of 1400 00:48:18,330 --> 00:48:20,549 the year, we also made 1401 00:48:20,550 --> 00:48:22,049 some plans for the New 1402 00:48:22,050 --> 00:48:23,519 Year, for the next year. 1403 00:48:23,520 --> 00:48:25,619 We basically want to move our main 1404 00:48:25,620 --> 00:48:27,509 development to GitHub. 1405 00:48:27,510 --> 00:48:30,119 Currently, we develop in 1406 00:48:30,120 --> 00:48:32,099 a private repo, which is 1407 00:48:32,100 --> 00:48:34,229 a little bit sad, because keeping it 1408 00:48:34,230 --> 00:48:35,999 in sync is a little bit harder. 1409 00:48:36,000 --> 00:48:37,619 Then we want to introduce proper 1410 00:48:37,620 --> 00:48:39,539 versioning to the avatar2 tool and, of 1411 00:48:39,540 --> 00:48:41,669 course, add more and more exciting targets to 1412 00:48:41,670 --> 00:48:45,029 enable more and more exciting analyses.
1413 00:48:45,030 --> 00:48:47,609 So if you're interested in helping us 1414 00:48:47,610 --> 00:48:49,139 or just want 1415 00:48:49,140 --> 00:48:50,429 to ask some questions, 1416 00:48:50,430 --> 00:48:52,979 feel free to contact us on IRC 1417 00:48:52,980 --> 00:48:54,569 or mail, or just come to 1418 00:48:54,570 --> 00:48:56,789 talk directly to me. And 1419 00:48:56,790 --> 00:48:57,869 one small disclaimer: 1420 00:48:57,870 --> 00:48:59,999 we may be looking for people to join our 1421 00:49:00,000 --> 00:49:01,709 group in the near future. 1422 00:49:02,800 --> 00:49:04,319 Although I'm running out of time, 1423 00:49:04,320 --> 00:49:06,659 I just show the acknowledgments 1424 00:49:06,660 --> 00:49:08,849 shortly, and I guess we can move 1425 00:49:08,850 --> 00:49:09,689 over 1426 00:49:09,690 --> 00:49:10,690 to the Q&A. 1427 00:49:20,660 --> 00:49:22,459 Thank you. And the first question goes to 1428 00:49:22,460 --> 00:49:23,460 the internet. 1429 00:49:27,720 --> 00:49:30,569 So, does the framework 1430 00:49:30,570 --> 00:49:33,629 support complex x86 1431 00:49:33,630 --> 00:49:36,020 systems like the Intel ME? 1432 00:49:40,110 --> 00:49:42,299 So the framework itself is 1433 00:49:42,300 --> 00:49:43,919 not executing 1434 00:49:45,060 --> 00:49:46,079 any, 1435 00:49:46,080 --> 00:49:47,819 any software itself. 1436 00:49:47,820 --> 00:49:50,249 Instead, it uses underlying tools, 1437 00:49:52,140 --> 00:49:53,909 other tools and targets, to execute 1438 00:49:53,910 --> 00:49:54,659 software. 1439 00:49:54,660 --> 00:49:56,849 So if you execute it concretely 1440 00:49:56,850 --> 00:49:58,229 on GDB, using 1441 00:49:58,230 --> 00:50:00,479 GDB on your machine, the tool 1442 00:50:00,480 --> 00:50:01,829 is just fine.
1443 00:50:01,830 --> 00:50:04,139 What you probably need to do is 1444 00:50:04,140 --> 00:50:06,389 to augment a little 1445 00:50:06,390 --> 00:50:08,279 bit the register definitions inside 1446 00:50:08,280 --> 00:50:10,569 the architecture, or inside 1447 00:50:10,570 --> 00:50:11,820 the architecture abstractions. 1448 00:50:15,220 --> 00:50:16,719 OK, next question goes to microphone 1449 00:50:16,720 --> 00:50:17,789 four. 1450 00:50:17,790 --> 00:50:20,139 Yeah, I haven't heard about 1451 00:50:20,140 --> 00:50:22,299 PANDA before, but as I understand, 1452 00:50:22,300 --> 00:50:25,179 you can record and replay executions, 1453 00:50:25,180 --> 00:50:27,429 and that includes, like, 1454 00:50:27,430 --> 00:50:29,829 executions on possibly 1455 00:50:29,830 --> 00:50:32,259 the real hardware, partly in QEMU. 1456 00:50:32,260 --> 00:50:34,539 Could you use it for debugging as well? 1457 00:50:34,540 --> 00:50:37,029 Like also, like, reversible debugging, 1458 00:50:37,030 --> 00:50:38,889 like, for example, you step into code and 1459 00:50:38,890 --> 00:50:41,079 then you jump back to a certain point 1460 00:50:41,080 --> 00:50:42,080 of the recording? 1461 00:50:43,840 --> 00:50:44,759 Actually, yes. 1462 00:50:44,760 --> 00:50:46,869 So the original purpose 1463 00:50:46,870 --> 00:50:48,159 of PANDA is 1464 00:50:48,160 --> 00:50:50,409 just reverse engineering of 1465 00:50:50,410 --> 00:50:52,809 software just executed 1466 00:50:52,810 --> 00:50:54,669 inside the emulator. 1467 00:50:54,670 --> 00:50:57,219 And it also helps. 1468 00:50:57,220 --> 00:50:58,119 Or, I don't 1469 00:50:58,120 --> 00:50:59,949 know how far the development state is for 1470 00:50:59,950 --> 00:51:01,719 stepping back, but I think they were 1471 00:51:01,720 --> 00:51:02,720 working on it.
1472 00:51:03,640 --> 00:51:04,779 And in general, 1473 00:51:04,780 --> 00:51:06,849 while replaying, you can 1474 00:51:06,850 --> 00:51:07,659 always 1475 00:51:07,660 --> 00:51:09,879 attach to the replayed 1476 00:51:09,880 --> 00:51:12,159 execution with GDB or another 1477 00:51:12,160 --> 00:51:14,379 tool and start analyzing for your 1478 00:51:14,380 --> 00:51:15,380 own purposes. 1479 00:51:16,750 --> 00:51:17,750 Thank you. 1480 00:51:19,390 --> 00:51:21,280 Does the signal angel have additional questions? 1481 00:51:24,200 --> 00:51:26,129 Then we go back to microphone four again. 1482 00:51:26,130 --> 00:51:28,369 Yeah, thanks. 1483 00:51:28,370 --> 00:51:30,919 First of all, I have two questions, 1484 00:51:30,920 --> 00:51:33,089 OK? First: is PANDA 1485 00:51:33,090 --> 00:51:36,049 released now? Because I guess 1486 00:51:36,050 --> 00:51:38,239 you're still going 1487 00:51:38,240 --> 00:51:41,419 to publish the paper about it, or 1488 00:51:41,420 --> 00:51:42,920 no? PANDA is released 1489 00:51:44,210 --> 00:51:46,939 as open source, and we instrumented 1490 00:51:46,940 --> 00:51:48,589 and have a modified version of PANDA 1491 00:51:48,590 --> 00:51:50,659 inside the avatar2 framework. 1492 00:51:50,660 --> 00:51:53,089 But you can also get it on 1493 00:51:53,090 --> 00:51:55,609 github.com/panda 1494 00:51:55,610 --> 00:51:57,499 /panda, I think. 1495 00:51:57,500 --> 00:51:59,839 OK. So, second, 1496 00:51:59,840 --> 00:52:01,939 I remember the problem with Avatar 1497 00:52:01,940 --> 00:52:04,339 one, which was 1498 00:52:04,340 --> 00:52:07,039 it was slow, and 1499 00:52:07,040 --> 00:52:09,499 I want to know what are the improvements 1500 00:52:09,500 --> 00:52:11,029 in avatar2 1501 00:52:11,030 --> 00:52:12,849 regarding this? 1502 00:52:12,850 --> 00:52:15,019 Yeah. Yeah, that's a very excellent 1503 00:52:15,020 --> 00:52:16,189 question.
1504 00:52:16,190 --> 00:52:18,559 And we improved 1505 00:52:18,560 --> 00:52:19,560 the, 1506 00:52:20,840 --> 00:52:22,099 the speed quite a lot. 1507 00:52:22,100 --> 00:52:24,799 Unfortunately, we couldn't see it in the 1508 00:52:24,800 --> 00:52:25,800 demo of 1509 00:52:26,810 --> 00:52:29,359 recording the executions 1510 00:52:29,360 --> 00:52:30,829 here, but, 1511 00:52:30,830 --> 00:52:33,049 let's say, in Avatar one 1512 00:52:33,050 --> 00:52:34,069 the main bottleneck 1513 00:52:34,070 --> 00:52:36,139 was memory interactions with the physical 1514 00:52:36,140 --> 00:52:37,099 device. 1515 00:52:37,100 --> 00:52:39,289 And we did some kind 1516 00:52:39,290 --> 00:52:41,719 of benchmarks: the transfer of 1517 00:52:41,720 --> 00:52:42,949 40k pages, 1518 00:52:42,950 --> 00:52:45,109 which we needed for this example, 1519 00:52:45,110 --> 00:52:47,179 took in Avatar one something around two to 1520 00:52:47,180 --> 00:52:49,999 five minutes, while here we are done in 1521 00:52:50,000 --> 00:52:51,889 one to five seconds. 1522 00:52:51,890 --> 00:52:53,959 So it's a significant speedup, 1523 00:52:53,960 --> 00:52:54,979 but still not 1524 00:52:56,060 --> 00:52:57,889 fast enough to comply with real-time 1525 00:52:57,890 --> 00:52:58,890 requirements. 1526 00:52:59,640 --> 00:53:00,640 Thanks. 1527 00:53:05,700 --> 00:53:07,639 OK, next question goes to microphone two. 1528 00:53:09,620 --> 00:53:11,939 Hi. Embedded 1529 00:53:11,940 --> 00:53:14,099 systems rather often have real-time 1530 00:53:14,100 --> 00:53:15,629 components. 1531 00:53:15,630 --> 00:53:18,929 Could you then, for example, just 1532 00:53:18,930 --> 00:53:21,089 hook into a FreeRTOS 1533 00:53:21,090 --> 00:53:23,279 thread to 1534 00:53:23,280 --> 00:53:25,589 just analyze the 1535 00:53:25,590 --> 00:53:27,090 non-time-critical parts? 1536 00:53:28,650 --> 00:53:30,869 Yes, this should be possible.
1537 00:53:30,870 --> 00:53:33,089 I mean, in general, we 1538 00:53:33,090 --> 00:53:35,429 have to investigate a little bit more 1539 00:53:35,430 --> 00:53:38,039 real-time-dependent 1540 00:53:38,040 --> 00:53:38,969 embedded systems. 1541 00:53:38,970 --> 00:53:41,129 We currently put it a little bit out of 1542 00:53:41,130 --> 00:53:43,409 scope, but it's for sure one thing 1543 00:53:43,410 --> 00:53:45,749 we will look into in the future. 1544 00:53:45,750 --> 00:53:48,359 And I think, 1545 00:53:48,360 --> 00:53:48,599 for 1546 00:53:48,600 --> 00:53:50,579 the non-real-time-critical parts, 1547 00:53:50,580 --> 00:53:52,289 it may be just working. 1548 00:53:53,380 --> 00:53:54,380 Thanks. 1549 00:53:57,370 --> 00:53:58,359 OK. 1550 00:53:58,360 --> 00:53:59,449 Yes, internet. 1551 00:54:00,580 --> 00:54:02,859 Someone would 1552 00:54:02,860 --> 00:54:04,929 like to know if 1553 00:54:04,930 --> 00:54:07,569 there is a roadmap for 1554 00:54:07,570 --> 00:54:09,430 MIPS, 1555 00:54:11,580 --> 00:54:13,659 for MIPS support in 1556 00:54:13,660 --> 00:54:14,660 avatar2. 1557 00:54:15,790 --> 00:54:17,889 No, there's no road- 1558 00:54:17,890 --> 00:54:19,389 map currently available. 1559 00:54:19,390 --> 00:54:22,509 We started implementing it and it gets 1560 00:54:22,510 --> 00:54:24,669 improved a little bit on the side. 1561 00:54:24,670 --> 00:54:25,749 If someone wants to 1562 00:54:25,750 --> 00:54:27,819 step in and help with it, 1563 00:54:27,820 --> 00:54:29,259 help with it, 1564 00:54:29,260 --> 00:54:30,279 we are happy. 1565 00:54:30,280 --> 00:54:32,589 I can tell what 1566 00:54:32,590 --> 00:54:35,229 has to be done to enable support, 1567 00:54:35,230 --> 00:54:38,259 and, well, 1568 00:54:38,260 --> 00:54:39,189 in general, 1569 00:54:39,190 --> 00:54:40,719 we are working on it.
1570 00:54:40,720 --> 00:54:42,909 But sorry, I cannot tell a specific time 1571 00:54:42,910 --> 00:54:43,960 when it's going to be ready. 1572 00:54:46,800 --> 00:54:48,150 OK. Any further questions? 1573 00:54:50,180 --> 00:54:51,840 No? Thank you. 1574 00:54:52,880 --> 00:54:54,919 When you leave, please take your trash, 1575 00:54:54,920 --> 00:54:57,199 your shoes and other belongings with you, 1576 00:54:57,200 --> 00:54:58,280 and wash your hands. 1577 00:55:04,370 --> 00:55:05,370 Thank you.