NETWORK INSECURITY: SIMPLE HACKS OF ARM CORTEX-M DEVICES
Jonny Doin CEO, GridVortex
Agenda
• IoT: Embedded + Internet (?)
• What it means to be connected to The Internet
• Embedded == Resource Scarcity (?)
• Design Hazards
• Exploits
• Famous Hacks on Things
• Compromising the Network
• Design for hacking
IoT: Embedded + Internet
What is being called the Internet of Things is a new domain of a very old activity, the design of Embedded Systems, with a twist: connection to the Internet.
These systems must cope with a set of new requirements that were not imposed on earlier Embedded Systems.
IoT: Embedded + Internet (2)
Traditionally, Embedded Systems were designed for specific-purpose networks, such as industrial control networks.
Such networks typically have well-defined traffic and command sets:
• Profibus, DeviceNet, Modbus, ...
The Internet
The Robustness Principle underlying the TCP protocol:
"TCP implementations will follow a general principle of robustness: be conservative in what you do, be liberal in what you accept from others."
― Jon Postel, RFC 793 (1981)
In many respects, this ethic is what allows us to drive cars on two-way highways.
http://www.usc.edu/webcast/archive/events/postel/postel.jpg
The Internet (2)
The Internet was once called The Information Superhighway.
That is great.
http://anmblog.typepad.com/.a/6a00d8341c565553ef0168ea4ed606970c-500wi
The Internet (3)
For an Embedded System, it is more like this:
http://www.urbanrealm.com/images/news/newspic_2558.jpg
What it means ...
The Internet is the most toxic environment ever designed in the history of computing.
It can be compared to driving on a two-way high-speed highway with no traffic laws, packed with psychopath drivers.
http://thumbs.dreamsame.com/x/crazy-driver-2144023.jpg
What it means ... (2)
Among the new communication protocols and functionality, connected Embedded Systems must cope with:
• Malformed packets
• Corrupted payloads
• High packet rates (flooding)
• Attacks
What it means ...(3)
INTERNET REALITY: YOU WILL BE HACKED
http://stat.ks.kidsklik.com/staacs/files/2012/10/13496768121110667387.jpg
Embedded == Resource Scarcity
http://cdn.hieix.com/photos/6561/MYTHBUSTERS5_031_event_main.jpg
In Embedded Systems, it is far too common to see design simplification due to constrained resources.
MYTH: System Safety cannot be implemented in small Embedded Devices
Embedded == Resource Scarcity (2)
http://i.livescience.com/images/i/000/034/425/original/boxjelly.jpg?1355348969
Take a very limited-resource organism: the Box Jellyfish.
It has no brain. However, it has:
• EYES,
• JET PROPULSION,
• CHEMICAL WEAPONS
Embedded == Resource Scarcity (3)
If Safety and Security are treated as non-functional requirements (NFRs), they will most likely never be implemented.
Safety must be a Functional Requirement from very early in the design. Even the simplest circuit can be designed with failsafe behavior.
Embedded == Resource Scarcity (4)
Even moderately small 8-bit MCUs can have:
• Cryptographic hash functions
• Full pointer safety verification
• Failsafe design
• Full I/O interface integrity
For an ARM Cortex-M, there is NO EXCUSE: a SHA-256 block on an ARM at 100 MHz takes less than 25 µs.
Design Hazards
The designer of Internet-connected systems must design for such hazards, taking into account that the system will be hacked, and implement failsafe behaviors from design inception.
Design Hazards (2)
INTERNET FAILSAFE DESIGN REALITY: YOU CAN'T
http://cdn.toonvectors.com/images/35/22680/toonvectors-22680-140.jpg
Design Hazards (3)
If you don't know how to hack into your system, it's just because you don't know it well enough.
The Designer must be the Hacker Maximus of his/her own system.
http://chmatrix.com/wp-content/uploads/2013/11/alice-in-matrix.jpg
Exploits
Every design has weaknesses:
• Structural
• Architectural
• Design Flaws
• Core Logic
• Communications
Exploits: Structural
The most common structural exploit via a communications channel is a buffer overflow.
It happens when received data (a text stream, for example) is written past a buffer boundary.
Exploits: Structural (2)
For systems written in C, buffer overflows can happen in garden-variety input/output functions:
gets()
scanf()
sprintf()
Exploits: Structural (3)
char *gets(char *s);
int scanf(const char * restrict format, ...);
int sprintf(char * restrict s, const char * restrict format, ...);
In all these functions, the size of the destination array behind the char * argument is not known to the function, so it can be exceeded.
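As an added example (not from the original slides), the unsafe pattern above beside its bounded replacement, written for a bare-metal device that receives command lines over the network. The protocol, the 32-byte line limit, the command names and the sample traffic are all constructed for the example: recv_line() stands in for gets(), and handle_line_safe() replaces the scanf("%s") / sprintf() pair with a length-checked token copy and an snprintf() whose return value is actually checked.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 32   /* longest command line the (hypothetical) protocol allows, incl. NUL */
#define CMD_MAX      16   /* longest command token, incl. NUL */
#define REPLY_MAX    32

/* --- The vulnerable pattern the slide warns about: unbounded copies of network data --- */
void handle_line_unsafe(const char *line, char *reply)
{
    char cmd[CMD_MAX];
    sscanf(line, "%s", cmd);       /* no field width: a token of 16+ bytes overruns cmd on the stack */
    sprintf(reply, "OK %s", cmd);  /* sprintf has no idea how big reply is */
}

/* --- The hardened pattern --- */

/* gets() replacement for a bare-metal socket: extract one '\n'-terminated line from a received
 * byte stream, never writing more than out_len bytes. An over-long line is drained and rejected,
 * so it can neither overflow out nor be silently truncated into a different valid command. */
bool recv_line(const unsigned char *stream, size_t stream_len, size_t *pos,
               char *out, size_t out_len)
{
    size_t n = 0;
    if (out_len == 0) return false;
    while (*pos < stream_len) {
        unsigned char c = stream[(*pos)++];
        if (c == '\n') { out[n] = '\0'; return true; }
        if (n + 1 >= out_len) {                                       /* no room for c plus the NUL */
            while (*pos < stream_len && stream[(*pos)++] != '\n') { } /* drain the rest of the line */
            return false;
        }
        out[n++] = (char)c;
    }
    return false;   /* stream ended mid-line: wait for more data rather than act on a fragment */
}

/* scanf("%s") + sprintf() replacement: bounded token copy, then snprintf with its result checked. */
bool handle_line_safe(const char *line, char *reply, size_t reply_len)
{
    char cmd[CMD_MAX];
    size_t n = 0;
    while (line[n] != '\0' && line[n] != ' ') {
        if (n == CMD_MAX - 1) return false;   /* token does not fit: reject, do not truncate */
        cmd[n] = line[n];
        n++;
    }
    cmd[n] = '\0';
    if (n == 0) return false;                 /* empty command */
    int w = snprintf(reply, reply_len, "OK %s", cmd);
    return w >= 0 && (size_t)w < reply_len;   /* snprintf returns the length it wanted; >= reply_len means truncated */
}

/* Run both stages over a whole received buffer. Returns the number of lines accepted;
 * the reply to the last accepted line is left in last_reply. */
size_t process_stream(const unsigned char *stream, size_t stream_len, char *last_reply, size_t reply_len)
{
    char line[LINE_MAX_LEN];
    size_t pos = 0, accepted = 0;
    while (pos < stream_len) {
        if (!recv_line(stream, stream_len, &pos, line, sizeof line)) continue;  /* pos always advances */
        if (handle_line_safe(line, last_reply, reply_len)) accepted++;
    }
    return accepted;
}

int main(void)
{
    /* Constructed sample traffic: a valid command, a 50-byte flood line, and a command with an argument. */
    static const unsigned char rx[] =
        "reboot\n"
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
        "status now\n";
    char reply[REPLY_MAX] = "";
    size_t ok = process_stream(rx, sizeof rx - 1, reply, sizeof reply);
    printf("%zu lines accepted, last reply: \"%s\"\n", ok, reply);   /* 2 lines accepted, last reply: "OK status" */
    return 0;
}
```

Note the policy choice: an oversized line or token is rejected outright rather than truncated. Truncation is what turns "shutdownnow..." into a command the device never meant to accept, and a protocol designed for the device should state its maximum lengths so that exceeding them is itself a fault.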
Exploits: Architectural (1)
Buffer overflow exploits can be used to gain control of a system, especially when the buffer is allocated on the stack.
Such an overflow is also called a buffer overrun: carefully crafted data written past the buffer overwrites the saved return address on the stack, making the processor "return to" an address of the attacker's choosing.
Exploits: Architectural (2)
ARM architecture RET2ZP exploit: Return to Zero Protection.
Evolved from the well-known ret2libc x86 technique: a buffer overflow places a precisely crafted return address that causes a jump to a known address in the libc code base.
Exploits: Architectural (3)
RET2ZP: Return Oriented Programming
Works on ARMv7 (Cortex-A and Cortex-M) even when the stack is marked XN (Execute Never), because no injected code is ever executed: the return address points into existing libc code, which is then used to, for example, reach system() with an attacker-supplied command.
Published at DEF CON 18 by Zuk Avraham (Samsung).
Exploits: Design Flaws (1)
Injection attacks: poorly designed command interfaces, unused terminal ports, OTAP (over-the-air) update protocols, app store injection:
• open consoles on streaming devices
• command execution interfaces
• open debug ports and backdoors
• fake OTAP downloads
• rogue apps
Exploits: System (1)
Many Linux systems are BusyBox with open U-Boot builds.
Linux-based UART hacks
• Locate the UART serial lines on the PCB
• U-Boot access via UART
• root the system
Exploits: System (2)
Linux USB hacks
• physically access the USB interface
• USB VCP: U-Boot access -> root
• USB filesystem: boot file mods -> root
• U-Boot scripts -> root
Exploits: System (3)
SD-card and eMMC
• SPI line interception
• direct access to the filesystem
• boot script mods
• root the system
Exploits: Communications (1)
Webserver attacks
• URL buffer overflow
• command execution
• system() access
• root with remote console
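An added example (not code from the talk) that covers both the injection attacks listed under Design Flaws and the webserver attacks above: a request-line parser for a small device webserver that bounds the path length before copying anything, allowlists the bytes a path may contain, refuses "..", and dispatches through a fixed route table instead of ever handing request data to system(). The GET-only protocol, the 32-byte path limit, the routes and the reply bodies are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PATH_MAX_LEN 32   /* longest resource path the device accepts, including NUL (assumed) */

/* The only bytes a resource path may contain. Shell metacharacters (';', '|', '`', '$', '&',
 * quotes, spaces, newlines) are simply not in the set, so no accepted path can carry a command. */
static const char PATH_ALLOWED[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/_-.";

typedef enum { REQ_OK, REQ_BAD_METHOD, REQ_MALFORMED, REQ_PATH_TOO_LONG, REQ_BAD_CHAR, REQ_TRAVERSAL } req_status;

/* Parse "GET <path> HTTP/1.x" from a raw request line of line_len bytes (need not be NUL-terminated). */
req_status parse_request_line(const char *line, size_t line_len, char path[PATH_MAX_LEN])
{
    static const char method[] = "GET ";
    const size_t mlen = sizeof method - 1;
    if (line_len < mlen || memcmp(line, method, mlen) != 0) return REQ_BAD_METHOD;
    const char *p = line + mlen;
    size_t remain = line_len - mlen, n = 0;
    while (n < remain && p[n] != ' ') n++;                    /* path token ends at the space before "HTTP/" */
    if (n == remain || n == 0 || p[0] != '/') return REQ_MALFORMED;
    if (n >= PATH_MAX_LEN) return REQ_PATH_TOO_LONG;         /* length is checked before any copy */
    for (size_t i = 0; i < n; i++)
        if (p[i] == '\0' || strchr(PATH_ALLOWED, p[i]) == NULL) return REQ_BAD_CHAR;
    for (size_t i = 0; i + 1 < n; i++)
        if (p[i] == '.' && p[i + 1] == '.') return REQ_TRAVERSAL;  /* no escaping the resource root */
    if (remain - n < 8 || memcmp(p + n, " HTTP/1.", 8) != 0) return REQ_MALFORMED;
    memcpy(path, p, n);
    path[n] = '\0';
    return REQ_OK;
}

/* Dispatch by table lookup: each path maps to a handler that produces a fixed reply.
 * Nothing here builds a shell command or calls system(). */
typedef const char *(*handler_fn)(void);
static const char *status_handler(void)  { return "status: running"; }   /* constructed placeholder bodies */
static const char *version_handler(void) { return "version: 1.0"; }
static const struct { const char *path; handler_fn fn; } ROUTES[] = {
    { "/status",  status_handler },
    { "/version", version_handler },
};

/* Returns an HTTP status code and writes the reply body; 400 for anything the parser refused. */
int handle_request(const char *line, size_t line_len, char *body, size_t body_len)
{
    char path[PATH_MAX_LEN];
    req_status st = parse_request_line(line, line_len, path);
    if (st != REQ_OK) { snprintf(body, body_len, "bad request (%d)", (int)st); return 400; }
    for (size_t i = 0; i < sizeof ROUTES / sizeof ROUTES[0]; i++)
        if (strcmp(path, ROUTES[i].path) == 0) { snprintf(body, body_len, "%s", ROUTES[i].fn()); return 200; }
    snprintf(body, body_len, "not found");
    return 404;
}

int main(void)
{
    /* Constructed request lines: one benign, one carrying a shell injection attempt, one traversal. */
    const char *reqs[] = { "GET /status HTTP/1.1", "GET /status;reboot HTTP/1.1", "GET /../etc/passwd HTTP/1.1" };
    for (int i = 0; i < 3; i++) {
        char body[64];
        int code = handle_request(reqs[i], strlen(reqs[i]), body, sizeof body);
        printf("%-30s -> %d %s\n", reqs[i], code, body);
    }
    return 0;
}
```

The route table is the important part: a device that needs to execute an action on a request should map a validated path to a function in the firmware, never to a string that is concatenated into a shell command.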
Famous Hacks on Things
At DEF CON 22, GTVHacker (now exploitee.rs) presented a smashing demonstration of 20 famous Things mercilessly hacked in 45 minutes.
All of them were Linux-based devices.
Compromising the Network
Assume that your network will be compromised.
Have failsafe and intelligent behavior that copes with that.
Distributed intelligence can lead to safer connected systems.
Designing for Hacking
A system that has been hacked loses its internal integrity.
System compromise detection mechanisms can be implemented in hardware and at low level.
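One low-level compromise detection mechanism, as an added example rather than anything from the slides: stack painting with a guard word at the bottom of the stack plus a high-water-mark check, the technique RTOS kernels use for stack overflow detection, with a failsafe reaction when the guard is found clobbered. The task stack is simulated as a C array so the code runs on a host; STACK_WORDS, the guard and fill patterns and the failsafe flag are assumptions for the example. On a real Cortex-M the check would run from SysTick or a supervisor task and the reaction would end in a system reset.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define STACK_WORDS 64
#define GUARD_WORD  0xDEADC0DEu   /* sentinel at the lowest stack address (assumed value) */
#define FILL_WORD   0xA5A5A5A5u   /* pattern the stack is painted with at boot (assumed value) */

/* Simulated task stack. On a Cortex-M the stack grows toward lower addresses, so index 0 here is
 * the last word before the stack would overrun into whatever the linker placed below it. */
static uint32_t task_stack[STACK_WORDS];
static bool failsafe_flag;

/* Boot-time: paint the stack and plant the guard word. */
void stack_paint(void)
{
    for (size_t i = 0; i < STACK_WORDS; i++) task_stack[i] = FILL_WORD;
    task_stack[0] = GUARD_WORD;
}

/* Words still untouched between the guard and the deepest point the stack ever reached (high-water mark). */
size_t stack_headroom_words(void)
{
    size_t i = 1;
    while (i < STACK_WORDS && task_stack[i] == FILL_WORD) i++;
    return i - 1;
}

bool stack_guard_intact(void) { return task_stack[0] == GUARD_WORD; }
bool failsafe_entered(void)   { return failsafe_flag; }

/* Failsafe reaction: on real hardware, drive actuators to their safe state, record the event in
 * non-volatile memory and reset the MCU. A flag stands in for all of that here. */
void enter_failsafe(void) { failsafe_flag = true; }

/* Periodic integrity check, run from a supervisor task or the SysTick handler. A clobbered guard
 * means something (an overflow, or an attacker's payload) wrote past the end of the stack; zero
 * headroom means the next deep call will. Both are treated as compromise, not as a warning. */
bool stack_check(void)
{
    if (!stack_guard_intact() || stack_headroom_words() == 0) { enter_failsafe(); return false; }
    return true;
}

/* Stand-in for a call chain that pushes `words` words; words >= STACK_WORDS overruns the guard. */
void stack_simulate_push(size_t words)
{
    for (size_t i = 0; i < words && i < STACK_WORDS; i++) task_stack[STACK_WORDS - 1 - i] = 0x11111111u;
}

int main(void)
{
    stack_paint();
    stack_simulate_push(20);
    printf("headroom after 20 words: %zu, check: %s\n", stack_headroom_words(), stack_check() ? "ok" : "FAILSAFE");
    stack_simulate_push(STACK_WORDS);   /* deep recursion or an overflowing buffer reaches the guard */
    printf("guard intact: %d, check: %s\n", (int)stack_guard_intact(), stack_check() ? "ok" : "FAILSAFE");
    return 0;
}
```

The high-water mark doubles as a design-time tool: reading it after a long soak test tells you how much of the stack the firmware really uses, which is the number to size the stack from. The guard word is the cheap runtime detector; the Cortex-M MPU can back it with a no-access region below the stack so that an overrun faults immediately instead of waiting for the next check.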
Designing for Hacking (2)
Deeply Embedded Systems designers, bare-metal or not, must have full control over ALL CODE in the system.
Black boxes can mean bad surprises.
Designing for Hacking (3)
Er, Houston, ... Full Control means FAST RESPONSE ON FAILURES
http://i.space.com/images/i/000/020/852/original/apollo-13-service-module.jpg?1345740866
Final Thoughts
Good Embedded Engineering has no shortcuts. You must design for Network Insecurity, Compromised Commands, and HW failure. Always design as if people's lives depend on you.