EXPLOITING EMBEDDED SYSTEMS THE SEQUEL!

More documents

Recommendations

Info

Debugging and Reversing• BDI2000 speaks GDB protocol• Any supported processor core can be debugged over remote gdb• gdb must be compiled for specific processor• Other embedded debuggers are mostly… badDebugging ROM code - demonstrationCopyright © 2007 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 22
New Attack Classes• Exploitable NULL pointer vulnerabilities• This common wrapper returns a NULL pointer if passed 0• But what if 0x0 is mapped in memory??void *xmalloc(size_t amt){if (amt != 0) {void *block = malloc(amt);if (block == NULL) {fprintf(stderr, "out of memory\n");exit(EXIT_FAILURE);}return block;}return NULL;}Copyright © 2007 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 23
Page 1 and 2: EXPLOITING EMBEDDEDSYSTEMSTHE SEQUE
Page 3 and 4: Embedded Architectures• MIPS and
Page 5 and 6: The ARM Architecture• RISC based
Page 7 and 8: The BDI2000JTAG Support for:• MIP
Page 9 and 10: The JTAG Interface - ARM/XSCALE•
Page 11 and 12: The Serial Interface• Support for
Page 13 and 14: Locating the JTAG pointsTypical sce
Page 15 and 16: Connecting the BDI2000Copyright ©
Page 17 and 18: Defeating the Watchdog• Software
Page 19 and 20: Debugging and Reversing• Flash on
Page 21: Debugging and Reversing• Decrypte
Page 25 and 26: New Attack Classes - Vector Rewrite
Page 27 and 28: New Attack Classes - Prevention•
Page 29 and 30: System-On-Chip Designs• Many chip
Page 31 and 32: Exploitation (ARM)• The ARM proce
Page 33 and 34: ExploitationTwo Step Exploitation1
Page 35 and 36: Exploitation (ARM)Set remote config
Page 37 and 38: Exploitation• Successful exploit
Page 39 and 40: Firmware PatchConsiderations:• Ne
Page 41 and 42: Injector 2.0• Watch for downloads
Page 43 and 44: Exploit DemonstrationDEMO!Copyright
Page 45 and 46: Summary• Security flaws are abund

EXPLOITING EMBEDDED SYSTEMS THE SEQUEL!

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?