EXPLOITING EMBEDDED SYSTEMS THE SEQUEL!

More documents

Recommendations

Info

Exploitation• Embedded stack overflows are reliable – few firmware revisions• Overwrite $pc, redirect to attacker code -- standard fare!• Can be very reliable on ARM as $pc can be operated on directly• Examples: redirect $pc to:ARM:MIPS:mov $pc, j Copyright © 2007 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 30
Exploitation (ARM)• The ARM processor supports THUMB mode• Very helpful for writing shellcode• ARM mode instructions are 32 bit, word aligned• THUMB mode instructions are 16 bit, half-word aligned• Results in very small code, and is easy to avoid NULL bytes• Switch to THUMB mode by executing the BX instruction with state bitclearedCopyright © 2007 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 31
Page 1 and 2: EXPLOITING EMBEDDEDSYSTEMSTHE SEQUE
Page 3 and 4: Embedded Architectures• MIPS and
Page 5 and 6: The ARM Architecture• RISC based
Page 7 and 8: The BDI2000JTAG Support for:• MIP
Page 9 and 10: The JTAG Interface - ARM/XSCALE•
Page 11 and 12: The Serial Interface• Support for
Page 13 and 14: Locating the JTAG pointsTypical sce
Page 15 and 16: Connecting the BDI2000Copyright ©
Page 17 and 18: Defeating the Watchdog• Software
Page 19 and 20: Debugging and Reversing• Flash on
Page 21 and 22: Debugging and Reversing• Decrypte
Page 23 and 24: New Attack Classes• Exploitable N
Page 25 and 26: New Attack Classes - Vector Rewrite
Page 27 and 28: New Attack Classes - Prevention•
Page 29: System-On-Chip Designs• Many chip
Page 33 and 34: ExploitationTwo Step Exploitation1
Page 35 and 36: Exploitation (ARM)Set remote config
Page 37 and 38: Exploitation• Successful exploit
Page 39 and 40: Firmware PatchConsiderations:• Ne
Page 41 and 42: Injector 2.0• Watch for downloads
Page 43 and 44: Exploit DemonstrationDEMO!Copyright
Page 45 and 46: Summary• Security flaws are abund

EXPLOITING EMBEDDED SYSTEMS THE SEQUEL!

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?