The ARM IoT Exploit Laboratory 


Instructor:  Saumil Shah
Dates:  June 5 to 8  2023
Capacity:  30 Seats






Class Abstract



The world of ARM IoT devices is growing rapidly. Routers, IP cameras, Network video recorders, VoIP systems and several other "smart" appliances are now running on ARM SoCs. While the hardware is the latest and greatest, the software running on it is a different story.

 

The ARM IoT Exploit Laboratory is a newly updated class. This class takes a closer look at the hardware and the firmware running on it. Students shall learn how to analyse, emulate and exploit the firmware on a variety of ARM IoT devices. The class starts with extracting the firmware directly from the devices, moves on to creating an emulated test environment for fuzzing and debugging, and writing end to end exploits for the devices. The class shall feature an array of hardware targets of varying complexity. Students shall have ample time for hands on exercises to sharpen their exploitation skills.


 


UPDATED CONTENT



- Extra exercises on defeating Stack Cookies


- Fresh content on Infoleak bugs


- A preview into the world of ARM64 exploitation


- Hardware level firmware extraction from IoT devices


EMUX:A new firmware emulation framework for accurate emulation of IoT devices,including nvram.


- New hardware targets: Network video recorders, multiple IP cameras, multiple routers, and perhaps more.




KEY LEARNING OBJECTIVE 



- A quick introduction to ARM architecture and assembly


- An introduction to ARM IoT devices


- Under the hood - circuit boards, pins, interfaces and flash chips


- Firmware Extraction via UART


- Firmware Extraction directly from flash memory


- Introducing the EMUX Firmware Emulation Framework


- How to emulate an IoT device in EMUX


- Exploiting vulnerabilities in the IoT device


- Bypassing exploit mitigation technologies - DEP and ASLR


- Practical ARM ROP chains


- Customised ARM shellcode


- Overcoming limitations - payload size, bad characters, encodings


- A deeper look into firmware emulation - emulating nvram, patching factory defaults


- Working around missing emulated hardware - tracing binaries, patching libraries


- Exercises, exercises and more exercises


- The Lab environment is a mixture of physical ARM hardware and EMUX Docker images




WHO SHOULD ATTEND 



- Past x86/ARM Exploit Laboratory students


- Pentesters working on ARM embedded environments. (SoCs, IoT, etc)


- Red Team members, who want to pen-test custom binaries and exploit custom build applications


- Bug Hunters, who want to write exploits for all the crashes they find


- Members of military or government cyberwarfare units


- Members of reverse engineering research teams


- People frustrated at IoT devices to the point they want to break 'em!




CONTENTS



PART 1 - Exploitation and Shellcode



- A quick introduction to ARM architecture and assembly language


- EXERCISE - Learn ARM assembly by compiling and reverse engineering binaries


- EXERCISE - Using GDB for debugging ARM ELF binaries


- An introduction to ARM IoT devices


- Introducting the EMUX Firmware Emulation Framework


- Debugging the emulated IoT device


- Memory Corruption


- Exploiting Stack Overflow conditions in ARM binaries


- Writing customised ARM shellcode


- EXERCISE - end to end stack overflow exploit





PART 2 - Overcoming Exploit Mitigation Technology



- Bypassing exploit mitigation technologies - DEP and ASLR


- Practical ARM ROP chains


- Attacking the actual hardware


- Overcoming cache coherency issues


- Overcoming limitations in the exploit payloads - size, bad characters and encodings




Part 3 - In-depth Infoleaks and defeating Stack Cookies



- Case Study of a production web server exploit


- Turning a memory corruption bug into an infoleak


- Leaking base and stack addresses from the target process


- Practical approach to brute forcing Stack Cookies/canaries


- End to end exploit with infoleak and stack cookie bypass




Part 4 - A preview into ARM64



- Key differences between ARM32 and ARM64


- Basics of ARM64 assembly


- An overview of the 64-bit process memory layout


- ARM64 Registers and their purpose


- Limitations and opportunities in ARM64 exploits


- Functions on ARM64 vs ARM32




Exploitation hands-on exercises



- EXERCISES - three hardware targets to emulate and exploit


- BONUS CHALLENGES - for those hungry for more




Part 5 - Firmware Extraction & Emulation



- Under the hood - a tour of the circuit boards, pins, interfaces and flash chips


- Obtaining the firmware via UART, bootloader or an EEPROM programmer


- Unpacking the firmware and static analysis


- How to emulate an IP camera in EMUX


- Matching the device - choosing the right CPU to emulate


- Matching the device - compiling a custom kernel


- EXERCISE - emulate a home router in EMUX


- Complexities in emulation - hotpatching and hooking functions


- EXERCISE - emulate a compilcated IoT device




Prerequisites:


- A conceptual understanding of how functions work in C programming 


- Knowledge of how a stack works, basic stack operations


- Familiarity with GDB 


- Not be allergic to command line tools


- If none of the above apply, then enough patience to go through the pre-class tutorials


-  SKILL LEVEL: ADVANCED 





Hardware Requirements:


- A working laptop (no Netbooks, no Tablets, no iPads)


- Intel Core i3 (equivalent or superior) required


- 8GB RAM required, at a minimum


- Wireless network card


- 40 GB free Hard disk space


Software Requirements:


- Linux / Windows / Mac OS X desktop operating systems 


- Docker installed and working 


- Command line git client installed and working 


- Administrator / root access MANDATORY 


Students will be provide with:


Students will be provided with all the lab images used in the class. Students will also be provided with the [fully loaded version of EMUX]which is not available publicly.


The ARM IoT Exploit Laboratory uses a "Live Notes" system that provides a running transcript of the instructor's system to all the students. Our lab environment, plus about 800MB of curated reading material, will be made available to all attendees to take with them and continue learning after the training ends.


Bio


Saumil Shah is the founder and CEO of Net-Square, providing cutting edge information security services to clients around the globe. Saumil is an internationally recognised speaker and instructor, having regularly presented at conferences like Blackhat, RSA, CanSecWest, PacSec, EUSecWest, Hack.lu, Hack-in-the-box and others. He has authored two books titled "Web Hacking: Attacks and Defense" and "The Anti-Virus Book". Saumil graduated with an M.S. in Computer Science from Purdue University, USA and a B.E. in Computer Engineering from Gujarat University. He spends his leisure time breaking software, flying kites, traveling around the world and taking pictures.


TWITTER

To Register

Click here to register.