NETSQUARE (c) SAUMIL SHAH | COUNTERMEASURE | 2019
INSIDE ARM-X
SAUMIL SHAH
@therealsaumil
7 November 2019
COUNTERMEASURE|2019
# WHO AM I
Saumil Shah
CEO, Net Square
@therealsaumil
educating, entertaining
and exasperating
audiences since 1999
Introducing ARM-X
• An ARM Firmware Emulation Framework.
• Ultimate Goal - create an IoT VM!
• A Virtual IoT device makes for easy
– runtime analysis
– reverse engineering
– fuzzing
– exploit development
• Great insight into embedded hardware by trying to emulate it.
Inside an IoT device…
Layers of an IoT device (diagram text):
• CPU and Hardware
• Kernel
• Drivers
• File System
• nvram (accessed by user processes through libnvram)
• User Processes
• API
• UI
…same same but different
The IoT Boot Up Process (diagram text)
Layers in the firmware image: CPU, Boot Loader, Kernel, compressed FS (becomes the mounted FS on a ramdisk), nvram, init scripts, Services, Apps, libnvram, and the conf files the init scripts generate.
POWER ON
• Boot loader loads the kernel.
• Kernel uncompresses the FS to a ramdisk and invokes the init process (ramdisk → userland).
• Init scripts read the config from nvram (via libnvram) and build the system config files on the fly.
• Init starts up the system services.
• Init invokes the applications and application services.
READY
Emulation: Goals and Challenges (diagram text)
The same layers as emulated under QEMU, with the slide's annotations:
• CPU and Limited Hardware: QEMU
• Kernel: BUILDROOT; match the kernel with the one on the device
• Drivers: not all drivers load successfully
• uncompressed Filesystem: chroot environment
• emulated nvram: implemented as an INI file, preloaded before "boot up"
• init scripts and the conf files they generate: fix to match the QEMU environment
• Services, Apps, libnvram
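The two slides above describe nvram as a key/value store that init scripts read at boot (building config files on the fly), and the emulated version of it as an INI file preloaded before "boot up". The following is an added example, not ARM-X's own libnvram or its nvram.ini format: it implements that idea in Python with the nvram_get/nvram_set/nvram_commit shape device code uses, and renders a config file from it the way an init script would. The INI section name, the keys, the values and the rendered file format are all constructed for this example.

```python
"""Emulated nvram backed by an INI file, preloaded before "boot up".

Added example, not ARM-X code. Section name, keys and values are
constructed; a real device directory would carry the values dumped
from the device's own nvram partition.
"""
import configparser
import io

# Constructed sample nvram.ini (assumed layout: one [nvram] section).
SAMPLE_NVRAM_INI = """\
[nvram]
lan_ipaddr = 192.168.0.1
lan_netmask = 255.255.255.0
http_port = 80
wl_ssid = example-ssid
"""


class EmulatedNvram:
    """Key/value store with the nvram_get / nvram_set / nvram_commit shape."""

    def __init__(self, ini_text: str, section: str = "nvram"):
        parser = configparser.ConfigParser(interpolation=None)
        parser.optionxform = str  # keep key case exactly as on the device
        parser.read_string(ini_text)
        self._store = dict(parser[section]) if parser.has_section(section) else {}
        self._dirty = False

    def nvram_get(self, key: str, default: str = "") -> str:
        # Device code usually treats a missing key as the empty string;
        # that is exactly the case an emulator has to reproduce faithfully.
        return self._store.get(key, default)

    def nvram_set(self, key: str, value: str) -> None:
        self._store[key] = value
        self._dirty = True

    def nvram_commit(self) -> str:
        """Serialise the store back to INI text (what a commit flushes to flash)."""
        parser = configparser.ConfigParser(interpolation=None)
        parser.optionxform = str
        parser["nvram"] = dict(sorted(self._store.items()))
        buf = io.StringIO()
        parser.write(buf)
        self._dirty = False
        return buf.getvalue()

    def is_dirty(self) -> bool:
        return self._dirty


def render_httpd_conf(nv: EmulatedNvram) -> str:
    """Build a (constructed) web server config "on the fly" from nvram,
    as an init script does at boot. A missing address is a hard error:
    on a real device the service would fail to start, and the emulator
    should surface that rather than hide it behind a default."""
    port = nv.nvram_get("http_port", "80")
    addr = nv.nvram_get("lan_ipaddr")
    if not addr:
        raise ValueError("lan_ipaddr missing from nvram: init would fail here")
    return f"Listen {addr}:{port}\nServerName {addr}\n"


if __name__ == "__main__":
    nv = EmulatedNvram(SAMPLE_NVRAM_INI)
    print(render_httpd_conf(nv), end="")
    nv.nvram_set("http_port", "8080")
    print(nv.nvram_commit(), end="")
```

The preload step is the constructor: the store is fully populated before any "boot" code runs, which is what lets init scripts written for real hardware run unchanged. Keeping nvram_get strict about missing keys is the point of the example; silently defaulting everything hides the very mismatches between the emulated and the real device that the slide's "x" marks call out.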
ARM-X Architecture
Starting an ARM-X device
2 - Booting the device Kernel
(diagram text)
• QEMU: CPU and Limited Hardware
• Kernel
• hostfs: NFS /armx
Kernel and hostfs ready
3 - ARM-X Userland
4 - nvram and userland init
nvram and userland init scripts (diagram text)
• QEMU: CPU and Limited Hardware
• Kernel, Drivers
• NFS /armx
• emulated nvram (via libnvram)
• init scripts → conf files
ARM-X: Device "booted up" (diagram text)
• QEMU: CPU and Limited Hardware
• Kernel, Drivers
• NFS /armx
• emulated nvram, libnvram
• init scripts → conf files
• Services
• Apps
5 - ARM-X hostfs/debug Shell
How to add a new device to ARM-X
Inputs (diagram text):
• BUILDROOT (kernel)
• Firmware image
Obtaining the Firmware
Sources (diagram text):
• Firmware .bin file → rootfs
• Serial Console → rootfs + nvram
• Direct from Flash memory → rootfs + nvram
1: Web/FTP site
2: Hidden UART interfaces
Pin labels from the board photo: Vcc (+3.3V), GND, TX/RX, GND
Serial Console - working
Firmware Extraction
# cat /proc/partitions
major minor #blocks name
31 0 256 mtdblock0
31 1 64 mtdblock1
31 2 64 mtdblock2
31 3 1472 mtdblock3
31 4 128 mtdblock4
31 5 64 mtdblock5
31 6 2048 mtdblock6
31 7 32768 mtdblock7
31 8 30975 mtdblock8
31 9 131072 mtdblock9
31 10 98304 mtdblock10
# cat /proc/mtd
dev: size erasesize name
mtd0: 00040000 00010000 "u-boot"
mtd1: 00010000 00010000 "devconf"
mtd2: 00010000 00010000 "devdata"
mtd3: 00170000 00010000 "mydlink"
mtd4: 00020000 00010000 "langpack"
mtd5: 00010000 00010000 "nvram"
mtd6: 00200000 00010000 "flash"
mtd7: 02000000 00020000 "upgrade"
mtd8: 01e3ffa0 00020000 "rootfs"
mtd9: 08000000 00020000 "nflash"
mtd10: 06000000 00020000 "storage"
The "rootfs" partition is mtd8, exposed as the block device /dev/mtdblock8, hence:
dd if=/dev/mtdblock8 …
3: Take it directly from the chip!
DEMO TIME!
HERE BE THE GOODS
Downloads: https://armx.exploitlab.net/
Announcements: @therealsaumil
IP Camera CTF Challenge - blog.exploitlab.net
Thank you
and … QUESTIONS?
@therealsaumil
COUNTERMEASURE|2019

More Related Content

Similar to INSIDE ARM-X - Countermeasure 2019

Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMIKernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMIAnne Nicolas
 
"Efficient Deployment of Quantized ML Models at the Edge Using Snapdragon SoC...
"Efficient Deployment of Quantized ML Models at the Edge Using Snapdragon SoC..."Efficient Deployment of Quantized ML Models at the Edge Using Snapdragon SoC...
"Efficient Deployment of Quantized ML Models at the Edge Using Snapdragon SoC...Edge AI and Vision Alliance
 
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...Anne Nicolas
 
HSA-4024, OpenJDK Sumatra Project: Bringing the GPU to Java, by Eric Caspole
HSA-4024, OpenJDK Sumatra Project: Bringing the GPU to Java, by Eric CaspoleHSA-4024, OpenJDK Sumatra Project: Bringing the GPU to Java, by Eric Caspole
HSA-4024, OpenJDK Sumatra Project: Bringing the GPU to Java, by Eric CaspoleAMD Developer Central
 
Machine Learning using Kubernetes - AI Conclave 2019
Machine Learning using Kubernetes - AI Conclave 2019Machine Learning using Kubernetes - AI Conclave 2019
Machine Learning using Kubernetes - AI Conclave 2019Arun Gupta
 
Introduction to EC2 A1 instances, powered by the AWS Graviton processor - CMP...
Introduction to EC2 A1 instances, powered by the AWS Graviton processor - CMP...Introduction to EC2 A1 instances, powered by the AWS Graviton processor - CMP...
Introduction to EC2 A1 instances, powered by the AWS Graviton processor - CMP...Amazon Web Services
 
Spring Boot and Spring Cloud Inside NissanConnect at SPRING FEST '19
Spring Boot and Spring Cloud Inside NissanConnect at SPRING FEST '19Spring Boot and Spring Cloud Inside NissanConnect at SPRING FEST '19
Spring Boot and Spring Cloud Inside NissanConnect at SPRING FEST '19Daisuke Morishita
 
Keynote (Dr. Lisa Su) - Developers: The Heart of AMD Innovation - by Dr. Lisa...
Keynote (Dr. Lisa Su) - Developers: The Heart of AMD Innovation - by Dr. Lisa...Keynote (Dr. Lisa Su) - Developers: The Heart of AMD Innovation - by Dr. Lisa...
Keynote (Dr. Lisa Su) - Developers: The Heart of AMD Innovation - by Dr. Lisa...AMD Developer Central
 
Final lisa opening_keynote_draft_-_v12.1tb
Final lisa opening_keynote_draft_-_v12.1tbFinal lisa opening_keynote_draft_-_v12.1tb
Final lisa opening_keynote_draft_-_v12.1tbr Skip
 
Getting Started with ARM-Based EC2 A1 Instances - CMP302 - Anaheim AWS Summit
Getting Started with ARM-Based EC2 A1 Instances - CMP302 - Anaheim AWS SummitGetting Started with ARM-Based EC2 A1 Instances - CMP302 - Anaheim AWS Summit
Getting Started with ARM-Based EC2 A1 Instances - CMP302 - Anaheim AWS SummitAmazon Web Services
 
The state of server-side Swift
The state of server-side SwiftThe state of server-side Swift
The state of server-side SwiftCiprian Redinciuc
 
Digital Security by Design: Imperas’ Interests - Simon Davidmann, Imperas Sof...
Digital Security by Design: Imperas’ Interests - Simon Davidmann, Imperas Sof...Digital Security by Design: Imperas’ Interests - Simon Davidmann, Imperas Sof...
Digital Security by Design: Imperas’ Interests - Simon Davidmann, Imperas Sof...KTN
 
IBM Cloud Private and IBM Power Systems: Overview and Real-World Scenarios
IBM Cloud Private and IBM Power Systems: Overview and Real-World ScenariosIBM Cloud Private and IBM Power Systems: Overview and Real-World Scenarios
IBM Cloud Private and IBM Power Systems: Overview and Real-World ScenariosJoe Cropper
 
Modern-Application-Design-with-Amazon-ECS
Modern-Application-Design-with-Amazon-ECSModern-Application-Design-with-Amazon-ECS
Modern-Application-Design-with-Amazon-ECSAmazon Web Services
 
IoT Edge Data Processing with NVidia Jetson Nano oct 3 2019
IoT  Edge Data Processing with NVidia Jetson Nano oct 3 2019IoT  Edge Data Processing with NVidia Jetson Nano oct 3 2019
IoT Edge Data Processing with NVidia Jetson Nano oct 3 2019Timothy Spann
 
Amazon EC2 A1 instances, powered by the AWS Graviton processor - CMP303 - San...
Amazon EC2 A1 instances, powered by the AWS Graviton processor - CMP303 - San...Amazon EC2 A1 instances, powered by the AWS Graviton processor - CMP303 - San...
Amazon EC2 A1 instances, powered by the AWS Graviton processor - CMP303 - San...Amazon Web Services
 
GPU-Accelerated Route Planning of Multi-UAV Systems Using Simulated Annealing...
GPU-Accelerated Route Planning of Multi-UAV Systems Using Simulated Annealing...GPU-Accelerated Route Planning of Multi-UAV Systems Using Simulated Annealing...
GPU-Accelerated Route Planning of Multi-UAV Systems Using Simulated Annealing...Seval Çapraz
 
PAN-OS - Network Security/Prevention Everywhere
PAN-OS - Network Security/Prevention EverywherePAN-OS - Network Security/Prevention Everywhere
PAN-OS - Network Security/Prevention EverywhereGlobal Knowledge Training
 

Similar to INSIDE ARM-X - Countermeasure 2019 (20)

Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMIKernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
Kernel Recipes 2019 - No NMI? No Problem! – Implementing Arm64 Pseudo-NMI
 
"Efficient Deployment of Quantized ML Models at the Edge Using Snapdragon SoC...
"Efficient Deployment of Quantized ML Models at the Edge Using Snapdragon SoC..."Efficient Deployment of Quantized ML Models at the Edge Using Snapdragon SoC...
"Efficient Deployment of Quantized ML Models at the Edge Using Snapdragon SoC...
 
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
Embedded Recipes 2019 - Knowing your ARM from your ARSE: wading through the t...
 
HSA-4024, OpenJDK Sumatra Project: Bringing the GPU to Java, by Eric Caspole
HSA-4024, OpenJDK Sumatra Project: Bringing the GPU to Java, by Eric CaspoleHSA-4024, OpenJDK Sumatra Project: Bringing the GPU to Java, by Eric Caspole
HSA-4024, OpenJDK Sumatra Project: Bringing the GPU to Java, by Eric Caspole
 
Machine Learning using Kubernetes - AI Conclave 2019
Machine Learning using Kubernetes - AI Conclave 2019Machine Learning using Kubernetes - AI Conclave 2019
Machine Learning using Kubernetes - AI Conclave 2019
 
AWS SAM でLambda開発
AWS SAM でLambda開発AWS SAM でLambda開発
AWS SAM でLambda開発
 
Introduction to EC2 A1 instances, powered by the AWS Graviton processor - CMP...
Introduction to EC2 A1 instances, powered by the AWS Graviton processor - CMP...Introduction to EC2 A1 instances, powered by the AWS Graviton processor - CMP...
Introduction to EC2 A1 instances, powered by the AWS Graviton processor - CMP...
 
Spring Boot and Spring Cloud Inside NissanConnect at SPRING FEST '19
Spring Boot and Spring Cloud Inside NissanConnect at SPRING FEST '19Spring Boot and Spring Cloud Inside NissanConnect at SPRING FEST '19
Spring Boot and Spring Cloud Inside NissanConnect at SPRING FEST '19
 
Keynote (Dr. Lisa Su) - Developers: The Heart of AMD Innovation - by Dr. Lisa...
Keynote (Dr. Lisa Su) - Developers: The Heart of AMD Innovation - by Dr. Lisa...Keynote (Dr. Lisa Su) - Developers: The Heart of AMD Innovation - by Dr. Lisa...
Keynote (Dr. Lisa Su) - Developers: The Heart of AMD Innovation - by Dr. Lisa...
 
Final lisa opening_keynote_draft_-_v12.1tb
Final lisa opening_keynote_draft_-_v12.1tbFinal lisa opening_keynote_draft_-_v12.1tb
Final lisa opening_keynote_draft_-_v12.1tb
 
Getting Started with ARM-Based EC2 A1 Instances - CMP302 - Anaheim AWS Summit
Getting Started with ARM-Based EC2 A1 Instances - CMP302 - Anaheim AWS SummitGetting Started with ARM-Based EC2 A1 Instances - CMP302 - Anaheim AWS Summit
Getting Started with ARM-Based EC2 A1 Instances - CMP302 - Anaheim AWS Summit
 
The state of server-side Swift
The state of server-side SwiftThe state of server-side Swift
The state of server-side Swift
 
Digital Security by Design: Imperas’ Interests - Simon Davidmann, Imperas Sof...
Digital Security by Design: Imperas’ Interests - Simon Davidmann, Imperas Sof...Digital Security by Design: Imperas’ Interests - Simon Davidmann, Imperas Sof...
Digital Security by Design: Imperas’ Interests - Simon Davidmann, Imperas Sof...
 
IBM Cloud Private and IBM Power Systems: Overview and Real-World Scenarios
IBM Cloud Private and IBM Power Systems: Overview and Real-World ScenariosIBM Cloud Private and IBM Power Systems: Overview and Real-World Scenarios
IBM Cloud Private and IBM Power Systems: Overview and Real-World Scenarios
 
Modern-Application-Design-with-Amazon-ECS
Modern-Application-Design-with-Amazon-ECSModern-Application-Design-with-Amazon-ECS
Modern-Application-Design-with-Amazon-ECS
 
IoT Edge Data Processing with NVidia Jetson Nano oct 3 2019
IoT  Edge Data Processing with NVidia Jetson Nano oct 3 2019IoT  Edge Data Processing with NVidia Jetson Nano oct 3 2019
IoT Edge Data Processing with NVidia Jetson Nano oct 3 2019
 
Amazon EC2 A1 instances, powered by the AWS Graviton processor - CMP303 - San...
Amazon EC2 A1 instances, powered by the AWS Graviton processor - CMP303 - San...Amazon EC2 A1 instances, powered by the AWS Graviton processor - CMP303 - San...
Amazon EC2 A1 instances, powered by the AWS Graviton processor - CMP303 - San...
 
GPU-Accelerated Route Planning of Multi-UAV Systems Using Simulated Annealing...
GPU-Accelerated Route Planning of Multi-UAV Systems Using Simulated Annealing...GPU-Accelerated Route Planning of Multi-UAV Systems Using Simulated Annealing...
GPU-Accelerated Route Planning of Multi-UAV Systems Using Simulated Annealing...
 
Low code & technology stacks.
Low code & technology stacks.Low code & technology stacks.
Low code & technology stacks.
 
PAN-OS - Network Security/Prevention Everywhere
PAN-OS - Network Security/Prevention EverywherePAN-OS - Network Security/Prevention Everywhere
PAN-OS - Network Security/Prevention Everywhere
 

More from Saumil Shah

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksSaumil Shah
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSSaumil Shah
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkUnveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkSaumil Shah
 
Precise Presentations
Precise PresentationsPrecise Presentations
Precise PresentationsSaumil Shah
 
Effective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceEffective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceSaumil Shah
 
Cyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadCyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadSaumil Shah
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceCybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceSaumil Shah
 
NSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadNSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadSaumil Shah
 
Cybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadCybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadSaumil Shah
 
The Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDThe Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDSaumil Shah
 
The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019Saumil Shah
 
The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019Saumil Shah
 
Schrödinger's ARM Assembly
Schrödinger's ARM AssemblySchrödinger's ARM Assembly
Schrödinger's ARM AssemblySaumil Shah
 
ARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSSaumil Shah
 
What Makes a Compelling Photograph
What Makes a Compelling PhotographWhat Makes a Compelling Photograph
What Makes a Compelling PhotographSaumil Shah
 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKSaumil Shah
 
HackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great AgainHackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great AgainSaumil Shah
 
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation WorkshopHack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation WorkshopSaumil Shah
 
Make ARM Shellcode Great Again
Make ARM Shellcode Great AgainMake ARM Shellcode Great Again
Make ARM Shellcode Great AgainSaumil Shah
 
ARM IoT Firmware Emulation Workshop
ARM IoT Firmware Emulation WorkshopARM IoT Firmware Emulation Workshop
ARM IoT Firmware Emulation WorkshopSaumil Shah
 

More from Saumil Shah (20)

The Hand That Strikes, Also Blocks
The Hand That Strikes, Also BlocksThe Hand That Strikes, Also Blocks
The Hand That Strikes, Also Blocks
 
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSDebugging with EMUX - RIngzer0 BACK2WORKSHOPS
Debugging with EMUX - RIngzer0 BACK2WORKSHOPS
 
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkUnveiling EMUX - ARM and MIPS IoT Emulation Framework
Unveiling EMUX - ARM and MIPS IoT Emulation Framework
 
Precise Presentations
Precise PresentationsPrecise Presentations
Precise Presentations
 
Effective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual AudienceEffective Webinars: Presentation Skills for a Virtual Audience
Effective Webinars: Presentation Skills for a Virtual Audience
 
Cyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade AheadCyberspace And Security - India's Decade Ahead
Cyberspace And Security - India's Decade Ahead
 
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In CyberspaceCybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
Cybersecurity And Sovereignty - A Look At Society's Transformation In Cyberspace
 
NSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade AheadNSConclave2020 The Decade Behind And The Decade Ahead
NSConclave2020 The Decade Behind And The Decade Ahead
 
Cybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade AheadCybersecurity In India - The Decade Ahead
Cybersecurity In India - The Decade Ahead
 
The Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBDThe Road To Defendable Systems - Emirates NBD
The Road To Defendable Systems - Emirates NBD
 
The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019The CISO's Dilemma 44CON 2019
The CISO's Dilemma 44CON 2019
 
The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019The CISO's Dilemma HITBGSEC2019
The CISO's Dilemma HITBGSEC2019
 
Schrödinger's ARM Assembly
Schrödinger's ARM AssemblySchrödinger's ARM Assembly
Schrödinger's ARM Assembly
 
ARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMSARM Polyglot Shellcode - HITB2019AMS
ARM Polyglot Shellcode - HITB2019AMS
 
What Makes a Compelling Photograph
What Makes a Compelling PhotographWhat Makes a Compelling Photograph
What Makes a Compelling Photograph
 
Make ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEKMake ARM Shellcode Great Again - HITB2018PEK
Make ARM Shellcode Great Again - HITB2018PEK
 
HackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great AgainHackLU 2018 Make ARM Shellcode Great Again
HackLU 2018 Make ARM Shellcode Great Again
 
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation WorkshopHack.LU 2018 ARM IoT Firmware Emulation Workshop
Hack.LU 2018 ARM IoT Firmware Emulation Workshop
 
Make ARM Shellcode Great Again
Make ARM Shellcode Great AgainMake ARM Shellcode Great Again
Make ARM Shellcode Great Again
 
ARM IoT Firmware Emulation Workshop
ARM IoT Firmware Emulation WorkshopARM IoT Firmware Emulation Workshop
ARM IoT Firmware Emulation Workshop
 

Recently uploaded

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 

Recently uploaded (20)

The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
DevEX - reference for building teams, processes, and platforms

INSIDE ARM-X - Countermeasure 2019

  • 1. INSIDE ARM-X. Saumil Shah, @therealsaumil. COUNTERMEASURE 2019, 7 November 2019. NETSQUARE (c) SAUMIL SHAH.
  • 2. WHO AM I: Saumil Shah, CEO, Net Square, @therealsaumil. Educating, entertaining and exasperating audiences since 1999.
  • 3. Introducing ARM-X. An ARM firmware emulation framework. Ultimate goal: create an IoT VM! A virtual IoT device makes for easy runtime analysis, reverse engineering, fuzzing and exploit development. Trying to emulate embedded hardware gives great insight into it.
  • 6. Inside an IoT device…
  • 7. …same same but different. The layers of an IoT device: CPU and hardware; kernel and drivers; file system; nvram, accessed through libnvram; user processes, API and UI.
  • 8. The IoT Boot Up Process. POWER ON: the boot loader loads the kernel from the firmware. The kernel uncompresses the compressed FS to a ramdisk, mounts it and invokes the init process. Userland: the init scripts read config from nvram (through libnvram), build the system config files (conf) on the fly, start up the system services, then invoke applications and application services. READY.
  • 9. Emulation: Goals and Challenges. CPU and (limited) hardware: QEMU. Kernel: built with BUILDROOT, matched to the kernel on the device. Drivers: not all drivers load successfully. Filesystem: uncompressed and used as a chroot environment. nvram: emulated, implemented as an INI file preloaded before "boot up". init scripts: fixed to match the QEMU environment, so that services and apps start with their conf files built through libnvram.
  • 10. ARM-X Architecture
  • 11. ARM-X Architecture
  • 12. Starting an ARM-X device
  • 14. 2 - Booting the device: Kernel
  • 16. Kernel and hostfs ready: QEMU provides the CPU and limited hardware, the kernel boots, and the hostfs is exported over NFS as /armx.
  • 17. 3 - ARM-X Userland
  • 19. 4 - nvram and userland init
  • 20. nvram and userland init: on top of QEMU, the kernel and drivers, and the NFS-mounted /armx, the emulated nvram is loaded and the init scripts build the conf files through libnvram.
  • 22. ARM-X: Device "booted up". QEMU (CPU and limited hardware), kernel and drivers, NFS /armx, emulated nvram, init scripts, services and apps, with their conf files built through libnvram.
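The userland part of the boot sequence on slides 8, 9 and 20 (init reads nvram, renders the conf files, starts services; under emulation the nvram is an INI file preloaded before boot) as an added shell example. This is illustration code written for this page, not ARM-X's nvram emulation or any device's init script: the INI file, keys, values and paths are constructed, and nvram_get/nvram_set stand in for the device's libnvram or nvram CLI.

```shell
#!/bin/sh
# Added example (illustration, not ARM-X code): an INI-file-backed stand-in for
# the device's nvram, plus the init-script step that renders config files from it.
# All file names, keys and values are constructed for this example.

NVRAM_INI="${NVRAM_INI:-${TMPDIR:-/tmp}/nvram.ini}"
CONF_DIR="${CONF_DIR:-${TMPDIR:-/tmp}/armx-etc}"

# Constructed nvram contents in the key=value form of an INI file. On a real
# device these live in the nvram flash partition; under emulation the file is
# preloaded before "boot up", as slide 9 describes.
write_sample_nvram() {
    cat > "$NVRAM_INI" <<'EOF'
lan_ipaddr=192.168.0.1
lan_netmask=255.255.255.0
wan_proto=dhcp
http_port=80
hostname=router
EOF
}

# nvram_get KEY: print KEY's value (last assignment wins); status 1 if unset
# or empty, so callers can fall back to a default with "|| val=default".
nvram_get() {
    val=$(grep "^$1=" "$NVRAM_INI" | tail -n 1 | cut -d= -f2-)
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# nvram_set KEY VALUE: replace or append an entry, rewriting the file atomically.
nvram_set() {
    tmp="$NVRAM_INI.tmp"
    grep -v "^$1=" "$NVRAM_INI" > "$tmp" || true   # grep -v returns 1 when nothing is left
    printf '%s=%s\n' "$1" "$2" >> "$tmp"
    mv "$tmp" "$NVRAM_INI"
}

# is_ipv4 / is_port: the checks an init script should apply before writing an
# nvram value into a config file, since anyone who can reach the device UI
# can set these values.
is_ipv4() {
    case "$1" in *[!0-9.]*|'') return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
}
is_port() {
    case "$1" in *[!0-9]*|'') return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_config: what the firmware's init scripts do at boot - read nvram and
# write the service config files on the fly. Prints the path of the generated
# httpd config; fails instead of writing a config from bad values.
build_config() {
    mkdir -p "$CONF_DIR"
    ip=$(nvram_get lan_ipaddr) || return 1
    port=$(nvram_get http_port) || port=80
    host=$(nvram_get hostname) || host=device
    is_ipv4 "$ip" || { echo "refusing bad lan_ipaddr: $ip" >&2; return 1; }
    is_port "$port" || { echo "refusing bad http_port: $port" >&2; return 1; }
    printf 'listen %s:%s\nserver_name %s\n' "$ip" "$port" "$host" > "$CONF_DIR/httpd.conf"
    printf '%s\n' "$host" > "$CONF_DIR/hostname"
    echo "$CONF_DIR/httpd.conf"
}
```

Source the file, run write_sample_nvram, then build_config, and inspect the generated httpd.conf; change a value with nvram_set and rebuild to see the conf follow the nvram. The validation in build_config is the check that matters when you later fuzz the emulated device: every nvram value is writable from the management UI, so whatever the init scripts interpolate into config files or command lines is attacker-influenced input.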
  • 24. 5 - ARM-X hostfs/debug Shell
  • 26. How to add a new device to ARM-X: BUILDROOT (for the kernel) and the firmware image.
  • 27. Obtaining the Firmware. Three sources: the firmware .bin file (yields the rootfs); the serial console (yields rootfs + nvram); or direct from flash memory.
  • 28. 1: Web/FTP site
  • 29. 2: Hidden UART interfaces. Header pins: Vcc (+3.3V), GND, TX/RX, GND. (Connect only GND, TX and RX to the USB-serial adapter, with TX crossed to RX; leave Vcc unconnected while the board runs on its own supply.)
  • 30. Serial Console - working
  • 31. Firmware Extraction (over the serial console):
        # cat /proc/partitions
        major minor  #blocks  name
          31     0       256  mtdblock0
          31     1        64  mtdblock1
          31     2        64  mtdblock2
          31     3      1472  mtdblock3
          31     4       128  mtdblock4
          31     5        64  mtdblock5
          31     6      2048  mtdblock6
          31     7     32768  mtdblock7
          31     8     30975  mtdblock8
          31     9    131072  mtdblock9
          31    10     98304  mtdblock10

        # cat /proc/mtd
        dev:    size   erasesize  name
        mtd0:  00040000 00010000 "u-boot"
        mtd1:  00010000 00010000 "devconf"
        mtd2:  00010000 00010000 "devdata"
        mtd3:  00170000 00010000 "mydlink"
        mtd4:  00020000 00010000 "langpack"
        mtd5:  00010000 00010000 "nvram"
        mtd6:  00200000 00010000 "flash"
        mtd7:  02000000 00020000 "upgrade"
        mtd8:  01e3ffa0 00020000 "rootfs"
        mtd9:  08000000 00020000 "nflash"
        mtd10: 06000000 00020000 "storage"

        dd if=/dev/mtdblock8 …
  • 32. 3: Take it directly from the chip!
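The extraction step on slide 31, carried through as an added shell example (written for this page, not from the talk or ARM-X): it turns a /proc/mtd listing into one dd command per partition and cross-checks each size against /proc/partitions before the dump is trusted. The two listings embedded below are constructed copies of a few lines from the slide so the script runs off-device; on the device, pass "$(cat /proc/mtd)" and "$(cat /proc/partitions)" instead.

```shell
#!/bin/sh
# Added example, not from the talk or ARM-X: build dd commands from /proc/mtd
# and sanity-check the sizes against /proc/partitions.

# Constructed copies of three lines from each listing on the slide.
SAMPLE_MTD='dev:    size   erasesize  name
mtd0: 00040000 00010000 "u-boot"
mtd5: 00010000 00010000 "nvram"
mtd8: 01e3ffa0 00020000 "rootfs"'

SAMPLE_PARTITIONS='major minor  #blocks  name
  31     0       256  mtdblock0
  31     5        64  mtdblock5
  31     8     30975  mtdblock8'

# mtd_lookup NAME MTD_TEXT -> "index size_bytes erasesize_bytes"
# /proc/mtd prints both sizes in hex; $((0x...)) converts them to decimal.
mtd_lookup() {
    printf '%s\n' "$2" | while read -r dev size erase pname; do
        if [ "$pname" = "\"$1\"" ]; then
            idx=${dev#mtd}
            echo "${idx%:} $((0x$size)) $((0x$erase))"
        fi
    done
}

# partition_blocks INDEX PART_TEXT -> the 1 KiB block count /proc/partitions
# reports for mtdblockINDEX.
partition_blocks() {
    printf '%s\n' "$2" | while read -r major minor blocks pname; do
        if [ "$pname" = "mtdblock$1" ]; then echo "$blocks"; fi
    done
}

# dd_command NAME MTD_TEXT -> the dd line for NAME. bs is the erase block;
# count rounds up so a partition that is not erase-block aligned (rootfs in
# the sample) is read to its end instead of being truncated.
dd_command() {
    set -- $(mtd_lookup "$1" "$2") "$1"
    [ $# -eq 4 ] || return 1
    count=$(( ($2 + $3 - 1) / $3 ))
    echo "dd if=/dev/mtdblock$1 of=/tmp/$4.bin bs=$3 count=$count"
}

# dd_all MTD_TEXT -> one dd line per partition, in /proc/mtd order.
dd_all() {
    printf '%s\n' "$1" | while read -r dev size erase pname; do
        case "$dev" in
            mtd[0-9]*) name=${pname#\"}; name=${name%\"}; dd_command "$name" "$1" ;;
        esac
    done
}

# check_sizes NAME MTD_TEXT PART_TEXT -> status 0 when both views of the flash
# agree. mtdblock exposes a partition in 512-byte sectors and /proc/partitions
# counts 1 KiB blocks, so bytes/512/2 is the expected figure. Prints how many
# trailing bytes the block device cannot deliver; when that is non-zero and
# the exact image matters, read the character device /dev/mtdN (or use
# nanddump on NAND) rather than /dev/mtdblockN.
check_sizes() {
    set -- $(mtd_lookup "$1" "$2") "$3"
    [ $# -eq 4 ] || return 1
    expected=$(( $2 / 512 / 2 ))
    reported=$(partition_blocks "$1" "$4")
    [ "$reported" = "$expected" ] || return 1
    echo $(( $2 - $2 / 512 * 512 ))
}
```

For the sample rootfs (0x01e3ffa0 bytes) the check passes and reports 416 trailing bytes that /dev/mtdblock8 will never return, which is why a hash of a mtdblock dump does not match a hash of the same partition read from /dev/mtd8. Run binwalk on the resulting .bin to identify the compressed filesystem before unpacking it into the ARM-X hostfs, and dump the nvram partition alongside the rootfs: it is the second input the emulator needs.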
  • 33. DEMO TIME!
  • 34. HERE BE THE GOODS. Downloads: https://armx.exploitlab.net/ Announcements: @therealsaumil. IP Camera CTF Challenge: blog.exploitlab.net
  • 35. Thank you and … QUESTIONS? @therealsaumil COUNTERMEASURE|2019