The closest you will get to a VM for testing IoT devices. The ARM-X IoT Firmware Emulation Framework is a tried-and-tested framework which has led to four 0-days discovered on SoHo routers, IP cameras and VoIP exchanges. In this talk, I shall cover the evolution of ARM-X, demonstrate a few use cases and discuss future directions of IoT firmware emulation.
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
INSIDE ARM-X - Countermeasure 2019
1. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
INSIDE
SAUMIL SHAH
@therealsaumil
7 November 2019
COUNTERMEASURE|2019
2. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
# WHO AM I
Saumil Shah
CEO, Net Square
@therealsaumil
educating, entertaining
and exasperating
audiences since 1999
3. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
Introducing ARM-X
• An ARM Firmware Emulation Framework.
• Ultimate Goal - create an IoT VM!
• A Virtual IoT device makes for easy
– runtime analysis
– reverse engineering
– fuzzing
– exploit development
• Great insight into embedded hardware by
trying to emulate it.
7. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
CPU and
Hardware
Kernel
Drivers
File System
nvram
User Processes
API
UI
libnvram
…same same but different
8. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
compressed FS
CPU
Kernel
Boot Loader
mounted
FS
nvram
init
scripts
Services
Apps
libnvram
The IoT Boot Up Process
conf
conf
conf
conf
firmware
Loads Kernel.
Uncompresses FS to ramdisk,
invokes init process.
ramdiskuserland
Reads config from nvram.
Builds system config files on
the fly.
Starts up system services.
Invokes Applications and
Application services.
READY
POWER ON
9. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
QEMU
CPU and
Limited
Hardware
Kernel
Drivers
uncompressed
Filesystem
emulated
nvram
init scripts
Services
Apps
libnvram
Emulation: Goals and Challenges
x
x
x
x
BUILDROOT
Match the kernel with the
one on the device
chroot environment
Implemented as an INI file,
preloaded before "boot up"
conf
conf
Fix to match QEMU environment
Not all drivers load successfully
34. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
HERE BE THE GOODS
Downloads: https://armx.exploitlab.net/
!
Announcements: @therealsaumil
IP Camera CTF Challenge - blog.exploitlab.net
35. NETSQUARE (c) SAUMIL SHAHCOUNTERMEASURE | 2019
Thank you
and … QUESTIONS?
@therealsaumil
COUNTERMEASURE|2019