BruCON 0x0A has ended
Thursday, October 4, 2018 • 11:00 - 12:00 CEST
Finding 0days in embedded systems with code coverage guided fuzzing

Coverage-guided fuzzing has become the dominant technique for discovering vulnerabilities in general-purpose systems such as PCs, and has been a main contributor to countless 0-days over the last few years.

Unfortunately, this breakthrough methodology has not yet been applied to finding bugs in embedded devices (network routers, IP cameras, etc.). We identified the following reasons:

- As closed ecosystems, embedded devices usually ship without built-in shell access or development facilities such as a compiler and a debugger. This makes it impossible to drop a fuzzer onto the device and have it find bugs there directly.

- Even when the firmware is available for download (which is rare), it is almost never open source. This rules out the available guided fuzzers such as AFL and libFuzzer, whose standard instrumentation is inserted into basic blocks at compile time and therefore requires source code.

- Most existing work focuses on the Intel architecture, while embedded devices run on other CPUs such as ARM, MIPS or PowerPC. Our survey found that fuzzing tools for these architectures are sorely lacking.

This research overcomes these issues to build a new guided fuzzer for embedded systems:

- We emulate the firmware so that we can bring our own fuzzing and debugging tools to it. We first explain how we extract firmware directly from physical devices, then how we emulate it in a virtual machine, which takes a number of tricks: duplicating the binaries' static library dependencies, and patching the firmware to simulate NVRAM so that programs receive real answers when they read their configuration.

- We introduce a new lightweight dynamic binary instrumentation (DBI) framework that supports all platforms and embedded architectures in use today, including ARM, ARM64, MIPS, PowerPC and SPARC (plus Intel x86). We present the design and implementation of this framework in detail, so the audience can also see applications of our DBI beyond this project.

- We discuss how we built a powerful guided fuzzer that runs inside the emulated firmware. With our DBI at its heart providing basic-block instrumentation, it needs no firmware source code and can find vulnerabilities in binary-only applications on every kind of embedded CPU available.
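The NVRAM simulation mentioned in the first bullet above, as an added example written for this page and not the speakers' code. Vendor daemons such as the router's httpd read their configuration through libnvram calls that have nothing to answer from inside an emulator, so a replacement library is preloaded into the emulated root filesystem and serves answers from a key/value table. The exported names follow the Broadcom-style libnvram API and the default values are constructed for the example; both are assumptions, and the target binary's imports and an NVRAM dump from the device decide what is actually needed.

```c
/* nvram_shim.c: replacement for the vendor libnvram when a router daemon is
 * run under emulation. Added example for this page, not the speakers' code.
 * The exported names follow the Broadcom-style libnvram API (nvram_get,
 * nvram_set, nvram_unset, nvram_safe_get, nvram_commit); other vendors use
 * other names and signatures, so check the target binary's imports first. */
#define _POSIX_C_SOURCE 200809L           /* for strdup */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NVRAM_MAX 256

/* Constructed defaults for the example; a real job seeds these from a dump
 * of the device's NVRAM partition or its defaults file in /etc. */
static const char NVRAM_DEFAULTS[] =
    "lan_ipaddr=192.168.1.1\n"
    "lan_netmask=255.255.255.0\n"
    "wan_proto=dhcp\n"
    "http_passwd=admin\n";

static struct { char *key; char *val; } nvram[NVRAM_MAX];
static int nvram_n, nvram_loaded;
static char nvram_empty[] = "";

static int nvram_find(const char *key)
{
    for (int i = 0; i < nvram_n; i++)
        if (strcmp(nvram[i].key, key) == 0) return i;
    return -1;
}

static void nvram_load(void);

int nvram_set(const char *key, const char *val)
{
    if (!key || !val) return -1;
    nvram_load();
    int i = nvram_find(key);
    char *dup = strdup(val);
    if (!dup) return -1;
    if (i >= 0) {                         /* overwrite in place */
        free(nvram[i].val);
        nvram[i].val = dup;
        return 0;
    }
    if (nvram_n >= NVRAM_MAX || !(nvram[nvram_n].key = strdup(key))) {
        free(dup);
        return -1;
    }
    nvram[nvram_n++].val = dup;
    return 0;
}

/* Parse "key=value" lines once, on first use. The loaded flag is set before
 * parsing so the nvram_set() calls below do not recurse back in here. */
static void nvram_load(void)
{
    if (nvram_loaded) return;
    nvram_loaded = 1;
    char *copy = strdup(NVRAM_DEFAULTS);
    if (!copy) return;
    for (char *line = strtok(copy, "\n"); line; line = strtok(NULL, "\n")) {
        char *eq = strchr(line, '=');
        if (!eq) continue;                /* skip malformed lines */
        *eq = '\0';
        nvram_set(line, eq + 1);
    }
    free(copy);
}

/* NULL for an unknown key, as in the real library. Firmware code tends to
 * hand the result straight to strcmp()/strcpy(), so a missing key is the
 * NULL dereference that kills emulated daemons at startup; log each miss so
 * the defaults can be completed. */
char *nvram_get(const char *key)
{
    nvram_load();
    int i = key ? nvram_find(key) : -1;
    if (i < 0) {
        fprintf(stderr, "[nvram] miss: %s\n", key ? key : "(null)");
        return NULL;
    }
    return nvram[i].val;
}

char *nvram_safe_get(const char *key)     /* "" instead of NULL */
{
    char *v = nvram_get(key);
    return v ? v : nvram_empty;
}

int nvram_unset(const char *key)
{
    nvram_load();
    int i = key ? nvram_find(key) : -1;
    if (i < 0) return -1;
    free(nvram[i].key);
    free(nvram[i].val);
    nvram[i] = nvram[--nvram_n];          /* order does not matter; swap last in */
    return 0;
}

int nvram_commit(void) { return 0; }      /* nothing to persist under emulation */
```

Build it with the target's cross toolchain (assumed here to be arm-linux-gnueabi-gcc) as `arm-linux-gnueabi-gcc -shared -fPIC -o libnvram.so nvram_shim.c`, copy it into the extracted root filesystem and start the daemon under qemu-user with `LD_PRELOAD=/libnvram.so /usr/sbin/httpd`; every `[nvram] miss` line on stderr is a key to add to the defaults. Preloading only works when the daemon imports libnvram dynamically; if the vendor library is linked in statically, the binary has to be patched to call the replacement, which is the situation the abstract's "patching firmware for NVRAM simulation" refers to.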
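The coverage feedback described in the third bullet above, as an added example written for this page and not the speakers' DBI or fuzzer. The only thing a guided fuzzer needs from the DBI is one callback per executed basic block; from that it maintains an AFL-style edge map and keeps every input that reaches an edge never seen before. The target here is a constructed toy parser that calls the hook itself with made-up block addresses, so the loop runs without any DBI or emulator; the byte-wise magic check, the overflow modelled as a return code and the 2,000,000-iteration budget are all assumptions made for the demonstration.

```c
/* AFL-style edge-coverage fuzzing loop driven by a basic-block hook. Added
 * example for this page, not the speakers' DBI or fuzzer. Under a DBI,
 * on_basic_block() is the callback fired at every translated block's entry;
 * here a toy target calls it by hand with made-up block addresses. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAP_SIZE   65536                  /* AFL's default edge map size */
#define MAX_INPUT  32
#define MAX_CORPUS 64

static uint8_t  virgin_bits[MAP_SIZE];    /* edges seen in any run so far */
static uint8_t  trace_bits[MAP_SIZE];     /* edges hit by the current run */
static uint32_t touched[256], prev_loc;   /* slots written this run, for a cheap reset */
static size_t   touched_n;

/* Edge id follows AFL: cur ^ (prev >> 1), so A->B and B->A get different
 * slots. A real fuzzer hashes the address; dropping alignment bits does here. */
void on_basic_block(uintptr_t addr)
{
    uint32_t cur = (uint32_t)(addr >> 2) & (MAP_SIZE - 1);
    uint32_t idx = cur ^ prev_loc;
    if (trace_bits[idx]++ == 0 && touched_n < 256)
        touched[touched_n++] = idx;
    prev_loc = cur >> 1;
}
#define BB(addr) on_basic_block((uintptr_t)(addr))

/* Toy "firmware" config parser standing in for the binary under test. Its
 * byte-wise magic check is what lets coverage feedback progress one byte at
 * a time; the overflow a real binary would hit is modelled as a -1 return. */
static int target(const uint8_t *buf, size_t len)
{
    uint8_t cfg[8];
    BB(0x400100);
    if (len < 4 || buf[0] != 'C') return 0;
    BB(0x400200);
    if (buf[1] != 'F') return 0;
    BB(0x400300);
    if (buf[2] != 'G') return 0;
    BB(0x400400);                         /* magic "CFG" matched */
    size_t n = buf[3];                    /* attacker-controlled length */
    if (n == 0 || 4 + n > len) return 0;
    BB(0x400500);
    if (n > sizeof cfg) return -1;        /* would smash the stack */
    memcpy(cfg, buf + 4, n);
    BB(0x400600);
    return 1;
}

/* Run one input: -1 if the target crashed, else the number of edges never
 * seen before (AFL's "new bits"; hit-count buckets are omitted). */
static int run_input(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < touched_n; i++) trace_bits[touched[i]] = 0;
    touched_n = 0;
    prev_loc = 0;
    int rc = target(buf, len), new_edges = 0;
    for (size_t i = 0; i < touched_n; i++)
        if (!virgin_bits[touched[i]]) { virgin_bits[touched[i]] = 1; new_edges++; }
    return rc < 0 ? -1 : new_edges;
}

typedef struct { uint8_t data[MAX_INPUT]; size_t len; } input_t;
static input_t corpus[MAX_CORPUS], last_crash;
static size_t  corpus_n;
static uint64_t rng_state;

static uint32_t rnd(uint32_t n)           /* seeded LCG so a run replays exactly */
{
    rng_state = rng_state * 6364136223846793005ULL + 1442695040888963407ULL;
    return (uint32_t)(rng_state >> 33) % n;
}

/* Mutate, run, keep: inputs reaching a new edge join the corpus as parents.
 * Returns the iteration that crashed (input copied to *crash_out) or -1. */
static long fuzz(const uint8_t *seed, size_t seed_len, uint64_t rng_seed,
                 long max_iters, input_t *crash_out)
{
    if (seed_len == 0 || seed_len > MAX_INPUT) return -1;
    memset(virgin_bits, 0, sizeof virgin_bits);
    memset(trace_bits, 0, sizeof trace_bits);
    touched_n = 0; rng_state = rng_seed;
    memcpy(corpus[0].data, seed, seed_len);
    corpus[0].len = seed_len; corpus_n = 1;
    run_input(seed, seed_len);                                  /* baseline coverage */
    for (long it = 1; it <= max_iters; it++) {
        input_t cand = corpus[rnd((uint32_t)corpus_n)];         /* pick a parent */
        cand.data[rnd((uint32_t)cand.len)] = (uint8_t)rnd(256); /* overwrite one byte */
        int r = run_input(cand.data, cand.len);
        if (r < 0) { if (crash_out) *crash_out = cand; return it; }
        if (r > 0 && corpus_n < MAX_CORPUS) corpus[corpus_n++] = cand;
    }
    return -1;
}

/* Fuzz the toy target from a 32-byte 'A' seed; the crash lands in last_crash. */
static long fuzz_demo(void)
{
    uint8_t seed[MAX_INPUT];
    memset(seed, 'A', sizeof seed);
    return fuzz(seed, sizeof seed, 1, 2000000, &last_crash);
}

int main(void)
{
    long it = fuzz_demo();
    if (it > 0) printf("crash after %ld runs: %.3s len=%d\n", it,
                       (char *)last_crash.data, last_crash.data[3]);
    return it > 0 ? 0 : 1;
}
```

Compile with `gcc -O2 -o fuzz fuzz.c` and run; the fixed RNG seed makes the run replay exactly. The same loop drives a real target once on_basic_block() is registered as the DBI's block hook and target() is replaced by a forkserver-style run of the emulated program, with crashes detected from the signal rather than a return code. Two things the example deliberately leaves out matter in practice: AFL's hit-count buckets, which distinguish a loop taken once from one taken many times, and hashing the block address into the map, since real code addresses collide badly under a plain mask.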

In just a few months, our fuzzer discovered many 0-days in some widely used embedded network devices. Several of these vulnerabilities allow pre-authentication remote code execution, affect millions of users, and could potentially be turned into a new botnet worm with massive-scale infection. We will release these bugs publicly in the talk if the vendors fix them in time.

The audience can expect a deeply technical, but still entertaining presentation, with many exciting demos.


Quynh Nguyen Anh

Dr. Nguyen Anh Quynh is a regular speaker at industry information security conferences such as Blackhat USA/Europe/Asia, DEFCON, RECON, Syscan, HackInTheBox, Shakacon, Opcde, ZeroNights, Hack.lu, Deepsec, XCon, Confidence, Hitcon, Eusecwest, etc. He has also presented his research...

Lau Kai Jern

KaiJern, Lau (xwings) is an IoT/blockchain researcher at JD Security (JD.COM), an advisor to the UnicornTeam/HACKNOWN team and a member of the Hack In The Box Security Conference core crew. His research focuses mainly on the hardware and software of embedded devices, blockchain security, reverse engineering...

01. Westvleteren University