Tuesday, November 27, 2012

The Essential Of Hacking Methodology From The Perspective Of Embedded Hacker

The Essential Of Hacking Methodology From The Perspective Of Embedded Hacker

by cawan (cawan[at]ieee.org or chuiyewleong[at]hotmail.com)

on 27/11/2012

Hacking is about an action to a system. The system can be a single box or machine,
or can be a group of boxes or machines to be interconnected via a center communication
bus, which is usually known as network. For the case of single box or machine,
in fact, it can be assumed as a group of peripherals which are managed by a center
processing unit, over the system communication bus, such as PCI, PCIe, I2C, SPI, USB,
and etc. The group of peripherals can be in chip form or card form. In chip form, it
can be sound interface, network interface, video interface, or RAM interface, which is
defined as the lowest level of interface within the system. So, their communication
bus should be I2C, SPI, USB, or some variation of such standard communication bus. On
the other hand, in card form, it can be enhanced version of sound interface, video
interface, network interface, or some forms of extended features such as I/O card,
optical interface, or RF interface. Besides, there are also some custom communication
interface such as Cobranet, Ethersound, LonWorks, ARCNET, and etc. Well, they are
connected via PCI or PCIe. Regarding to the storage access such as hard disk, optical
driver, or SSD, they are connected via PATA (IDE), SATA, or SCSI bus. Since there are
so many types of buses in the same box or machine, the processor needs a chipset to
manage those buses in performing multiple access or multiplexing in order to allow
those peripherals can be run accordingly. In fact, the chipset is only necessary for
those systems which their processors are in von neumann architecture, where its
address bus and data bus are shared to the same physical bus. On the other hand, for
harvard architecture based processor, its address bus and data bus are separated, and
hence the chipset can be skipped.

For the case of a group of boxes or machines being interconnected via the network,
each of them must comply to a standard protocol among each others. In link layer, they
might need to comply ethernet, wifi, pppoe, or mpls, which is depending to the
physical medium of the associated communication bus. In higher layer, let's say the
network layer, almost all of them comply to TCP/IP. So, the TCP/IP is undoubtedly the
protocol glue among all the boxes or machines. From here onwards, the rest of the
issues are about application layer such as HTTP, HTTPS, FTP, TFTP, Telnet, SNMP, SMTP,
POP3, IMAP, and etc... which are the most common names in networking. On the other
hand, for the case of industrial networking, there are a huge variety of them, which
are dependent to the application domains. For example, in building automation industry,
there are bacnet, modbus, lontalk, profibus, and some others which are manufacturer
proprietary. Besides, in scada industry, there are modbus, iec60870, iec61850, and a
lot of others proprietary implemented items.

In order to run the hardware, we need software. So, we need something to manage the
hardware in overall, and this is kernel. The kernel will control various types of
hardware with appropriate kernel module or device driver. The kernel executive will
ensure the interoperability among the hardware resources. From application point of
view, the hardware resources are operated in transparent way via appropriate system
call. Of course, there are some protections imposed such as the kernel space is
prohibited to be accessed from user mode. Besides, each process space is isolated
among each other to avoid data collision or overwrite intentionally or unintentionally.

From hacker perspective, there are a lot of exploitation points can be considered to
launch the attacks. In general hacking methodology, majority of the attacks are about
exploiting the buffer to overwrite some system structures or registers, and causes
the system run unexpectedly. The buffer exploitation can be about the stack or the
heap. Besides, it is possible to exploit the kernel stack or heap from user mode via
some vulnerable kernel modules or device drivers. In order to control the system
once it is exploited, we need a piece of shellcode. The shellcode is something highly
customized which is dependent to the processor platform, OS platform, operation mode
(kernel/user), intentional action, avoidance of illegal characters, and etc. So, all
the attacks need to start from a target application. If the application runs locally,
then the malform local user input is the root cause to incur exploitation. In addition,
if the application is network savvy, then the attack can be launched from anywhere
within the network. Before launching any attack on the system at another part of the
same network, it is important to understand the protocol being used by the system.
So, a sniffer is necessary in this case to study the protocol based on the network
packets being captured. If the protocol is proprietary, then it needs some times to
analyze the packets sequence in understanding the protocol in details. However, if
the protocol is open source, then the analysis process will getting much easier by
referring the specification from time to time. On the other hand, it is possible to
perform fuzzing process to the system. With some level of understanding to the
protocol, it is possible to manipulate the data in different fields in the network
packet automatically and observe the reaction of the system. Yes, the fuzzing process
is some kind of trial and error or brute-force approach, but it is really effective.
Besides, it is possible to perform code analysis to the application to find any
vulnerability to be exploited, but it is really time-consuming.

From embedded hacker perspective, the hacking methodology suppose to be much simpler.
Due to the reduced hardware resources in embedded system, it is impossible to implement
full security protection which is really resouce-intensive. In fact, a large portion
of embedded linux system even didn't implement NX and ASLR all together. So, in this
case, ROP can be skipped when we are designing the exploit and shellcode for such
systems. Besides, for some very special cases, some network applications are even
don't have sanity check to the network packets. Thus, it is simpler to be exploited.
However, due to the nature of embedded system which is highly customized, it is a
need to master the skill of shellcode design for RISC processors such as ARM, MIPS,
and PPC. So, it is important to make those different types of instruction sets at
your own disposal. Besides, it is important to note that the peripherals being used
in embedded system are not something in standard or in generic. Instead, they are
something special with customized device driver. From the angle of embedded enginners
who designing the device driver, they just need to ensure the device driver can run
in the most stable way but not in the most secure way. Hence, it is most probably the
device driver is vulnerable to be exploited. Besides, the security concern to the
embedded system is really less as compared to the proper computer system. The reason
is simple, it is really not many people can imagine a headless embedded system is
hackable and the value behind to abuse the hacked embedded system. It is really hard
to convince somebody about an embedded system product can be changed into a proprietary
sniffer to perform dedicated MITM attack to the network. On the other hand, regarding
to the physical attack, it is really not hard to duplicate the data image from flash
chip. Besides, from higher level perspective, the ramdisk file can be manipulated
which is a remarkable security breach. In addition, the simple implementation of
bootloader does not has good security implication to block unauthorized access to
the system. In other words, once the configuration interface of the bootloader is
getting accessed, then it is just a few of commands to duplicate certain partitions in
flash to a network drive as data image. It is crucial to remember the term of readonly
in certain file system for embedded system is really nothing to do with the security.
It just means we can't simply add or remove a file from the file system, but we can
definitely overwrite the whole partition by using the device file in /dev. Nothing
special here.

Now, what is the essential of hacking methodology from the perspective of embedded
hacker ? Well, we already know hacking is just an action to a box or to a system.
Then what is the core of embedded system hacking ? In order to have a substantial
idea to start any meaningful attack to an embedded system, it is necessary to
understand the system and protocol internals. So, reverse engineering should be the
core of embedded system hacking methodology. When talking about the reversing of
binary, it comprises static and dynamic approaches. In static approach, it is about
to perform disassembly of the binary with any type of disassemblers. However, IDA Pro
should be the one with highest ranking to master with. Yes, it is really good in
generating comprehensive output in assembly language level with proper formatting.
But, in most of the times, we are only interested to some portions of the codes. So,
it is a little bit hard to find those little portions of codes from the big pool of
assembly instructions in IDA Pro enviroment. Of course, we can based on some special
pattern of string to do the job, but the existence of such string is not always true.
So, we need to cooperate with the dynamic approach. By using a good debugger such as
gdb, it is possible to set a breakpoint at an interesting address of symbol, and let
the program counter hit on the breakpoint. Then, it is easy to backtrace or to dump
some meaningful information from memory as guideline in locating the code portion
that we are interested with from the big pool of assembly instructions under the
IDA Pro environment. Yes, both of the static and dynamic approaches should be worked
together in proper way, and this is the fundamental skill of an embedded hacker.
On the other hand, the architecture of RISC processors should be in good
understanding. So, the concepts of calling conventions, registers, addressing modes,
operation modes, and memory management for each of the RISC processors should be in
our disposal. In addition, it is important to understand the linux kernel in detail.
Hence, the internals of runtime, loader, shared library, kernel module, and system
call should be with good understanding. Besides, it is also important to understand
the communication bus of the peripherals such as I2C, SPI, PCI, USB, and etc. By
understanding them, it is really helpful to interpret the communication data being
captured in signal level. Well, it is crucial in doing injection to find vulnerability
in signal level or in bus level. The possibility is only limited by our imagination.
As conclusion, reversing techniques in terms of hardware and software should be the
core of hacking methodology for a serious embedded hacker.

pdf version:


No comments:

Post a Comment