💾 Archived View for aphrack.org › issues › phrack63 › 17.gmi captured on 2021-12-04 at 18:04:22. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2021-12-03)
-=-=-=-=-=-=-
==Phrack Inc.==
Volume 0x0b, Issue 0x3f, Phile #0x11 of 0x14
|=------------[ Security Review Of Embedded Systems And Its ]------------=|
|=------------[ Applications To Hacking Methodology ]------------=|
|=-----------------------------------------------------------------------=|
|=----[ Cawan: <chuiyewleong[at]hotmail.com> or <cawan[at]ieee.org> ]----=|
--=[ Contents
1. - Introduction
2. - Architectures Classification
3. - Hacking with Embedded System
4. - Hacking with Embedded Linux
5. - "Hacking Machine" Implementation In FPGA
6. - What The Advantages Of Using FPGA In Hacking ?
7. - What Else Of Magic That Embedded Linux Can Do ?
8. - Conclusion
--[ 1. - Introduction
Embedded systems have been penetrated the daily human life. In
residential home, the deployment of "smart" systems have brought out the
term of "smart-home". It is dealing with the home security, electronic
appliances control and monitoring, audio/video based entertainment, home
networking, and etc. In building automation, embedded system provides the
ability of network enabled (Lonwork, Bacnet or X10) for extra convenient
control and monitoring purposes. For intra-building communication, the
physical network media including power-line, RS485, optical fiber, RJ45,
IrDA, RF, and etc. In this case, media gateway is playing the roll to
provide inter-media interfacing for the system. For personal handheld
systems, mobile devices such as handphone/smartphone and PDA/XDA are going
to be the necessity in human life. However, the growing of 3G is not as
good as what is planning initially. The slow adoption in 3G is because it
is lacking of direct compatibility to TCP/IP. As a result, 4G with Wimax
technology is more likely to look forward by communication industry
regarding to its wireless broadband with OFDM.
Obviously, the development trend of embedded systems application is
going to be convergence - by applying TCP/IP as "protocol glue" for
inter-media interfacing purpose. Since the deployment of IPv6 will cause
an unreasonable overshooting cost, so the widespread of IPv6 products
still needs some extra times to be negotiated.
As a result, IPv4 will continue to dominate the world of networking,
especially in embedded applications. As what we know, the brand-old
IPv4 is being challenged by its native security problems in terms of
confidentiality, integrity, and authentication.
Extra value added modules such as SSL and SSH would be the best solution
to protect most of the attacks such as Denial of Service, hijacking,
spooling, sniffing, and etc. However, the implementation of such value
added module in embedded system is optional because it is lacking of
available hardware resources. For example, it is not reasonable to
implement SSL in SitePlayer[1] for a complicated web-based control and
monitoring system by considering the available flash and memory that
can be utilized.
By the time of IPv4 is going to conquer the embedded system's world,
the native characteristic of IPv4 and the reduced structure of embedded
system would be problems in security consideration.
These would probably a hidden timer-bomb that is waiting to be exploited.
As an example, by simply performing port scan with pattern recognition to
a range of IP address, any of the running SC12 IPC@CHIP[2] can be
identified and exposed. Once the IP address of a running SC12 is confirmed,
by applying a sequence of five ping packet with the length of 65500 is
sufficient to crash it until reset.
--[ 2. - Architectures Classification
With the advent of commodity electronics in the 1980s, digital utility
began to proliferate beyond the world of technology and industry. By its
nature digital signal can be represented exactly and easily, which gives
it much more utility. In term of digital system design, programmable
logic has a primary advantage over custom gate arrays and standard cells
by enabling faster time-to-complete and shorter design cycles. By using
software, digital design can be programmed directly into programmable
logic and allowing making revisions to the design relatively quickly.
The two major types of programmable logic devices are Field Programmable
Logic Arrays (FPGAs) and Complex Programmable Logic Devices (CPLDs).
FPGAs offer the highest amount of logic density, the most features,
and the highest performance. These advanced devices also offer features
such as built-in hardwired processors (such as the IBM Power PC),
substantial amounts of memory, clock management systems, and support
for many of the latest very fast device-to-device signaling technologies.
FPGAs are used in a wide variety of applications ranging from data
processing and storage, instrumentation, telecommunications, and digital
signal processing. Instead, CPLDs offer much smaller amounts of logic
(approximately 10,000 gates). But CPLDs offer very predictable timing
characteristics and are therefore ideal for critical control applications.
Besides, CPLDs also require extremely low amounts of power and are very
inexpensive.
Well, it is the time to discuss about Hardware Description Language
(HDL). HDL is a software programming language used to model the intended
operation of a piece of hardware. There are two aspects to the description
of hardware that an HDL facilitates: true abstract behavior modeling and
hardware structure modeling. The behavior of hardware may be modeled and
represented at various levels of abstraction during the design process.
Higher level models describe the operation of hardware abstractly, while
lower level models include more detail, such as inferred hardware
structure. There are two types of HDL: VHDL and Verilog-HDL. The history
of VHDL started from 1980 when the USA Department of Defence (DoD) wanted
to make circuit design self documenting, follow a common design methodology
and be reusable with new technologies. It became clear there was a need for
a standard programming language for describing the function and structure
of digital circuits for the design of integrated circuits (ICs). The DoD
funded a project under the Very High Speed Integrated Circuit (VHSIC)
program to create a standard hardware description language.
The result was the creation of the VHSIC hardware description language or
VHDL as it is now commonly known. The history of Verilog-HDL started from
1981, when a CAE software company called Gateway Design Automation that was
founded by Prabhu Goel. One of the Gateway's first employees was Phil
Moorby, who was an original author of GenRad's Hardware Description
Language (GHDL) and HILO simulator. On 1983, Gateway released the Verilog
Hardware Description Language known as Verilog-HDL or simply Verilog
together with a Verilog simulator. Both VHDL and Verilog-HDL are reviewed
and adopted by IEEE as IEEE standard 1076 and 1364, respectively.
Modern hardware implementation of embedded systems can be classified
into two categories: hardcore processing and softcore processing. Hardcore
processing is a method of applying hard processor(s) such as ARM, MIPS,
x86, and etc as processing unit with integrated protocol stack.
For example, SC12 with x86, IP2022 with Scenix RISC, eZ80, SitePlayer
and Rabbit are dropped in the category of hardcore processing.Instead,
softcore processing is applying a synthesizable core that can be targeted
into different semiconductor fabrics. The semiconductor fabrics should be
programmable as what FPGA and CPLD do. Altera[3] and Xilinx[4] are the
only FPGA/CPLD manufacturers in the market that supporting softcore
processor. Altera provides NIOS processor that can be implemented in SOPC
Builder that is targeted to its Cyclone and Stratix FPGAs. Xilinx provides
two types of softcore: Picoblaze, that is targeted to its CoolRunner-2
CPLD; and Microblaze, that is targeted to its Spartan and Virtex FPGAs.
For the case of FPGAs with embedded hardcore, for example ARM-core in
Stratix, and MIPS-core in Virtex are classified as embedded hardcore
processing. On the other hand, FPGAs with embedded softcore such as
NIOS-core in Cyclone or Stratix, and Microblaze-core in Spartan or Virtex
are classified as softcore processing. Besides, the embedded softcore can
be associated with others synthesizable peripherals such as DMA controller
for advanced processing purpose.
In general, the classical point of view regarding to the hardcore
processing might assuming it is always running faster than softcore
processing. However, it is not the fact. Processor performance is often
limited by how fast the instruction and data can be pipelined from external
memory into execution unit. As a result, hardcore processing is more
suitable for general application purpose but softcore processing is more
liable to be used in customized application purpose with parallel
processing and DSP. It is targeted to flexible implementation in adaptive
platform.
--[ 3. - Hacking with Embedded System
When the advantages of softcore processing are applied in hacking, it
brings out more creative methods of attack, the only limitation is the
imagination. Richard Clayton had shown the method of extracting a 3DES key
from an IBM 4758 that is running Common Cryptographic Architecture
(CCA)[5]. The IBM 4758 with its CCA software is widely used in the banking
industry to hold encryption keys securely. The device is extremely
tamper-resistant and no physical attack is known that will allow keys to be
accessed. According to Richard, about 20 minutes of uninterrupted access to
the IBM 4758 with Combine_Key_Parts permission is sufficient to export the
DES and 3DES keys. For convenience purpose, it is more likely to implement
an embedded system with customized application to get the keys within the
20 minutes of accessing to the device. An evaluation board from Altera was
selected by Richard Clayton for the purpose of keys exporting and
additional two days of offline key cracking.
In practice, by using multiple NIOS-core with customized peripherals
would provide better performance in offline key cracking. In fact,
customized parallel processing is very suitable to exploit both symmetrical
and asymmetrical encrypted keys.
--[ 4. - Hacking with Embedded Linux
For application based hacking, such as buffer overflow and SQL
injection, it is more preferred to have RTOS installed in the embedded
system. For code reusability purpose, embedded linux would be the best
choice of embedded hacking platform. The following examples have clearly
shown the possible attacks under an embedded platform. The condition of
the embedded platform is come with a Nios-core in Stratix and uClinux
being installed. By recompiling the source code of netcat and make it run
in uClinux, a swiss army knife is created and ready to perform penetration
as listed below: -
a) Port Scan With Pattern Recognition
A list of subnet can be defined initially in the embedded system
and bring it into a commercial building. Plug the embedded system
into any RJ45 socket in the building, press a button to perform port
scan with pattern recognition and identify any vulnerable network
embedded system in the building. Press another button to launch attack
(Denial of Service) to the target network embedded system(s). This
is a serious problem when the target network embedded system(s) is/are
related to the building evacuation system, surveillance system or
security system.
b) Automatic Brute-Force Attack
Defines server(s) address, dictionary, and brute-force pattern
in the embedded system. Again, plug the embedded system into any RJ45
socket in the building, press a button to start the password guessing
process. While this small box of embedded system is located in a hidden
corner of any RJ45 socket, it can perform the task of cracking over
days, powered by battery.
c) LAN Hacking
By pre-identify the server(s) address, version of patch, type
of service(s), a structured attack can be launched within the area
of the building. For example, by defining:
http://192.168.1.1/show.php?id=1%20and%201=2%20union%20select%20
8,7,load_file(char(47,101,116,99,47,112,97,115,115,119,100)),5,4,
3,2,1
**char(47,101,116,99,47,112,97,115,115,119,100) = /etc/passwd
in the embedded system initially. Again, plug the embedded system into
any RJ45 socket in the building (within the LAN), press a button to
start SQL injection attack to grab the password file of the Unix
machine (in the LAN). The password file is then store in the flash
memory and ready to be loaded out for offline cracking. Instead of
performing SQL injection, exploits can be used for the same
purpose.
d) Virus/Worm Spreading
The virus/worm can be pre-loaded in the embedded system. Again,
plug the embedded system into any RJ45 socket in the building, press a
button to run an exploit to any vulnerable target machine, and load the
virus/worm into the LAN.
e) Embedded Sniffer
Switch the network interface from normal mode into promiscuous mode
and define the sniffing conditions. Again, plug the embedded system
into any RJ45 socket in the building, press a button to start the
sniffer. To make sure the sniffing process can be proceed in switch
LAN, ARP sniffer is recommended for this purpose.
--[ 5. - "Hacking Machine" Implementation In FPGA
The implementation of embedded "hacking machine" will be demonstrated
in Altera's NIOS development board with Stratix EP1S10 FPGA. The board
provides a 10/100-base-T ethernet and a compact-flash connector. Two
RS-232 ports are also provided for serial interfacing and system
configuration purposes, respectively. Besides, the onboard 1MB of SRAM,
16MB of SDRAM, and 8MB of flash memory are ready for embedded linux
installation[6]. The version of embedded linux that is going to be applied
is uClinux from microtronix[7].
Ok, that is the specification of the board. Now, we start our journey
of "hacking machine" design. We use three tools provided by Altera to
implement our "hardware" design. In this case, the term of "hardware" means
it is synthesizable and to be designed in Verilog-HDL. The three tools
being used are: QuartusII ( as synthesis tool), SOPC Builder (as
Nios-core design tool), and C compiler. Others synthesis tools such as
leonardo-spectrum from mentor graphic, and synplify from synplicity are
optional to be used for special purpose. In this case, the synthesized
design in edif format is defined as external module. It is needed to import
the module from QuartusII to perform place-and-route (PAR). The outcome of
PAR is defined as hardware-core. For advanced user, Modelsim from mentor
graphic is highly recommended to perform behavioral simulation and Post-PAR
simulation. Behavioral simulation is a type of functional verification to
the digital hardware design. Timing issues are not put into the
consideration in this state. Instead, Post-PAR simulation is a type of
real-case verification. In this state, all the real-case factors such as
power-consumption and timing conditions (in sdf format) are put into the
consideration. [8,9,10,11,12]
A reference design is provided by microtronix and it is highly
recommended to be the design framework for any others custom design with
appropriate modifications [13]. Well, for our "hacking machine" design
purpose, the only modification that we need to do is to assign the
interrupts of four onboard push-buttons [14]. So, once the design
framework is loaded into QuartusII, SOPC Builder is ready to start
the design of Nios-core, Boot-ROM, SRAM and SDRAM inteface, Ethernet
interface, compact-flash interface and so on. Before starting to generate
synthesizable codes from the design, it is crucial to ensure the check-box
of "Microtronix uClinux" under Software Components is selected (it is in
the "More CPU Settings" tab of the main configuration windows in SOPC
Builder). By selecting this option, it is enabling to build a uClinux
kernel, uClibc library, and some uClinux's general purpose applications by
the time of generating synthesizable codes. Once ready, generate the design
as synthesizable codes in SOPC Builder following by performing PAR in
QuartusII to get a hardware core. In general, there are two formats of
hardware core:-
a) .sof core: To be downloaded into the EP1S10 directly by JTAG and
will require a re-load if the board is power cycled
**(Think as volatile)
b) .pof core: To be downloaded into EPC16 (enhanced configuration
device) and will automatically be loaded into the
FPGA every time the board is power cycled
**(Think as non-volatile)
The raw format of .sof and .pof hardware core is .hexout. As hacker,
we would prefer to work in command line, so we use the hexout2flash tool
to convert the hardware core from .hexout into .flash and relocate the
base address of the core to 0x600000 in flash. The 0x600000 is the startup
core loading address of EP1S10. So, once the .flash file is created, we
use nios-run or nr command to download the hardware core into flash memory
as following:
[Linux Developer] ...uClinux/: nios-run hackcore.hexout.flash
After nios-run indicates that the download has completed successfully,
restart the board. The downloaded core will now start as the default core
whenever the board is restarted.
Fine, the "hardware" part is completed. Now, we look into the
"software" implementation. We start from uClinux. As what is stated, the
SOPC Builder had generated a framework of uClinux kernel, uClibc library,
and some uClinux general purpose applications such as cat, mv, rm, and etc.
We start to reconfigure the kernel by using "make xconfig".
[Linux Developer] ...uClinux/: cd linux
[Linux Developer] ...uClinux/: make xconfig
In xconfig, perform appropriate tuning to the kernel, then use
"make clean" to clean the source tree of any object files.
[Linux Developer] ...linux/: make clean
To start building a new kernel use "make dep" following by "make".
[Linux Developer] ...linux/: make dep
[Linux Developer] ...linux/: make
To build the linux.flash file for uploading, use "make linux.flash".
[Linux Developer] ...uClinux/: make linux.flash
The linux.flash file is defined as the operating system image.
As what we know, an operating system must run with a file system.
So, we need to create a file system image too. First, edit the config
file in userland/.config to select which application packages get
built. For example:
#TITLE agetty
CONFIG_AGETTY=y
If an application package's corresponding variable is set to 'n'
(for example, CONFIG_AGETTY=n), then it will not be built and copied
over to the target/ directory. Then, build all application packages
specified in the userland/.config as following:
[Linux Developer] ...userland/: make
Now, we copy the pre-compiled netcat into target/ directory.
After that, use "make romfs" to start generating the file system or
romdisk image.
[Linux Developer] ...uClinux/: make romfs
Once completed, the resulting romdisk.flash file is ready to be
downloaded
to the target board. First, download the file system image following by
the operating system image into the flash memory.
[Linux Developer] ...uClinux/: nios-run -x romdisk.flash
[Linux Developer] ...uClinux/: nios-run linux.flash
Well, our FPGA-based "hacking machine" is ready now.
Lets try to make use of it to a linux machine with /etc/passwd
enabled. We assume the ip of the target linux machine is 192.168.1.1
as web server in the LAN that utilize MySQL database. Besides, we know
that its show.php is vulnerable to be SQL injected. We also assume it has
some security protections to filter out some dangerous symbols, so we
decided to use char() method of injection. We assume the total columns in
the table that access by show.php is 8.
Now, we define:
char getpass[]="http://192.168.1.1/show.php?id=1%20and%201=2%20union
%20select%208,7,load_file(char(47,101,116,99,47,112,97,115,115,119,
100)),5,4,3,2,1";
as attacking string, and we store the respond data (content of
/etc/passwd) in a file name of password.dat. By creating a pipe to the
netcat, and at the same time to make sure the attacking string is always
triggered by the push-button, well, our "hacking machine" is ready.
Plug the "hacking machine" into any of the RJ45 socket in the LAN,
following by pressing a button to trigger the attacking string against
192.168.1.1. After that, unplug the "hacking machine" and connect to a
pc, download the password.dat from the "hacking machine", and start the
cracking process. By utilizing the advantages of FPGA architecture,
a hardware cracker can be appended for embedded based cracking process.
Any optional module can be designed in Verilog-HDL and attach to the
FPGA for all-in-one hacking purpose. The advantages of FPGA implementation
over the conventional hardcore processors will be deepened in the
following section, with a lot of case-studies, comparisons and
wonderful examples.
Tips: