Reverse Engineering and Exploit Development For Embedded Systems

Ali Abbasi

News

Bug Credits for Zero-days

Written on 26.09.23 (last change on 20.09.24) by Simon Wörner

Hi,

I've added a note field for your GitHub account / name so we can credit you for the found bugs when we do the cumulated reporting.
If you found bugs and want to be credited please enter a GitHub account / your name / a nickname until the end of the week.

 

Simon

Grades are out - The End

Written on 25.09.23 by Ali Abbasi

Hi,

The final grades are out in the CMS. You can see it in the Tests And Exams section.

Thank you, everybody, for attending this course and for the fantastic work you have done throughout the course. I was impressed by all of you.

I hope you continue the great work you are doing in the… Read more

Hi,

The final grades are out in the CMS. You can see it in the Tests And Exams section.

Thank you, everybody, for attending this course and for the fantastic work you have done throughout the course. I was impressed by all of you.

I hope you continue the great work you are doing in the future. If you need a recommendation or are looking for a Job/Ph.D. position, please let me know, and I will personally vouch for each of you.

 

Cheers,

Ali

PS: As mentioned before, there will be prizes for the top 3 students. Due to delivery issues, I will hand in awards during the System Security lecture in October. I will contact you individually once I have delivery information for the prizes.

 

 

Winter is Coming....Exam Date

Written on 20.09.23 by Ali Abbasi

Hi Everybody,

Here is just a reminder that your exam date is approaching. Regarding the time, here is the time each of you take the exam:

 

13:00 to 13:30: Lorenz

13:30 to 14:00: Tristan

14:00 to 14:30: Ulysse

14:30 to 15:00: Raoul

15:00 to 15:30 Addison

 

Fabian and… Read more

Hi Everybody,

Here is just a reminder that your exam date is approaching. Regarding the time, here is the time each of you take the exam:

 

13:00 to 13:30: Lorenz

13:30 to 14:00: Tristan

14:00 to 14:30: Ulysse

14:30 to 15:00: Raoul

15:00 to 15:30 Addison

 

Fabian and Florian:

14:00 to 15:00 21st September.

 

Location:

CISPA C0 building room 2-16

 

 

Remember to submit your reports beforehand and bring your laptop.

Note: Those who will have the exam tomorrow (Fabian and Florian) should be able to share their screen on their computer.

 

We will try to have a hand-in prize date. It depends on CISPA procurement. If they are fast and prizes are delivered on time, the top 3 students will get their awards from the ZF. Otherwise, we have to delay the award date.

 

Cheers,

Ali

 

Reminder on Exam Registration

Written on 17.09.23 by Ali Abbasi

Hi,

This is a reminder that you should register for the exam by the end of today.

 

Cheers,

Ali

 

Exam Registration

Written on 13.09.23 by Ali Abbasi

Hi,

Please make sure to register for the exam before 18th September.

 

Cheers,

Ali

 

Updated Diffs for embed OS Build

Written on 11.09.23 (last change on 11.09.23) by Tobias Scharnowski

Hi everyone,

we updated the patches for the embed OS target to remove hard-to-triage interactions between the emulator and the target.

  1. Please re-download the floating point patch mbed_disable_hard_floats.diff
  2. Please also apply the second patch mbed_fix_invalid_CONTROL_write.diff

Regards,

Tobi

Final Project Target 1

Written on 08.09.23 (last change on 10.09.23) by Simon Wörner

Hi,

 

just to make sure there is no confusion: The first target is BLE_GAP of mbed-os-example-ble (Day 7 Task 2), to enable fuzzing be sure to apply the software floating point patch (mbed_disable_hard_floats.diff).

 

Regards,
Simon

Day 9 Submission Extension

Written on 07.09.23 by Simon Wörner

Hi,

we extended the submission deadline of day 9 to Sunday 23:59.

 

Simon

Order of Presentation

Written on 04.09.23 by Ali Abbasi

Hi,

The order of presentation for tomorrow is the following:

1. Avatar 2: A multi-target orchestration platform.", 2018
2. What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices, NDSS 2018
3. Firm-AFL: High-Throughput Greybox Fuzzing of IoT Firmware via Augmented… Read more

Hi,

The order of presentation for tomorrow is the following:

1. Avatar 2: A multi-target orchestration platform.", 2018
2. What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices, NDSS 2018
3. Firm-AFL: High-Throughput Greybox Fuzzing of IoT Firmware via Augmented Process Emulation, Usenix Sec 2019
4. HALucinator: Firmware Re-hosting Through Abstraction Layer Emulation, Usenix 2020
5. PartEmu: Enabling Dynamic Analysis of Real-World TrustZone Software Using Emulation, Usenix 2020
6. DICE: Automatic emulation of dma input channels for dynamic firmware analysis, IEEE S&P, 2021
7. What Your Firmware Tells You Is Not How You Should Emulate It: A Specification-Guided Approach for Firmware Emulation, CCS 2022
8. Hoedur: Embedded Firmware Fuzzing using Multi-Stream Inputs, Usenix Sec 2023
9. Greenhouse: Single-Service Rehosting of Linux-Based Firmware Binaries in User-Space Emulation, Usenix Sec 2023

Day 6 Submission Form

Written on 04.09.23 by Ali Abbasi

Hi,

Day 6 Submission Form is now available.

 

Ali

SDCard Reader

Written on 31.08.23 by Ali Abbasi

Hi,

For tomorrow's practical session, please have an SDCard reader with you.

 

Cheers,

Ali

 

Selecting the paper

Written on 28.08.23 by Ali Abbasi

Hi,

To select the paper for 10 mins presentation, here is the forum link:

 

https://cms.cispa.saarland/emsecexpdevs2023/forum/viewtopic.php?t=1

 

Cheers,

Ali

 

Software/Hardware Requirement

Written on 23.08.23 by Ali Abbasi

Hi Everybody,

We are getting close to the start day of our course. I wanted to give you some heads-up about the location and some requirements.

 

Requirements:

1. Please Bring a Laptop with you. It should be a Linux machine, preferably Ubuntu. Please also install Linux build environment… Read more

Hi Everybody,

We are getting close to the start day of our course. I wanted to give you some heads-up about the location and some requirements.

 

Requirements:

1. Please Bring a Laptop with you. It should be a Linux machine, preferably Ubuntu. Please also install Linux build environment for it. You should have an SSH client installed on it.

2. Please have a USB hub for 4th and 5th course day (next week, Thursday and Friday).

 

Important Note: If you use a pacemaker or any other medical device sensitive to electrical interference, please inform us ASAP.

 

Location:

The course location will be in CISPA main building, room 0.01. We will start every day at 10:00 AM and have lectures until 12:00. We will have lunch time between 12:00 and 13:00. We will start the practical session from 13:00 until 17:00 (or whatever it takes).

 

Recommended Text Book for the course:

1. Fuzzing Against the Machine, Automate Vulnerability Research with Emulated IoT Devices on QEMU

2. The Hardware Hacking Handbook

3. Real-Time Embedded Systems, Design Principles and Engineering Practices

 

 

Verbal Exam Date:

There is going to be a verbal exam. The verbal exam is designed so that by doing all the practical parts and delivering your final project, you do not need to study for it. We will talk about your final project in the verbal exam. The verbal exam date is Monday, 25th September, from 09:00 AM until 17:00. Your exact time slot will be announced at the end of the last lecture. If you can not attend the exam date, please inform us ASAP. The exam location will be my office at CISPA main building, room 2-16.

 

 

Cheers,

Ali

 

 

 

 

Course Registration

Written on 12.07.23 by Ali Abbasi

Hi Everybody,

I see that some students already registered in the course without writing me an email first.

You will get removed from the course on 15 July unless you wrote your background and justification for this course and got approval from me.

 

Ali

 
Show all

About the course

From critical infrastructure to consumer electronics, embedded systems are all around us and underpin the technological fabric of everyday life. As a result, the security of embedded systems is crucial to us.

Therefore, in this course, we will work toward understanding the fundamentals of developing software/hardware exploits against embedded systems. In this course. We will cover topics such as firmware extraction, modification, and different hardware serial protocols. We also cover topics such as exploit development for ARM-based embedded devices and write exploits for vulnerabilities such as uninitialized stack variables, off-by-one bugs, Use-after-free, and utilize techniques such as ROP, Signal-oriented programming, to attack embedded systems. We also attack micro-controllers and try to extract secrets from them by utilizing reverse-engineering techniques. Finally, we perform fuzz-testing on embedded firmware via re-hosting.

 

 

Prerequisites

Do not register directly, before contacting us (abbasi@cispa.de). While we do not have a formal registration requirement, it is absolutely essential that you only apply for this course when you already passed the system security course, or have a very strong background in system security. There is a high probability that you fail the course if you do not have such a background. It is not worth it, do not try.

  • You should have experience in systems-oriented programming. In addition, it helps if you have experience in the C programming language to understand some of the topics, Python is helpful as well.
  • You should have a basic understanding of operating systems (e.g., memory management, scheduling, etc.).
  • You should be familiar with Linux.

Time and Location and structure

The lecture will take place in two weeks from 28 August to 1st September and 4th to 8th September. There will be lectures in the morning followed by practical exercises in the afternoon. The exam will be the week after on 13th September.

Grading

To pass the course, you must score at least 50% on the final oral exam. In the final exam, you can reach 100 points, so you need to achieve at least 50 points in the final exam to pass the course. To be admitted to the exam, you must achieve at least 50% of the points from the exercises.

You will typically have the task of exploiting a vulnerable program to extract a secret flag.

 

  • Strict no cheating policy
    You may discuss the assignments with other students, but you are not allowed to collaborate with others on the solution. Your solution should be original and not an existing solution (e.g., from someone else or from the internet). All submissions will be automatically checked for plagiarism, as we have a strict no-cheating policy. If we find a case of plagiarism, we will assign zero points. If you ever get stuck, you can ask questions in the forum or participate in the exercise lessons. We invite you to help fellow students who have asked questions but avoid giving away the solution. Nobody likes spoilers :)

 

 

Oral Exam

At the end of the semester, there will be an oral exam for a duration of 30 minutes. All questions of the exam are in English.

Registration

Register for the course here in the CISPA CMS pending prior communication.

Privacy Policy | Legal Notice
If you encounter technical problems, please contact the administrators.