The Next IoT Frontier
Patrick Ross - Village Idiot Labs
Zoltan Balazs - Head of Vuln Research @ CUJO AI
Hacktivity 2021
MIPS-X
INTRO
Patrick Ross
● Co-founder Village Idiot Labs (@villageidiotlab)
○ Security research in IoT
○ Content developer (labs + ctf + etc)
● Co-organizer of IoT Village
● Defcon 26 Black Badge holder
INTRO
Zoltan Balazs
Head of Vulnerability Research Lab @ CUJO AI
● Zombie Browser Toolkit
● HWFW Bypass tool (similar stuff was used in PacketRedirect in Danderspritz FlewAvenue by EQGRP)
● Malware Analysis Sandbox Tester tool
● Played with crappy IoT devices – my RCE exploit code running on ~600 000 IP cameras via Persirai
● Invented the idea of encrypted exploit delivery via Diffie-Hellman key exchange, to bypass exploit detection appliances
● Co-organizer of the Hackersuli meetup
○ this is my 12th presentation here
● Programme committee member of the Hacktivity conference
● Volunteer at IoTVillage
WHY SHOULD YOU LISTEN TO THIS?
● Are you into emulating IoT devices?
● Are you interested in the suffering of embedded device development?
● Have you ever debugged MIPS Assembly?
● Do you want to build a lab for IoT devices?
● stay for the memes
yes → Enjoy the show!
no → stay for the learning opportunity to find 0-day in your IoT devices
WHY ARE WE DOING THIS?
Traditional debug and exploit development
… somehow get root on the device first … because, you know, that is where you debug the target to find bugs and exploit them
… welcome to catch-22:
$ gdbserver
/bin/sh: gdbserver: not found
$ wget http://myserver/gdbserver
… can’t create file … read-only filesystem
Everyone has a different definition of “fun”
WHY ARE WE DOING THIS (cont’d)
The current tools available did not fit our needs..
● Firmadyne
Cool, but a bit bloated
● Some outdated, incorrect blog posts on how to do this manually
● ARM-X
Also cool, but no MIPS support :-(
Let’s add it :)
TALK AGENDA
● Architectures
● Virtualization vs Emulation
● Intro to the pain
○ MIPS-X
■ Kernel
■ Filesystem
■ NVRAM
■ QEMU VM
○ Docker
● DEMO!
CPU Architectures
● Intel/AMD - CISC, desktops, servers
● ARM - RISC, embedded, now MacBook
● MIPS - RISC, embedded
● PowerPC - RISC, embedded, old Apple
● SPARC - RISC, mostly high-end servers, embedded
(Image slides: INTEL/AMD x64, ARM AARCH64, MIPS32 BE, PowerPC)
VIRTUALIZATION vs EMULATION
● Traditional virtualization like VirtualBox or VMware won’t help you here...
● You have to emulate the CPU instruction set
● QEMU has the best support for emulating different CPUs
● QEMU development boards are basically “virtual machines”, where the HW and BIOS are “emulated”
● “FUN” FACT: kernels compiled for an IoT device won’t run in a QEMU emulated environment, as the HW and peripherals of the emulated board are totally different from the device’s SoC
WHICH KERNEL?
If you want to build your own, new kernel
● “Just use Buildroot”
If you need an older, pre-built kernel
● https://people.debian.org/~aurel32/qemu/
● “apt-get install ...” works 😎
● just use archive.debian.org as the repo
If you want to compile your own 2.6.x or 3.x MIPS kernel
● Warning
Pre-built Debian OR Buildroot?
Pre-built Debian hostfs ~ 280 Mbyte
Buildroot hostfs ~ 65 Mbyte
How to apt-get with an Internet connection (192.168.100.1 is the host as seen from the guest)
1. Start your favourite HTTP proxy on your host (listening on port 8080 below)
2. On the host, forward the guest’s DNS queries: sudo socat UDP4-RECVFROM:53,fork UDP4-SENDTO:8.8.8.8:53
3. In the guest, point /etc/resolv.conf at the host: nameserver 192.168.100.1
4. In the guest: echo 'Acquire::http::Proxy "http://192.168.100.1:8080/";' > /etc/apt/apt.conf.d/proxy.conf
5. Change the apt repositories: in /etc/apt/sources.list replace every http://ftp. and http://security. with http://archive. (the old releases live on archive.debian.org). If apt then rejects the archive’s expired Release files, add Acquire::Check-Valid-Until "false"; to the same apt.conf.d file.
Intro to the pain
KERNEL
Building a suitable MIPS kernel involves a lot of trials and tribulations
● Buildroot/toolchain for compiling
● Need a MIPS compiler ... -> cross compiling
○ You can try to compile in QEMU, but it will be sloooooow
● Need a legacy kernel as well as its headers/modules -> to support old firmware
○ Think Linux 2.6.32 - one of the most popular Linux versions in IoT
● Building a recent MIPS kernel is easy
○ https://gist.github.com/sjaeckel/94120aeb2dacfa693b1dd360de451b89
Static vs dynamically linked binaries
● The key useful ones (gdbserver, netcat, socat, telnetd) are better built from scratch, statically linked, so they do not depend on whatever libc the target rootfs ships
TOOLCHAIN HELL
Choose your cross compiler toolchain wisely
Buildroot
OpenWrt
crosstool-NG
musl
CodeSourcery CodeBench
Dockcross
Debian cross tools
….
SINGLE BINARY vs FULL SYSTEM EMULATION
● QEMU on Debian (and probably other distros) can easily run a single STATIC or DYNAMIC binary from another CPU architecture!
● Sometimes running a single binary is enough, you don’t need full system emulation
○ # apt install qemu-user qemu-user-static gcc-mips-linux-gnu binutils-mips-linux-gnu binutils-mips-linux-gnu-dbg build-essential
○ # mips-linux-gnu-gcc -static -o hello64 hello64.c
○ # mips-linux-gnu-gcc -o hello64dyn hello64.c
○ The static binary runs under qemu-mips as is; the dynamic one needs qemu-mips pointed at the cross sysroot with -L /usr/mips-linux-gnu, so the MIPS ld.so and libc are found there, and that sysroot needs its own ld.so.cache:
● https://azeria-labs.com/arm-on-x86-qemu-user/
cd /usr/mips-linux-gnu
sudo mkdir etc
sudo ldconfig -r /usr/mips-linux-gnu   # -r: treat this dir as /, writes ./etc/ld.so.cache for the MIPS libs
FILESYSTEM
Not all binaries are created equal (MIPS isn’t necessarily MIPS.)
○ MIPS I (register to register), MIPS II, MIPS III (64-bit datatypes), MIPS32, MIPS64, microMIPS (code compression, 16/32/64)
○ plus byte order (big vs little endian), which must match the kernel, and the ABI (o32/n32/n64), which the kernel and the hostfs libc must support
● chroot into the firmware rootfs, with the hostfs shared as a network filesystem
● Persistent vs non-persistent disks
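Before committing to a kernel, a Buildroot defconfig or a qemu-user sysroot, it pays to read what the target binaries themselves claim to be: the ELF header carries the ISA level (EF_MIPS_ARCH), the ABI, microMIPS/MIPS16 use and the byte order, and the program headers show whether the binary is dynamically linked (PT_INTERP) and therefore needs a matching libc in the rootfs. The probe below is an added example written for this write-up, not code from MIPS-X or the slides; the two embedded headers are hand-constructed samples, not taken from any real firmware.

```c
/* mips_elf_probe.c: which "MIPS" is this binary?  Added example for this
 * write-up, not code from MIPS-X.  Offsets are the standard ELF32/ELF64 header
 * layout; flag values are the EF_MIPS_* constants from <elf.h>. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct elf_info {
    int class_bits;      /* 32 or 64 (EI_CLASS) */
    int big_endian;      /* 1 for ELFDATA2MSB */
    int is_mips;         /* e_machine == EM_MIPS (8) */
    const char *isa;     /* EF_MIPS_ARCH nibble of e_flags */
    const char *abi;     /* o32 / n32 / n64 / o64 / eabi */
    int micromips;       /* EF_MIPS_MICROMIPS */
    int mips16;          /* EF_MIPS_ARCH_ASE_M16 */
    int has_interp;      /* PT_INTERP present => dynamically linked */
};

/* Read an n-byte integer in the file's own byte order. */
static uint64_t rd(const unsigned char *p, int n, int be) {
    uint64_t v = 0;
    for (int i = 0; i < n; i++) v = (v << 8) | (be ? p[i] : p[n - 1 - i]);
    return v;
}

static const char *isa_name(uint32_t f) {
    static const char *names[] = { "MIPS-I", "MIPS-II", "MIPS-III", "MIPS-IV", "MIPS-V",
        "MIPS32", "MIPS64", "MIPS32r2", "MIPS64r2", "MIPS32r6", "MIPS64r6" };
    unsigned idx = f >> 28;                 /* EF_MIPS_ARCH is the top nibble */
    return idx < 11 ? names[idx] : "unknown";
}

static const char *abi_name(uint32_t f, int class_bits) {
    if (f & 0x20) return "n32";             /* EF_MIPS_ABI2 */
    switch (f & 0xf000) {                   /* EF_MIPS_ABI */
    case 0x1000: return "o32";
    case 0x2000: return "o64";
    case 0x3000: return "eabi32";
    case 0x4000: return "eabi64";
    }
    return class_bits == 64 ? "n64" : "unknown";
}

/* Returns 0 and fills *out, or -1 if buf does not start with a usable ELF header. */
int mips_elf_probe(const unsigned char *buf, size_t len, struct elf_info *out) {
    memset(out, 0, sizeof *out);
    if (len < 52 || memcmp(buf, "\x7f" "ELF", 4) != 0) return -1;
    if ((buf[4] != 1 && buf[4] != 2) || (buf[5] != 1 && buf[5] != 2)) return -1;
    int is64 = buf[4] == 2, be = buf[5] == 2;
    if (is64 && len < 64) return -1;
    out->class_bits = is64 ? 64 : 32;
    out->big_endian = be;
    out->is_mips = rd(buf + 18, 2, be) == 8;                       /* e_machine */
    uint32_t flags = (uint32_t)rd(buf + (is64 ? 48 : 36), 4, be);  /* e_flags */
    out->isa = isa_name(flags);
    out->abi = abi_name(flags, out->class_bits);
    out->micromips = (flags & 0x02000000u) != 0;
    out->mips16 = (flags & 0x04000000u) != 0;
    /* Walk the program headers for PT_INTERP (3); a static binary has none.
     * Only what fits in buf is examined, so pass at least the first few KB. */
    uint64_t phoff = rd(buf + (is64 ? 32 : 28), is64 ? 8 : 4, be);
    uint64_t phentsize = rd(buf + (is64 ? 54 : 42), 2, be);
    uint64_t phnum = rd(buf + (is64 ? 56 : 44), 2, be);
    for (uint64_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + i * phentsize;
        if (off > len || len - off < 4) break;
        if (rd(buf + off, 4, be) == 3) { out->has_interp = 1; break; }
    }
    return 0;
}

/* Constructed samples (hand-assembled for this example, not from any real firmware):
 * a big-endian MIPS32r2 o32 executable with one PT_INTERP phdr, and a bare
 * header of a little-endian microMIPS o32 binary with no program headers. */
static const unsigned char SAMPLE_MIPS32R2_BE_DYN[84] = {
    0x7f,'E','L','F', 1,2,1,0, 0,0,0,0,0,0,0,0,      /* ELF32, MSB */
    0,2, 0,8, 0,0,0,1,                                /* ET_EXEC, EM_MIPS, EV_CURRENT */
    0,0x40,0,0, 0,0,0,52, 0,0,0,0,                    /* e_entry, e_phoff=52, e_shoff */
    0x70,0x00,0x10,0x07,                              /* e_flags: ARCH_32R2|ABI_O32|CPIC|PIC|NOREORDER */
    0,52, 0,32, 0,1, 0,40, 0,0, 0,0,                  /* ehsize, phentsize, phnum=1, sh* */
    0,0,0,3, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0  /* PT_INTERP */
};
static const unsigned char SAMPLE_MICROMIPS_LE_STATIC[52] = {
    0x7f,'E','L','F', 1,1,1,0, 0,0,0,0,0,0,0,0,      /* ELF32, LSB */
    2,0, 8,0, 1,0,0,0,
    0,0,0x40,0, 0,0,0,0, 0,0,0,0,                    /* e_entry, e_phoff=0, e_shoff */
    0x00,0x10,0x00,0x52,                              /* e_flags 0x52001000: ARCH_32|MICROMIPS|ABI_O32 */
    52,0, 32,0, 0,0, 40,0, 0,0, 0,0                   /* phnum=0 */
};

int main(int argc, char **argv) {
    unsigned char buf[8192];
    const unsigned char *p = SAMPLE_MIPS32R2_BE_DYN;
    size_t n = sizeof SAMPLE_MIPS32R2_BE_DYN;
    if (argc > 1) {                                   /* ./mips_elf_probe <binary-from-firmware> */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        n = fread(buf, 1, sizeof buf, f); fclose(f); p = buf;
    }
    struct elf_info i;
    if (mips_elf_probe(p, n, &i) != 0) { fprintf(stderr, "not an ELF header\n"); return 1; }
    printf("%s ELF%d %s %s %s%s%s %s\n", i.is_mips ? "MIPS" : "non-MIPS", i.class_bits,
           i.big_endian ? "BE" : "LE", i.isa, i.abi, i.micromips ? " microMIPS" : "",
           i.mips16 ? " MIPS16" : "", i.has_interp ? "dynamic" : "static (no PT_INTERP)");
    return 0;
}
```

Run it over every executable and shared object extracted from the firmware (for example with find ... -exec) and the set of ISA/ABI/endianness combinations you get back is the set the emulated kernel and hostfs have to support; a MIPS32r2 big-endian o32 result, for instance, argues against an r6 defconfig.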
Building the hostfs
https://github.com/getCUJO/MIPS-X/blob/main/hostfs_builder/buildroot_notes.txt
Use board qemu_mips32r6_malta_defconfig
Enable SSHD, bash, dialog, gdbserver; enable gcc 10 and C++ in the toolchain; enable NFS
Caveat: MIPS32r6 is not binary compatible with earlier MIPS32 releases (r6 removed or re-encoded instructions that r2-era firmware binaries use), so check the target binaries’ ELF e_flags before settling on an r6 defconfig; Buildroot also ships qemu_mips32r2_malta_defconfig and little-endian (el) variants
https://github.com/getCUJO/MIPS-X/blob/main/hostfs_builder/README.md
https://github.com/getCUJO/MIPS-X/blob/main/hostfs_builder/hostfs_builder.sh
NVRAM
● Typically needed to support the target binaries
● Workflow for reverse engineering what NVRAM parameters are needed
● Discover parameters
● (try to) Emulate them :-)
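The slides leave the “emulate them” half of the NVRAM workflow open. One common way to do it, which the slides do not describe and which is presented here as an added example rather than MIPS-X code, is an LD_PRELOAD library that answers the NVRAM calls from a plain text file and logs every key the target asks for that the file does not yet contain; that log is the “discover parameters” loop. The function names follow the Broadcom-style libnvram API (nvram_get, nvram_safe_get, nvram_set, nvram_match, nvram_commit) that many router binaries import, and the backing-file path is an assumption.

```c
/* nvram_shim.c: file-backed nvram_get()/nvram_set() to stand in for a router's
 * libnvram inside the chrooted firmware rootfs.  Added example for this
 * write-up, not MIPS-X code.  Assumptions: the target imports the Broadcom-style
 * names below, and "key=value" lines in nvram_file are an acceptable store.
 *
 * Cross-build as a shared object and preload it in the chroot, e.g.
 *   mips-linux-gnu-gcc -shared -fPIC -o libnvram_shim.so nvram_shim.c
 *   LD_PRELOAD=/libnvram_shim.so /usr/sbin/httpd
 * Every key the target asks for that is not in the file is reported on stderr:
 * run, collect the MISSING lines, add values, run again. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

const char *nvram_file = "/tmp/nvram.txt";   /* assumed path; change per target */

/* Find "key=" at a line start in text; returns a malloc'd copy of the value or NULL.
 * An exact key match is required, so "wan" does not match "wan_proto=". */
char *nvram_lookup_in(const char *text, const char *key) {
    size_t klen = strlen(key);
    for (const char *line = text; line && *line; ) {
        const char *nl = strchr(line, '\n');
        size_t n = nl ? (size_t)(nl - line) : strlen(line);
        if (n > klen && line[klen] == '=' && memcmp(line, key, klen) == 0) {
            char *v = malloc(n - klen);
            if (v) { memcpy(v, line + klen + 1, n - klen - 1); v[n - klen - 1] = '\0'; }
            return v;
        }
        line = nl ? nl + 1 : NULL;
    }
    return NULL;
}

/* Whole file as a NUL-terminated string, or NULL if it cannot be read. */
static char *read_file(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    fseek(f, 0, SEEK_END);
    long sz = ftell(f);
    char *buf = sz >= 0 ? malloc((size_t)sz + 1) : NULL;
    if (buf) { rewind(f); buf[fread(buf, 1, (size_t)sz, f)] = '\0'; }
    fclose(f);
    return buf;
}

/* Firmware-facing API.  Real libnvram hands out pointers into its own buffer
 * that callers never free; here each call returns a fresh heap copy instead. */
char *nvram_get(const char *key) {
    char *text = read_file(nvram_file);
    char *v = text ? nvram_lookup_in(text, key) : NULL;
    free(text);
    if (!v) fprintf(stderr, "[nvram-shim] MISSING %s (add it to %s)\n", key, nvram_file);
    return v;
}

char *nvram_safe_get(const char *key) {        /* "" instead of NULL for unset keys */
    char *v = nvram_get(key);
    return v ? v : "";
}

int nvram_match(const char *key, const char *match) {
    char *v = nvram_get(key);
    int r = v != NULL && strcmp(v, match) == 0;
    free(v);
    return r;
}

/* Rewrite the file: every other key is copied through, then the new value is
 * appended, so a repeated set leaves exactly one line for the key. */
int nvram_set(const char *key, const char *value) {
    char *text = read_file(nvram_file);        /* NULL on first use is fine */
    FILE *f = fopen(nvram_file, "w");
    if (!f) { free(text); return -1; }
    size_t klen = strlen(key);
    for (const char *line = text; line && *line; ) {
        const char *nl = strchr(line, '\n');
        size_t n = nl ? (size_t)(nl - line) : strlen(line);
        if (!(n > klen && line[klen] == '=' && memcmp(line, key, klen) == 0))
            fprintf(f, "%.*s\n", (int)n, line);
        line = nl ? nl + 1 : NULL;
    }
    fprintf(f, "%s=%s\n", key, value);
    free(text);
    return fclose(f) == 0 ? 0 : -1;
}

int nvram_commit(void) { return 0; }           /* the file already is the store */
```

The shim must be built with the same toolchain family (glibc vs uClibc vs musl) and ABI as the target so the loader accepts it; if the firmware’s own libnvram.so calls nvram_get internally through a local binding, those internal calls are not intercepted and the target may still need a stubbed libnvram.so in the rootfs.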
QEMU VM
● Networking
○ The default QEMU NIC does NOT like to do it the way WE want to
● Goal is to have the same memory layout as the IoT device
○ If this is achieved, exploits become portable
● Accessibility
○ Networking (exposing service ports, ability to ssh)
○ Debugging the target binary using GDB/gef
○ Local to the QEMU instance
○ QEMU level debugging (kernel level) FUN
DOCKER
+------------------------------------------------------------+
| Host machine |
| +------------------------------------------------------+ |
| | Docker container | |
| | +------------------------------------------------+ | |
| | | QEMU | | |
| | | +------------------------------------------+ | | |
| | | | "Host" kernel + filesystem | | | |
| | | | +------------------------------------+ | | | |
| | | | | chrooted IoT firmware rootfs | | | | |
| | | | | +------------+ | | | | |
| | | | | | webserver | | | | | |
| | | | | | | | | | | |
| | | | | +------------+ | | | | |
| | | | +------------------------------------+ | | | |
| | | | +----------------+ +-----------------+ | | | |
| | | | | SSH server | | gdbserver | | | | |
| | | | +----------------+ +-----------------+ | | | |
| | | +------------------------------------------+ | | |
| | +------------------------------------------------+ | |
| +------------------------------------------------------+ |
+------------------------------------------------------------+
DEMO
NEXT STEPS
● Continue on NVRAM refinement
● Develop a CI/CD model where you can provide a firmware file, and it will auto-unpack it and build a shell IoT VM environment
PROFIT
● Paying it forward to the Security community
● Continue to drive positive momentum in bug
bounty and put pressure on the vendors to
improve their secure systems development
● Open-source means anyone can contribute!
https://github.com/getCUJO/MIPS-X
https://github.com/therealsaumil/armx/pull/17
If you’re feeling lucky...
