The Essential Of Hacking Methodology From The Perspective Of Embedded Hacker by cawan (cawan[at]ieee.org or chuiyewleong[at]hotmail.

com) on 27/11/2012 Hacking is about an action to a system. The system can be a single box or machine, or can be a group of boxes or machines to be interconnected via a center communication bus, which is usually known as network. For the case of single box or machine, in fact, it can be assumed as a group of peripherals which are managed by a center processing unit, over the system communication bus, such as PCI, PCIe, I2C, SPI, USB, and etc. The group of peripherals can be in chip form or card form. In chip form, it can be sound interface, network interface, video interface, or RAM interface, which is defined as the lowest level of interface within the system. So, their communication bus should be I2C, SPI, USB, or some variation of such standard communication bus. On the other hand, in card form, it can be enhanced version of sound interface, video interface, network interface, or some forms of extended features such as I/O card, optical interface, or RF interface. Besides, there are also some custom communication interface such as Cobranet, Ethersound, LonWorks, ARCNET, and etc. Well, they are connected via PCI or PCIe. Regarding to the storage access such as hard disk, optical driver, or SSD, they are connected via PATA (IDE), SATA, or SCSI bus. Since there are so many types of buses in the same box or machine, the processor needs a chipset to manage those buses in performing multiple access or multiplexing in order to allow those peripherals can be run accordingly. In fact, the chipset is only necessary for those systems which their processors are in von neumann architecture, where its address bus and data bus are shared to the same physical bus. On the other hand, for harvard architecture based processor, its address bus and data bus are separated, and hence the chipset can be skipped. For the case of a group of boxes or machines being interconnected via the network, each of them must comply to a standard protocol among each others. In link layer, they might need to comply ethernet, wifi, pppoe, or mpls, which is depending to the physical medium of the associated communication bus. In higher layer, let's say the network layer, almost all of them comply to TCP/IP. So, the TCP/IP is undoubtedly the protocol glue among all the boxes or machines. From here onwards, the rest of the issues are about application layer such as HTTP, HTTPS, FTP, TFTP, Telnet, SNMP, SMTP, POP3, IMAP, and etc... which are the most common names in networking. On the other hand, for the case of industrial networking, there are a huge variety of them, which are dependent to the application domains. For example, in building automation industry, there are bacnet, modbus, lontalk, profibus, and some others which are manufacturer proprietary. Besides, in scada industry, there are modbus, iec60870, iec61850, and a lot of others proprietary implemented items. In order to run the hardware, we need software. So, we need something to manage the hardware in overall, and this is kernel. The kernel will control various types of hardware with appropriate kernel module or device driver. The kernel executive will ensure the interoperability among the hardware resources. From application point of view, the hardware resources are operated in transparent way via appropriate system call. Of course, there are some protections imposed such as the kernel space is prohibited to be accessed from user mode. Besides, each process space is isolated among each other to avoid data collision or overwrite intentionally or unintentionally. From hacker perspective, there are a lot of exploitation points can be considered to launch the attacks. In general hacking methodology, majority of the attacks are about exploiting the buffer to overwrite some system structures or registers, and causes the system run unexpectedly. The buffer exploitation can be about the stack or the heap. Besides, it is possible to exploit the kernel stack or heap from user mode via some vulnerable kernel modules or device drivers. In order to control the system once it is exploited, we need a piece of shellcode. The shellcode is something highly customized which is dependent to the processor platform, OS platform, operation mode (kernel/user), intentional action, avoidance of illegal characters, and etc. So, all the attacks need to start from a target application. If the application runs locally, then the malform local user input is the root cause to incur exploitation. In addition,

if the application is network savvy, then the attack can be launched from anywhere within the network. Before launching any attack on the system at another part of the same network, it is important to understand the protocol being used by the system. So, a sniffer is necessary in this case to study the protocol based on the network packets being captured. If the protocol is proprietary, then it needs some times to analyze the packets sequence in understanding the protocol in details. However, if the protocol is open source, then the analysis process will getting much easier by referring the specification from time to time. On the other hand, it is possible to perform fuzzing process to the system. With some level of understanding to the protocol, it is possible to manipulate the data in different fields in the network packet automatically and observe the reaction of the system. Yes, the fuzzing process is some kind of trial and error or brute-force approach, but it is really effective. Besides, it is possible to perform code analysis to the application to find any vulnerability to be exploited, but it is really time-consuming. From embedded hacker perspective, the hacking methodology suppose to be much simpler. Due to the reduced hardware resources in embedded system, it is impossible to implement full security protection which is really resouce-intensive. In fact, a large portion of embedded linux system even didn't implement NX and ASLR all together. So, in this case, ROP can be skipped when we are designing the exploit and shellcode for such systems. Besides, for some very special cases, some network applications are even don't have sanity check to the network packets. Thus, it is simpler to be exploited. However, due to the nature of embedded system which is highly customized, it is a need to master the skill of shellcode design for RISC processors such as ARM, MIPS, and PPC. So, it is important to make those different types of instruction sets at your own disposal. Besides, it is important to note that the peripherals being used in embedded system are not something in standard or in generic. Instead, they are something special with customized device driver. From the angle of embedded enginners who designing the device driver, they just need to ensure the device driver can run in the most stable way but not in the most secure way. Hence, it is most probably the device driver is vulnerable to be exploited. Besides, the security concern to the embedded system is really less as compared to the proper computer system. The reason is simple, it is really not many people can imagine a headless embedded system is hackable and the value behind to abuse the hacked embedded system. It is really hard to convince somebody about an embedded system product can be changed into a proprietary sniffer to perform dedicated MITM attack to the network. On the other hand, regarding to the physical attack, it is really not hard to duplicate the data image from flash chip. Besides, from higher level perspective, the ramdisk file can be manipulated which is a remarkable security breach. In addition, the simple implementation of bootloader does not has good security implication to block unauthorized access to the system. In other words, once the configuration interface of the bootloader is getting accessed, then it is just a few of commands to duplicate certain partitions in flash to a network drive as data image. It is crucial to remember the term of readonly in certain file system for embedded system is really nothing to do with the security. It just means we can't simply add or remove a file from the file system, but we can definitely overwrite the whole partition by using the device file in /dev. Nothing special here. Now, what is the essential of hacking methodology from the perspective of embedded hacker ? Well, we already know hacking is just an action to a box or to a system. Then what is the core of embedded system hacking ? In order to have a substantial idea to start any meaningful attack to an embedded system, it is necessary to understand the system and protocol internals. So, reverse engineering should be the core of embedded system hacking methodology. When talking about the reversing of binary, it comprises static and dynamic approaches. In static approach, it is about to perform disassembly of the binary with any type of disassemblers. However, IDA Pro should be the one with highest ranking to master with. Yes, it is really good in generating comprehensive output in assembly language level with proper formatting. But, in most of the times, we are only interested to some portions of the codes. So, it is a little bit hard to find those little portions of codes from the big pool of assembly instructions in IDA Pro enviroment. Of course, we can based on some special pattern of string to do the job, but the existence of such string is not always true. So, we need to cooperate with the dynamic approach. By using a good debugger such as

gdb, it is possible to set a breakpoint at an interesting address of symbol, and let the program counter hit on the breakpoint. Then, it is easy to backtrace or to dump some meaningful information from memory as guideline in locating the code portion that we are interested with from the big pool of assembly instructions under the IDA Pro environment. Yes, both of the static and dynamic approaches should be worked together in proper way, and this is the fundamental skill of an embedded hacker. On the other hand, the architecture of RISC processors should be in good understanding. So, the concepts of calling conventions, registers, addressing modes, operation modes, and memory management for each of the RISC processors should be in our disposal. In addition, it is important to understand the linux kernel in detail. Hence, the internals of runtime, loader, shared library, kernel module, and system call should be with good understanding. Besides, it is also important to understand the communication bus of the peripherals such as I2C, SPI, PCI, USB, and etc. By understanding them, it is really helpful to interpret the communication data being captured in signal level. Well, it is crucial in doing injection to find vulnerability in signal level or in bus level. The possibility is only limited by our imagination. As conclusion, reversing techniques in terms of hardware and software should be the core of hacking methodology for a serious embedded hacker.