On This Page

The Advanced ARM Iot Exploit Laboratory

Saumil Shah | August 6-7



Overview

The Internet of Things (IoT) universe comprises largely of ARM based systems. In its third year, The ARM IoT Exploit Laboratory brings you two intense 2-day courses featuring a practical hands-on approach to exploit development on ARM based systems. The ADVANCED class is perfectly suited for students who are keen to dive into the world of modern ARM exploit development.

Our intermediate/advanced level class assumes that students are already familiar with ARM architecture, ARM assembly language, basics of memory corruption on ARM and ARM shellcode.

The ADVANCED class begins with a quick recap of how functions work in the ARM environment, and quickly moves onto bypassing exploit mitigation techniques with ARM Return Oriented Programming (ROP). Our lab environment features ARM IoT hardware as well as ARM virtual machine targets.

The class concludes with an end-to-end "Firmware-To-Shell" hack, testing out ARM exploitation skills against commercial ARM based SoHo routers. Students will analyse the device's firmware, learn how to debug it in a virtual environment, build an exploit which involves tight ROP chaining and ASLR bypass, and finally succeed in getting a shell on the actual hardware.

For those keen on end to end ARM exploitation, it is recommended to take both the INTRO and ADVANCED classes in succession in a 4-day format.

As with the popular Exploit Laboratory, all topics are delivered in a down-to-earth, learn-by-example methodology. The same trainers who brought you The Exploit Laboratory for over 12 years have been working hard in putting together an all new class based on past feedback!

LEARNING OBJECTIVES:
-------------------
* How functions work in ARM - a quick recap
* Introduction to Return Oriented Programming
* Bypassing exploit mitigation using ROP
* Practical ARM ROP
* Bypassing ASLR
* Exercise: Applying ARM ROP chains to an existing non-ROP exploit
* An Introduction to firmware extracting
* Emulating and debugging a SoHo router's firmware in a virtual environment
* "Firmware-To-Shell" - exploiting an actual SoHo router
* The Lab environment is a mixture of physical ARM hardware and ARM virtual machines.

DAILY SCHEDULE:
---------------
DAY 1
* How functions work in ARM - a quick recap
* Introduction to Exploit Mitigation Techniques (XN/DEP and ASLR)
* Introduction to ARM Return Oriented Programming
* Bypassing exploit mitigation on ARM using ROP
* ARM ROP Tools
* Practical ROP Chains on ARM
* EXERCISE - Exploit featuring ARM ROP Chains
* Bypassing ASLR
* EXERCISE - End to end exploit with ASLR and XN/DEP bypass

DAY 2
* An Introduction to firmware extracting
* Emulating and debugging a SoHo router's firmware in a virtual environment
* "Firmware-To-Shell" - exploiting an actual SoHo router
* EXERCISE - Working SoHo Router exploit in an emulated environment
* EXERCISE - Attacking a DLINK ARM Router - from firmware to shell
* BONUS EXERCISE - Attacking a TRIVISION ARM IP Camera - from firmware to shell

Who Should Take this Course

- Past Exploit Laboratory students (Red Team / Black Belt / Master) who want to take their elite exploitation skills to the ARM platform.
- Pentesters working on ARM embedded environments. (SoCs, IoT, etc)
- Red Team members, who want to pen-test custom binaries and exploit custom built applications.
- Bug Hunters, who want to write exploits for all the crashes they find.
- Members of military or government cyberwarfare units.
- Members of reverse engineering research teams.
- People frustrated at IoT devices to the point they want to break them!

Student Requirements

- Proper understanding of ARM Architecture, ARM Assembly language and ARM Shellcode
- If not, then please also consider taking the ARM IoT Exploit Lab: INTRO class
- A conceptual understanding of how functions work in C programming
- Knowledge of how a stack works, basic stack operations
- Familiarity with debuggers (gdb, WinDBG, OllyDBG or equivalent)
- Not be allergic to command line tools.
- Have a working knowledge of shell scripts, cmd scripts or Perl.
- SKILL LEVEL: INTERMEDIATE/ADVANCED

PRE-CLASS TUTORIALS:
--------------------
The following tutorials have been specially prepared to get students up to speed on essential concepts before coming to class.

a) Operating Systems - A Primer
http://www.slideshare.net/saumilshah/operating-systems-a-primer

b) How Functions Work
http://www.slideshare.net/saumilshah/how-functions-work-7776073

c) Introduction to Debuggers
http://www.slideshare.net/saumilshah/introduction-to-debuggers

What Students Should Bring

* A working laptop capable of running VMware Player/Workstation/Fusion
* Intel Core i3 (equivalent or superior) required
* 8GB RAM required, at a minimum
* Wireless network card
* 40 GB free Hard disk space
* If you're using a new Macbook or Macbook Pro, please bring your dongle-kit

What Students Will Be Provided With

Students will be provided with all the lab images used in the class. The ARM IoT Exploit Laboratory uses a "Live Notes" system that provides a running transcript of the instructor's system to all the students. Our lab environment, plus about 800MB of curated reading material, will be made available to all attendees to take with them and continue learning after the training ends.

Trainers

Saumil Shah is the founder and CEO of Net-Square, providing cutting edge information security services to clients around the globe. Saumil is an internationally recognised speaker and instructor, having regularly presented at conferences like Blackhat, RSA, CanSecWest, PacSec, EUSecWest, Hack.lu, Hack-in-the-box and others. He has authored two books titled "Web Hacking: Attacks and Defense" and "The Anti-Virus Book". Saumil graduated with an M.S. in Computer Science from Purdue University, USA and a B.E. in Computer Engineering from Gujarat University. He spends his leisure time breaking software, flying kites, traveling around the world and taking pictures.