On This Page

Practical ARM Exploitation

Xipiter | August 1-4



Overview

The purpose of the course is to introduce students with prior basic exploitation experience (on other architectures) to "real world" exploitation scenarios on the ARM processor architecture. The reality is that exploitation these days is harder and a bit more nuanced than it was in the past with the advent of protection mechanisms like XN, ASLR, stack cookies, etc. As such, this course is called "practical" because it aims to teach exploitation on ARM under the real-world circumstances in which the exploit developer will encounter (and have to circumvent) these protection mechanisms. The course materials focus on advanced exploitation topics (circumventing protection mechanisms) using Linux as the platform as a basis to learn the ARM architecture but with the obvious applications being platforms running on mobile phones, tablets, embedded devices, etc.

Our hope is that students with some previous exploitation experience go from knowing nothing about ARM on the first day to exploiting custom heap implementation (bypassing ASLR, NX) using their hand-built ROP connect-back-shell payload on the the last day.

Class Syllabus:

Day 1: Laying the Ground Work (with an eye to exploitation)

Slide Deck: "Intro"
Instructor Bios, Course Outline/Schedule, Course Goals

Slide Deck: "Introduction to the ARM Architecture"
Architecture Summary/Layout, Instructions/Registers, Instructions Modes, nuances

Lab: "Basics 1":"GDB"
Use GDB to debug/modify a faulty ARM app, rudimentary code injection.

Lab: "Basics 1B": "IDA"
Use IDA Pro to get familiar with ARM-isms: calling convention, IDA's ARM quirks.

Lab: "Basics 2":"Spotting Vulns in Source"
Students audit some little code snippets. (Student skills baseline/assessment tool).

Slide Deck: "Tools and the Lab Environment"
Intro to the QEMU ARM setup, intro to the exercises, intro to custom tools to assist with labs.)

Lab: "Basics 3": "IDA and GDB tag-team"
Use IDA and GDB in tandem to comprehend application flow subvert the app.

Lab: "Basics 4"
Trace through ARM app (dealing with ARM-isms: calling conventions, parameters) to reverse engineer and subvert a blackbox password app with embedded crypto.

Slide Deck: Shellcoding, ELFs, Dynamic Linking
Review of dynamic linking in ELFs. Intro to authoring ARM shellcode

Lab: "Basics 5": "Shellcoding"
Students modify assembly code stub, assemble it, and extract the shellcode to be loaded into an "loader" app.

Slide Deck: "Stack Overflows"
Basics of Stack Overflows (NOP sleds, bouncepoints, etc). Intro to defensive countermeasures: stack cookies, and subverting with "ROP-lite" return-to-libc. Finding bouncepoints on ARM. Nuances of stack overflows on ARM. The rediculousness of NOP sleds...

Lab: "Simple Stack Overflow"
Find and exploit a stack overflow bug in a vulnerable app. Students modify a "test harness" that both triggers the vulnerabilty and injects the payload. Modification of the harness with apppropriate addresses demonstrates comprehension.

Day 2: Basic to Intermediate Techniques

Review yesterday afternoon: Simple Stack Overflow walkthrough again.

Slide Deck: "Stack Overflows and Ret2Libc"
Introduce Non executable stack (XN)" and how to subvert it with Return-to-Text or commonly inaccurately referred to as (Return-to-LibC" or as we call it: "ROP Lite". Students get stepped through a vulnerability to see how this works step-by-step. (We come back to the nuances of ROP gadget finding later in the course)

Lab: "Simple Stack Overflow: XN Stack"
Using a "test harness" containing gadgets we give to the student (expecting them to just accept them for now until we come back to go into ROP-gadget finding in more detail later) to find and exploit a XN stack app by returning to mprotect()

Slide Deck: "Advanced Stack Overflows"
Introduction to XN, ASLR, and Stack cookies on on ARM. Discuss and see examples of ways to subvert stack cookies. (overwriting __stack_chk_guard, info disclosure bug, partial/full pointer overwrites, exception-handler overwrites)

Lab: "Advanced Stack XN"
Students exploit network based service that uses XN and Stack Cookies using partial pointer overwrites and ROP-Lite techniques

Slide Deck: "ROP"
Discuss reason for ROP (Code signing, ASLR, cookies). techniques/tools for manually finding gadgets manually on ARM. A walkthrough of useful gadgets found on our target. Structure of Gadgets"Chaining versus non-Chaining gadgets". Some ROP tricks/nuances on ARM.

Lab: "Custom ROP simplified"
Students find and exploit a vulnerable application by building a custom payload by stringing together a bunch of ROP gadgets (found for them by the instructors on the target).

Slide Deck: "ROP" (go through this as refresher same as above)

Lab: "Custom ROP with full root shell"
Students exploit a vulnerable application by handcrafting a ROP payload (with given gadgets) to obtain a full rootshell on the host.

Day 3 & 4: Intermediate to Advanced Techniques

Slide Deck: "Basic Heaps"
Intro to Heap Overflows on ARM: How stuff goes wrong, grooming/feng-shui-ing, etc. examining a toy heap implementation, TCMalloc's thread-cache freelist, and ways we can exploit all of these.

Lab: "Simple Heap Unlink"
Student will exploit a contrived network server, associating "protocol" events with heap events. Students will groom the target and exploit it with provided payload.

Slide Deck: "More Heaps"
More on heap exploitation. Singly Linked List (LIFO) exploitation. Review of Heap Overflow mitigations, taking a closer look at TCMalloc.

Lab: "Simple Heap (WMW) Write Me Where"
Student will exploit a contrived network server (this time that uses TCMalloc), associating "protocol" events with heap events. Students will groom the target and exploit it with a payload they must modify.

Slide Deck: "Application Level Heap Attacks"
Introduce application level exploitation: Techniques for investigating these kinds of vulnerabilities. Exploiting VTable overwrites, partial/full pointer overwrites.

Lab: "MultiHeap"
Student will locate and trigger a heap overflow in a custom heap implementation. Student will use heapspray and VTable overwrites to successfully exploit the application.

Slide Deck: "Stack Flipping"
Combining concepts introduced earlier (XN, ROP, and heap overflows) students will be introduced and shown how to evade XN by "flipping" the call stack into forged stack frames on the heap. Students will also be introduced to techniques and "gotchas" around finding "pivots" and nuances about ARM that make this more interesting.

Lab: "MultiHeap XN"
Students will use a heapspray or similar technique to overwrite a C++ object to create a fake vtable entry that redirects the stack pointer into the heap...executing their ROP payload to get a shell.

Slide Deck: "Defeating ASLR"
Students will be introduced to ASLR and how it is implemented as well as many of the nuances of how to defeat ASLR (infoleaks, developer debug code, RPC/RMI leaks, predictable ASLR PRNG, uninitialized mem, JIT, etc).

Lab: "MultiHeap XN ASLR"
Students will find and exploit an information disclosure vulnerability to remotely determine the location of libc and successfully craft (modify a given) payload to successfully evade XN, ASLR, and obtain a connectback shell into the owned application.

Slide Deck: "Conclusions - Closing"

http://www.armexploitation.com/

Who Should Take this Course

"Makers," Tinkerers, Developers, IT Professionals, Mobile Developers, Hackers, Penetration Testers, Forensic Investigators, reverse engineers, software security auditors/analysts, software exploitation engineers, jail breakers, and anyone interested.

Student Requirements

Students taking the "Practical ARM Exploitation" course should have a intermediate understanding of software security concepts on another architecture (such as x86). They should have hands-on familiarity with the following concepts:
  • Basic experience with IDA or a disassembler
  • Basic experience with a debugger
  • Cursory knowledge of Python or some equivalent high-level scripting language (Java, Ruby, etc)
  • C++ and C coding experience

What Students Should Bring

  • A laptop (running their favorite OS) capable of connecting to wired and wireless networks.
  • An installed valid VMWare
  • An installed copy of at least IDA Standard.
  • An SSH/Telnet client to access the hosted QEMU images and class hardware devices.

What Students Will Be Provided With

  • 100+ page coil bound lab manual
  • Access to the embedded systems that comprise the class environment
  • Undoubtedly some Xipiter swag of some kind ;-)

Trainers

Stephen A. Ridley is a security researcher at Xipiter. He has more than 10 years of experience in software development, software security, and reverse engineering. Prior to Xipiter, Mr. Ridley served as the Chief Information Security Officer of a financial services firm and prior to that was a Senior Researcher at Matasano. He also was Senior Security Architect at McAfee, and a founding member of the Security and Mission Assurance (SMA) group at a major U.S defense contractor where he did vulnerability research and reverse engineering in support of the U.S. intelligence community. He has spoken about reverse engineering and software security at Black Hat, ReCon, CanSecWest, EuSecWest, Syscan and other prominent information security conferences. Stephen is a co-author of "The Android Hacker's Handbook" published by Wiley & Sons.

Stephen Lawler is the Founder and President of a small computer software and security consulting firm. Mr. Lawler has been actively working in information security for over seven years, primarily in reverse engineering, malware analysis, and exploit development. While working at Mandiant, he was a principal malware analyst for high-profile computer intrusions affecting several Fortune 100 companies. Prior to this, as a founding member of the Security and Mission Assurance (SMA) division of a major U.S. Defense contractor where he discovered numerous 0-day vulnerabilities in "Commercial-Off-The-Shelf" (or COTS) software and pioneered several exploitation techniques that have only been recently discovered and published publicly. Prior to his work at a the major defense contractor, Stephen was the lead developer for the AWESIM sonar simulator as part of the US Navy SMMTT program. Stephen was also the technical editor for "Practical Malware Analysis" published by No Starch Press.