Upgrade to Pro — share decks privately, control downloads, hide ads and more …

ShmooCon 2016 - Exploiting Memory Corruption Vulnerabilities on the FreeRTOS Operating System

jsandin
January 16, 2016

ShmooCon 2016 - Exploiting Memory Corruption Vulnerabilities on the FreeRTOS Operating System

This talk was presented at ShmooCon in 2016.

Abstract:

The platforms powering the growth of the Internet-of-Things include tried-and-true embedded Real-Time Operating Systems (RTOSes). These lean OSes are designed for performance and reliability, but they force application developers to use C and often lack the exploit mitigations implemented in consumer OSes. This unforgiving environment places the burden of security entirely on the programmer and makes the risk of memory corruption vulnerabilities on these increasingly ubiquitous systems very real.

This talk will focus on FreeRTOS as an example of an RTOS that has seen widespread adoption by vendors and developers for the IoT. We will present security-relevant internals of the OS, put common memory corruption vulnerabilities in context, explain the steps an attacker can take to achieve reliable exploitation, and make recommendations that can help developers build more secure systems. This research is based on experience code reviewing, fuzzing, and developing attacks against both vendor SDKs and open-source libraries.

Attendees will understand the risks facing users of this new class of devices. Pentesters will learn how to review applications built for this operating system and determine the impact of bugs they identify. Defensive security practitioners will get an inside look at attacks against software written for this platform.

jsandin

January 16, 2016
Tweet

More Decks by jsandin

Other Decks in Programming

Transcript

  1. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM ▸

    Joel Sandin ([email protected] / @PartyTimeDotEXE) ▸ Do security and write software for fun and professionally ▸ Previously: ▸ Senior Security Consultant at Matasano Security (part of NCC Group) ▸ Helped write and support security and safety monitoring systems for the Akamai Platform as a Senior Systems Software Engineer 2 ABOUT ME
  2. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM RESEARCH

    OBJECTIVES ▸ Learn more about embedded systems internals and vulnerabilities ▸ Embedded systems a new area for me ▸ Interested in things from an OS perspective ▸ What kind of bugs arise in this context? ▸ What does exploitation look like in practice? ▸ Think like an attacker to understand the impact 3
  3. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM WHY

    FREERTOS? ▸ One of many operating systems (Contiki, RIOT, TinyOS, NodeMCU) either purpose-built or seeing new interest in context of IoT ▸ Great OS and representative example: ▸ Flexible licensing, used commercially ▸ Major vendors (Atmel, Texas Instruments, STMicro, Olimex) provide ports to tons of platforms ▸ Big developer community, open source 4
  4. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM WHATS

    THE RISK WITH THESE TYPES OF SYSTEMS? ▸ New generation of developers using C on this platform ▸ Wonderful OS, but (like others) doesn’t protect the developer / lacks mitigation protection: ▸ no W^X*, no ASLR (* only certain parts of lx106 memory map eXecutable) ▸ MPU supported on Cortex-M3, but not commonly used (and doesn’t raise the bar…) ▸ otherwise everything running in supervisor mode 5
  5. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM NOT

    TALKING ABOUT BUGS *IN* FREERTOS! ▸ Message of the talk isn’t that FreeRTOS has bugs ▸ FreeRTOS isn’t designed to make an attackers job hard ▸ Up to developer to make sure applications are secure ▸ What we’ll see is that the consequences of a mistake are catastrophic ▸ Focus was exploitation of applications in the context of FreeRTOS and LwIP 6
  6. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM PREVIOUS

    WORK ▸ Recent VXWorks research by Yannick Formaggio is amazing! ▸ Barnaby Jack's (RIP) vector rewrite attacks and subsequent two talks are a big inspiration ▸ Awesome past Phenoelit talks about embedded exploitation from FX and FtR predate this work by over 10 years ▸ Tactical Network Solutions has some great blog posts about advanced embedded / commercial RTOS exploitation ▸ Work on baseband security has also dealt with memory corruption in that context (commercial RTOSes) 7
  7. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM TALK

    OUTLINE ▸ Bug hunting ▸ Security relevant internals for FreeRTOS and LwIP ▸ Stack smashing in practice (with discussion of other bug classes) ▸ Step through example of end-to- end exploitation 8
  8. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM WHAT

    KIND OF BUGS? ▸ Authn/Authz issues, backdoors are prevalent but not our focus ▸ Interested in memory corruption only: ▸ Everything from the OS, to servers and libraries they rely on, to the applications themselves are in C ▸ Expecting the usual suspects here: buffer overflows, heap corruption 10
  9. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM HOW

    WERE THEY FOUND ▸ Audited whatever I could get my hands on: ▸ FreeRTOS itself, lwIP, Espressif RTOS SDK + apps, contributed servers on github, FatFS, CoAP, mDNS implementations, more ▸ Bugs found via code review and fuzzing ▸ Some of the most serious bugs were easy to spot 11
  10. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM WHERE

    ARE THEY ▸ Lots of places where I *didn’t* find bugs ▸ FreeRTOS itself, lwIP - found no bugs ▸ Found bugs in contributed servers, vendor SDKs, FreeRTOS- based IoT platform from Espressif: ▸ Disclosed and fixed: stack buffer overflows (4), heap overflows (12), static buffer overflows (3) ▸ Problems disclosing some stuff, and more crashes still waiting to be triaged… 12
  11. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM BUFFER

    OVERFLOW EXAMPLE (FIXED) ▸ ESP8266 IOT Platform, processing nonce in server response (from cloud), user_esp_platform.c: ▸ Overflow with an oversized nonce in JSON, trigger with “nonce”: AAAAAAAAAAAAAAAA… 13
  12. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM HEAP

    OVERFLOW EXAMPLE (FIXED) ▸ Heap corruption in user_webserver.c url parsing code, trigger with a POST request to http://system_ip/ config?command=AAAAAAAABBBBBBBB… ▸ purl_frame->pFilename holds 40 bytes 14
  13. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM THE

    90S NEVER ENDED ▸ These aren’t “deep” bugs ▸ Memory corruption easy for developers to introduce: ▸ HTTP request handling, as well as requests for protocols like CoAP, mDNS, that violate standard ▸ Vendors don’t always help: disable “debugging” assertions that actually are security checks, include outdated versions in SDKs 15
  14. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM EXPLOITATION

    ▸ So what is actually happening under the hood when one of these bugs is triggered? ▸ Want to understand the impact - can we exploit these bugs? ▸ To put these bugs in context, lets first lets look at OS internals 16
  15. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM FREERTOS

    AND LWIP OVERVIEW ▸ FreeRTOS: real-time operating system made by Real Time Engineers Ltd. ▸ Provides task creation and management, IPC, synchronization primitives, memory management - that’s about it! ▸ Tiny: ~19k lines, 1k platform specific lines for a port ▸ Can run in under 1k memory ▸ LwIP: popular embedded TCP/IP stack originally written by Adam Dunkels, with support for different protocols (SNMP, DNS) and many contributed servers 18
  16. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM KEY

    DATA STRUCTURES ▸ Tasks: ▸ Fixed stack region allocated on the system heap (combines settings for stack and heap overflow) ▸ Scheduler: ▸ Lists: ready, suspended, terminated etc ▸ Task control blocks (TCBs) for all executing tasks ▸ pxCurrentTCB points to TCB of currently executing task ▸ Multiple heaps: ▸ System heap: all tasks (and kernel) share a single heap ▸ lwIP heap: used for packet data, network connection data structures, etc. ▸ System stack 20
  17. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM CONTEXT

    SWITCHING ▸ Real systems have multiple tasks - at the very least, server / network thread, and an “idle” task ▸ When switching context, the scheduler: 1. Stores task’s register state (including PC) on task stack 2. Updates task’s TCB->pxTopOfStack 3. Picks a task to run and restores state (including PC) using its TCB 21
  18. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM HEAP

    IMPLEMENTATION(S) ▸ Shared by whole system ▸ Singly-linked list of free chunks: chunk header is a size and next-chunk pointer ▸ When memory is requested, uses first-fit allocation, sets the next-chunk to NULL, add unused part to free list ▸ When memory is freed adjacent chunks are coalesced 24
  19. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM LWIP

    STACK ▸ Supports multiple APIs: native, netconn API, bsd sockets ▸ netconn API common and simple: ▸ Client registers handler that is called when events occur ▸ udp_handler(void *arg, struct udp_pcb *pcb, struct pbuf *p, struct ip_addr *addr, u16_t port) ▸ Uses a separate memory manager / memory region for inbound packet data 25
  20. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM STACK

    OVERFLOW DETECTION ▸ Optionally halt on stack overflow detection (inc/ StackMacros.h) ▸ Isn’t meant to detect overflow of stack-allocated buffers 26
  21. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM MEMORY

    PROTECTION UNIT (MPU) SUPPORT ▸ Only on ARM Cortex-M3: ▸ Supports restricted tasks that can only write to own stack and up to 3 configurable memory regions ▸ No controls that prevent restricted tasks from creating regular tasks and thus elevating privileges ▸ Protects peripherals and data, not intended as a security control 27
  22. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM EXPLOITATION

    IN PRACTICE ▸ We’ve seen some bugs, and seen internals ▸ Lots of you probably already connecting the two ▸ Lets think like an attacker and talk about vulnerabilities, with a focus on stack buffer overflows 28
  23. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM TEST

    SETUP AND WORKFLOW ▸ Once you’ve spotted a potential bug in source, need to investigate ▸ Deploy the software on real hardware and develop payloads to trigger vuln ▸ Accumulated a lot of hardware in the process, some pictured 30
  24. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM TEST

    SETUP AND WORKFLOW (2) ▸ Some development boards and JTAG adapters I used: ▸ ATSAM4E-EK with Atmel SAM-ICE (ARM Cortex-M4) ▸ Olimex esp8266-EVB with Segger J-Link (lx106) ▸ Support for JTAG and can use open source tools (gcc, gdb) 31
  25. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM STACK

    OVERFLOWS ▸ We see that when we redirect execution via a stack overflow, happens in the context of a Task ▸ Unlike simpler systems, dedicated stack for task (not used by interrupt handlers) ▸ The scheduler will keep everything running while our payload executes ▸ On ARM, payload can be anywhere - on task stack or elsewhere 32
  26. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM EXPLOITING

    STACK BUFFER OVERFLOWS ‣ Want to execute (small) payload that gives us full RCE ▸ Two questions we need to answer for exploitation: 1. Where to redirect execution? 2. How to clean things up when done: task itself needs to keep functioning ‣ In practice this isn’t hard 33
  27. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM REDIRECTING

    EXECUTION, 90S STYLE ▸ What address do we put on stack? Lots of options: ‣ Address of a payload on task stack (if architecture allows it): ‣ Task stacks allocated at system start, we know the location ‣ Most likely know exactly where data lives on stack ‣ If not, window of addresses where it can be is probably small (task stack size passed on input) 34
  28. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM BETTER

    APPROACH - USING ROP ‣ If we have a register that contains address of our payload, can use ROP to manipulate register and call payload ‣ Not trying to bypass NX - use this because gadget addresses are predictable (even if payload address isn’t) ▸ Trampoline into full payload (on stack, in heap…) ▸ Chain to perform full exploitation 35
  29. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM REDIRECTING

    EXECUTION - “HELP” FROM OS ▸ Also have platform-specific options: ‣ predictable address of static data structure that we populated or even overflowed (36 bytes in this case) 36
  30. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM REDIRECTING

    EXECUTION - “HELP” FROM OS ▸ Also have platform-specific options: ‣ Ring-buffer for inbound network traffic can fall on predictable addresses (will be driver specific) ‣ Send packets to device to fill this buffer and jump to them! ‣ Hail Mary option if nothing else possible 37
  31. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM WHAT

    DO WE DO WHEN DONE ▸ Don’t want to break target task: May be lwIP’s own thread! ▸ In practice we annihilate preserved registers of caller ▸ *Can* piece together a safe place to return, safe values… ▸ Better: return to start of task ▸ For lwIP callback, return to tcpip_thread() ▸ uses static mbox, keeps functioning ▸ May leak memory (allocated by intermediate functions) but works 38
  32. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM OTHER

    BUG CLASSES ▸ Use of static buffers is common, what if they’re overflowed? ▸ Impact depends on placement of the buffer in relation to other static data - yet to find an interesting example ▸ Still a good place to put data for other purposes ▸ Heap corruption complicated in practice and still an open problem (but very interesting) - no time to cover it, talk to me after talk 39
  33. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM EXPLOITATION

    OBJECTIVES ▸ We have stack overflow in a lwIP callback on FreeRTOS (on ARM Cortex-M4) ▸ Go from executing very small (<100 byte) stager in our original request (or “nearby”) to being able to reliably execute arbitrary code on system ▸ Don’t destabilize system: Keep target service running ▸ We’ll use facilities in the OS to make it easy 41
  34. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM ATTACK

    OUTLINE ▸ Rough outline of an approach: 1. Exploit vulnerability to give us code execution of a “staging” payload 2. write a second-stage payload to unused area of memory 3. add network hook to get system to run payload as callback 4. callback listens for inbound packets and executes them 42
  35. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM 1.

    CODE EXECUTION ▸ Briefly illustrate alternative for the bug I’m discussing: ▸ r1 always pointing 4 bytes behind part of request we control, so put stager there and used ROP to branch to r1+4+1 (gdb) x/3x $r1 0x2000a90e: 0xffffff3f 0xf2a7466f 0x4738173f ▸ Why increment r1? Annoying thing about Cortex-M is LSB always needs to be set on branch targets ▸ So we’ll use ROP to do the arithmetic and branch - we don’t have a lot of space to work with (48 bytes or 12 addresses), then restart thread as discussed 43
  36. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM 2.

    PAYLOAD HIDING ▸ Solved the first problem: stager execution ▸ Need to write code for a lwIP callback somewhere safe: ▸ Lots of places to put it (using memcpy): ▸ (my choice) Past end of system stack buffer ▸ System heap (call malloc) ▸ In LwIP’s heap ▸ In stack of exploited task (use currentTCB->pxStack) ▸ On ESP8266, need to place payload in iram 45
  37. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM 3.

    WIRING IN THE PAYLOAD: LWIP CALLBACKS ▸ This is ideal: Doesn’t interfere with task scheduling, no priority considerations, very simple: 1. ptel_pcb = udp_new(); 2. udp_bind(ptel_pcb, IP_ADDR_ANY, 53); 3. udp_recv(ptel_pcb, &payload, NULL); ▸ Now payload runs when we send udp traffic to 53 46
  38. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM 3B.

    ALTERNATIVE APPROACH: TASK INSERTION ▸ If callback not an option, can create a new task ▸ Easiest to just use OS facilities to add our task: xTaskCreate(&payload, “rce service", configMINIMAL_STACK_SIZE, NULL, 0, NULL); ▸ To avoid starving other processes, make task block for “a while” after execution ▸ Task implements our server 47
  39. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM 4.

    PAYLOAD IMPLEMENTATION: RCE SERVICE ▸ What does our callback (or task) do? ▸ Waits for inbound packets, and runs them! ▸ Mark our packet with a magic value to indicate that its safe to run - callback branches to packet (*on lx106, first copy to iram) ▸ Inbound packet can implement more complex logic if needed ▸ Now we can execute larger payloads reliably 48
  40. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM WHAT

    CAN WE DO WITH IT? ▸ This all lives in system memory, gone on reset: ▸ Can write to flash to make it permanent ▸ Can send traffic off a secondary interface ▸ Access peripherals ▸ Ask me for a demo 50
  41. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM RECOMMENDATIONS

    ▸ Tell developers to manage memory safely in C… (welcome to another decade of memory corruption) ▸ Isolate these devices from rest of the network ▸ Security professionals: audit this technology and help fix vulnerabilities ▸ Vendors: opportunity and potential demand for additional protections (canaries, heap pointer integrity, W^X, randomized layout at least as an option) 52
  42. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM FUTURE

    WORK ▸ Easily a dozen platforms out there, more network stacks, plenty more to look at for anyone interested ▸ Only scratched the surface with auditing done so far - keep looking for bugs ▸ Additional challenges with ESP8266/lx106 that were only briefly mentioned in this talk ▸ FreeRTOS heap very interesting - look out for more details ▸ White paper in progress - follow me (@PartyTimeDotEXE) for release. 53
  43. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM THANKS

    AND PLUGS ▸ Siavash from NCC Group for suggesting RTOSes as a research area. ▸ Stephen Ridley and Stephen Lawler for their excellent ARM Exploitation training ▸ Referenced researchers (RIP Barnaby Jack) and anything I forgot ▸ Reviewers and friends who gave me feedback ▸ Shmoocon organizers and volunteers ▸ YOU! 54
  44. Q/A

  45. EXPLOITING MEMORY CORRUPTION VULNERABILITIES ON THE FREERTOS OPERATING SYSTEM ART

    AND IMAGE CREDITS ▸ Shmoo Group - Shmoocon logo ▸ Zhao Yichao & Zhang Mingtang - “Riding up a Mountain Path” ▸ Pieter Bruegel the Elder “The Hunters in the Snow” ▸ Theodor Kittelsen “Pesta i trappen” and “Nøkken” 56