ECE-531 Introduction to IoT

Course Info

Syllabus

Course Map

Schedule

Module 1

N/A

Module 2 Software Analysis and Tools

GOALS: install all necessary dev, deploy, & analysis tool

TODO Install Ubuntu 20.04 as VM in VMWare Workstation Pro 17 `[4/4]`

Get ISO
Provision hd with 50-100 gb
Install as new VM
Install VMWware Tools for file transfer

TODO Configure devbox with following tools. `[1/1]`

BASIC TOOLS: [3/3]
- ssh
- net-tools
- vim

TODO Configure devbox with following tools. `[2/2]`

BASIC TOOLS: [5/5]
- ssh
- tmux
- powerline
- chrome
- git tools
ADVANCED TOOLS: [1/1]
- VMware Workstation (inside ubuntu)

TODO Configure deployment box (vm inside vm) `[3/3]`

Dolwnload QEMU
Download buildroot
select vagrant or direct install method

TODO Download & Analyze HS110 `[4/4]`

Download firmware
Run binwalk on binary
Review output of binwalk [5/5]
- run and save entropy graph
- run '$ strings -n 10 10300 > strings.out'
- run '$ strings -n 10 439C > 439C-strings.out'
- explore f/s i.e. 'squashfs-root:$ tree bin' & 'etc:$ tree .'
- hone in on start up ps's i.e. shd 'usr/bin:$ tree .'
Analyze applications found in the firmware
- Quick Inventory
- Static Analysis
- Dynamic Analysis (chroot req'd when dyn libraries called by applications, see below)
  - run in emulator, QEMU. copy qemu-*-static into the binwalk output directory you're working in. Add ' -h' flag…
  - list libraries called by application (i.e. SHD) '$ mips-linux-gnu-readelf -d user/bin/shd', '-d'= dump dyn dependencies
  - list location of libraries above.. i.e. '$ ls -al lib' (shows preloaded libraries, assume will be called by app's)
- Tools: GDB, LLDB, binutils, DTrace, Strace,

CODE BLOCKS:

strings -n 10 10300 > strings.out 
strings -n 10 439C > 439C-strings.out

OWASP Model Template

1. Information Gathering / Recon
2. Obtain Firmware
3. Anayzing Firmware
4. Extract Filesystem
5. Analyze F/S contents
6. Emulating firmware
7. Dynamic Analysis
8. Runtime Analysis
9. Binary Exploitation

TODO Assignment: NC220 Firmware Analysis (use OWASP model) `[0/0]`

Information Gathering / Recon
1. Source: Provided via course material
2. Files:
  1. NC220_v1.1.12₁₆₀₃₂₁_a
  2. NC220_v1.1.12₁₆₀₃₂₁_b
  3. NC220_v1.2.0₁₇₀₅₁₆
3. Structure / single binary file + pdf of license
4. Misc:
  1. NVD NIST: https://nvd.nist.gov/products/cpe/search/results?namingFormat=2.3&keyword=NC220
    1. 160321_a CVE's (same for 160321_b)
      1. CVE-2020-13224
      2. CVE-2020-10231
      3. CVE-2020-11445
    2. 170516 CVE's
      1. CVE-2020-13224
      2. CVE-2020-12109
      3. CVE-2020-12110
      4. CVE-2020-10231
      5. CVE-2020-11445
Obtain / Extract Firmware
- Run binwalk on each binary, output to separate 'binout' folders
- Inventory:
  - binout₁₆_a
    - cpu=mips, uboot=1.1.3, OS=linux,
    - 0x19E70 / 'xz' compressed data
    - 0x1E6F85 / 'JFFS2' file system, little endian
    - 0x1F160 / 'LZMA' compressed data (extracted)
  - binout₁₆_b
    - 0x1C7F61 / 'JFFS2' file system, little endian
    - 0x13C / 'LZMA' compressed data (extracted)
  - binout₁₇
    - 0x1C7B7A / 'JFFS2' file system, little endian
    - 0x170 / 'LZMA' compressed data (extracted)
Analyze Extracted Firmware
- v. 16_a
  - strings.out results:
    - root:$1$gt7/dy0B$6hipR95uckYG1cQPXJB.H.:0:0:Linux User,,,:/home/root:/bin/sh
    - grep 'lib' strings_1E.out => (see attached, 14 lib files)
  - tree / file struct results / see output file 'tree.out'
    - note /wlan/MT7620_AP_2T2R-4L_V15.BIN
      - MediaTek MT7620: wifi radio, 580MHz MIPS CPU, 2 UART's, yes GPIO
    - telnetd directory present
    - libc present
- v. 16_b
  - strings results:
    - Linux version 2.6.36+ (root@CentOS.libin) (gcc version 3.4.2) #291 Fri Mar 18 10:50:56 CST 2016
    - root:$1$gt7/dy0B$6hipR95uckYG1cQPXJB.H.:0:0:Linux User,,,:/home/root:/bin/sh
    - RaLink RT2860 NIC
- v. 17
  - strings resutls:
  - Linux version 2.6.36 (falcon@FalconsUbuntu) (gcc version 3.4.2) #167 Tue May 16 15:53:16 CST 2017
  - 2.6.36 mod_unload MIPS32_R2 32BIT
  - \hroot:$1$gt7/dy0B$6hipR95uckYG1cQPXJB.H.:0:0:Linux User,,,:/home/root:/bin/sh
Extract File System
- COMPLETED IN SECTION 3
Analyze F/S contents
1. static run / busybox
inside cpio-root...

file bin/busybox

showed lsb (least sig bit) = little endian, use -mipsel-, need to copy into firmwwar dir

which qemu-mipsel-static cp /usr/bin/qemu-mipsel-static . sudo chroot . ./qemu-mipsel-static bin/busybox

capture output...

Sample Output…

Dynamic section at offset 0xe8 contains 24 entries:
Tag Type Name/Value
0x00000001 (NEEDED) Shared library: [libcrypt.so.0]
0x00000001 (NEEDED) Shared library: [libm.so.0]
0x00000001 (NEEDED) Shared library: [libc.so.0]
0x0000000c (INIT) 0x4057a4
0x0000000d (FINI) 0x44fce8
0x00000004 (HASH) 0x4001d0
0x00000005 (STRTAB) 0x403c24
0x00000006 (SYMTAB) 0x401404
0x0000000a (STRSZ) 7038 (bytes)
0x0000000b (SYMENT) 16 (bytes)
0x70000016 (MIPS_RLD_MAP) 0x49b5b4
0x00000015 (DEBUG) 0x0
0x00000003 (PLTGOT) 0x49b5c0
0x00000011 (REL) 0x0
0x00000012 (RELSZ) 0 (bytes)
0x00000013 (RELENT) 8 (bytes)
0x70000001 (MIPS_RLD_VERSION) 1
0x70000005 (MIPS_FLAGS) NOTPOT
0x70000006 (MIPS_BASE_ADDRESS) 0x400000
0x7000000a (MIPS_LOCAL_GOTNO) 91
0x70000011 (MIPS_SYMTABNO) 642
0x70000012 (MIPS_UNREFEXTNO) 29
0x70000013 (MIPS_GOTSYM) 0xc
0x00000000 (NULL) 0x0

Emulating Firmware
- run tool qemu-user-static / user mode emulation / good for single binaries, etc
Dynamic Analysis
Runtime Analysis
Binary Exploitation

Module 3

GOALS:

A
- Devolop and analyze an attack surface of an IoT System
- Implement client comms via networking
- Use ELF on binaries
- Review linking and loading
B
- Implement Networking Communication
- Recognize essential properties of ARM Chipsets

Videos / Slides

Project, Development, and Attack Surfaces
1. Project (I) / IoT₃₁_1.mp4
  - Large project, full system, lots of programming, best practices, well documented, secure, fully functional…
  - Keywords: best practices, modular c, attack surface,
2. Project (II) / IoT₃₁_2.mp4
  - Emulate a Thermostat
    - Minimum 3 set points over a day
      - Extra credit for more set points: Weekends, calendars, weekly programs, etc
    - works in degrees C
    - assumes thermocouple
    - program remotely via HTTP
    - report remotely via HTTP (dashboard?)
    - split programming into application (user) and interface (software / hardware)
    - will pe programmed via a known file with a time stamp and instructions for heat on/off
3. Personal Development Process / IoT₃₁_3.mp4
  - Repeatable workflow: first steps, makefile design, general structure, testing?, delivery of production?
  - Speed
  - Quality
  - Workflow Model, i.e.
    1. Template / Skeleton / necessary basic files?
    2. Functions defined in single file? or Each module in single file?
    3. Ea file has associated test?
    4. Application have discrete libraries, 'main' use minimized?
    5. Automated tests, ni ghtly, against repository?
    6. Automated nightly builds?
    7. etc.
4. Attack Surfaces / IoT₃₁_4.mp4
  - What it is
    - Anything a system touches or reads is potential attack.
    - IoT devices especially have very large attack surfaces; bluetooth, wifi, http, 5g, etc.
  - Importance
    - describes Ingress & Egress pathways
    - how sys can be improved / hardened
    - what is safe to neglect / ignore
  - How & Where to document it (not inside the source code!)
    - Create a discrete document / outline for internal use
  - Example ('ls')
  - Hardening
  - Keywords: well-formed environment variables, buffer lengths, well-formatted submitted data, malformed argument attack
5. Networking Support and Buildroot / IoT₃₂_1.mp4
  1. Making modifications to buildroot image:
```
#By default buildroot tracks one build, if want a separate, save 'out of tree'
1. $> make nconfig #Make edits / changes / save
2. $> make
3. run the start script (MAKE SURE TO USE MODIFIED SCRIPT FOR SSH, I.E. TEST-QEMU)
4. log in as root
5. $> adduser -h /<home_dir> -s /bin/sh <username>
6. modify /etc/shadow for new account, make :10933: change
7. test login with user
8. log out & test SSH connection ( ssh -p 222 sgc@localhost )
9. log out & test SCP from host to virt ( scp -P 2222 ./test sgc@localhost:~/ )
10. test execution ./test (may have to run chmod +x on file)
11. Complete, modfied Buildroot image ready to use.
```
  2. Modify buildroot image to include libraries-networking-libcur, curl
  3. Rebuild image and test (see above)
6. Networking Configurations / IoT₃₂_2.mp4
  1. Protocols, SLIRP vs TAP
    - SLIRP like serial, slow but low overhead, will stay connected
    - TAP uses virtual networking, will require PHY NIC, which would cause us CNX problems with Virt - Host, stick w/ SLIRP
  2. Run SimpleHTTPServer on HOST [2/2]
    - (from host) $ sudo python2 -m SimpleHTTPServer 80 (using python2 since host has both 2/3)
    - (from qemu) $ curl -v 192.168.45.128 (confirmed IP of host first)
7. Looking Over Libcurl.so / IoT₃₂_3.mp4
  
  #+BEGIN_EXAMPLE
  1. WORKFLOW - SCAN
    - Need to 'capture' libcurl.so from running system
    - Copy it / host$ scp -P 2222 localhost:/usr/lib/libcurl.so
    - Read it / host$ arm-linux-gnueabi-readelf -a libcurl.so
    - Dump it / host$ arm-linux-gnueabi-objdump -d libcurl.so > libcurl.dump
    - String it / host$ arm-linux-gnueabi-strings -n 5 libcurl.so > strings.out
    - Search it / host$ cat strings.out | grep curl > curl-strings.out
    #+END_EXAMPLE
    
    #+BEGIN_EXAMPLE
  2. WORKFLOW - RECORD
    - CPU type: ARM?, MIPS?, etc
    - Endian-ness: litte ?, big ?
    - Notable Libraries?
    - Notable functions (imported and exported)
    - Other Metadata…
  3. SSL Versions
  4. encrypted algorithms
  5. url's / websites
    
    #+END_EXAMPLE
8. A Libcurl Example - Setting Up / Iot₃₂_4.mp4
  - Set up empty git repo
  - make empty files; .gitignore, makefile, requestor.c
  - push inital commits to remote
  - edit makefile to match from slides (remember TABS != SPACES in makefile)
  - save and commit first edits
9. A Libcur Example - Code / IoT₃₂_5.mp4
  - NOTE: DON'T BE FOOLED BY VIM / MAKEFILE, ERASE FALSE 'TABS' AND CONFIRM KBD 'TABS'!!!
Networking
Linking & Loading
MISC / REFs / URLs
1. Sample Projects:

Homework

cURL client [4/4]
- Component Tests [2/2]
  - Test getopt.h
  - Test curl/curl.h
- Framework [8/8]
  - INCLUDES / LIBRARIES
    - unistd.h
    - stdio.h
    - stdlib.h
    - getopt.h
    - string.h
    - errno.h
  - GLOBAL CONSTANTS
    - OK 0
    - INIT_ERR 1
    - REQ_ERR 2
  - GLOBAL VARIABLES
    - modes / use for mutually exclusive option filter
  - GLOBAL FUNCTIONS
    - void curl_get
    - void curl_post
    - void curl_put
    - void curl_delete
    - void hw_help
    - void hw_usage
    - void hw_version
  - MAIN // ARGUMENTS
    - arguments.get
    - arguments.post
    - arguments.put
    - arguments.delete
    - arguments.help
    - arguments.version
    - arguments.url
    - arguments.data
  - MAIN // VARIABLES [5/5]
    - State Flags: INT gflag, oflag, pflag, dflag
    - Curl args: int c, char *message, char *url, CURL *curl, CURLCode res
    - getopt struct: -g –get, -o –post, -p –put, -d –delete,
    - make mutually exclusive, can only choose one of -g || -o || -p || -d
    - capture 'non-argument' options for *message
  - CASES - EDGE / FAIL [4/4]
    - error, too few args
    - error, too many args
    - error, no url
    - error, malformed url
  - RESPONSES [5/5]
    - capture curl codes
    - print strerror / errno.h messages
    - USAGE message
    - VERSION message
    - HELP message
- TESTING [2/2]
  - x86 TEST [3/3]
    - COMPILE
    - TEST PROPER USE
    - TEST IMPROPER USE
  - ARM/MIPS TEST [3/3]
    - COMPILE
    - TEST PROPER USE
    - TEST IMPROPER USE
- DEPLOY [3/3]
  - FINALIZE COMMENTS / EDITS
  - SANITIZE, REMOVE ANY DEBUG DATA
  - FINAL COMMITS / VERSIONING / VCS

FOOTNOTES:

Testing Code Changes:

#+BEGIN_EXAMPLE
1. WORKFLOW
  1. Make code edits, x86
  2. re run Make, x86
  3. test changes in x86
  4. run the 'amake' alias or 'make -f makefile-arm' for ARM build
  5. start qemu guest ([user@host ~]$ ./test-qemu.sh)
  6. confirm network connection between host and guest
  7. start python http server on host ([user@host ~]$ python2 -m SimpleHTTPServer
  8. copy arm compiled binary to guest ([user@host ~~]$ scp -P 2222 my-file sgc@localhost:~~/)
  9. run from guest, pointed to host, test use cases. DONE
  #+END_EXAMPLE
DEBUGGING: QEMU seg fault on POST, PUT, DELET (GET == OK)
```
Add code at bottom of hw.c to capture _*NON-OPTION ARGUMENTS*_ and
pass them to _*message pointer*_ !!!!
Only after adding and testing _message pointer_ , attempt the debugging below!!
```
1. TODO Trace Seg Fault Error [0/4]
  - Capture response
  - Add line number exit(1) in code, Rerun, work backwards up the code
  - Compile and test classmates code, test in QEMU environment, look for seg faults
  - Document fix once found.
2. TODO Watch remaining lectures for MOD 3
3. TODO Submit Assignment / Code [0/2]
  - ?? Need a oneliner for make file?
  - submit through canvas.

Module 4

Daemon Processes / video IoT₄₁₁

Notes:
- Forking processes
- default file permissions, groups, acl's, etc
- Linux must know to start up your daemon
- Languages: Python, Ruby, Perl, Bash, we will use C
- Bash
  - Better suppor than c
  - really the only supported way to config linux startup
- C
  - Native linux unix support
  - Powerful

Filesystems / video Iot₄₁₂

YES: kernel access, OS versions, networking, sys logging, filesystems
NO: console, users, home directories, user interactivity
without a console, STDIN.. STDOUT… STDERRR don't really mean anything Have to make use of 'close(STDIN_FILENO);' etc, 'close..' part of C api.
SIGNAL MANAGEMENT:
- users send C-c, C-z, etc, Daemons do not, but we still need to send the under lying 'signals'
- signal(SIGKILL, _signal_handler);
- signal(SIGTERM, _signal_handler);
- signal(SIGHUP, _signal_handler);
SYSLOG:
- alternative to console stderr, stdout. system wide logger, can use with daemons.
CHDIR:
- since no home or working directory, will be using chdir to set directories
PERMISSIONS:
- Everything manual, nothing automated, will have to set everyting.
SESSIONS:
- sessions have process groups, process groups have processes…
FORKING:
- avoiding locking up 'spawning process' forking creates copy of process in another process.
- parent process gets PID, child gets 0; err is negative
PID_T PIT = FORK(); IF (PID > 0 ) EXIT(0); IF (PID < 0) EXIT(1);
WORKFLOW: (always end process name with a 'd')
1. Set up main
2. Setup log, syslog
3. 'Fork' a process…
4. Error check, if failed, will have returned '0', use IF (PID > 0)…
5. If greater than zero, we are in the parent process of a child process , what we want is to exit the parent process and get down into the child process… once in the child process we can continue on and do whatever we'd like
6. Session ID check, if it's not what we want (is less than 0) exit w / error.
if(setsid() < -1){ syslog(LOG_ERR, ERROR_FORMAT, strerror(errno)); return ERR_SETSID; }

Close file descriptors manually (since no console)

close(STDIN_FILENO);
close(STDOUT_FILENO);
close(STDEER_FILENO);

UMASK
1. umask(S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
SIGNAL HANDLER
1. signal(SIGTERM, _signal_handler); //underscore prefix denotes static method defined at compile time signal(SIGHUP, _signal_handler);
can now call DO_WORK…
1. _do_work();

Kernels & Booting / video IoT₄₁₃

Configuring OS for Daemons

Starting up Daemons…
1. INIT: oldest, initially unix system v
2. UPSTART: usedin Debian and Red Had distros
3. SYSTEMD: used in most current service manager
  1. problem w/ systemd; complex, violates unix design philosophy, but widely used.

Securing Application

keywords: init, inittab, rcS, rcK, 'S'+'NN' prefix indicates start order i.e. S01, S50, S40

Example Startup Script / video IoT₄₁₅

Script format…

#!/bin/sh
<stuff that always happens>
<start function>
<case handling args>
<stop function>
exit $?

Test empty script (i.e. sample_framed)

i.e. ./sample_framed {start | stop | restart}

FIll out after having tested…

using sample daemon

terminal commands to move to qemu

@host> scp -P 2222 sampled sgc@localhost:~/
@qemu> mv sampled /usr/sbin
## move a start script into the qemu guest
mv <myscript> /etc/init.d
## call S80sampled (want all other services to start first... i.e. S80...)
## reboot, login, check out /var/log/messages

Files

ece531.md

Latest commit

History

ece531.md

File metadata and controls

Table of Contents

ECE-531 Introduction to IoT

Course Info

Syllabus

Course Map

Schedule

Module 1

Module 2 Software Analysis and Tools

GOALS: install all necessary dev, deploy, & analysis tool

TODO Install Ubuntu 20.04 as VM in VMWare Workstation Pro 17 [4/4]

TODO Configure devbox with following tools. [1/1]

TODO Configure devbox with following tools. [2/2]

TODO Configure deployment box (vm inside vm) [3/3]

TODO Download & Analyze HS110 [4/4]

CODE BLOCKS:

OWASP Model Template

TODO Assignment: NC220 Firmware Analysis (use OWASP model) [0/0]

inside cpio-root...

showed lsb (least sig bit) = little endian, use -mipsel-, need to copy into firmwwar dir

capture output...

Module 3

GOALS:

Videos / Slides

Homework

FOOTNOTES:

Module 4

Daemon Processes / video IoT411

Filesystems / video Iot412

Kernels & Booting / video IoT413

Securing Application

Example Startup Script / video IoT415

Module 5

Module 6

Module 7

Module 8

Misc Info / Notes