A new Course: “Software Exploitation via Hardware Exploitation”

Posted on January 31, 2014 by


For the last couple of years we’ve been teaching Practical ARM Exploitation. It has sold out at every public offering (CanSecWest 2012 and BlackHat 2012 & 2013), and we’ve been fortunate enough to give it privately to a number of really amazing organizations. In 2011 we gave a talk entitled “Hardware Hacking For Software People” at ReCon about how we’d begun tinkering in the off hours with hardware devices. Two years later (in early 2013) we spoke at NoSuchCon in Paris, France about how ARM exploitation and “hardware hacking” were beginning to really converge.

For the last few years (while maintaining our full consulting load during work hours) we also started, in the “after hours”, manufacturing fully assembled FaceDancers for the community (at INT3.cc) while developing our own hardware/software product called Tally.

In the latter part of 2013 we were fortunate enough to be asked to speak about all these experiences at the 30th Annual Chaos Communication Congress. During that talk we spoke about some of our experiences and simple techniques for attacking point-of-sale systems, set-top boxes, routers, etc. Also during that talk we tentatively announced that we had a new course planned for release in 2014. Well, this is that announcement. The new course is entitled “Software Exploitation Via Hardware Exploitation”, or as we jokingly refer to it: “SExViaHEx”.

This is the course that we’ve always wanted to take ourselves. It is the course that I, as a reverse engineer and software security/exploitation person, wanted to take before I started tinkering with the stuff that went into our 2011 “Hardware Hacking For Software People” talk. We have always wanted to take a course that would give us a solid enough foundation to begin plying our “software security” skills against embedded systems, a course that would help us clear the “hardware barrier to entry”. This is that course.

We teamed up with Joe Fitzpatrick of SecuringHardware.com to offer what we think will be an awesome course for software reverse engineers, software security specialists, exploit writers, forensics investigators, and developers alike.

In this full four-day course we will teach and do hands-on exercises against real-world Commercial-Off-The-Shelf consumer products like routers, mobile devices, game systems, and other embedded systems. We’ll also target simpler hardware devices that were custom developed for the course. (These “contrived” targets will only be used for a few select units, with most of the exercises being against real targets.) The course consists of roughly 20 units, each designed to teach specific techniques and concepts.

Concepts taught (hands-on) in the course include:

  • Bus spying, tampering, spoofing, injection (UART, SPI, I2C, USB, etc.)
  • All you need to know about simple serial interfaces (UART, SPI, I2C)
  • Finding Pinouts (JTAG, Serial, etc.)
  • All about JTAG: Using JTAG surreptitiously for reverse engineering, attacks, and exploit development, also: “JTAG Fuzzing”
  • Stealing Firmware non-destructively (JTAG, direct interface, serial interfaces, etc.)
  • Stealing Firmware destructively (pulling chips from the board and reading them)
  • Parsing Firmware images and disassembling them
  • Firmware analysis
  • Simple Side Channel Attacks: how they work and how to use them in the real world
  • Power Analysis and Power Side Channel attacks
  • “Glitching Attacks”
  • ARM Exploitation via hardware debuggers
  • Attacking Low-power RF devices (Zigbee, etc.)

Students will get hands-on experience with tools like:

  • JTAG Adapters (JLINK)
  • IDA, OpenOCD, GDB
  • BusPirate, BusBlaster
  • CPLDs (in lieu of FPGAs)
  • Oscilloscopes
  • Multimeter (Ammeter, Voltmeter, etc)
  • Logic Analyzers

Students will also be introduced to a number of broader techniques, tools, and concepts which are too expensive or time consuming to perform in this course, such as differential power analysis, FPGAs, and low-power RF technologies, just to name a few.

In this course we will also send some students home with hardware devices such as our manufactured FaceDancers, BusPirates, copies of the Android Hacker’s Handbook (which discusses many of these topics), and maybe more.

The goal of this course is to get “straight to the point”, skipping EE theory and “how to use a soldering iron” fundamentals and getting straight to the practical hardware knowledge that can help you immediately begin reverse engineering and attacking embedded devices.

Course Prerequisites:

To get the most from this course you simply need to have the basic skills of a good software developer.

  • Working knowledge of C/C++ or how “compiled languages” work
  • Knowledge of a high level scripting language like Python or Ruby
  • Working knowledge of some form of assembly language (x86 or ARM preferred)
  • Some exploitation experience (recommended but not required)
  • Experience with software debuggers (such as GDB or WinDBG) or a strong understanding of what a debugger is
  • Familiarity with disassemblers (such as IDA) or the concepts behind disassemblers

We are really looking forward to sharing this class with the information security community and the broader technology community as a whole. Please let us know what you think. A full syllabus as well as planned venues will be available shortly.

** Simul-posted over at Joe Fitzpatrick’s blog as well.