Advanced ARM exploitation presented at BlackHat USA 2012

by Stephen Ridley, Stephen Lawler,

Tags: Exploitation ARM

Summary : "Hardware Hacking" is all the rage. Early last year (2011) we at DontStuffBeansUpYourNose.com debuted a talk entitled "Hardware Hacking for Software People" (see: http://bit.ly/pGAGlO). The talk was a collection of experiences and simple techniques we as laymen had discovered/used over the years to perform very simple hardware penetration testing. We covered a range of topics from hardware eavesdropping and bus tapping to simple integrated circuit interfacing and debugging. The popularity of the talk, paper/slides, and video was surprising. People were really hungry for this stuff.
Although that talk did conclude with demonstration of a real-world bug in a home cable modem, it did not dive into the gritty details of exploitation on embedded processors. Late last year (2011) we developed and privately delivered 5 day courses that taught Advanced software exploitation on ARM microprocessors (used in iPhones, appliances, iPads, Androids, Blackberries, et al.) We opened that course to the public for CanSecWest 2012 and Blackhat 2012 (see http://bit.ly/wKHKsG) The response to that too has been very surprising.
The purpose of the talk is to reach a broader audience and share the more interesting bits of the research that went into developing the Practical ARM Exploitation course that we are giving at Blackhat 2012. We discuss reliably defeating XN, ASLR, stack cookies, etc. using nuances of the ARM architecture on Linux (in embedded applications and mobile devices). We will also demonstrate these techniques and discuss how we were able to discover them using several ARM hardware development platforms that we custom built (see: http://bit.ly/zaKZYH ). We will also share some anecdotal "hardware hacking" experiences we had exploiting similar bugs on embedded devices running on other platforms (see: http://bit.ly/pGAGlO)