Practical exploit development for AVR-based devices. Presented at t2 2015

by Alexander Bolshev, Boris Ryutin

Summary: Today, one can find many devices based on AVR microcontrollers. The range of such devices spans from Arduino-based amateur projects to serious automotive, home automation or industrial control system controllers and gateways. Many talks have been given on reversing and exploit development for AVR-based devices, yet there is still no full-scale guide that answers the question: "I have an AVR device. I (possibly) have the firmware. I found a potential flaw that looks like an exploitable vulnerability. What should I do now?" The goal of this workshop is to answer such questions.
During the workshop, the audience will learn how to reverse engineer AVR firmware and the specifics of exploiting it. We will review the AVR architecture, detail tools and techniques, teach how to write ROP chains for AVR and demonstrate other approaches to making the MCU do what the firmware developer did not expect. We will also cover post-exploitation topics such as reflashing and altering the bootloader. The journey into the secrets of AVR microcontrollers will start from simple programs, quickly move on to popular Arduino libraries and finish with a case of real exploitation of an industrial gateway. We will talk about how to use Radare2 and IDA for reversing and exploiting AVR firmware. We will also release additional tools that make the outlined tasks easier.
If you have an Arduino or other AVR development board, please bring it to the workshop: you will be able to work through all examples alongside us, and we will also give you more firmware samples to practise the acquired skills.
Alexander Bolshev is an information security researcher at Digital Security. He holds a Ph.D. in computer security and also works as an assistant professor at Saint-Petersburg State Electrotechnical University. He works on the security of distributed systems, hardware and industrial protocols. He is the author of several whitepapers on heuristic intrusion detection methods, SSRF attacks, OLAP systems and ICS security. He has spoken at the following conferences: Black Hat USA/EU/UK, ZeroNights, Confidence, S4.
Boris (@dukebarman) graduated from the Baltic State Technical University "Voenmeh", faculty of rocket and space technology, and is currently a postgraduate student there. He is a security engineer at ZORSecurity, a recurring writer for the ][akep (Hacker) magazine, a contributor and developer in several open-source information security projects, and a Radare2 evangelist. Boris has been awarded some bug bounties.