
Wednesday, 08 July 2009

GoodFET HHV, Neighborcon Vegas, Taipei

Howdy neighbors,

I'll be bringing plenty of spare GoodFET boards to Vegas, perhaps something new as well. If you'd like to build one in the Hardware Hacking Village, please bring the parts from the GoodFET11 BOM, with perhaps some extras to share. I've given away all of my assembled GoodFET boards, save the one I use for development, so don't expect to have any fun without soldering.

The Neighborcon Vegas CFP will come out soon. Neighborliness will be abounding during Black Hat Briefings for all those that need a break from the crowd or cannot afford the ticket. A shuttle should run regularly from Caesar's, and we'll have all sorts of neighborly workshops and competitions. The official announcement is being delayed to keep the crowd manageable, but it will definitely be happening.

I am in Taipei, R.O.C. for the next two weeks. Email me if you'd like to meet up for drinks, especially if you speak Chinese and can help me navigate the local electronics market.

New technical articles are coming soon, covering the debugging protocols of the MSP430 and Chipcon 8051 chips. MSP430X, MSP430X2, and others will follow as GoodFET support solidifies. Also some fixes for security vulnerabilities that I will be announcing at my Black Hat talk.

Cheers,
Travis Goodspeed
<travis at radiantmachines.com>

Friday, 29 May 2009

GoodFET11 Released

GoodFET12

The GoodFET11 boards have arrived for HardHack in Berlin, where they were assembled earlier today. It was quite neighborly to see that intelligent people with steady hands, but no prior practice, had little trouble assembling the GoodFET's surface mount components.

GoodFET firmware ought to be functional in the next week or two, with I2C and the Chipcon debugging protocol as the first targets. Please contact me if you are interested in writing a client application in Python or another unix scripting language.

--Travis Goodspeed
<travis at radiantmachines.com>

Friday, 22 May 2009

Black Hat '09, Defcon 17

Howdy y'all,

I'll be taking a trip to Vegas this summer for Black Hat and Defcon. Abstracts below are as submitted to the conferences, and there will be a tool released, of the extra-neighborly sort, at Black Hat. I also expect to do some hands-on stuff at Defcon's hardware hacking village.

For Defcon,
Locally Exploiting Wireless Sensors
Wireless sensors are often built with a microcontroller and a radio chip, connected only by a SPI bus. The radio, not the MCU, is responsible for symmetrical cryptography of each packet. When the key is loaded, it is sent as cleartext over the SPI bus, and an attacker with local access can steal the key using a few syringe probes and readily available hardware. This attack and other local attacks against wireless sensor networks will be presented in detail, including a live demo of an AES128 key being extracted from an operational network. Following the conclusion of the lecture, audience members will be brought onstage to perform the attack themselves on various pieces of example hardware.

For Black Hat,
A 16 bit Rootkit and Second Generation Zigbee Chips
This lecture in two parts presents first a self-replicating rootkit for wireless sensors, then continues with recent research into the security of second generation Zigbee radio chips such as the CC2430/2431 and the EM250.

--Travis Goodspeed
<travis at radiantmachines.com>

Monday, 18 May 2009

HardHack and PH Neutral, Berlin

Last Night in Knoxville

On April Fool's day, I jumped into my car and left Knoxville to wander the world in search of neighborliness. Now I find myself in Berlin, finishing up some projects and living on döner.

At the end of this month, I'll be giving a workshop at HardHack on Friday 29 May on the GoodFET project. No slideshow, no projector, just a good old fashioned, informal sermon on the design as we build a few USB JTAG adapters then program them. Sign-ups for the workshop are here.

The GoodFET is self-programmable by USB, so upgrading firmware requires no additional hardware. As this is surface-mount, you'll need to have a steady hand and good eyesight. I've ordered parts and boards for the GoodFET11, with the GoodFET10 as a backup if the boards don't arrive in time.

On Saturday 30 May at 15h00, I'll be presenting at PH Neutral. Everything about the talk is a surprise, except that it involves embedded systems.

--Travis Goodspeed
<travis at radiantmachines.com>

Friday, 17 April 2009

Notacon Masked ROM Challenge

Here at Notacon 6 in Cleveland, I'm having a competition involving the decoding of the MSP430F22x4's masked BSL ROM. The ROM, pictured below, begins with "0c06; 0c1e; 3fff; 40b2; a540; 012c; 90b2; ffde;" and ends with (in reverse order) "62b1; 0401; 0102; 0000; 0000; 0000; 4040; 27f2; ffff; ffff; ffff; ffff;".

MSP430F2274 BSL ROM

Begin by downloading the high resolution version of the image, then marking it like so.
BSL ROM, Marked

The first person to bring me a method for converting addresses to physical locations and back will win a Hack-A-Day Bus Pirate kit. A second kit will be given to the first person to bring me a script for generating correct bits from a binary (or Intel Hex) dump of the ROM.
Bus Pirate

Hints will be given during my lecture, "Fun with the MSP430", Saturday at noon.

--Travis Goodspeed
<travis at radiantmachines.com>

Monday, 23 February 2009

SOURCE Boston and Notacon

Howdy Y'all,

The next stops of my tour will be SOURCE Boston in March and Notacon in April. In between, I might swing by Carolinacon, though I won't be speaking.

My SOURCE Boston lecture, Wireless Sensors as an Asset and a Liability, is my first attempt at a business lecture, albeit one that repeatedly leans on technical depth for credibility. First, I will explain exactly why this technology is too valuable to ignore. Entire industries will be revolutionized by it, and any firm refusing to use the technology will find itself at a significant competitive disadvantage. That being done, I'll continue by demonstrating just how easy it is to subvert this technology, using a few items from my bag of tricks that haven't made it into other conferences.

My Notacon lecture, Building Things with the MSP430, is also a departure from my previous topics, in that I won't mention security. Instead, I'll provide some helpful tips on how to build belt buckles, toys, and other neighborly things. Attend if you're new to electronic design or the MSP430 microcontroller, or if you're sick of security and want to be a belt buckle engineer.

As always, email me if you'd like to meet at either conference.

--Travis Goodspeed
<travis at radiantmachines.com>

Wednesday, 14 January 2009

Shmoocon and Black Hat, DC

Howdy y'all,

I'll be presenting two new lectures in DC next month. The first, at Shmoocon, is on the construction of wireless sensors. Beginning with a product idea, Josh Gourneau and I will step you through the design of a modern sensor node's hardware and software. Then we walk you through the design of a brand new node: hardware design, fabrication, porting an operating system, writing an application, maintaining power efficiency, and proper use of the radio. Who knows, we might even make a radio version of our neighborly Party Mode Belt Buckle?

At Shmoocon, be sure to catch Off the Shelf Security - Meeting Crime with an Open Source Mind, which immediately follows my talk in the same room.

My second lecture, at Black Hat DC, will describe the reverse engineering and exploitation of wireless sensors. You will learn how to take a wireless sensor apart, reverse engineer its firmware, sniff the various buses it contains, craft an embedded stack overflow, and some interesting techniques with radio jamming.

--Travis Goodspeed
<travis at radiantmachines.com>

Friday, 14 November 2008

Speaking at 25C3

BSLCracker 3.0

At the 25th Chaos Communications Congress in Berlin this December, I'll be presenting some new research in the security of the MSP430's serial bootstrap loader (BSL) as well as a nice little lecture/workshop combo on reverse-engineering the TI EZ430 development tool.

I intend to travel through France and England, returning in late January for S4, Miami. Please email me if you'd like to meet.

Cracking the MSP430 BSL
Day 1 (2008-12-27), 20h30 (8:30 pm) in Saal 3.

The Texas Instruments MSP430 low-power microcontroller is used in many medical, industrial, and consumer devices. When its JTAG fuse is blown, the device's firmware is kept private only by a serial bootstrap loader (BSL), certain revisions of which are vulnerable to a side-channel timing analysis attack. This talk continues that from Black Hat USA by describing the speaker's adventures in creating a hardware device for exploiting this vulnerability.

While the previous part focused on the discovery of the timing vulnerability and its origin, this lecture will focus on the exploitation. Topics include a brief review of the vulnerability itself, PCB design and fabrication, the malicious stretching of timing in a bit-banged serial port, observation of timing differences on the order of a microsecond, and the hell of debugging such a device.


Repurposing the TI EZ430U
Lecture: Day 3 (2008-12-29), 12h45 (pm) in Saal 3
Workshop: Not yet scheduled.

USB devices are sometimes composed of little more than a microcontroller and a USB device controller. This lecture describes how to reprogram one such device, greatly expanding its potential.

At only twenty dollars, the Texas Instruments EZ430U is a bargain of an in-circuit debugger for the MSP430 microcontroller. The board itself is composed of little more than an MSP430 and a USB to Serial controller. The board's JTAG fuse is unblown, and full schematics are included in public documentation. This lecture will discuss the use of the EZ430U, not as a debugging tool, but as a development platform in and of itself. Topics will include the writing of replacement firmware, analysis of the default firmware, reprogramming the USB to Serial controller, and potential target applications.


--
Travis Goodspeed
<travis at radiantmachines.com>

Sunday, 02 November 2008

Speaking at S4 in Miami


On Thursday, January 22nd, I'll be presenting at Digital Bond’s SCADA Security Scientific Symposium (S4) a paper authored with Brad Singletary and Darren Highfill of Enernex on the topic of Low-Level Design Vulnerabilities in Wireless Control Systems Hardware. As 802.15.4 sensors and similar hardware are subject to theft by an attacker, we demonstrate several practical attacks that we've been cooking up for the past year. We include plenty of schematic diagrams, logic analyzer recordings, oscilloscope photographs, and code fragments to keep things interesting. Attendance is strictly limited to fifty-five, and registration is expected to sell out this year.

Please email me if you'd like to meet up while I'm in town. As always, I'll bring some of my equipment for a show and tell.

Cheers,
--Travis Goodspeed
<travis at utk.edu>

Monday, 29 September 2008

Speaking at PumpCon 2008 in Philly

Howdy Y'all,

I'll be driving to Philadelphia on Friday, October 24th to speak at this year's PumpCon. This lecture continues that of Black Hat USA, focusing on the exploitation--rather than the origin--of timing vulnerabilities that I've found in certain revisions of the MSP430's serial bootstrap loader.

--Travis Goodspeed
<travis at utk.edu>

Tuesday, 02 September 2008

Speaking at Toorcon 10 in San Diego


I'll be giving a 75-minute Deep Knowledge Seminar at Toorcon X in San Diego on Friday, September 26th regarding my efforts to repurpose the TI EZ430U in-circuit debugger. This seminar will cover both of the presently published articles, as well as details on writing custom replacement firmware that will be published as a third (and perhaps fourth) installment. More generally, it will provide a thorough introduction to the reverse engineering of microcontroller-based USB peripheral boards.

Note that the seminars are not included with general conference admission. Seminar registration is $750 until September 12th, $950 at the door.

Please email me if you'd like to meet up.

--Travis Goodspeed
<travis at utk.edu>

Saturday, 16 August 2008

Post-Vegas



Black Hat and Defcon were both a blast. My Black Hat slides and paper are available. See here for the book of which I spoke at Defcon.

Chris Tarnovsky of Flylogic Engineering let me photograph a run-through of the workshop that he later gave at Defcon. I've been locked out of my Flickr account, but you'll find most of those photos tagged with flylogic. I'll post the others if and when I recall my password.

It'll take me a while to send all the emails that I've promised. Please email me first if you have the time.

Cheers,
--Travis
<travis at utk.edu>

Monday, 04 August 2008

Vegas or Bust! Three talks in three days.

Howdy y'all,

I'm leaving Knoxville for Las Vegas in eight hours. I'll be speaking Thursday, Friday, and Saturday. Three talks, on three different topics.

Thursday/13h30 at Palace 1 in the Hardware track of Black Hat, I'll be speaking at Black Hat USA regarding a timing vulnerability of the MSP430FG4618's serial bootstrap loader. This is just after the lunch break. Come early to get a good seat, then keep it for talks by Karsten Nohl and Chris Tarnovsky.

Friday/16h00, I'll be speaking at Defcon 16 in the Breakout room regarding not my own work, but the historic work of Paul Courbis and Sébastien Lalande. In 1990, they published «Voyage au centre de la HP28C/S» detailing the initial reverse engineering of the Hewlett Packard 28 graphing calculator. For the past year, I've been translating it as a hobby.

Saturday/18h00, I'll be giving a Defcon Skytalk on the topic of reverse-engineering an 802.15.4/Zigbee wireless sensor node using msp430static. This is a revision of my talk from Last Hope, with new content to reflect my Black Hat talk. I was added to the line-up at the last minute, so you won't find this in the conference booklet or the poster.

Please email me at the address below if you'd like to meet up.

Cheers,
--Travis Goodspeed
<travis at utk.edu>

Thursday, 19 June 2008

Speaking at Last Hope

I'll be speaking at Last Hope in Manhattan next month. My abstract follows.

Introduction to MCU Firmware Analysis and Modification with MSP430static
The Texas Instruments MSP430 is a low-power, 16-bit microcontroller which is rapidly gaining in popularity in the embedded world. MSP430static is a tool for reverse engineering the MSP430's firmware. Following a quick tour under the hood of this tool, this lecture will demonstrate how to analyze, modify, and reflash a black-box firmware image.

The Last HOPE

Thursday, 29 May 2008

Speaking at Defcon 16

After Black Hat, I'll be speaking at Defcon 16 regarding an entirely different subject. The abstract follows.

In 1990, a wire-bound book was published in Paris by the title of «Voyage au centre de la HP28 c/s». It presents a very thorough account of the inner workings of the Hewlett Packard 28 series of graphing calculators. Designed before the days of prepackaged microprocessors, the series uses the Saturn architecture, which HP designed in-house. This architecture is very different from today's homogeneous RISC chips, with registers of 1, 4, 12, 16, 20, and 64 bits in width. The fundamental unit of addressing is the nibble, rather than the byte. Floats are represented as binary-coded decimal, and a fundamental object in the operating system is an algebraic expression.

This architecture is still used, albeit in emulation, in the modern HP50g. With this talk, I intend to call attention to a fascinating, professional, and well-documented feat of reverse engineering. Using little more than their ingenuity and an Apple ][e, Paul Courbis and Sebastien Lalande reverse engineered a black box calculator into a real computer, one which became user-programmable in machine language as a result. More than that, they documented the hack in such exquisite detail that their book is not just a fascinating read, but also veritable holy scripture for anyone trying to write custom software for this machine.

Expect a thorough review, in English, of the contents of the book. This is not a sales pitch; electronic copies of both the translation and the original are free to all interested readers. Topics include the datatypes of the computer algebra system, hacking an upgrade into the memory bus, bootstrapping an assembler, writing in machine language by tables, and adding an I/O port for software backups.


If you'd like a copy of the book in advance, grab the original French from the site of Paul Courbis or email me for a rough draft of the English translation.

--Travis Goodspeed
<travis at utk.edu>

Friday, 16 May 2008

Speaking at Black Hat USA 2008

I'll be speaking at BlackHat USA 2008 in Vegas this August. My abstract follows:

The Texas Instruments MSP430 low-power microcontroller is used in many medical, industrial, and consumer devices. It may be programmed by JTAG, Spy-Bi-Wire, or a serial BootStrap Loader (BSL) which resides in masked ROM.

By design, JTAG may be disabled by blowing a fuse. The BSL may be disabled by setting a value in flash memory. When enabled, the BSL is protected by a 32-byte password. If these access controls are circumvented, a device's firmware may be extracted or replaced.

After a thorough introduction, this talk will discuss in excruciating detail the results of an effort to reverse engineer the BSL code. Once the BSL's function has been covered, a timing attack will be discussed which might be used to guess the password without brute force under certain conditions.


Cheers,
Travis Goodspeed
<travis at utk.edu>

Wednesday, 26 March 2008

Speaking at Toorcon Seattle, Twice

On April 18th, I'll be speaking at Toorcon Seattle at 8:35pm regarding a traffic light controller's firmware.
Inside a Traffic Light Controller's Firmware
The Econolite ASC/3 is a black-box device that manages traffic and pedestrian cross-walk lights. Having been given a unit and instructions to make it programmable from Matlab, I did what any self-respecting engineer would do. Namely, I disassembled its firmware, identified its checksumming algorithm, and mapped the relevant bytes of its file format. A bit of XML magic later, and I had a library for reading, writing, and signing configurations. This brief talk will discuss my adventure. It will not discuss forcing a green light or similar tomfoolery.

The following afternoon at 2:40, I'll be speaking at the same conference regarding msp430static.
Homegrown Analysis Tools for 16-bit Microcontroller Firmware
16-bit architectures are a playground for analysis tool developers. This talk will cover the author's development of a reverse-engineering tool for the MSP430. Both the tool and this talk feature function isolation, recovery of stripped symbol information, call-graph generation, simulation, and scripting. Rather than focusing on the usage of the tool, the intent of this talk is to demonstrate how members of the audience might write their own. Source code will be available online, and a personal walkthrough of the code will be performed during the Q&A session for those that are interested.

Wednesday, 19 March 2008

Speaking April 4th at UT, Knoxville

I'll be repeating my Texas Instruments Developer Conference talk in room 206 of Claxton Hall at the University of Tennessee, Knoxville on Friday, April 4th from five to seven o'clock for the local chapter of the ACM. The abstract follows:
Stack Overflow Exploits for Wireless Sensor Networks Over 802.15.4

Stack overflows have been a threat to security since the early 1980s,
but developers consistently leave such vulnerabilities open to attackers
because of mistakes in boundary checking. These mistakes are quickly
found and either fixed or exploited on servers and personal computers.
In industrial embedded systems, however, they are often left in deployed
products because of high replacement costs and the perceived difficulty
level of an attacker reaching the deployed system. IEEE 802.15.4,
Zigbee (R), ISA100 and wireless sensor networks using these protocols
are fertile ground for such exploits. This presentation presents an
application-layer protocol implementation that is vulnerable to a buffer
overflow, showing step-by-step how an attacker could write an exploit
that injects and executes arbitrary machine code over the air -- and how
you can prevent such an attack. The target system is a Telos B wireless
sensor node running TinyOS 2.x on the TI MSP430 microcontroller with a
TI/Chipcon CC2420 radio.
Please email me, travis at utk.edu, if you are interested in attending a hands-on workshop later that evening.
