Exploiting Real Time Operating Systems
CPE/ECE Credits: 40 Course Description This course will teach students how to analyze, reverse, debug, and exploit embedded RTOS firmware. Hands-on experience with a variety of real-world devices, RTOS’s, and architectures equip students with the practical knowledge and skills necessary to be proficient in RTOS vulnerability analysis and exploitation. Prerequisites Due to the nature of the material, we do expect students to already have experience with: basic overflows and ROP be comfortable in IDA’s user interface some prior knowledge of MIPS and ARM (a plus, but not required) This course is a natural progression for students already familiar with embedded Linux/firmware exploitation. If you attended IoT Firmware Exploitation, then you meet the criteria! Course Length 5 days Day 1 Basic introduction to the concept of Real Time Operating Systems Overview of MIPS architecture and design Firmware analysis of our first target device Debugging our first target device Augmenting IDA’s auto analysis Searching for backdoors Day 2 Searching for stack overflows Exploiting RTOS overflows How not to crash your target Practical exploitation of LAN services from the WAN Day 3 Hardware & firmware analysis Identifying functions without a symbol table Debugging without a debugger Searching for stack overflows Writing stack overflows with limited debugging Write stack overflow exploits for our second target device Day 4 Parsing bugs Dynamic call path identification Complex ROP chains Re-programming RTOS kernel code on-the-fly Low-hanging crypto Breaking custom crypto Finding WPS crypto bugs Practical exploitation of WPS crypto bugs Day 5 More firmware analysis Augmenting IDA’s auto analysis V-Chip backdoors Hidden manufacturer menus Instructor Bio Craig Heffner is a Vulnerability Researcher and has 15 years experience analyzing embedded systems – 10 actually paid while 5 were just “exploring” on his own. He’s also the creator of binwalk, and he operates the /dev/ttyS0 blog which is dedicated to firmware hacking topics. He has presented at events including Blackhat and DEFCON. His skin has never been exposed to sunlight and is bioluminescent at 200 meters (656 feet) below sea level. Private, on-site training is available. Call +1 (443) 276–6990 or email us at firstname.lastname@example.org.