Sunday, September 23, 2007

Memory-Constrained Code Injection

by Travis Goodspeed <travis at utk.edu>
at the Extreme Measurement Communications Center
of the Oak Ridge National Laboratory

Introduction


When injecting code into an embedded system, as was demonstrated in the prior article, entitled MSP430 Buffer Overflow Exploit for Wireless Sensor Nodes, the limitation of code size frequently comes up. The following will explain how a 128-byte packet can be used to inject an exploit much longer than itself. This method would also work in workstation and server attacks, but it is less valuable in such environments because those platforms lack the prohibitive memory constraints found in embedded systems.

It is assumed that the reader is familiar with the previously referenced article, and it is further assumed that a method for injecting short fragments of machine code exists. These examples are specific to TinyOS 2.x on the MSP430, but the principles in question should be of relevance for any resource-constrained target over a datagram channel of limited packet size.

General


The method which will be presented makes use of unallocated memory as a buffer into which a large payload, one that is larger than any individual packet, is populated by a series of code injections, each of which loads a short piece of the larger payload before returning to normal execution.

Each packet will set a single word of memory to a word from its payload, thus copying as many words as are required from the attacker to the victim, loading them at whatever address is specified. So long as the target address lies beneath the stack and above the heap, it will not interfere with the operation of the victim's firmware and will not be damaged or overwritten by another subroutine.

The memory layout looks something like this:

(Top of Memory, 0xFFFF)
Internal Flash {
    Interrupt Vector Table
    Data/Code
}
Internal RAM {
    Stack (grows down)
    Unused (between heap and stack)
    Heap (grows up, often empty)
    Globals
    Memory-mapped I/O
}
(Bottom of Memory, 0x0000)


The payload will be housed in the unused region between the stack, which grows downward from the top of memory, and the heap, which grows upward from the bottom of memory.

Specific


Suppose that an attacker is capable of broadcasting packets which allow a six-byte payload to be executed on a victim. Further, suppose that the attacker wishes to execute a single block PB of 256 bytes of machine code at address TA, within a contiguous region and without interruption.

The attacker can craft a memory-injection (MI) packet which sets the word at an address to a value. In MSP430 assembly, this is expressed as

    MOV.W #val, &addr

which sets the word at memory location addr to val. To place the value 0xDEAD at the memory location 0xBEEF, one would use

    MOV.W #0xdead, &0xbeef

As machine language using absolute addressing, this would be

    {0x40b2, 0xdead, 0xbeef}

The latter two words may be substituted as required, making it trivial to have a function write injection code on the fly, such as


#include <stdint.h>

/*! Takes a pointer to a six-byte region which is populated
 *  with machine code for setting the value at the address,
 *  i.e. MOV.W #value, &address using absolute addressing.
 */
void attackcode_set(uint16_t *code,
                    uint16_t address,
                    uint16_t value){
    code[0]=0x40b2;   /* opcode: MOV.W #imm, &abs */
    code[1]=value;    /* immediate operand (the word to store) */
    code[2]=address;  /* absolute destination address */
}


Thus, to copy an expanse of code to the victim, the attacker would compose 128 injection packets with the following loop:

/* Populate the buffer MI with memory injections to place all of PB at TA.
 * PB is 256 bytes, i.e. 0x80 words, so 0x80 packets are needed; PB is
 * addressed here as a uint16_t* and TA is the target address from the text. */
uint16_t MI[0x80][3];   /* one six-byte injection per packet */
for(int i=0;i<0x80;i++)
    attackcode_set(MI[i], TA+2*i, PB[i]);


Each packet of MI[] is then broadcast, in any order whatsoever. As each packet is received, another two bytes near TA, the target address, are set. Thus, two bytes at a time, the whole payload is transferred to the victim. Once all of them have been delivered, one final injection is sent which, rather than executing a payload of its own, jumps to TA to begin the previously loaded code, all 256 bytes of it.
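As an added example that is not part of the original article, the following C program looks at the same packets from the defender's side: it decodes each six-byte payload as the MOV.W #val, &addr pattern above, accepts only writes that land in the unused region between heap and stack, and replays them into a simulated RAM image so the staged payload can be reconstructed from a capture and out-of-window writes can be flagged. The RAM window, heap top and stack bottom are assumed values, and the capture is constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>

#define MOV_ABS_OPCODE 0x40b2u  /* MOV.W #imm, &abs, as in the article */
#define RAM_BASE       0x0200u  /* assumed: first address of simulated RAM */
#define RAM_SIZE       0x0800u  /* assumed: 2 KiB, so 0x0200..0x09ff */
#define HEAP_TOP       0x0400u  /* assumed upper bound of the heap */
#define STACK_LOW      0x0800u  /* assumed lowest address the stack reaches */

static uint8_t ram[RAM_SIZE];   /* simulated victim RAM image */
typedef struct { uint16_t words[3]; } mi_packet_t;
/* Decodes one six-byte payload. Returns 1 and applies the write when it is
 * MOV.W #val,&addr with an even address wholly inside the unused window;
 * returns 0 for anything else (not a MOV, or a write into heap/stack). */
int mi_replay(const mi_packet_t *p) {
    if (p->words[0] != MOV_ABS_OPCODE) return 0;
    uint16_t value = p->words[1], addr = p->words[2];
    if ((addr & 1u) || addr < HEAP_TOP || addr + 1u >= STACK_LOW) return 0;
    ram[addr - RAM_BASE]     = (uint8_t)(value & 0xffu);  /* little-endian */
    ram[addr - RAM_BASE + 1] = (uint8_t)(value >> 8);
    return 1;
}

/* Replays a capture in arrival order; the article notes packets may arrive
 * in any order, so no sequencing is assumed. Returns the accepted count. */
size_t mi_replay_all(const mi_packet_t *pkts, size_t n) {
    size_t accepted = 0;
    memset(ram, 0, sizeof ram);
    for (size_t i = 0; i < n; i++) accepted += (size_t)mi_replay(&pkts[i]);
    return accepted;
}

/* Reads a word back from the reconstructed image for inspection. */
uint16_t ram_word(uint16_t addr) {
    return (uint16_t)(ram[addr - RAM_BASE] | (ram[addr - RAM_BASE + 1] << 8));
}

/* Constructed capture: three in-window writes arriving out of order, one
 * write aimed at the stack, and one payload that is not a MOV at all. */
static const mi_packet_t capture[] = {
    {{0x40b2, 0x4130, 0x0504}},
    {{0x40b2, 0x0000, 0x0502}},
    {{0x40b2, 0x3fff, 0x0500}},
    {{0x40b2, 0xdead, 0x0900}},  /* in the stack region: rejected */
    {{0x1234, 0x5678, 0x0506}},  /* not a memory-injection packet */
};

size_t replay_capture(void) {
    return mi_replay_all(capture, sizeof capture / sizeof capture[0]);
}
```

Dumping the reconstructed window after replay gives the analyst the staged payload in the order it will execute, regardless of the order in which the packets were sent.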

Injection of Complete Firmware


Once this longer payload has been installed, it can be used to copy a portion of itself to external flash. This can be repeated until a complete firmware--that is to say software which resides in internal flash--exists on external flash. Then a short loader routine could copy it from external to internal flash, thereby replacing the victim's firmware with the attacker's. If this new firmware were to begin broadcasting its own installation routine, the result would be a self-propagating worm.

Conclusion


One should never assume that an embedded platform is safe from sophisticated code injection because of the limitations imposed by a datagram networking framework, such as 802.15.4. Even without streaming or the buffering of prior packets, it's possible--in fact rather trivial--to inject a payload significantly larger than the packet size.

Please contact me if you know of any prior implementation or discussion of this technique. I would be much obliged.
