Workshop Title:

Using Symbolic Execution for IoT Bug Hunting

Abstract:

IoT devices are becoming a more and more important part of peoples’ lives, but they're not being secured properly. This makes them a good target for vulnerability research. Have you considered taking a new approach to firmware binary analysis and vulnerability research besides gdb and fuzzing? Wouldn’t it be interesting to analyze firmware binaries that you can’t debug dynamically (if you don’t have physical access to the device, or have no available UART). Is it still possible to confirm vulnerabilities, or even write an exploit for them?

This presentation will answer all these questions and arm researchers with new ideas how to deal with firmware analysis, providing ideas and tools that every researcher could include in their vulnerability discovery process. Come learn to write your own python angr plugin for Binary Ninja and allow symbolic execution to mark the path to a vulnerable sink in the UI graph for you. Let’s hook binary functions, inject arguments, and evaluate our results!

Toy examples? Not this time! See a real 0day vulnerability discovered using the presented ideas and learn how an exploit was created without dynamic analysis or memory snapshots.

Speaker Bio:

Grzegorz Wypych is an IBM Security Researcher from Poland, he loves to work with MIPS/ARM assembly code and hunt for 0-days in IoT devices. He is targeting network protocols and applications. He’s trying to bring new ideas in the vulnerability research field to deal with different problems during IoT binary analysis. He is an invited speaker for Security PWNing Conference 2019 in Poland. He has 15 years' experience in IT field, and formerly worked as a Network Security Engineer in a financial institution. In his free time, he enjoys building fishing rods and fishing out on the water.