CSAW'19 EUROPE Third Place RetEx

Overview

This year, we decided to challenge ourselves by participating in the CSAW ESC (Embedded Security Challenge).

"CSAW is the most comprehensive student-run cyber security event in the world, featuring nine competitions, 6 global hosts, workshops, and industry events."

See also

The official CSAW website: https://csaw.engineering.nyu.edu/

The ESC is a hardware-oriented competition, and the 2019 topic was Radio Frequency Identification (RFID). This challenge was a good opportunity for us to improve our reverse engineering skills as well as our knowledge of embedded architectures and firmware analysis.

!! SPOILER ALERT !!

The four team members are: Romain Brenaget, Jerome Blanchard, Mathieu Dolmen and Pierre Fontaine.

Qualification Phase

In this phase, the goal was to reverse engineer a provided vulnerable binary using Ghidra and develop exploits using different approaches and techniques. A four-page write-up outlining the approaches and techniques used to reverse engineer the provided binary was required. At the end of the paper, an opening onto existing firmware exploitation and RFID hacking techniques was welcome.

The qualification was somewhat confusing because of its lack of difficulty (yes, you read that correctly!). Indeed, the flag was very easy to find! But this was the main challenge... The most important thing was also to explore other ways to find the flag (e.g. highlighting Ghidra's capabilities) and to be able to synthesize our work in a technical article. Please note that the qualification had nothing to do with RFID.

See also

If you are curious, the qualification.out binary file is available here: https://github.com/TrustworthyComputing/csaw_esc_2019

Deliverable

This technical article, limited to four pages and following the standard IEEE conference format, describes our different approaches to solving this challenge (evaluation, static analysis with Ghidra and dynamic analysis with angr). We added some techniques for dumping firmware at the end of the document, but we did not talk about RFID here.

files/CSAW19_ESC_qualif_paper_UBS_BZH.pdf

Final Phase

After the qualification round, all qualified teams received a custom RFID board and original firmware provided by the organizers. 18 challenges were released on GitHub by the organizers during this phase of the competition. The goal was to solve as many challenges as possible before the end of deliverables submission. We received the board on 2019-10-08 and the final phase was planned for 2019-11-08, so one month of hard work!

The custom board provided by the CSAW organizers consists of four distinct parts:

  • A Teensy 3.2 embedding a 32-bit ARM processor (MK20DX256VLH7 with Cortex-M4 core) which constitutes our main target for RE.
  • A contactless MFRC522 RFID reader/writer and two tags (one white card and one blue token). The card is fully programmable using the provided system. The blue token must only be used when specifically required by a challenge.
  • An OLED I2C display module and 4 push buttons, which constitute the Human Machine Interface (HMI) used to select the challenge to be started.
  • An 8-bit AVR RISC-based ATmega1284P microcontroller controlling the board peripherals.

In the Final Phase, qualified teams are invited to the CSAW event of their region (EUROPE for us) to present and demonstrate their attack implementations on the custom systems provided by the organizers.

During this phase of the competition, we worked on both static and dynamic analysis to solve all the challenges. You can find here our repo detailing our solution and approach for each challenge. A solution.md file is provided for each challenge; we encourage you to read it if you do not have a lot of time to go further.

To solve several challenges, we used the Unicorn CPU emulator framework. If you are mainly interested in this topic, we created a Jupyter Notebook demonstrating the use of Unicorn to solve the Break challenge (Set C).

Deliverables

For the final, several deliverables were required; a short description of each is given here, along with a download link.

Paper

This technical article, limited to eight pages and following the standard IEEE conference format, describes our exploratory phase on the different system components of the board, the collaboration tools, and the combined static and dynamic analysis that we used to solve all the challenges.

files/CSAW19_ESC_paper_UBS_BZH.pdf

Poster

A 24 in x 36 in (vertical orientation) poster was required a few days before the end of deliverables submission. We are rather proud of our poster because the job was done in LaTeX in a few days and we had never tried making a poster in LaTeX before! Furthermore, this kind of exercise can be difficult, but we saw this deliverable as a support and a visual aid for discussion with visitors and judges.

files/CSAW19_ESC_poster_UBS_BZH.pdf

Powerpoint Presentation

Up to eight slides and with a duration of five minutes max, this deliverable is very important because it must be presented to the judges. We decided that each member of the team would speak during this presentation, which was not always the case for other teams. This exercise is very instructive, but the presentation should be given in an amphitheater in front of the judges and the public, and not around a computer with only the judges, as was the case. We raised this point with the organizers.

files/CSAW19_ESC_pres_UBS_BZH.pdf

Video

A video was requested; for us, it is a teaser about our approach and solutions for solving the different challenges. We were running out of time and our knowledge of video editing is limited, so this deliverable is the least polished. But for a video made in a few hours, we are rather satisfied with the result.

https://drive.google.com/drive/folders/1M4wmcoZRpIz50R1I6YqpW_RyxatVlFyl?usp=sharing

See also

Detailed information about the deliverables specifications is available here: https://github.com/TrustworthyComputing/csaw_esc_2019/blob/master/Deliverables.md

Live

CSAW Europe is hosted by INP-Grenoble Esisar (Valence, France). The live phase, spread over two days, consists mainly of conferences and discussions with competitors, organizers and judges. We had rich discussions and made some valuable contacts in the area of cyber.

Moreover, on the day of the final, a last challenge was given by the organizers. The goal was to solve it in one hour maximum (first team won 150 extra points, second and third respectively 100 and 50 points). We did not manage to find the solution during this time, only just after the end. During this CSAW competition (not only at the live event), we sometimes looked for overly complicated solutions and it made us waste time. Unfortunately, on the day of the live event, we looked too far again. A good lesson for us!

Winners

See also

All winners by region are listed here: https://csaw.engineering.nyu.edu/esc/finalists