-
A forensic analysis of the Google Home: repairing compressed data without error correction
Authors:
Hadrien Barral,
Georges-Axel Jaloyan,
Fabien Thomas-Brans,
Matthieu Regnery,
Rémi Géraud-Stewart,
Thibaut Heckmann,
Thomas Souvignet,
David Naccache
Abstract:
This paper provides a detailed explanation of the steps taken to extract and repair a Google Home's internal data. Starting with reverse engineering the hardware of a commercial off-the-shelf Google Home, internal data is then extracted by desoldering and dumping the flash memory. As error correction is performed by the CPU using an undisclosed method, a new alternative method is shown to repair a…
▽ More
This paper provides a detailed explanation of the steps taken to extract and repair a Google Home's internal data. Starting with reverse engineering the hardware of a commercial off-the-shelf Google Home, internal data is then extracted by desoldering and dumping the flash memory. As error correction is performed by the CPU using an undisclosed method, a new alternative method is shown to repair a corrupted SquashFS filesystem, under the assumption of a single or double bitflip per gzip-compressed fragment. Finally, a new method to handle multiple possible repairs using three-valued logic is presented.
△ Less
Submitted 29 September, 2022;
originally announced October 2022.
-
Return-Oriented Programming on RISC-V
Authors:
Georges-Axel Jaloyan,
Konstantinos Markantonakis,
Raja Naeem Akram,
David Robin,
Keith Mayes,
David Naccache
Abstract:
This paper provides the first analysis on the feasibility of Return-Oriented Programming (ROP) on RISC-V, a new instruction set architecture targeting embedded systems. We show the existence of a new class of gadgets, using several Linear Code Sequences And Jumps (LCSAJ), undetected by current Galileo-based ROP gadget searching tools. We argue that this class of gadgets is rich enough on RISC-V to…
▽ More
This paper provides the first analysis on the feasibility of Return-Oriented Programming (ROP) on RISC-V, a new instruction set architecture targeting embedded systems. We show the existence of a new class of gadgets, using several Linear Code Sequences And Jumps (LCSAJ), undetected by current Galileo-based ROP gadget searching tools. We argue that this class of gadgets is rich enough on RISC-V to mount complex ROP attacks, bypassing traditional mitigation like DEP, ASLR, stack canaries, G-Free, as well as some compiler-based backward-edge CFI, by jumping over any guard inserted by a compiler to protect indirect jump instructions. We provide examples of such gadgets, as well as a proof-of-concept ROP chain, using C code injection to leverage a privilege escalation attack on two standard Linux operating systems. Additionally, we discuss some of the required mitigations to prevent such attacks and provide a new ROP gadget finder algorithm that handles this new class of gadgets.
△ Less
Submitted 15 March, 2021;
originally announced March 2021.
-
LIRA-V: Lightweight Remote Attestation for Constrained RISC-V Devices
Authors:
Carlton Shepherd,
Konstantinos Markantonakis,
Georges-Axel Jaloyan
Abstract:
This paper presents LIRA-V, a lightweight system for performing remote attestation between constrained devices using the RISC-V architecture. We propose using read-only memory and the RISC-V Physical Memory Protection (PMP) primitive to build a trust anchor for remote attestation and secure channel creation. Moreover, we show how LIRA-V can be used for trusted communication between two devices usi…
▽ More
This paper presents LIRA-V, a lightweight system for performing remote attestation between constrained devices using the RISC-V architecture. We propose using read-only memory and the RISC-V Physical Memory Protection (PMP) primitive to build a trust anchor for remote attestation and secure channel creation. Moreover, we show how LIRA-V can be used for trusted communication between two devices using mutual attestation. We present the design, implementation and evaluation of LIRA-V using an off-the-shelf RISC-V microcontroller and present performance results to demonstrate its suitability. To our knowledge, we present the first remote attestation mechanism suitable for constrained RISC-V devices, with applications to cyber-physical systems and Internet of Things (IoT) devices.
△ Less
Submitted 22 March, 2022; v1 submitted 17 February, 2021;
originally announced February 2021.
-
RISC-V: #AlphanumericShellcoding
Authors:
Hadrien Barral,
Rémi Géraud-Stewart,
Georges-Axel Jaloyan,
David Naccache
Abstract:
We explain how to design RISC-V shellcodes capable of running arbitrary code, whose ASCII binary representation use only letters a-zA-Z, digits 0-9, and either of the three characters: #, /, '.
We explain how to design RISC-V shellcodes capable of running arbitrary code, whose ASCII binary representation use only letters a-zA-Z, digits 0-9, and either of the three characters: #, /, '.
△ Less
Submitted 10 August, 2019;
originally announced August 2019.
-
Borrowing Safe Pointers from Rust in SPARK
Authors:
Georges-Axel Jaloyan,
Yannick Moy,
Andrei Paskevich
Abstract:
In the field of deductive software verification, programs with pointers present a major challenge due to pointer aliasing. In this paper, we introduce pointers to SPARK, a well-defined subset of the Ada language, intended for formal verification of mission-critical software. Our solution uses a permission-based static alias analysis method inspired by Rust's borrow-checker and affine types, and en…
▽ More
In the field of deductive software verification, programs with pointers present a major challenge due to pointer aliasing. In this paper, we introduce pointers to SPARK, a well-defined subset of the Ada language, intended for formal verification of mission-critical software. Our solution uses a permission-based static alias analysis method inspired by Rust's borrow-checker and affine types, and enforces the Concurrent Read, Exclusive Write policy. This analysis has been implemented in the GNAT Ada compiler and tested against a number of challenging examples. In the paper, we give a formal presentation of the analysis rules for a miniature version of SPARK and prove their soundness. We discuss the implementation and compare our solution with Rust.
△ Less
Submitted 15 May, 2018;
originally announced May 2018.
-
Safe Pointers in SPARK 2014
Authors:
Georges-Axel Jaloyan
Abstract:
In the context of deductive software verification, programs with pointers present a major challenge due to pointer aliasing. In this paper, we introduce pointers to SPARK, a well-defined subset of the Ada language, intended for formal verification of mission-critical software. Our solution is based on static alias analysis inspired by Rust's borrow-checker and affine types, and enforces the Concur…
▽ More
In the context of deductive software verification, programs with pointers present a major challenge due to pointer aliasing. In this paper, we introduce pointers to SPARK, a well-defined subset of the Ada language, intended for formal verification of mission-critical software. Our solution is based on static alias analysis inspired by Rust's borrow-checker and affine types, and enforces the Concurrent Read, Exclusive Write principle. This analysis has been implemented in the GNAT Ada compiler and tested against a number of challenging examples including parts of real-life applications. Our tests show that only minor changes in the source code are required to fit the idiomatic Ada code into SPARK extended with pointers, which is a significant improvement upon the previous state of the art. The proposed extension has been approved by the Language Design Committee for SPARK for inclusion in a future version of SPARK, and is being discussed by the Ada Rapporteur Group for inclusion in the next version of Ada. In the report, we give a formal presentation of the analysis rules for a miniature version of SPARK and prove their soundness. We discuss the implementation and the case studies, and compare our solution with Rust.
△ Less
Submitted 19 October, 2017;
originally announced October 2017.
-
ARMv8 Shellcodes from 'A' to 'Z'
Authors:
Hadrien Barral,
Houda Ferradi,
Rémi Géraud,
Georges-Axel Jaloyan,
David Naccache
Abstract:
We describe a methodology to automatically turn arbitrary ARMv8 programs into alphanumeric executable polymorphic shellcodes. Shellcodes generated in this way can evade detection and bypass filters, broadening the attack surface of ARM-powered devices such as smartphones.
We describe a methodology to automatically turn arbitrary ARMv8 programs into alphanumeric executable polymorphic shellcodes. Shellcodes generated in this way can evade detection and bypass filters, broadening the attack surface of ARM-powered devices such as smartphones.
△ Less
Submitted 22 June, 2019; v1 submitted 11 August, 2016;
originally announced August 2016.
