Half Baked: Hardware Hacking Mixed with Sweet Software Reverse Engineering

ShmooCon VII - 2011

Presented by: Marc Eisenbarth
Date: Sunday January 30, 2011
Time: 10:00 - 11:00
Location: Build It room
Track: Build It!

Advances in binary analysis and forensics over the past two years have been astonishing. A new era has begun which consists of semi-automated, closed-source analysis on every conceivable software target. There is one relatively untouched area that deserves to be cracked like a nut, namely software loaded on hardware targets such as microcontrollers, complex programmable logic devices (CPLD), field programmable gate arrays (FPGA) and more capable microprocessor cores. We will survey a number of techniques, all of which are accessible given a minimal budget and share a common goal: extraction of executable code and program data which can be loaded into the same tool chains used by modern software reverse engineers. The progression begins with a simple eavesdropping attack against a license EPROM and then progresses to compromise of a full-fledged microprocessor core via loading a general purpose operating system to replace a locked down operating system, then finishes up with a data remanence attack against a secure security device. The goal of this talk is more than a survey of techniques; it is a collection of specific examples which serve as both a gentle introduction to a brave new world and a call to arms to the security community.

Marc Eisenbarth

Marc Eisenbarth recently noticed the word “Architect” has been appended to his business cards, and while not entirely sure what that means, he has continued to just do what he has been doing for the last five years, namely improving the HP TippingPoint Intrusion Prevention System (IPS) as a member of DVLabs’ Advanced Security Intelligence team. Prior to this, he managed cyber liability at a US defense contractor for five years and completed a graduate program at Columbia University in Computer Science. Off the clock, he is a “hardware guy” who enjoys releasing various do-it-yourself projects to the general public.

