Firmware Cartography: Charting the Course for Modern Server Compromise

The modern server is the Matryoshka doll of computers, computers inside computers, a giant, undocumented mess. Undocumented devices have made homes at undocumented addresses, on buses, and in protocols most server owners don't know exist. With few exceptions, however, they and their secrets can't really stay hidden -- you just have to know how to look.

In this talk, we'll cover our methodology for vulnerability hunting in undocumented server components, mapping the paths laid out in binary firmware images. Tracking the interactions between software, hardware, and everything in-between exposes the permeable (or missing!) security controls that attempt to block you from opening these new worlds to explore. Through PoC helper libraries and chaining useful primitives together, oh, the places you'll go.

In addition to showing how to find new vulnerabilities, we'll use case studies of public vulns found by ourselves and others, explaining what makes them unique, or common, and other unreleased exploitation details. We'll release initial versions of Binary Ninja plugins we're working on at Atredis Partners, bringing UEFI coverage to the new platform and its hot MLIL. And who knows, we might disclose some new bugs or useful post exploitation details if we're able.

Presented by