Emulating Samsung's Baseband for Security Testing
0Grant Hernandez | Security Researcher, University of Florida
Marius Muench | Postdoctoral Researcher, Vrije Universiteit Amsterdam
Date: Wednesday, August 5 | 10:00am-10:40am
Format: 40-Minute Briefings
Tracks: Mobile, Hardware/Embedded
The most crucial interface between modern mobile phones and cellular networks are baseband processors. Basebands are responsible for processing the complicated 2G thru 5G protocols, which gives them a large attack surface. Unfortunately, exploring this surface is cumbersome: finding flaws over-the-air is not scalable, crashes are difficult to reproduce, and devices typically lack even basic debugging interfaces.
To address these concerns, we designed and built an emulation environment for Samsung's "Shannon" baseband (ShannonEE). We leverage and combine the strengths of two existing frameworks, avatar2 & PANDA, to provide a flexible and extensible platform geared towards vulnerability research. We are able to load and run ARMv7-R Shannon firmware images, which typically exceed 30MB in size and have 65K+ functions. We emulate the custom Shannon RTOS and its peripherals accurately enough to enable task switching and timer interrupts, leading to powerful dynamic analysis platform. We also support different versions of Shannon SoCs, spanning multiple generation of Samsung Galaxy phones.
To take full advantage of ShannonEE, we ported TriforceAFL, allowing for targeted, coverage guided, task or protocol, fuzzing. Unlike over-the-air fuzzing, our platform allows for in-depth introspection of the baseband's internal state when triggering crashes and gdb-based memory examination providing backtraces and detailed task information. We demonstrate how our emulator can be used to investigate and understand the impact of n-days and how you would go about finding new vulnerabilities.
Black Hat - USA - 2020 Hacking conference
#hacking, #hackers, #infosec, #opsec, #IT, #security