Presentation Title: Closer to Metal: Reverse-Engineering the Broadcom NetExtreme Firmware
Presentation Abstract
In 2010, French researchers Loic Duflot and Yves-Alexis Perez discovered a major security flaw in the firmware of Broadcom network cards. The vulnerability is a buffer overflow leading to remote code execution on the device, which can in turn lead to OS corruption through DMA accesses. This raises the following question: how much can you trust your hardware when you don't even know how it operates or what the firmware code is actually doing?
Given the lack of details from manufacturers about their device internals, the best thing we can do is to retrieve this information ourselves using reverse engineering techniques. Fortunately, Broadcom has released part of their Ethernet card specifications. Nevertheless, some details remain obscure, and the firmware source code is not available. This presentation will focus on a reverse engineering case study of the Broadcom NetExtreme Ethernet card firmware.
First, I detail a simplified view of the device architecture needed for further understanding: the embedded MIPS CPU, registers, internal memory layout, and the firmware bootstrap sequence. Developing our own Linux kernel module then allows us to quickly communicate with the device through PCI transactions, and offers read/write primitives on the device memory to userland processes. On top of that, two home-made firmware debuggers are built:
- InVitroDbg, a Qemu-based firmware emulator, dynamically interacting with device internal memory.
- InVivoDbg, a complete MIPS code debugger, making use of dedicated device debug registers.
InVivoDbg is tightly integrated with Metasm, the assembly manipulation suite, and has been extended to perform advanced code analysis: tracing the execution flow, call-graph visualization, recording and replaying memory accesses, and so forth. The firmware code can be executed and debugged in real time in the Metasm IDA-like graphical interface. Using this robust instrumentation toolset, we were able to easily observe the firmware's behavior in its natural environment. This serves multiple purposes, such as:
- Firmware reversing, in order to uncover undocumented features.
- Vulnerability research inside the firmware code.
- Development of a “hostile” firmware.
- Development of an alternative firmware for the open-source community.
We will discuss the feasibility of a rootkit firmware, especially its DMA capabilities, and some other ideas such as turning a network card into a high-speed forensics analysis tool for dumping RAM. Time permitting, we will present a demonstration of such a tool.
About Guillaume Delugré
Guillaume Delugré is a security researcher working at the Sogeti ESEC R&D lab. His work currently deals with reverse engineering embedded devices. He previously worked on the PDF file format for two years and published Origami, a framework for the manipulation of PDF files.