Agenda

Day 1: Introduction, initial analysis and debugging

• Introduction to communication processors (CP):
  • The evolution and challenges of communication systems
  • Baseband processors: An architecture overview
  • CP architectures: Broadcom, Qualcomm, MediaTek, Samsung
• Code extraction and initial analysis:
  • Challenges of baseband code extraction
  • Getting the firmware
  • Initial analysis: Parsing the firmware header
  • Loading into IDA: Base addresses and program segmentation
• Understanding baseband Real Time Operating Systems (RTOS)
  • Data structures and IPC
  • Memory permissions and mappings
  • Mapping the attack surface
  • Identifying functions and symbols in the code and writing a function mapping
    script
  • Extracting debug strings and parsing them to name functions in the IDB
• Debugging:
  • Obtaining memory dumps
  • Getting RWX permissions
  • Building a debugger

Day 2: Cellular protocols and static analysis

• Introduction to GSM, GPRS and UMTS:
  • Guide to the relevant 3GPP protocols
  • Working with the specs
  • Determining the protocol attack surface
  • Real time packet captures, analysing a sample PCAP
• Shannon: Static analysis and an architecture overview:
  • Tasks, memory management and code structure
  • Debugging functionality
  • Samsung IPC: Talking to the Application Processor
  • The Platform Abstraction Layer and the HAL
• MediaTek: A comparison with Shannon:
  • Nucleus OS: implementation in MediaTek
  • Debugging the MediaTek baseband
  • Interaction with the AP
• Setting up a rogue BTS:
  • Getting started with YateBTS
  • Making phone calls and sending SMS over your own network

Day 3: Finding bugs in Shannon and MediaTek

• 2G and 3G sub-protocols:
  • Full reversing of a CC handler function in Shannon and in MediaTek
  • Adapting YateBTS to run with GPRS and a primer on the protocol
• Vulnerability research in LTE and 5G:
  • The additional complexities of setting up an eNodeB
  • Working with mutual authentication
  • Enumerating pre-authentication attack surfaces
• Finding Shannon bugs
  • Guiding the students towards finding a Shannon bug presented at Pwn2Own
    2018
  • Guiding the students towards finding a recent Shannon bug that was silently
    patched
  • Enumerating related parsers
• Finding MediaTek bugs:
  • Guiding the students towards finding a GPRS bug in MediaTek (DoS)
  • Analysing the bug using the adapted hooking framework
  • Opening related attack surfaces in MediaTek

Day 4: Exploiting a Shannon n-day

• Modifying YateBTS code to deliver the exploit payload
• Exploit primitives
  • Restoring execution after a Shannon stack overflow – resuming the message
    parsing loop
  • Exploiting heap overflows in Shannon OS
  • Analysing the stack and heap for secondary exploitation primitives
  • Challenges/exploit mitigations
• Achieving code execution:
  • Developing a proof of concept (PoC)
  • Using ROP for a full exploit
  • Loading the initial shellcode stub into global memory
  • Building a custom bridgehead – receiving the main payload over the air
  • Second stage: Modifying the system’s behaviour in order to capture traffic or
    escalate to the AP
• Baseband emulation for vulnerability research
• Escalating to the Application Processor (AP) and Android - an introduction

Pre-requisites

• C and Python
• Good reverse engineering knowledge
• Recommended: Familiarity with ARM assembly

Hardware Requirements

• A working laptop
• 40 GB free Hard disk space

Software Requirements

• IDA Pro or IDA Home with ARM Architecture is a must
• 32-bit ARM Decompiler is OPTIONAL, but highly recommended:
  • IDA Pro users can use the accompanying Hex Rays ARM decompiler
  • Ghidra’s ARM decompiler can be used as a standalone decompiler for students with IDA Home (only if you really can’t get the Hex-Rays decompiler)
• Linux / Windows / Mac OS X desktop operating systems
• VMWare Player / VMWare Workstation / VMWare Fusion MANDATORY
• Administrator / root access MANDATORY