Reverse Engineering Memory Mapped IO
Type of work: Master's thesis
Technical Background:
In forensic analyses of Operational Technology (OT) environments, the firmware of embedded devices has to be examined. For this purpose, the firmware is extracted, for example, from internal or external flash memory, or it is recovered from firmware update files.
The firmware is then disassembled and analyzed in more detail. Since the firmware usually accesses the hardware directly through memory-mapped peripheral registers, without an operating system driver layer in between, it is often difficult to identify which peripheral a given access targets and to understand the resulting input and output. This thesis is intended to support this process.
Task description:
In this work, we will investigate how to trace the interaction with peripherals in embedded devices.
The following questions are to be answered:
- What are the possibilities for addressing peripherals at a low level in embedded devices (e.g. memory-mapped IO)?
- What tools are available for disassembling firmware? What level of support do they offer? Are they suitable for the tasks required here?
- How can access to IO devices (e.g. GPIO) be tracked?
Possible steps:
- Familiarization with embedded devices and general concepts of them
- Consideration of interfaces for obtaining firmware and for debugging (JTAG, SWD, SPI, I2C, ONFI, etc.)
- Consideration of tools for analyzing firmware on embedded devices
- Entropy-based analysis of memory blocks (e.g. to separate code from padding, data and compressed or encrypted regions)
- Graphical analysis of procedures (e.g. call graphs and control-flow graphs)
- Research of the state of the art in the field of forensics of embedded devices (JTAG tools, disassemblers, triage tools, library search, on- and off-chip debuggers, emulators, simulation tools etc.)
- gdb
- openocd
- urJTAG
- BusPirate
- BusBlaster
- Building a system that monitors GPIO pins and single-steps through the code to learn the IO mapping (at least for ARM Cortex-M0-based microcontrollers)
- Work with a logic analyzer, an oscilloscope, an on-chip debugger and a disassembler
- Find the relevant parts of the code where IO is addressed
- Automate the process of stepping through the code while monitoring the outputs in parallel
- Evaluation of own research
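As an added illustration of two of the steps above (the entropy-based memory block analysis and finding the code that addresses IO), the following Python script is example code written for this page; it is not part of the original proposal nor of any of the tools listed. It assumes a raw ARMv6-M (Cortex-M0, Thumb-1 only) firmware image, an assumed flash load address of 0x08000000, and a small constructed sample image. It first labels fixed-size blocks by Shannon entropy (the thresholds are heuristics chosen here, not fixed constants), then scans the code-like blocks for `LDR Rt, [PC, #imm8]` literal loads whose target lies in the ARMv6-M peripheral region (0x40000000-0x5FFFFFFF) or the Private Peripheral Bus (0xE0000000-0xE00FFFFF), and follows the loaded base register to the word loads and stores that actually touch peripheral registers. This is exactly the "static" half of the IO mapping the thesis wants to confirm dynamically with a debugger and logic analyzer.

```python
"""Triage a raw Cortex-M0 (ARMv6-M, Thumb-1) firmware image for memory-mapped I/O."""
import math
import struct
from collections import Counter

# ARMv6-M system address map (fixed by the architecture, not by the vendor).
PERIPHERAL_REGION = (0x40000000, 0x5FFFFFFF)   # vendor peripherals (GPIO, UART, ...)
PPB_REGION = (0xE0000000, 0xE00FFFFF)          # Private Peripheral Bus (NVIC, SysTick)
LOAD_BASE = 0x08000000                         # assumed flash base of the sample image


def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 when every byte value occurs equally often."""
    n = len(block)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def classify_blocks(image: bytes, block_size: int = 256):
    """Yield (offset, entropy, label) per block; the thresholds are heuristics for this example."""
    for off in range(0, len(image), block_size):
        h = shannon_entropy(image[off:off + block_size])
        label = "padding/erased" if h < 1.0 else "compressed/encrypted" if h > 7.5 else "code-or-data"
        yield off, h, label


def is_peripheral(addr: int) -> bool:
    return any(lo <= addr <= hi for lo, hi in (PERIPHERAL_REGION, PPB_REGION))


def find_mmio_accesses(image, load_base, start=0, end=None, window=16):
    """Return {insn_addr, reg, base, accesses} hits for Thumb-1 code in image[start:end]."""
    end = len(image) if end is None else end
    hits = []
    for off in range(start, end - 1, 2):
        insn = struct.unpack_from("<H", image, off)[0]
        if (insn & 0xF800) != 0x4800:               # LDR (literal) T1: 01001 Rt imm8
            continue
        rt, imm8 = (insn >> 8) & 7, insn & 0xFF
        pc = load_base + off + 4                    # Thumb reads PC as insn address + 4
        lit_off = (pc & ~3) + imm8 * 4 - load_base  # Align(PC, 4) + imm8*4, as image offset
        if lit_off + 4 > len(image):
            continue
        base = struct.unpack_from("<I", image, lit_off)[0]
        if not is_peripheral(base):
            continue
        hit = {"insn_addr": load_base + off, "reg": f"r{rt}", "base": base, "accesses": []}
        # Follow Rt through the next `window` halfwords until another literal load redefines it.
        for off2 in range(off + 2, min(end - 1, off + 2 + 2 * window), 2):
            insn2 = struct.unpack_from("<H", image, off2)[0]
            if (insn2 & 0xF800) == 0x4800 and ((insn2 >> 8) & 7) == rt:
                break
            # LDR/STR (immediate, word) T1: 0110 L imm5 Rn Rt; only uses of our base register count.
            if (insn2 & 0xF000) == 0x6000 and ((insn2 >> 3) & 7) == rt:
                kind = "read" if insn2 & 0x0800 else "write"
                reg_addr = base + ((insn2 >> 6) & 0x1F) * 4
                hit["accesses"].append((load_base + off2, kind, reg_addr, f"r{insn2 & 7}"))
        hits.append(hit)
    return hits


def analyze(image: bytes, load_base: int, block_size: int = 256):
    """Entropy triage first, then the MMIO scan restricted to code-like blocks."""
    blocks = list(classify_blocks(image, block_size))
    hits = []
    for off, _h, label in blocks:
        if label == "code-or-data":
            hits += find_mmio_accesses(image, load_base, off, min(off + block_size, len(image)))
    return blocks, hits


def _thumb(*halfwords: int) -> bytes:
    return b"".join(struct.pack("<H", h) for h in halfwords)


# Constructed sample image (not taken from any real device): block 0 holds a routine that
# sets bit 0 of the register at offset 0x14 of a peripheral at 0x50000000 and reads offset
# 0x00, padded with `movs r0, #i` filler; block 1 is erased flash; block 2 contains every
# byte value exactly once, which the entropy scan must flag as compressed/encrypted.
_FUNC = _thumb(0x4802,   # ldr  r0, [pc, #8]    ; r0 = literal at image offset 0x0C
               0x2101,   # movs r1, #1
               0x6141,   # str  r1, [r0, #0x14]
               0x6802,   # ldr  r2, [r0, #0]
               0x4770,   # bx   lr
               0xBF00,   # nop                  ; aligns the literal pool
               ) + struct.pack("<I", 0x50000000)
SAMPLE_IMAGE = (_FUNC + _thumb(*(0x2000 | (i & 0xFF) for i in range(120)))
                + b"\xFF" * 256 + bytes(range(256)))

if __name__ == "__main__":
    blocks, hits = analyze(SAMPLE_IMAGE, LOAD_BASE)
    for off, h, label in blocks:
        print(f"{LOAD_BASE + off:#010x}  entropy={h:4.2f}  {label}")
    for hit in hits:
        print(f"{hit['insn_addr']:#010x}: {hit['reg']} = {hit['base']:#010x}")
        for addr, kind, reg_addr, reg in hit["accesses"]:
            print(f"    {addr:#010x}: {kind:5s} {reg_addr:#010x} via {reg}")
```

Run as-is the script reports one hit: `r0 = 0x50000000` at 0x08000000, a write to 0x50000014 and a read from 0x50000000. A linear sweep over every halfword alignment is deliberately crude: data bytes can decode as a literal load, and bases assembled with `MOVS`/`LSLS` or passed in as arguments are missed, so in practice the scan should be driven from a disassembler's function list, and the recovered addresses are the candidates to confirm with the debugger and logic analyzer set-up the thesis proposes.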
The exact definition of the topic is agreed in consultation with the supervisors, taking into account topics already assigned to other students. Under certain circumstances, several students may work jointly on different sub-topics.
Literature and resources:
- Chantzis, Fotios, et al. Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things. No Starch Press, 2021.
- van Woudenberg, Jasper, and Colin O'Flynn. The Hardware Hacking Handbook: Breaking Embedded Security with Hardware Attacks. No Starch Press, 2021.
- Seal, David, ed. ARM architecture reference manual. Pearson Education, 2001.
- Beneder, Roman. Development of an OpenOCD compatible debugger for ARM-CMARMJTAG. 2011.
- Gay, Warren. Beginning STM32. Apress, 2018.
- Ning, Zhenyu, and Fengwei Zhang. "Ninja: Towards Transparent Tracing and Debugging on ARM." 26th USENIX Security Symposium (USENIX Security 17). 2017.
- Jiang, Muhui, et al. "An Empirical Study on ARM Disassembly Tools." Proceedings of the 29th ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA). 2020.
- 段富刚 (Duan Fugang), and 施展 (Shi Zhan). "Research and Design of an Embedded Software Development Platform Based on OpenOCD" (基于 Openocd 的嵌入式软件开发平台的研究和设计). 计算机测量与控制 (Computer Measurement & Control) 2 (2010): 470-472.
Supervisor: Dr. Thomas Mundt (thomas.mundt@uni-rostock.de).
Prerequisites: None in particular; programming knowledge in a high-level programming language is an advantage. A basic understanding of the electrical properties of circuits (signal levels, timing) is helpful.