#HITBCyberWeek D1 LAB - Writing Bare-Metal ARM Shellcode

The great power of the Internet Of Things comes with the great responsibility of security”. Being the hottest technology, the developments and innovations are happening at a stellar speed, but the security of IoT is yet to catch up. Almost all of the IoT devices are driven by the ARM processor. Since the safety and security repercussions are serious and at times life-threatening, there is no way you can afford to neglect the security of IoT products.

“The art & craft of writing ARM shellcode” is a unique hands-on Labs which offers security professionals, a comprehensive understanding of the ARM Architecture and helps in reversing the ARM binaries and find vulnerabilities and exploit it.

We will start with a brief discussion of ARM architecture and instruction set and then discuss various system calling convention and using this knowledge we will start with our first hands-on labs on Shellcoding. In this lab, participants will write ARM Linux shell code to spawn a shell. We will also discuss a few tips on how to make your shellcode smaller and reliable so that it could be executed even in a very stringent environment where there is a restriction on the payload size and we will later do the hands-on on those concepts.

At the end of the workshop, I will demo an attack on a vulnerable ARM-based IoT Device running a Bare-Metal firmware. In the demo, I will exploit a buffer overflow vulnerability and control the GPIO pins of the hardware. Writing a shellcode for Bare-metal system is very different from writing it for Operating System like Linux or Windows. I explain in detail how this shell code different and how it is injected in the device, and I will also explain how this payload manages to control the hardware component connected to the device.

===