Embed Size (px)
Citation preview
CODEBLUE 2014.12.18-19
Takahiro Matsuki (FFRI) Dennis Kengo Oka (ETAS)
!
! ECU
! TriCore
!
!
!
! ECU CAN
ECU ?
! ECU PC ?
! ECU ?
! ECU ECU ?
! ECU◦ ECU I/O◦
! ECU◦ ◦
! ECU◦ ◦ ◦
ECU
!
! 70 ECU
! ECU 2000
! 2015 50
! 50 3010 10
! ◦
···
! ◦ ···
! ◦ ···
! ABS/ESP ◦ ···
!
! 1. CAN
! 2.
! 3.
! 完全にカスタムなプロプライエタリなソフトウェア
! Unixベースの独自のソフトウェア
! 標準化されたソフトウェア、例えば、AUTOSAR
TriCore
! ECU ! Infineon ◦
! TriCore ECU ◦ Bosch EDC17 & MED17, Siemens
! TriCore ECU ◦ Audi, BMW, Citroen, Ford, Honda, Hyundai,
Mercedes-Benz, Nissan, Opel, Peugeot, Porsche, Renault, Seat, Toyota, Volkswagen, Volvo
! ◦ 32 RISC
! ◦ ◦ A0~A16, D0~D16
! ◦ TC1797 (AUDO Future) ! TriCore 1.3.1 ! 180 MHz
! Web ◦ User’s Manual ! ! !
! security, protection, password
◦ TriCore Architecture Overview ! User’s Manual
! ◦ TriCore ! QEMU TriCore ◦ Linux Kernel TriCore
! ECU ◦ TASKING VX-toolset for TriCore ! IDE ◦ Infineon Starter Kit TC1797 ◦ FlexECU development platform
! ◦ IDA Pro !
ELF for Siemens TriCore
!
◦
◦
◦
◦
◦
◦ etc.
ECU
!
◦
◦
◦ Use After Free
◦ Null Pointer Dereference
◦
◦ etc.
!
◦ ◦
! ◦
! ◦
! Use After Free ◦ TriCore C++
! Null Pointer Dereference ◦ 0
! ◦ TriCore x86
(A11)
! ◦ TriCore
! ◦
main() check(f_ptr)receive()
compare()success()
failure()f_ptr = &compare()
failure() { ... }
success() { .... }
compare() { ... }
receive() { // receive input value input = … char buffer[10]; strcpy( buffer, input );
}
check( f_ptr ) { // call receive() to receive incoming value receive(); // call compare() using function pointer f_ptr(); }
main () { function_ptr = &compare; … check( function_ptr );
}
!
!
Address
0x8000 010C
0x8000 013C
0x8000 0170
0x8000 017C
0x8000 0188
…
0xD000 8FC8
0xD000 8FE0
Variable
check()
receive()
compare()
success()
failure()
…
buffer[]
function_ptr
main() check(f_ptr)receive()
compare()success()
Failure()
check() compare() success() f_ptr()
! ◦
◦ ECU
TriCore
! ◦
◦
! TriCore
◦
◦
!
◦ CSA (Context Save Area) TriCore
!
◦ Upper context Lower context 2
◦ Upper context
! call
◦ Lower context !
: Tricore Architeture Overview http://www.infineon-ecosystem.org/download/schedule.php?act=detail&item=44
: Tricore Architeture Overview http://www.infineon-ecosystem.org/download/schedule.php?act=detail&item=44
! CSA ◦ CSA (PCX) CSA (FCX) ◦ PCX, FCX !
: Tricore Architeture Overview http://www.infineon-ecosystem.org/download/schedule.php?act=detail&item=44
! 1 CSA Overwriting ◦ CSA
Upper context
! 2 CSA Injection ◦ CSA Link word
Upper context
! func1func2func3
! func2 CSA (*ret) func3 (0x80000360)
! func1 return A11 func3 (0x80000360)
! func1 return func3
! CSA
◦ CSA
◦ ECU
!
IVT (PIPN)
ISR
! IVT ◦ BIV (Begin Interrupt
Vector)
! ISR ◦ BIV | (ICR.PIPN << 5)
! ICR (Interrupt Control Register)
: Tricore Architeture Overview http://www.infineon-ecosystem.org/download/schedule.php?act=detail&item=44
ISR PIPN 0~255
!
◦ !
!
TVT(TCN)
TSR
: Tricore Architeture Overview http://www.infineon-ecosystem.org/download/schedule.php?act=detail&item=44
! 1: IVT ◦ IVT ISR
! 2: TVT ◦ TVT TSR
! BIV 0xa00f0000
! __interrupt(3) hoge_isr() ISR
0xa00f0060 (0xa00f00+ 32*3) hoge_isr()
! ◦
◦ 0xA Flash
! TVT
! BIV BTV ◦ BIT @ 0xF7E1FE20, BTV @ 0xF7E1FE24
!
!
! 2
! ECU
! HP EliteBook 2530p, Win7, Centrino2 ◦ HIGHTEC Free TriCore Entry Tool Chain ◦ BUSMASTER
! Infineon TriBoard TC1797 V5.0
! ETAS ES592.1
ES592.1 TriBoard Notebook
Ethernet
CAN USB
! ECU
! ◦
◦ CSA
◦
! ECU
!
ECU
! ◦
! ◦ ECU
◦ ECU
! ◦ ECU◦
Thank you
0x8000 0000 Code…
0xA000 F000 BIV…
0xD000 4FC0 CSA…
0xD000 9004(?) Heap…
0xD000 8FF8 Stack
: Tricore Architeture Overview http://www.infineon-ecosystem.org/download/schedule.php?act=detail&item=44
! TriCore ◦ ! ! ◦ ! ◦
! ◦ DEP ◦ ◦ ECU exploit
! CSA ◦ CSA (FCX: Free Context List ) ◦ CSA (PCX: Previous Context List ) ◦ FCX, PCX
!
: Tricore Architeture Overview http://www.infineon-ecosystem.org/download/schedule.php?act=detail&item=44
! ISR EntryPoint (JLA) ! JLA 24bit ◦
24bit 32bit
: Tricore Architeture Overview http://www.infineon-ecosystem.org/download/schedule.php?act=detail&item=44
!
! mtcr CSFR
◦
◦
! Memory Integrity Error Mitigation (TriCore 1.3.1)
◦
