Help creating a Honeypot for an AVR architecture

Go To Last Post

13 posts / 0 new

Author

Message

lucaslo

Level: New Member

Joined: Thu. Apr 26, 2018

Posts: 2 View posts

Posted by lucaslo: Thu. Apr 26, 2018 - 08:25 PM

I'm talking a class that it composed mostly by masters students in computer security. The grade is based on a group project and my grup is compsed by four computer science students

We were tasked with creating a Honeypot for an avr32 archtecture. The goal is to not only capture the malware but to also see what it does to the system.

The only solution that we could think of was finding an linux distro and altering it , so the syscalls are somewhat transparent and we can understand what the malware does. I did some research and BuildRoots seems to be the way to go, as it's somewhat simple, flexible and it has a lot of sources in the web(specially avr related).

Do you guys have any input to give me? Is this a good Idea or there are other options that i'm not seeing?

Any tips about what to study is pretty welcome.

Tags:

Tools, Compilers and General Programming, #avr #avr32 #buildroots, buildroot, ATSAMA5D27-SOM1, PIC32MZ EF, LiteBSD, ATSAMA5D27

Last Edited: Thu. Apr 26, 2018 - 09:56 PM

jgmdesign

Level: Moderator

Joined: Mon. Mar 19, 2007

Posts: 18819 View posts

Location: Long Island New York

Posted by jgmdesign: Thu. Apr 26, 2018 - 09:05 PM

Hello!

Look at the ARM devices as the 32U devices are not a popular choice.

There are others here far better qualified than I to advise you on the other parts of your questions so I will leave that to them

Jim

I would rather attempt something great and fail, than attempt nothing and succeed - Fortune Cookie

"The critical shortage here is not stuff, but time." - Johan Ekdahl

"Step N is required before you can do step N+1!" - ka7ehk

"If you want a career with a known path - become an undertaker. Dead people don't sue!" - Kartman

"Why is there a "Highway to Hell" and only a "Stairway to Heaven"? A prediction of the expected traffic load?" - Lee "theusch"

Speak sweetly. It makes your words easier to digest when at a later date you have to eat them ;-) - Source Unknown

Please Read: Code-of-Conduct

Atmel Studio6.2/AS7, DipTrace, Quartus, MPLAB, RSLogix user

awneil

Level: 10k+ Postman

Joined: Fri. Jul 1, 2005

Posts: 25563 View posts

Location: Basingstoke, Hampshire, UK

Posted by awneil: Thu. Apr 26, 2018 - 09:23 PM

lucaslo wrote:

avr32 archtecture ... linux distro

See: https://www.avrfreaks.net/forum/avr32-support-dropped-linux-kernel

can't imagine there's anyone putting much effort into malware for such obscure systems ... ?

Top Tips:

How to properly post source code - see: https://www.avrfreaks.net/comment... - also how to properly include images/pictures
"Garbage" characters on a serial terminal are (almost?) invariably due to wrong baud rate - see: https://learn.sparkfun.com/tutorials/serial-communication
Wrong baud rate is usually due to not running at the speed you thought; check by blinking a LED to see if you get the speed you expected
Difference between a crystal, and a crystal oscillator: https://www.avrfreaks.net/comment...
When your question is resolved, mark the solution: https://www.avrfreaks.net/comment...
Beginner's "Getting Started" tips: https://www.avrfreaks.net/comment...

gchapman

Level: 10k+ Postman

Joined: Tue. Jan 9, 2007

Posts: 16782 View posts

Location: Clay County, Texas, u.S.A.

Posted by gchapman: Thu. Apr 26, 2018 - 10:36 PM

lucaslo wrote:

I did some research and BuildRoots seems to be the way to go, as it's somewhat simple, flexible and it has a lot of sources in the web(specially avr related).

Is OpenWrt based on buildroot?

fyi, AVR32 is in OpenWrt version 10 (current is 17)

lucaslo wrote:

... or there are other options that i'm not seeing?

Does it have to be AVR32?

Reasons :

MIPS routers are ubiquitous
SAMA5 may be one Microchip follow-on to AVR32

https://openwrt.org/start?do=search&id=start&q=AT32AP7000

http://www.at91.com/linux4sam/bin/view/Linux4SAM/BuildRoot via http://www.at91.com/linux4sam/bin/view/Linux4SAM/Sama5d27Som1EKMainPage#Demo_archives

"Dare to be naïve." - Buckminster Fuller

Kartman

Level: 10k+ Postman

Joined: Thu. Dec 30, 2004

Posts: 24979 View posts

Location: Melbourne,Australia

Posted by Kartman: Thu. Apr 26, 2018 - 10:45 PM

The AVR32 application processors are well EOL (end of life). As Awneil mentions, most wifi routers are MIPS based, so you can purchase at low cost suitable hardware and put OpenWRT on them. The benefit of OpenWRT is that it has a mature build system ( probably buildroot based) and a lot of prebuilt applications and utilities.

From experience, you don't need to do too much apart from having your device on the internet to get hacking attempts. I (stupidly) set up a 3G node as a server. I was attacked by some people from China (or so the ip addresses would indicate). Whilst they didn't gain access, they did manage to chew up a lot of the data via 3G I was paying for.

awneil

Level: 10k+ Postman

Joined: Fri. Jul 1, 2005

Posts: 25563 View posts

Location: Basingstoke, Hampshire, UK

Posted by awneil: Fri. Apr 27, 2018 - 07:34 AM (Reply to #5)

Kartman wrote:

The AVR32 application processors are well EOL (end of life).

As Cliff points out in the thread I linked earlier, the currently-available UC3 are not application processors - so not a basis for Linux:

https://www.avrfreaks.net/commen...

As Awneil mentions, most wifi routers are MIPS based

Actually, that was gchapman

EDIT

typo

Top Tips:

How to properly post source code - see: https://www.avrfreaks.net/comment... - also how to properly include images/pictures
"Garbage" characters on a serial terminal are (almost?) invariably due to wrong baud rate - see: https://learn.sparkfun.com/tutorials/serial-communication
Wrong baud rate is usually due to not running at the speed you thought; check by blinking a LED to see if you get the speed you expected
Difference between a crystal, and a crystal oscillator: https://www.avrfreaks.net/comment...
When your question is resolved, mark the solution: https://www.avrfreaks.net/comment...
Beginner's "Getting Started" tips: https://www.avrfreaks.net/comment...

Kartman

Level: 10k+ Postman

Joined: Thu. Dec 30, 2004

Posts: 24979 View posts

Location: Melbourne,Australia

Posted by Kartman: Fri. Apr 27, 2018 - 07:57 AM (Reply to #6)

Mea culpa! Must’ve scrolled too fast on the phone.

clawson

Level: Moderator

Joined: Mon. Jul 18, 2005

Posts: 105098 View posts

Location: (using avr-gcc in) Finchingfield, Essex, England

Posted by clawson: Fri. Apr 27, 2018 - 08:40 AM

If one wants to play the "Linux game" then apart from the obvious choice of actually doing it on a PC - running the Linux in a Virtual Machine - is the next most obvious these days not simply to buy a Raspberry Pi and work with that?

Why would you choose some obsolete old Atmel for such experiments? If you do want to stick with the Atmel (well Microchip) brand then I'm sure they have Cortex A CPUs and boards - but I bet you find they are considerably more expensive than RPis.

lucaslo

Level: New Member

Joined: Thu. Apr 26, 2018

Posts: 2 View posts

Posted by lucaslo: Fri. Apr 27, 2018 - 01:07 PM

A lot of helpful answers.

I should have clarified a little better what the assignment was. There are no hard lines or a pdf with an specification, the professor just told us that we should make a Honeypot for an PLC, and not to just capture malware but to also see what it does to a system.

It needs to look like it's operating something in a factory floor and it's not a PC.

The professor is always open for dialogue and not at all strict. If i can make my case to him and my group I'm pretty sure I'm allowed to divert from the original idea.

The avr32 is the only piece of hardware that is used in Manufacturing that we could get our hands on.

I was open to find a way to emulate a PLC, but my group partners insist that if we emulate one we would never be able to see what the malware does in real life, just infer it from the code.

gchapman wrote:

Reasons :

MIPS routers are ubiquitous

SAMA5 may be one Microchip follow-on to AVR32

OpenWRT seems to be great and we do have money to a router, but even If i spend a lot of time making a custom firmware will it look like a PLC for the malware? I'm familiar with MIPS instructions and some architectures but I have no Idea how this intersects with PLC.

awneil wrote:

lucaslo wrote:
avr32 archtecture ... linux distro

See: https://www.avrfreaks.net/forum/avr32-support-dropped-linux-kernel

can't imagine there's anyone putting much effort into malware for such obscure systems ... ?

I've been told many times that anything you put online gets attacked , but I definitely don't want to spend energy and time learning about a technology with no practical use.

clawson wrote:

If one wants to play the "Linux game" then apart from the obvious choice of actually doing it on a PC - running the Linux in a Virtual Machine - is the next most obvious these days not simply to buy a Raspberry Pi and work with that?

Why would you choose some obsolete old Atmel for such experiments? If you do want to stick with the Atmel (well Microchip) brand then I'm sure they have Cortex A CPUs and boards - but I bet you find they are considerably more expensive than RPis.

I believe that A raspberry pi is also in our budget.

We are not interested in linux per se, that was the only way that I could think of to see what the malware does, by monitoring the syscalls, and altering a linux distro seemed like the easiest way to do this.

We really need to focus in hardware used to control manufacturing, as there are already tons of work being done with PC in our department.

Thanks everyone

clawson

Level: Moderator

Joined: Mon. Jul 18, 2005

Posts: 105098 View posts

Location: (using avr-gcc in) Finchingfield, Essex, England

#10

Posted by clawson: Fri. Apr 27, 2018 - 01:22 PM

If you are particularly focussing on Syscalls in Linux then clearly you need some hardware that runs Linux?

If you are thinking more of external attacks on "industrial controllers" I think you first need to specify exactly what you mean by "industrial controller". Sure there may be some high level ones that run Linux but the majority are more likely going to be 8 or 16 bit micros not specifically running an "OS" but some dedicated embedded software tailored to the task. There's not going to be a "standard" security solution for such devices. It's going to completely depend on their external comms channels and how they are handled. Also note that many such devices (and certainly AVR8 based ones) are Harvard not von Neumann so they don't keep their code in the same memory space as "exploitable" data. So concepts such as over-running buffers to corrupt return stacks and embed additional executable sequences just isn't going to work because they won't run code out of RAM.

It's going to tend to be "bigger processors" that share DRAM for code and data that can be subject to such exploits.

lfmorrison

Level: Raving Lunatic

Joined: Wed. Dec 8, 2004

Posts: 4647 View posts

Location: Nova Scotia, Canada

#11

Posted by lfmorrison: Wed. May 23, 2018 - 05:37 PM

lucaslo wrote:

I've been told many times that anything you put online gets attacked , but I definitely don't want to spend energy and time learning about a technology with no practical use.

Malware which attacks the system at a shell scripting level could be used to target machines in a CPU-agnostic way. (I'm thinking about vulnerabilities similar to ShellShock, for example.) So one of the old AVR32-based AP7 processors running Linux might be affected by a certain subset of malware even though nobody was deliberately targeting them.

But anyway, it would be difficult for you to get your hands on an AP7-based AVR32 system today. (Although, the outdated state of the Linux kernel and userspace utilities for those devices would make them prime candidates to contain unpatched vulnerabilities.)

I've found evidence of at least one Master's thesis project which claims to have successfully patched the MMU-less variant of Linux to run on a AT32UC3A0512 device with loads of external SRAM, a patched version of GCC (and associated utilities) to produce binaries for such a platform, and a patched version of U-Boot to fire it all up... But now we're talking about the extreme fringes of esoteric platforms, and certainly not a good example of any real-world scenario.

ki0bk

Level: 10k+ Postman

Joined: Mon. Sep 8, 2014

Posts: 10649 View posts

Location: Over the rainbow

#12

Posted by ki0bk: Wed. May 23, 2018 - 05:48 PM

lucaslo wrote:

the professor just told us that we should make a Honeypot for an PLC, and not to just capture malware but to also see what it does to a system.

Then he should have suggested where to find or provided the target PLC!

FF = PI > S.E.T

gchapman

Level: 10k+ Postman

Joined: Tue. Jan 9, 2007

Posts: 16782 View posts

Location: Clay County, Texas, u.S.A.

#13

Posted by gchapman: Wed. May 23, 2018 - 06:26 PM (Reply to #11)

lfmorrison wrote:

[one's masters thesis on UC3A0 uClinux]... But now we're talking about the extreme fringes of esoteric platforms, and certainly not a good example of any real-world scenario.

Cool!

A possible follow-on effort could leverage LiteBSD on PIC32MZ.

Some PIC32MZ boards have Ethernet PHY so could be an Internet honeypot.

But, a PIC32MZ for PLC would more likely run and/or

RTOS
WebSocket server (careful design to separate real-time from server-side)

https://github.com/sergev/LiteBSD/wiki (LiteBSD)

https://www.microchip.com/design-centers/32-bit/pic-32-bit-mcus/pic32mz-ef-family

https://realtimelogic.com/products/sharkssl/minnow-server/

"Dare to be naïve." - Buckminster Fuller

Jump To

Search form

Help creating a Honeypot for an AVR architecture

Tags: