Aurélien Francillon
PhD student, Inria Planete Team

News

  • 03/2009: giving a talk at the University of Limoges on code injection on embedded systems

Random Thoughts



Moving to ETH Zurich

From the 1st November 2009 I am a post-doc in the system security group at ETH Zurich. I have a new homepage, but it's still under construction.
My papers are therefore still available here.

Nov 1 10:00:00 CET 2009


Worms on embedded systems

Looks like Travis Goodspeed actually created one on smart meters.
This is somewhat related to my previous research, although it seems to have been performed on an MSP430-based platform. Very few technical details are available yet.

Edit: Turns out that the press overreacted and misinterpreted the actual facts. It was only stated that a worm could be created for such devices and that they are not designed with security in mind.

Mon Mar 23 10:57:06 CET 2009


Embedded Systems (In)Security Workshop

We are organizing a small workshop on embedded systems attacks. It will take place on the 7th of January on the university campus of Grenoble and will feature the following three talks:

  • 2pm-3pm: "Code Injection in Smart Cards" Jean-Louis Lanet, Universite de Limoges, FR.
  • 3:15pm-4:15pm: "Practical Attacks on low power microcontroller", Travis Goodspeed, University of Tennessee, Knoxville, USA.
  • 4:30pm-5:30pm: "Code Injection in Sensor Networks" Aurelien Francillon, INRIA Rhone-Alpes, projet PLANETE, FR.

Don't hesitate to contact me for more information!

Summary of the talks:
  • "Code Injection in Smart Cards" Jean-Louis Lanet:
    We present a method to create a hostile ill-formed applet in Java Card if an attacker has the rights to download applets to the smart card and the card has no bytecode verifier. For this we use two weaknesses in the Java Card 3.0 specifications (the classic edition): one about static fields not being checked by the firewall under certain conditions, and another one about the on-board linking process. Once downloaded, our malicious applet is able to search for patterns in other applets (even if they are not in the same package and we have no rights on them) and replace bytecodes to bypass important security checks.

  • "Practical Attacks on low power microcontroller", Travis Goodspeed:
    The Texas Instruments MSP430 low-power microcontroller is used in many medical, industrial, and consumer devices. When its JTAG fuse is blown, the device's firmware is kept private by a serial bootstrap loader (BSL), certain revisions of which are vulnerable to a side-channel timing analysis attack. This lecture concerns the attack in both theory and implementation, including the non-standard serial traffic necessary to expose the password by timing.

  • "Code Injection in Sensor Networks" Aurelien Francillon:
    We will present different code injection attacks on wireless sensor networks. We will see in more detail how to exploit program vulnerabilities to permanently inject code into the program memory of an Atmel AVR-based sensor (MicaZ). AVR microcontrollers use a Harvard-based architecture, and it was believed that code injection was impossible on such an architecture. We also show that this attack can be used to inject a worm that can propagate through the wireless sensor network and possibly create a sensor botnet. Our attack combines different techniques such as return-oriented programming and fake stack injection. We present implementation details and suggest some counter-measures.

  • Access information: at http://ensimag.grenoble-inp.fr follow "Plan d'acces" and "Le plan d'acces l'Ensimag sur le campus", or see the Google Maps view of the building.

Thu Dec 11 12:47:58 CET 2008


Worm on WSN?

Quite some time ago I was wondering whether worms were a realistic threat to wireless sensor networks. The main obstacle was to overcome the limitations of the Harvard architecture commonly used on sensor nodes such as the MicaZ. A CPU with a Harvard architecture makes a strong distinction between data memory and program memory. The program memory is therefore usually read-only and the CPU core is unable to load instructions from data memory; you can think of it as a "noexec" patch such as the one of grsecurity.
During my work on this topic I found the works of T. Goodspeed (Memory-Constrained Code Injection on the TelosB, a sensor node based on a Von Neumann architecture) and later of Gu and Noorani (Towards self-propagate mal-packets in sensor networks, in which they basically abuse a buffer overflow on the Mica2, but without actually performing code injection). It was motivating to find other people working on a similar topic; on the other hand they did raise the bar quite high ;) .
I eventually managed to achieve my objective, showing that code injection is actually possible on Harvard architecture devices. A key fact is that such a device has to include a bootloader in order to make software updates possible. The idea is to use Shacham's return-oriented programming in order to somehow "call" the bootloader with the appropriate parameters. Making this work on an actual TinyOS program for the MicaZ is not straightforward; you can find the actual details in the paper.

Thu Oct 2 17:43:29 CEST 2008


OOXML?

Looks like OOXML got "accepted" as an ISO standard.
  Benjamin Henrion, initiator of the OOXML campaign, is furious about the tactics he followed over several months: "Committee stuffing is a standard practice for Microsoft. Microsoft raped ISO with their office file formats, leaving the organization in limbo. The whole campaign against the format has raised an army of people, who are furious about the dirty tactics used by Microsoft to get the broken standard through ISO. This anger won't go away, and I wish good luck to Microsoft to get it adopted by governments. The reputation of Microsoft went down below zero with this process."
A 6000-page "standard" with plenty of inconsistencies and black areas?
I'm waiting to see the stack of security vulnerabilities in the applications that are going to implement it!

Wed Apr 2 15:25:39 CEST 2008


Surprise Me!

Amazon's online reader proposed a link: "Surprise Me!"
Well, I clicked on it and got the obscure message:
[...]"To protect this copyrighted material, books are subject to viewing controls."[...]"Your account has not made an eligible"[...]
Well, of course I'm really not surprised ...
I would even expect it ... but well, is this really necessary anyway?

Wed Nov 28 17:05:14 CET 2007


TinyOS overlay update

I made quite a big update to my TinyOS overlay for Gentoo, mostly a big cleanup of the ebuilds with the creation of an eclass. See the stuff page to get the overlay.

Tue Feb 20 16:15:27 CET 2007


Patents on drugs

A very interesting point of view from Joseph E. Stiglitz, Nobel prize in economics 2001.

Tue Dec 26 16:36:45 CET 2006