Tutorials on Wireless Research Frameworks and Tools

Virtual, July 2, 2021

While there are many open-source research tools, it is hard to distinguish well-working projects from paperware. Papers claim to solve many interesting problems. However, when trying to build upon those papers' artifacts, researchers often face limitations that were never mentioned in the paper. This situation makes it hard for new researchers to start in practical fields like wireless research, because it complicates setting up experimental environments and building proofs of concept.

Tutorial Format

This tutorial session aims to close this gap by providing short tutorials on mature frameworks and tools. Project maintainers or highly advanced users will give a quick walkthrough example, discuss features and limitations, and give an outlook on planned features in upcoming releases. This makes it easier to jump-start your research.

Each tutorial will be limited to a maximum of 42 minutes, followed by a Q&A session. This time limit does not allow showing each and every feature of a tool. However, it is sufficient to provide the gist of each tool and let newcomers decide whether it is helpful for their research. Recordings will be made public after the workshop.

Programming Software Defined Radios with GNU Radio

Bastian Bloessl
Secure Mobile Networking Lab
TU Darmstadt, Germany

The broad availability of Software Defined Radios (SDRs) makes accessing the wireless spectrum easier than ever before. The ability to send and receive arbitrary signals makes them an interesting tool for security researchers as well, in particular for interacting with devices that use proprietary physical layers and protocols.

In this session, we walk through a complete example: decoding a wireless car key fob. This provides an overview of the most relevant open-source tools in the domain and shows how they can be combined to decode an undocumented proprietary signal. In this example, we will be using Fosphor, Inspectrum, and GNU Radio.

Instrumenting Bluetooth Firmware with InternalBlue

Jiska Classen
Secure Mobile Networking Lab
TU Darmstadt, Germany

Bluetooth is a protocol with a sophisticated physical layer and an even more complex stack built on top of it. Tools built on software-defined radios have many limitations and do not reproduce the behavior of proprietary mobile device stacks.

InternalBlue solves this problem by modifying the Bluetooth firmware. This allows implementing non-compliant lower-layer functionality to test the Bluetooth specification, which has recently enabled various researchers to uncover severe issues affecting pairing and encryption. Moreover, InternalBlue enables research into a chip's hardware and firmware security. It runs on all jailbroken iPhones and MacBooks, selected rooted Android phones, Raspberry Pis, and evaluation kits.

Fuzzing Basebands with BaseSAFE

Dominik Maier
Security in Telecommunications
TU Berlin, Germany

Wireless firmware is susceptible to over-the-air attacks that do not require any user interaction. Simple actions such as scanning for available networks, cells, or devices, which happen in the background, could allow an attacker to take over a baseband chip. This, in turn, gives access to the traffic processed by the wireless chip and opens the door for escalation into the main mobile operating system.

BaseSAFE supports partial emulation of baseband firmware, bringing coverage-guided fuzzing to basebands. The underlying design, built on top of AFL++'s unicornafl, can be applied to all kinds of devices. In this example, you will learn how to instrument a parser in the MediaTek baseband firmware.

In-Process Fuzzing with Frida

Dennis Heinze
Heidelberg, Germany

Fuzzing wireless protocols on the application layer is often difficult to achieve due to the vast number of components involved. Most approaches cannot reach complex, realistic states in the target, a problem that even applies to very common protocols such as Bluetooth data exchange. It gets even harder if the targeted platform is proprietary and source code is not available. Dynamic binary instrumentation, and more specifically the instrumentation toolkit Frida, can be of great help for analyzing, intercepting, and fuzzing such application-layer protocols.

In this session, we will look at how Frida can be used to analyze and fuzz protocols in a proprietary environment. As an example, we will take a look at iOS's Bluetooth daemon, bluetoothd. We will use Frida to dynamically explore and fuzz application-layer protocols within this daemon.

How to Publish Open Research Tools for Reproducibility

Milan Stute
Secure Mobile Networking Lab
TU Darmstadt, Germany

Have you ever read a good research paper but struggled to use, let alone find, the authors' tools? Or have you ever tried to re-run your own couple-of-months-old code for an extended journal paper and realized that it no longer works? Reproducible research is en vogue, and for a good reason. Reproducibility makes your results credible and enables others (and yourself) to cite and build upon your work. Recently, several high-profile venues introduced an optional artifact evaluation review (e.g., USENIX Security, PoPETs, ACM WiSec), which will likely become a mandatory part of the publication process in the future.

This session will explore actionable steps towards publishing your research tools, using accepted methods from the software engineering discipline. We'll cover the spectrum from the ancient make to modern continuous integration/deployment pipelines (e.g., GitHub Actions) for producing high-quality research artifacts, based on the example of a real-world research project.

Firmware Reverse Engineering with Ghidra

Thomas Roth
leveldown security
Esslingen, Germany

Firmware is everywhere: basebands, SoC boot ROMs, microcontrollers & co. In this workshop you will learn the basics of using Ghidra to reverse-engineer bare-metal firmware, and how to reverse engineer in a world where no automatic analysis, debug symbols, or shared libraries exist.

We will start by understanding how firmware actually talks to the different hardware peripherals, and then learn a variety of tricks and strategies to quickly navigate a firmware binary: discovering the base address, finding interrupt tables, automatically mapping peripherals using SVD-Loader, and automatically locating crypto functions by looking for signatures.

Firmware Rehosting with avatar2

Marius Muench
Vrije Universiteit Amsterdam
Amsterdam, The Netherlands

Rehosting, the art of creating execution environments for specific firmware samples, has gained significant traction in recent years. By now, multiple approaches for rehosting have been proposed, and state-of-the-art systems target a variety of firmware types, including firmware for Bluetooth chipsets and baseband modems.

This tutorial will highlight the main motivation for, and core challenges of, rehosting, while briefly putting existing work into context. Furthermore, we will elaborate on the topic in depth via practical examples using the avatar2 framework, a Python-based orchestration and rehosting system that interconnects emulators, debuggers, and physical embedded devices.

Real World 5G Campus Network as Testbed

Jennifer Gabriel
Technische Universität Dresden
Dresden, Germany
Andreas Ingo Grohmann
Technische Universität Dresden
Dresden, Germany

Research in the 5G environment is currently limited to simulations and working with Software Defined Radios. All of these technologies provide us with first insights into how 5G systems work, but all of them have various limitations compared to real-world setups.

In our tutorial, we introduce you to our 5G Campus Test Network. We describe the setup we use and the tests we have already run successfully, and give an outlook on what we are planning to do. We also have a call to action: if you have any interesting research ideas for our network, please feel free to contact us with your proposal, and if it fits, we are happy to cooperate.