REcon 2016: HARDWARE-ASSISTED ROOTKITS & INSTRUMENTATION

Endgame vulnerability researcher Matt Spisak presented "Hardware-assisted Rootkits & Instrumentation" at REcon 2016 in Montreal.
Security researchers have limited options when it comes to debuggers and dynamic binary instrumentation tools for ARM-based devices. This presentation explores a common but often ignored feature of the ARM debug architecture, and delves into the use cases this hardware component opens up for researchers, spanning instrumentation, rootkits, and exploit prevention.

In addition, Spisak’s presentation:

  • Introduced a prototype toolkit with IDA plugin that can perform real-time tracing, code coverage analysis, and more, of the Android kernel on COTS smartphones without requiring virtualization extensions or special hardware.
  • Compared implementations of this hardware unit across multiple chipset vendors, and discussed its applicability to the other ARM CPUs found in smartphones, such as WiFi and cellular basebands.
  • Demonstrated how this debug interface can be turned into a hardware-assisted rootkit, with a prototype kernel-level Android rootkit.
  • Detailed a specific use-case for exploit mitigations on embedded systems.