This training is geared towards offensive security researchers, penetration testers or red teamers who want to dip their toes into the field of OT/IOT application security. The training is built around development boards that give attendees a practical introduction to OT/IOT applications via the FreeRTOS environment. After the students have learned about common security architectures and vulnerabilities, we will define how FreeRTOS OT/IOT applications are built. We then switch to an offensive security perspective and take apart and analyse an ECU image step by step until we have (a) working exploit(s) against that system at the end of the week.
- Introduction to OT/IOT and the application domains for FreeRTOS
- Software development models/methods for real-time applications
- The FreeRTOS development tool chain for an ARM Core
- A quick introduction to programming in C
- Exercise #0: Installing and Testing the Tool Chain
- The FreeRTOS Architecture
- The ARM Core Architecture
- Emulation of ARM Core and FreeRTOS
- Interrupt Handling in FreeRTOS
- Exercise #1: Test communications with Development Board and the Tool Chain for FreeRTOS
- Q&A / Wrap-up Session 0
- Task Management within FreeRTOS and Direct Task Communication
- Task Scheduling, Context Switching and Multi-Tasking
- Queues, Mutexes and Semaphores for Interface Task Communication
- Exercise #2: Getting Tasks to communicate with each other and debugging communication task
- Exercise #3: Inter-Task Communication using Mutexes and Semaphores
- Memory Management and Memory Protection
- The STACK and the HEAP
- Exercise #4: Using Memory Management Constructs
- Exercise #5: Identifying and Exploiting Stack Vulnerabilities in RTOS
- Q&A / Wrap-up Session 1
- JTAG/SWD and Debugging a FreeRTOS application with JTAG/SWD and GDB
- Exercise #6: Debugging an RTOS application using JTAG(SWD) and GDB
- Exercise #7: Using JTAG/SWD to dump the firmware
- Reverse Engineering the RTOS firmware/application using static and dynamic techniques
- Exercise #8: Reverse engineering an RTOS application and identifying vulnerabilities
- Q&A / Wrap-up Session 2
- Communicating with the Outside World (GPIO, Ethernet, etc)
- FreeRTOS and the Cloud (AWS)
- Exercise #9: Building a FreeRTOS Application
- Bringing it all together and building an Application
- Source Code Reviews and Security Auditing
- Exercise #10: Source Code Reviews and Security Auditing
- Q&A / Wrap-up Session 3
The following books are recommended in support of this course.
- Brian Amos, Hands-On: RTOS with Microcontrollers, Packt, 2020.
- Joseph Yiu, Definitive Guide To ARM Cortex M23 and Cortex M33 Processors, Newnes, 2021.
- Al Kelley and Ira Pohl, A Book on C: Programming in C, Addison-Wesley, 4th edition, 1998.
The development board that we are going to be using for this class is the NXP LPCXpresso55S69 Development Board. Information about this board can be located at the following URL:
The following is an image of the LPCXpresso55S69 Development board that we are going to use in this class.
It is expected that all students have a laptop/computer running an up-to-date version of the Microsoft Windows 10 Operating System.
For further information and questions please contact Dr Andrew Blyth, PhD. [email protected]