Emulating Samsung's Baseband for Security Testing

The presentation discusses the reverse engineering of the Samsung Shannon baseband processor and the discovery of potential vulnerabilities.

• The team did not have access to the source code when they started the project
• They focused on reverse engineering custom peripherals and standard peripherals
• The emulator is not extensible to Qualcomm-based basebands
• The team is releasing their reverse engineering tools and code
• The release date for Shannon EE is uncertain due to the disclosure process

The team discovered a heap-based buffer workflow vulnerability that could potentially lead to full chain remote code execution exploit, but they did not attempt it as getting to the crash was far enough for their purposes.

The most crucial interface between modern mobile phones and cellular networks are baseband processors. Basebands are responsible for processing the complicated 2G thru 5G protocols, which gives them a large attack surface. Unfortunately, exploring this surface is cumbersome: finding flaws over-the-air is not scalable, crashes are difficult to reproduce, and devices typically lack even basic debugging interfaces.To address these concerns, we designed and built an emulation environment for Samsung's "Shannon" baseband (ShannonEE). We leverage and combine the strengths of two existing frameworks, avatar2 & PANDA, to provide a flexible and extensible platform geared towards vulnerability research. We are able to load and run ARMv7-R Shannon firmware images, which typically exceed 30MB in size and have 65K+ functions. We emulate the custom Shannon RTOS and its peripherals accurately enough to enable task switching and timer interrupts, leading to powerful dynamic analysis platform. We also support different versions of Shannon SoCs, spanning multiple generation of Samsung Galaxy phones.To take full advantage of ShannonEE, we ported TriforceAFL, allowing for targeted, coverage guided, task or protocol, fuzzing. Unlike over-the-air fuzzing, our platform allows for in-depth introspection of the baseband's internal state when triggering crashes and gdb-based memory examination providing backtraces and detailed task information. We demonstrate how our emulator can be used to investigate and understand the impact of n-days and how you would go about finding new vulnerabilities.