DOI: 10.1145/3460120.3484753 (research article, CCS conference proceedings)

ECMO: Peripheral Transplantation to Rehost Embedded Linux Kernels

Published: 13 November 2021

Abstract

Dynamic analysis based on the full-system emulator QEMU is widely used for various purposes. However, it is challenging to run firmware images of embedded devices in QEMU, especially the step of booting the Linux kernel (which we call rehosting the Linux kernel in this paper). This is because embedded devices use many different system-on-chips (SoCs) from multiple vendors, and only a limited number of SoCs are currently supported in QEMU.
In this work, we propose a technique called peripheral transplantation. The main idea is to transplant the device drivers of designated peripherals into the Linux kernel binary. Doing so replaces the kernel's drivers for peripherals that QEMU does not support with drivers for peripherals that it does, making the Linux kernel rehostable. Various applications can then be built on the rehosted kernel.
We implemented this technique in a prototype system called ECMO and applied it to 815 firmware images spanning 20 kernel versions and 37 device models. ECMO successfully transplants peripherals for all 815 Linux kernels. Of these, 710 can be rehosted to the point of launching a user-space shell (an 87.1% success rate). The failed cases are mainly kernels that do not support the ramfs root file system format. We are further able to inject a rather complex driver (a NIC driver) into all of the rehosted Linux kernels by installing kernel modules. Finally, we build three applications on the rehosted kernels, kernel crash analysis, rootkit forensic analysis, and kernel fuzzing, to demonstrate usage scenarios of ECMO.
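The transplantation idea described above, as an added illustration that is not ECMO's code or any kernel's: a toy "image" whose boot path dispatches through a machine descriptor (a simplified stand-in for the ARM kernel's machine descriptor; the layout here is assumed) to the vendor SoC's interrupt-controller and timer drivers. The emulator side models only two ARM PrimeCell parts, a PL190 vectored interrupt controller and an SP804 timer, so the vendor drivers fault on unmapped MMIO and boot never sees its first scheduler tick. Transplanting means locating the descriptor in the image and redirecting its init_irq/init_time entries to drivers for the emulated parts, after which the tick is delivered and boot can continue. Register offsets and control bits follow the PL190 and SP804 technical reference manuals; the MMIO addresses, the driver bodies, the descriptor layout and the emulator model are assumptions made for this example.

```c
/* Added example (not ECMO's code): peripheral transplantation on a toy image.
 * Everything below the register definitions is an assumed model. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* MMIO windows the emulator backs; anything else is a bus fault (addresses assumed). */
#define VIC_BASE    0x10140000u   /* PL190 vectored interrupt controller */
#define TIMER_BASE  0x101E2000u   /* SP804 dual timer, Timer1 half */
#define VENDOR_IC   0xB0000000u   /* vendor SoC interrupt controller: not modelled */
#define VENDOR_TMR  0xB0001000u   /* vendor SoC timer: not modelled */

/* PL190 register offsets (ARM DDI 0181). */
#define VIC_IRQSTATUS  0x000
#define VIC_RAWINTR    0x008
#define VIC_INTENABLE  0x010
#define VIC_INTENCLEAR 0x014
/* SP804 Timer1 register offsets and control bits (ARM DDI 0271). */
#define TMR_LOAD     0x00
#define TMR_CONTROL  0x08
#define TMR_RIS      0x10
#define TMR_MIS      0x14
#define TMR_EN       (1u << 7)
#define TMR_PERIODIC (1u << 6)
#define TMR_INTEN    (1u << 5)
#define TMR_32BIT    (1u << 1)
#define TIMER_IRQ    4            /* VIC line the emulated timer is wired to (assumed) */

static uint32_t vic[0x40], tmr[0x10];
static int bus_faults;

/* Emulator side: decode a guest address; INTENCLEAR is write-one-to-clear. */
static int writel(uint32_t v, uint32_t addr) {
    if (addr - VIC_BASE < sizeof vic) {
        if (addr - VIC_BASE == VIC_INTENCLEAR) vic[VIC_INTENABLE / 4] &= ~v;
        else vic[(addr - VIC_BASE) / 4] = v;
        return 0;
    }
    if (addr - TIMER_BASE < sizeof tmr) { tmr[(addr - TIMER_BASE) / 4] = v; return 0; }
    bus_faults++;                 /* unmodelled peripheral: the guest would abort here */
    return -1;
}
static int readl(uint32_t addr, uint32_t *out) {
    if (addr - VIC_BASE < sizeof vic) {
        if (addr - VIC_BASE == VIC_IRQSTATUS) *out = vic[VIC_RAWINTR / 4] & vic[VIC_INTENABLE / 4];
        else *out = vic[(addr - VIC_BASE) / 4];
        return 0;
    }
    if (addr - TIMER_BASE < sizeof tmr) { *out = tmr[(addr - TIMER_BASE) / 4]; return 0; }
    bus_faults++;
    return -1;
}
/* Emulator side: one timer period elapses; an enabled timer raises its VIC line. */
static void emu_timer_tick(void) {
    uint32_t c = tmr[TMR_CONTROL / 4];
    if (c & TMR_EN) tmr[TMR_RIS / 4] = 1;
    tmr[TMR_MIS / 4] = (c & TMR_INTEN) ? tmr[TMR_RIS / 4] : 0;
    if (tmr[TMR_MIS / 4]) vic[VIC_RAWINTR / 4] |= 1u << TIMER_IRQ;
}

/* Kernel side: the descriptor the image's boot path dispatches through (layout assumed). */
struct machine_desc { char name[16]; int (*init_irq)(void); int (*init_time)(void); };

/* Vendor drivers: fine on silicon, but they touch MMIO the emulator does not model. */
static int vendor_init_irq(void)  { return writel(0xffffffffu, VENDOR_IC + 0x4); }
static int vendor_init_time(void) { return writel(1000, VENDOR_TMR + 0x0); }

/* Transplanted drivers for the peripherals the emulator does model. */
static int pl190_init_irq(void) {
    if (writel(0xffffffffu, VIC_BASE + VIC_INTENCLEAR)) return -1;  /* mask everything */
    return writel(1u << TIMER_IRQ, VIC_BASE + VIC_INTENABLE);       /* unmask the tick */
}
static int sp804_init_time(void) {
    if (writel(10000, TIMER_BASE + TMR_LOAD)) return -1;
    return writel(TMR_EN | TMR_PERIODIC | TMR_INTEN | TMR_32BIT, TIMER_BASE + TMR_CONTROL);
}

/* A stand-in "kernel image": the descriptor sits between padding, as in a real binary. */
static struct { uint8_t pad0[64]; struct machine_desc md; uint8_t pad1[64]; } kernel_image =
    { {0}, { "vendor-soc", vendor_init_irq, vendor_init_time }, {0} };

/* Transplantation step 1: locate the descriptor in the image by its name string. */
static struct machine_desc *find_machine_desc(void *img, size_t len, const char *name) {
    uint8_t *p = img;
    size_t n = strlen(name) + 1;
    for (size_t i = 0; i + sizeof(struct machine_desc) <= len; i += sizeof(void *))
        if (memcmp(p + i, name, n) == 0) return (struct machine_desc *)(p + i);
    return NULL;
}
/* Transplantation step 2: redirect the two entry points to the transplanted drivers. */
static void transplant(struct machine_desc *md) {
    md->init_irq  = pl190_init_irq;
    md->init_time = sp804_init_time;
}

/* The image's boot path: platform init, then wait for the first scheduler tick.
 * Returns 1 if the tick is delivered (boot can proceed), 0 if boot stalls. */
static int boot(const struct machine_desc *md) {
    uint32_t status;
    memset(vic, 0, sizeof vic); memset(tmr, 0, sizeof tmr); bus_faults = 0;
    if (md->init_irq() || md->init_time()) return 0;
    emu_timer_tick();
    if (readl(VIC_BASE + VIC_IRQSTATUS, &status)) return 0;
    return (status >> TIMER_IRQ) & 1;
}

int main(void) {
    int stock = boot(&kernel_image.md);
    printf("stock image boots: %d (bus faults: %d)\n", stock, bus_faults);
    struct machine_desc *md = find_machine_desc(&kernel_image, sizeof kernel_image, "vendor-soc");
    if (!md) return 1;
    transplant(md);
    int rehosted = boot(md);
    printf("transplanted image boots: %d (bus faults: %d)\n", rehosted, bus_faults);
    return 0;
}
```

The two numbers that matter are the bus-fault count, which is the symptom a practitioner sees when an unsupported SoC's kernel is pointed at a QEMU board (the guest faults or hangs in platform init before the console is up), and the tick status after transplantation, which is the first sign that interrupt delivery works end to end. On a real image the descriptor-finding step is binary analysis rather than a string scan, and the transplanted drivers must be relocated into the image and the emulator must expose the matching peripherals at the addresses they expect.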



Published In

CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security
November 2021, 3558 pages
ISBN: 9781450384544
DOI: 10.1145/3460120

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

Linux kernel, peripheral transplantation, rehosting

Qualifiers

Research article

Funding Sources

• HK RGC Project
• Fundamental Research Funds for the Central Universities
• Leading Innovative and Entrepreneur Team Introduction Program of Zhejiang
• National Natural Science Foundation of China

Conference

CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security
November 15 - 19, 2021, Virtual Event, Republic of Korea

Acceptance Rates

Overall Acceptance Rate: 1,261 of 6,999 submissions, 18%


Cited By

• IoT Firmware Emulation and Its Security Application in Fuzzing: A Critical Revisit. Future Internet 17(1):19, 6 January 2025. doi:10.3390/fi17010019
• Fuzzing BusyBox. Proceedings of the 33rd USENIX Security Symposium, pp. 883-900, 14 August 2024. doi:10.5555/3698900.3698950
• Dvatar: Simulating the Binary Firmware of Drones. IEEE Internet of Things Journal 11(19):30661-30675, 1 October 2024. doi:10.1109/JIOT.2024.3416449
• IEmu: Interrupt modeling from the logic hidden in the firmware. Journal of Systems Architecture 154:103237, September 2024. doi:10.1016/j.sysarc.2024.103237
• FirmPorter: Porting RTOSes at the Binary Level for Firmware Re-hosting. Information and Communications Security, pp. 310-331, 25 December 2024. doi:10.1007/978-981-97-8801-9_16
• A Survey of the Security Analysis of Embedded Devices. Sensors 23(22):9221, 16 November 2023. doi:10.3390/s23229221
• Detecting Vulnerability on IoT Device Firmware: A Survey. IEEE/CAA Journal of Automatica Sinica 10(1):25-41, January 2023. doi:10.1109/JAS.2022.105860
