DOI: 10.1145/3427228.3427294 (ACSAC conference proceedings, research article)

FirmAE: Towards Large-Scale Emulation of IoT Firmware for Dynamic Analysis

Published: 08 December 2020

Abstract

One approach to assessing the security of embedded IoT devices is to apply dynamic analysis, such as fuzz testing, to their firmware at scale. To this end, existing approaches aim to provide an emulation environment that mimics the behavior of real hardware and peripherals. In practice, however, such approaches can emulate only a small fraction of firmware images. For example, Firmadyne, a state-of-the-art tool, can run only 183 (16.28%) of the 1,124 wireless router and IP camera images that we collected from the top eight manufacturers. This low emulation success rate is caused by discrepancies between the real and the emulated firmware execution environments.
In this study, we analyzed the emulation failure cases in a large-scale dataset to determine the causes of the low emulation rate. We found that widespread failure cases can often be avoided by simple heuristics despite having different root causes, which significantly increases the emulation success rate. Based on these findings, we propose a technique, arbitrated emulation, and systematize several heuristics as arbitration techniques to address these failures. Our automated prototype, FirmAE, successfully ran 892 (79.36%) of the 1,124 firmware images, including web servers, which is significantly (≈ 4.8x) more images than Firmadyne runs. Finally, by applying dynamic testing techniques to the emulated images, FirmAE could check 320 known vulnerabilities (306 more than Firmadyne) and also found 12 new 0-days in 23 devices.



Published In

ACSAC '20: Proceedings of the 36th Annual Computer Security Applications Conference, December 2020, 962 pages. ISBN: 9781450388580. DOI: 10.1145/3427228.
Publication rights licensed to ACM. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of a national government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. firmware
2. dynamic analysis
3. embedded device
4. emulation


Conference

ACSAC '20. Overall acceptance rate: 104 of 497 submissions, 21%.
