Avatar: A Framework to Support Dynamic Security Analysis of Embedded Systems’ Firmwares

21st Annual Network and Distributed System Security Symposium, NDSS 2014

Volumn , Issue , 2014, Pages

  Zaddach, Jonas ^a   Bruno, Luca ^a   Francillon, Aurélien ^a   Balzarotti, Davide ^a  

^a EURECOM   (France)

Author keywords

[No Author keywords available]

Indexed keywords

FIRMWARE; MOBILE SECURITY; REVERSE ENGINEERING; SECURITY SYSTEMS; SENSOR NODES; STATIC ANALYSIS;

ACCURATE ANALYSIS; DEDICATED TOOLS; DYNAMIC SECURITY ANALYSIS; DYNAMIC TAINT TRACINGS; DYNAMICS ANALYSIS; EMBEDDED DEVICE; EMBEDDED-SYSTEM; SECURITY ANALYSIS; SOURCE CODES; SYSTEM FIRMWARE;

EMBEDDED SYSTEMS;

EID: 84977858742     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.14722/ndss/2014.23229     Document Type: Conference Paper

References (60)

1. Anubis: Analyzing Unknown Binaries. http://anubis.iseclab.org/.
2. OsmocomBB. http://bb.osmocom.org/trac/.
3. IEEE Standard Test Access Port and Boundary-Scan Architecture, 1990. IEEE Standard. 1149.1-1990.
4. IEEE-ISTO 5001 - 2003 the nexus 5001 forum standard for a global embedded processor debug interface. IEEE - Industry Standards and Technology Organization, December 2003.
5. CWSandbox, 2008. http://www.cwsandbox.org.
6. AVGERINOS, T., CHA, S. K., HAO, B. L. T., AND BRUMLEY, D. AEG: Automatic exploit generation. In Network and Distributed System Security Symposium (Feb. 2011), pp. 283–300.
7. BELLARD, F. QEMU, a fast and portable dynamic translator. In ATEC ’05: Proceedings of the annual conference on USENIX Annual Technical Conference (Berkeley, CA, USA, 2005), USENIX Association, pp. 41–41.
8. BOJINOV, H., BURSZTEIN, E., AND BONEH, D. Embedded management interfaces: Emerging massive insecurity. In Blackhat 2009 Technical Briefing / whitepaper (2009).
9. CABALLERO, J., YIN, H., LIANG, Z., AND SONG, D. Polyglot: automatic extraction of protocol message format using dynamic binary analysis. In Proceedings of the 14th ACM conference on Computer and communications security (New York, NY, USA, 2007), CCS’07, ACM, pp. 317–329.
10. CADAR, C., DUNBAR, D., AND ENGLER, D. KLEE unassisted and automatic generation of high-coverage tests for complex systems programs. In OSDI (2008).
11. CARNA BOTNET. Internet census 2012, port scanning /0 using insecure embedded devices, 2012. http://internetcensus2012.bitbucket.org/paper. html.
12. CHECKOWAY, S., MCCOY, D., ANDERSON, D., KANTOR, B., SAVAGE, S., KOSCHER, K., CZESKIS, A., ROESNER, F., AND KOHNO, T. Comprehensive Experimental Analysis of Automototive Attack Surfaces. In Proceedings of the USENIX Security Symposium (San Francisco, CA, August 2011).
13. CHING, P. C., CHENG, Y., AND KO, M. H. An in-circuit emulator for TMS320C25. IEEE Transactions on Education 37, 1 (1994), 51–56.
14. CHIPOUNOV, V., AND CANDEA, G. Reverse Engineering of Binary Device Drivers with RevNIC. In Proceedings of the 5th ACM SIGOPS/EuroSys European Conference on Computer Systems (EuroSys), Paris France, April 2010 (Paris, France, 2010).
15. CHIPOUNOV, V., KUZNETSOV, V., AND CANDEA, G. The S2E Platform: Design, Implementation, and Applications. ACM Trans. Comput. Syst. 30, 1 (Feb. 2012), 2:1–2:49.
16. CLARK, C., FRASER, K., HAND, S., HANSEN, J. G., JUL, E., LIMPACH, C., PRATT, I., AND WARFIELD, A. Live migration of virtual machines. In Proceedings of the 2nd conference on Symposium on Networked Systems Design & Implementation - Volume 2 (Berkeley, CA, USA, 2005), NSDI’05, USENIX Association, pp. 273–286.
17. COZZIE, A., STRATTON, F., XUE, H., AND KING, S. T. Digging for data structures. In Proceedings of the 8th USENIX conference on Operating systems design and implementation (Berkeley, CA, USA, 2008), OSDI’08, USENIX Association, pp. 255–266.
18. CRISTIAN, F. Exception handling and software fault tolerance. IEEE Transactions on Computers C-31, 6 (1982), 531–540.
19. CUI, A., COSTELLO, M., AND STOLFO, S. J. When firmware modifications attack: A case study of embedded exploitation. In 20th Annual Network and Distributed System Security Symposium, NDSS 2013, San Diego, California, USA, February 24-27, 2013 (2013), The Internet Society.
20. CUI, A., AND STOLFO, S. J. Defending embedded systems with software symbiotes. In Proceedings of the 14th International Conference on Recent Advances in Intrusion Detection (Berlin, Heidelberg, 2011), RAID’11, Springer-Verlag, pp. 358–377.
21. CUI, W., PEINADO, M., CHEN, K., WANG, H. J., AND IRUN-BRIZ, L. Tupni: automatic reverse engineering of input formats. In CCS ’08: Proceedings of the 15th ACM conference on Computer and communications security (New York, NY, USA, 2008), ACM, pp. 391–402.
22. DAVIDSON, D., MOENCH, B., JHA, S., AND RISTENPART, T. FIE on firmware: Finding vulnerabilities in embedded systems using symbolic execution. In Proceedings of the USENIX Security Symposium (Washington, DC, August 2013).
23. DELUGRÉ, G. Closer to metal: Reverse engineering the broadcom netextreme’s firmware. HACK.LU 2010.
24. EGELE, M., SCHOLTE, T., KIRDA, E., AND KRUEGEL, C. A survey on automated dynamic malware-analysis techniques and tools. ACM Comput. Surv. 44, 2 (Mar. 2008), 6:1–6:42.
25. FALLIERE, N., MURCHU, L. O., AND CHIEN, E. W32.Stuxnet Dossier, 2011.
26. FREESCALE SEMICONDUCTOR, INC. MC1322x Simple Media Access Controller Demonstration Applications User’s Guide, 9 2011. Rev. 1.3.
27. FREESCALE SEMICONDUCTOR, INC. MC1322x Simple Media Access Controller (SMAC) Reference Manual, 09 2011. Rev. 1.7.
28. GODEFROID, P., LEVIN, M. Y., AND MOLNAR, D. Automated White-box Fuzz Testing. In Network Distributed Security Symposium (NDSS) (2008), Internet Society.
29. GODEFROID, P., LEVIN, M. Y., AND MOLNAR, D. SAGE: whitebox fuzzing for security testing. Communications of The ACM (2012), 40–44.
30. HALLER, I., SLOWINSKA, A., NEUGSCHWANDTNER, M., AND BOS, H. Dowsing for overflows: A guided fuzzer to find buffer boundary violations. In Proceedings of USENIX Security’13 (Washington, DC, August 2013), USENIX.
31. HAN, Y., LIU, S., SU, X., AND HU, Z. A dynamic analysis system for Cisco IO based on virtualization. In Multimedia Information Networking and Security (MINES), 2011 Third International Conference on (2011), pp. 330–332.
32. IEEE COMPUTER SOCIETY. IEEE 802.15.4, Wireless Medium Access Control (MAC) and Physical Layer (PHY) Specifications for Low-Rate Wireless Personal Area Networks (WPANs), June 2006. ISBN 0-7381-4996-9.
33. KANG, M. G., MCCAMANT, S., POOSANKAM, P., AND SONG, D. DTA++: Dynamic Taint Analysis with Targeted Control-Flow Propagation. In Proceedings of the 18th Annual Network and Distributed System Security Symposium (San Diego, CA, Feb. 2011).
34. KANG, M. G., POOSANKAM, P., AND YIN, H. Renovo: a hidden code extractor for packed executables. In Proceedings of the 2007 ACM workshop on Recurring malcode (New York, NY, USA, 2007), WORM ’07, ACM, pp. 46–53.
35. KAO, C.-F., HUANG, I.-J., AND CHEN, H.-M. Hardware-software approaches to in-circuit emulation for embedded processors. Design Test of Computers, IEEE 25, 5 (2008), 462–477.
36. KIRCHNER, A. Data Leak Detection in Smartphone Applications. Master thesis, Vienna University of Technology.
37. KUZNETSOV, V., CHIPOUNOV, V., AND CANDEA, G. Testing closed-source binary device drivers with DDT. In Proceedings of the 2010 USENIX conference on USENIX annual technical conference (Berkeley, CA, USA, 2010), USENIXATC’10, USENIX Association, pp. 12–12.
38. KUZNETSOV, V., KINDER, J., BUCUR, S., AND CANDEA, G. Efficient state merging in symbolic execution. In Proceedings of the 33rd ACM SIGPLAN Conference on Programming Language Design and Implementation (New York, NY, USA, 2012), PLDI’12, ACM, pp. 193–204.
39. LATTNER, C., AND ADVE, V. LLVM: A compilation framework for lifelong program analysis & transformation. In International Symposium on Code Generation and Optimization, 2004. CGO 2004. (2004), IEEE, pp. 75–86.
40. LEE, Y.-H., SONG, Y. W., GIRME, R., ZAVERI, S., AND CHEN, Y. Replay debugging for multi-threaded embedded software. In Embedded and Ubiquitous Computing (EUC), 2010 IEEE/IFIP 8th International Conference on (2010), pp. 15–22.
41. LI, L., AND WANG, C. Dynamic analysis and debugging of binary code for security applications. In 4th International Conference on Runtime Verification (RV) 2013, Rennes, France, September 24-27, 2013. Proceedings (2013), vol. 8174 of Lecture Notes in Computer Science, Springer, pp. 403–423.
42. MELEAR, C. Emulation techniques for microcontrollers. In Wescon/97. Conference Proceedings (1997), pp. 532–541.
43. MONTENEGRO, G., KUSHALNAGAR, N., HUI, J., AND CULLER, D. Transmission of IPv6 packets over IEEE 802.15.4 networks (RFC 4944). Tech. rep., IETF, September 2007. http://www.ietf.org/rfc/rfc4944.txt.
44. MULLINER, C., GOLDE, N., AND SEIFERT, J.-P. SMS of Death: From Analyzing to Attacking Mobile Phones on a Large Scale. In Proceedings of the 20th USENIX Security Symposium (San Francisco, CA, USA, August 2011).
45. NOHL, K., EVANS, D., STARBUG, S., AND PLÖTZ, H. Reverse-engineering a cryptographic RFID tag. In Proceedings of the 17th conference on Security symposium (Berkeley, CA, USA, 2008), USENIX Association, pp. 185–193.
46. PEREZ, Y.-A., AND DUFLOT, L. Can you still trust your network card? CanSecWest 2010.
47. REDWIRE LLC. Econotag: MC13224V development board w/ on-board debugging. http://www.redwirellc.com/store/node/1.
48. RENZELMANN, M. J., KADAV, A., AND SWIFT, M. M. SymDrive: testing drivers without devices. In Proceedings of the 10th USENIX conference on Operating Systems Design and Implementation (Berkeley, CA, USA, 2012), OSDI’12, USENIX Association, pp. 279–292.
49. SCHLICH, B. Model checking of software for microcontrollers. ACM Trans. Embed. Comput. Syst. 9, 4 (Apr. 2010), 36:1–36:27.
50. SCHMITT, P. H., AND WEISS, B. Inferring invariants by symbolic execution. In Proceedings, 4th International Verification Workshop (VERIFY’07) (2007), B. Beckert, Ed., vol. 259 of CEUR Workshop Proceedings, CEUR-WS.org, pp. 195–210.
51. SCHWARTZ, E. J., AVGERINOS, T., AND BRUMLEY, D. All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In Proceedings of the 2010 IEEE Symposium on Security and Privacy (Washington, DC, USA, 2010), SP’10, IEEE Computer Society, pp. 317–331.
52. SLOWINSKA, A., STANCESCU, T., AND BOS, H. Howard: A dynamic excavator for reverse engineering data structures. In Proceedings of the Network and Distributed System Security Symposium, NDSS 2011, San Diego, California, USA, 6th February - 9th February 2011 (2011).
53. SONG, D., BRUMLEY, D., CABALLERO, J., JAGER, I., KANG, M. G., LIANG, Z., NEWSOME, J., POOSANKAM, P., AND SAXENA, P. Bit-blaze: A new approach to computer security via binary analysis. In In Proceedings of the 4th International Conference on Information Systems Security (2008).
54. TRIULZI, A. A SSH server in your NIC. PacSec 2008.
55. WANG, T., WEI, T., GU, G., AND ZOU, W. TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection. In IEEE Symposium on Security and Privacy (2010), pp. 497–512.
56. WEINMANN, R.-P. Baseband attacks: remote exploitation of memory corruptions in cellular protocol stacks. In Proceedings of the 6th USENIX conference on Offensive Technologies (Berkeley, CA, USA, 2012), WOOT’12, USENIX Association, pp. 2–2.
57. WELTE, H. Anatomy of Contemporary GSM Cellphone Hardware.
58. WILLIAMS, M. ARMV8 debug and trace architectures. In System, Software, SoC and Silicon Debug Conference (S4D), 2012 (2012), pp. 1–6.
59. XU, M., BODIK, R., AND HILL, M. D. A”flight data recorder” for enabling full-system multiprocessor deterministic replay. In Proceedings of the 30th annual international symposium on Computer architecture (New York, NY, USA, 2003), ISCA’03, ACM, pp. 122–135.
60. ZADDACH, J., KURMUS, A., BALZAROTTI, D., BLASS, E. O., FRANCILLON, A., GOODSPEED, T., GUPTA, M., AND KOLTSIDAS, I. Implementation and implications of a stealth hard-drive backdoor. In ACSAC 2013, 29th Annual Computer Security Applications Conference, December 9-13, 2013, New Orleans, Louisiana, USA (New orleans, UNITED STATES, 12 2013).