FIE on firmware: Finding vulnerabilities in embedded systems using symbolic execution

Proceedings of the 22nd USENIX Security Symposium

Volumn , Issue , 2013, Pages 463-478

  Davidson, Drew ^a   Moench, Benjamin ^a   Jha, Somesh ^a   Ristenpart, Thomas ^a  

^a UNIVERSITY OF WISCONSIN MADISON   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

C (PROGRAMMING LANGUAGE); EMBEDDED SYSTEMS; FIRMWARE; MODEL CHECKING; OPEN SOURCE SOFTWARE;

ARCHITECTURAL FEATURES; DESIGN AND IMPLEMENTS; DETECTING BUGS; LOW POWER MICROPROCESSORS; SECURITY PROPERTIES; SECURITY-CRITICAL; SOURCE CODE ANALYSIS; SYMBOLIC EXECUTION;

PROGRAM DEBUGGING;

EID: 85075533110     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (36)

1. Amazon. Amazon elastic compute cloud. http://aws.amazon.com/ec2, 2013. Last accessed Jun 2013.
2. T. Avgerinos, S. K. Cha, B. L. T. Hao, and D. Brumley. AEG: Automatic exploit generation. In Network and Distributed System Security Symposium (NDSS), 2011.
3. T. Ball, V. Levin, and S. K. Rajamani. A decade of software model checking with SLAM. Commun. ACM, 54(7):68-76, July 2011.
4. A. Bessey, K. Block, B. Chelf, A. Chou, B. Fulton, S. Hallem, C. Henri-Gros, A. Kamsky, S. McPeak, and D. Engler. A few billion lines of code later: using static analysis to find bugs in the real world. Commun. ACM, 53(2):66-75, Feb. 2010.
5. D. Beyer, T. A. Henzinger, R. Jhala, and R. Majumdar. The software model checker Blast: Applications to software engineering. Int. J. Softw. Tools Technol. Transf., 9(5):505-525, Oct. 2007.
6. P. Boonstoppel, C. Cadar, and D. Engler. RWset: Attacking path explosion in constraint-based test generation. In C. Ramakrishnan and J. Rehof, editors, Tools and Algorithms for the Construction and Analysis of Systems, Volume 4963 of Lecture Notes in Computer Science, pages 351-366. Springer Berlin Heidelberg, 2008.
7. D. Brumley, C. Hartwig, M. G. Kang, Z. Liang, J. Newsome, P. Poosankam, D. Song, and H. Yin. BitScope: Automatically dissecting malicious binaries. Technical report, In CMU-CS-07-133, 2007.
8. D. Brumley, J. Newsome, D. Song, H. Wang, and S. Jha. Towards automatic generation of vulnerability-based signatures. In Proceedings of the 2006 IEEE Symposium on Security and Privacy (SP), pages 2-16. IEEE Computer Society, 2006.
9. S. Bucur, V. Ureche, C. Zamfir, and G. Candea. Parallel symbolic execution for automated real-world software testing. In EuroSys, pages 183-198, 2011.
10. C. Cadar, D. Dunbar, and D. Engler. KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs. In Proceedings of the 8th USENIX conference on Operating systems design and implementation (OSDI), pages 209-224. USENIX Association, 2008.
11. C. Cadar, V. Ganesh, P. M. Pawlowski, D. L. Dill, and D. R. Engler. EXE: automatically generating inputs of death. In ACM Conference on Computer and Communications security, pages 322-335. ACM, 2006.
12. S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, S. Savage, K. Koscher, A. Czeskis, F. Roesner, and T. Kohno. Comprehensive experimental analyses of automotive attack surfaces. In Proceedings of USENIX Security, 2011.
13. V. Chipounov and G. Candea. Reverse engineering of binary device drivers with RevNIC. In EuroSys, pages 167-180, 2010.
14. V. Chipounov, V. Kuznetsov, and G. Candea. S2E: a platform for in-vivo multi-path analysis of software systems. SIGPLAN Not., 46(3):265-278, Mar. 2011.
15. L. Ciortea, C. Zamfir, S. Bucur, V. Chipounov, and G. Candea. Cloud9: a software testing service. SIGOPS Oper. Syst. Rev., 43(4):5-10, Jan. 2010.
16. Codenomicon. Codenomicon defensics. http://www.codenomicon.com, 2013. Last accessed Jun 2013.
17. M. Costa, M. Castro, L. Zhou, L. Zhang, and M. Peinado. Bouncer: securing software by blocking bad input. In Symposium on Operating System Principles (SOSP), pages 117-130, 2007.
18. A. Cui, M. Costello, and S. J. Stolfo. When firmware modifications attack: A case study of embedded exploitation. In Network and Distributed System Security Symposium (NDSS), 2013.
19. A. Cui and S. J. Stolfo. A quantitative analysis of the insecurity of embedded network devices: results of a wide-area scan. In Annual Computer Security Applications Conference (ACSAC), pages 97-106. ACM, 2010.
20. W. Frisby, B. Moench, B. Recht, and T. Ristenpart. Security analysis of smartphone point-of-sale systems. In Proceedings of the 6th USENIX conference on Offensive Technologies (WOOT), pages 3-3, 2012.
21. D. Halperin, T. Heydt-Benjamin, B. Ransford, S. Clark, B. Defend, W. Morgan, K. Fu, T. Kohno, and W. Maisel. Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses. In IEEE Symposium on Security and Privacy (SP), pages 129-142, 2008.
22. D. Halperin, T. Kohno, T. Heydt-Benjamin, K. Fu, and W. Maisel. Security and privacy for implantable medical devices. Pervasive Computing, IEEE, 7(1):30-39, 2008.
23. T. Hansen, P. Schachte, and H. Søndergaard. State joining and splitting for the symbolic execution of binaries. In Runtime Verification, 9th International Workshop, RV 2009, pages 76-92, 2009.
24. K. Koscher, A. Czeskis, F. Roesner, S. Patel, T. Kohno, S. Checkoway, D. McCoy, B. Kantor, D. Anderson, H. Shacham, et al. Experimental security analysis of a modern automobile. In 2010 IEEE Symposium on Security and Privacy, pages 447-462. IEEE, 2010.
25. V. Kuznetsov, J. Kinder, S. Bucur, and G. Candea. Efficient state merging in symbolic execution. In PLDI, pages 193-204, 2012.
26. M. J. Renzelmann, A. Kadav, and M. M. Swift. Symdrive: testing drivers without devices. In Proceedings of the 10th USENIX conference on Operating Systems Design and Implementation, pages 279-292. USENIX Association, 2012.
27. I. Rouf, R. Miller, H. Mustafa, T. Taylor, S. Oh, W. Xu, M. Gruteser, W. Trappe, and I. Seskar. Security and privacy vulnerabilities of in-car wireless networks: a tire pressure monitoring system case study. In Proceedings of the 19th USENIX conference on Security, 2010.
28. R. Sasnauskas, O. Landsiedel, M. H. Alizai, C. Weise, S. Kowalewski, and K. Wehrle. Kleenet: Discovering insidious interaction bugs in wireless sensor networks before deployment. In ACM/IEEE International Conference on Information Processing in Sensor Networks (IPSN), Stockholm, Sweden, April 2010.
29. P. Saxena, P. Poosankam, S. McCamant, and D. Song. Loop-extended symbolic execution on binary programs. In International Symposium in Software Testing and Analysis (ISSTA), pages 225-236, 2009.
30. K. Sen, D. Marinov, and G. Agha. CUTE: A concolic unit testing engine for C. In Proceedings of the 10th European software engineering conference held jointly with 13th ACM SIGSOFT international symposium on Foundations of software engineering, ESEC/FSE-13, pages 263-272, New York, NY, USA, 2005. ACM.
31. A. Slowinska, T. Stancescu, and H. Bos. Howard: A dynamic excavator for reverse engineering data structures. In Network and Distributed System Security Symposium (NDSS), 2011.
32. U. Stern and D. L. Dill. Improved probabilistic verification by hash compaction. In In Advanced Research Working Conference on Correct Hardware Design and Verification Methods, pages 206-224. Springer-Verlag, 1995.
33. Texas Instruments. Microcontroller projects website. http://e2e.ti.com/group/microcontrollerprojects/m/msp430microcontrollerprojects/default.aspx. Last accessed Jun 2013.
34. Texas Instruments. MSP430 for security applications. http://www.ti.com/mcu/docs/mcuorphan.tsp?contentId=33485&DCMP=MSP430&HQS=Other+OT+430security, January 2012.
35. The Contiki Project. Contiki. http://www.contiki-os.org/. Last accessed Jun 2013.
36. C. Zamfir and G. Candea. Execution synthesis: a technique for automated software debugging. In EuroSys, pages 321-334, 2010.