A Large Scale Analysis of the Security of Embedded Firmwares (PowerPoint PPT Presentation)

SLIDE 1

A Large Scale Analysis of the Security of Embedded Firmwares

A. Costin, J. Zaddach, A. Francillon, D. Balzarotti

EURECOM, France, 20th August 2014, USENIX Security '14 – San Diego, USA

SLIDE 2

Andrei Costin 2

Embedded Systems Are Everywhere

By Wilgengebroed on Flickr [CC-BY-2.0]

SLIDE 3

Smarter & More Complex

By Wilgengebroed on Flickr [CC-BY-2.0]

SLIDE 4

Heavily Interconnected

By Wilgengebroed on Flickr [CC-BY-2.0]

SLIDE 11

Many Examples of Insecure Embedded Systems

  • Routers
  • Printers
  • VoIP
  • Cars
  • Drones
  • ...
  • Each of the above is the result of an individual analysis
    • Manual and tedious effort; does not scale
SLIDE 12

The Goal

Perform a large scale analysis to provide a better understanding of the problem

SLIDE 14

The Problem With Large Scale Analysis

  • Heterogeneity of
    • Hardware, architectures, OSes
    • Users, requirements
    • Security goals
  • Manual analysis does not scale; it requires
    • Finding and downloading the firmwares
    • Unpacking and performing initial analysis
    • Re-discovering the same or similar bug in other firmwares

SLIDE 16

Previous Approaches

  • Test on real devices [Bojinov09CCS]
    • Accurate results
    • Does not scale well
  • Scan devices on the Internet
    • Large scale testing [Cui10ACSAC]
      – Can only test for known vulnerabilities
      – Blackbox approach
    • More is too intrusive [Census2012]
SLIDE 21

Our Approach to The Large Scale Analysis

  • Collect a large number of firmware images
  • Perform broad but simple static analysis
  • Correlate across firmwares
  • Advantages
    • No intrusive online testing, no devices involved
    • Scalable
  • But many challenges
SLIDE 22

Mainstream Systems Have Centralized Updates

SLIDE 23

Challenge: Embedded Systems Have No Centralized Updates

SLIDE 27

Collecting a Dataset

  • No large scale firmware dataset yet
    • As opposed to existing datasets in security or other CS research areas
  • We collected a subset of the firmwares available for download
  • Many firmwares are not publicly available
    • Not intended to have an upgrade
    • Require product purchase and registration
  • www.firmware.re project
SLIDE 30

Challenge: Firmware Identification

Image labels: Clearly a Firmware / Clearly not a Firmware / Uncertain

SLIDE 31

Challenge: Firmware Identification

  • E.g., upgrade by printing a PostScript (PS) document
SLIDE 35

Challenge: Unpacking & Custom Formats

  • How to reliably unpack and learn formats?
  • E.g., vendor provides a .ZIP 'firmware package'
    • .ZIP → .EXE + .PS
      – .EXE → self-extracting archive
        • Extract more or not?
        • Turns out to contain a printer driver inside
      – .PS → ASCII85 stream → ELF file that could be:
        • A complete embedded system software
        • An executable performing the firmware upgrade
        • A firmware patch
  • Often, a firmware image → just a 'data' binary blob
SLIDE 38

Our Approach to Unpacking & Custom Formats

  • We compared existing tools
  • Used BAT (Binary Analysis Toolkit)
    • Extended it with multiple custom unpackers
    • Continuous development effort
  • Often, a firmware image → just a 'data' binary blob
    • File carving required
    • Brute-force at every offset with all known unpackers
    • Heuristics for detecting when to stop
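The brute-force carving on this slide, as an added example that is not the authors' code or part of BAT: every known signature is tried at every offset of a constructed 'data' blob, only gzip members are actually unpacked here, and two stop heuristics apply (bytes consumed by a successful extraction are skipped, and recursion into nested payloads is bounded). The SIGNATURES table, try_gzip, carve and build_sample are this example's own assumptions.

```python
import gzip
import zlib

# Magic bytes for a few containers that commonly sit inside firmware blobs.
# Constructed, deliberately small table; BAT's real signature list is far larger.
SIGNATURES = {
    b"\x1f\x8b\x08": "gzip",
    b"hsqs": "squashfs",
    b"\x7fELF": "elf",
}
MAX_DEPTH = 3  # stop heuristic: bound recursion into nested payloads


def try_gzip(blob, off):
    """Inflate a gzip member starting at `off`; return (payload, bytes_consumed) or None."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    try:
        payload = d.decompress(blob[off:])
    except zlib.error:
        return None
    if not d.eof or not payload:  # truncated or empty stream: treat as a false hit
        return None
    return payload, len(blob) - off - len(d.unused_data)


def carve(blob, depth=0):
    """Brute-force every offset of `blob` against every known signature.
    Returns [(depth, offset, kind)]; an inflatable member is skipped as a whole
    and its payload carved recursively, but only up to MAX_DEPTH."""
    findings, off = [], 0
    while off < len(blob):
        kind = next((k for m, k in SIGNATURES.items() if blob.startswith(m, off)), None)
        if kind is None:
            off += 1
            continue
        findings.append((depth, off, kind))
        hit = try_gzip(blob, off) if kind == "gzip" else None  # only a gzip unpacker here
        if hit is None:
            off += 1  # signature did not unpack: keep scanning byte by byte
            continue
        payload, consumed = hit
        if depth < MAX_DEPTH:
            findings.extend(carve(payload, depth + 1))
        off += consumed  # do not re-scan the bytes of a member already unpacked
    return findings


def build_sample():
    """Constructed blob: padding, a gzip-wrapped ELF-like stub, then a squashfs magic."""
    elf_stub = b"\x7fELF\x01\x01\x01" + b"\x00" * 40
    return b"\x00" * 16 + gzip.compress(elf_stub) + b"\xff" * 8 + b"hsqs" + b"\x00" * 16
```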
SLIDE 40

Challenge: Scalability & Computational Limits

  • Unpacking and file carving is very CPU intensive
  • Results in millions of unpacked files
    • Manual analysis infeasible
    • One-to-one fuzzy hash comparison is CPU intensive

SLIDE 42

Challenge: Results Confirmation

  • An issue found statically
    • May not apply to a real device
    • Cannot guarantee exploitability
    • E.g., vulnerable daemon present but never started
  • Issue confirmation is difficult
    • Requires advanced analysis (static & dynamic)
    • Often requires real embedded devices
    • Does not scale well in heterogeneous environments
SLIDE 49

Architecture

Diagram components: Internet; Crawl; Public Web Interface; Submit; Firmware Datastore; Master; Distribute; Workers; Unpacking; Static Analysis; Fuzzy Hashing; Password Hash Cracker; Firmware Analysis Cloud; Analysis & Reports DB; Data Enrichment; Correlation Engine

SLIDE 52

Crawler

  • 759 K collected files, 1.8 TB of disk space
  • FTP-index engines and GCSE (Google Custom Search Engine)
SLIDE 53

www.Firmware.RE (beta) will provide unpacking and analysis

SLIDE 54

Unpacking

  • 759 K total files collected
  • 172 K filtered interesting files (filter non-firmware)
  • 32 K analyzed (random selection)
  • 26 K unpacked, fully or partially (successful unpack)
  • 1.7 M resulting files after unpacking (unpacked files)

SLIDE 55

Static Analysis

  • Correlation/clustering
    • Fuzzy hashes, private SSL keys, credentials
  • Misconfigurations
    • Web-server configs, credentials, code repositories
  • Data enrichment
    • Version banners
    • Keywords (e.g., telnet, shell, UART, backdoor)
SLIDE 60

Example: Correlation

  • Correlation via fuzzy-hashes (ssdeep, sdhash)
  • E.g., vulnerability propagation

Diagram: Firmware 1 to Firmware 5, linked by fuzzy-hash similarity scores of 95%, 99% and 0%

SLIDE 66

Example: RSA Keys

  • SSL keys correlation + vulnerability propagation

Diagram labels: Analysis & Reports Database; Private RSA keys; VendorA Device1; VendorB Device2; SAME private RSA key, SAME self-signed SSL certificate, DIFFERENT vendor; HTTPS Ecosystem Scans (ZMap); Check IP addresses; 1 key → ~30,000 IPs; Common Vulnerable Components
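The private-key correlation shown in the diagram, as an added example that is not from the paper or Firmware.RE: every PEM private key found in several unpacked firmware trees is fingerprinted, images embedding the same key are grouped, and keys that recur across vendors are flagged. The corpus, key bodies, vendor names and file paths are all constructed for this example.

```python
import hashlib
import re

# PEM private-key blocks as they appear in unpacked firmware file systems.
PEM_RE = re.compile(
    rb"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----(.*?)-----END (?:RSA |EC )?PRIVATE KEY-----",
    re.S,
)


def key_fingerprints(tree):
    """Yield (fingerprint, path) for every PEM private key in an unpacked tree ({path: bytes}).
    Whitespace in the body is dropped so the same key with different line wrapping matches."""
    for path, data in tree.items():
        for body in PEM_RE.findall(data):
            yield hashlib.sha256(b"".join(body.split())).hexdigest()[:16], path


def correlate(firmwares):
    """firmwares: {(vendor, image): {path: bytes}}.
    Returns {fingerprint: sorted [(vendor, image, path)]} for keys found in more than one image."""
    seen = {}
    for (vendor, image), tree in firmwares.items():
        for fp, path in key_fingerprints(tree):
            seen.setdefault(fp, set()).add((vendor, image, path))
    return {fp: sorted(hits) for fp, hits in seen.items()
            if len({(v, i) for v, i, _ in hits}) > 1}


def cross_vendor(shared):
    """Fingerprints shared by more than one vendor (the VendorA/VendorB case on the slide)."""
    return sorted(fp for fp, hits in shared.items() if len({v for v, _, _ in hits}) > 1)


def build_sample():
    """Constructed corpus: the PEM bodies are base64-looking filler, NOT real keys."""
    def pem(body):
        return b"-----BEGIN RSA PRIVATE KEY-----\n" + body + b"\n-----END RSA PRIVATE KEY-----\n"
    k1 = pem(b"MIIBOgIBAAJBALRiMLAHc0x+\nZmFrZWtleW9uZQ==")           # wrapped ...
    k1_rewrapped = pem(b"MIIBOgIBAAJBALRiMLAHc0x+ZmFrZWtleW9uZQ==")   # ... and unwrapped
    k2 = pem(b"MIIBOgIBAAJBAKZmFrZWtleXR3bw==")
    k3 = pem(b"MIIBOgIBAAJBAMZmFrZWtleXRocmVl")
    return {
        ("VendorA", "device1-fw-1.0.bin"): {"/etc/ssl/server.pem": k1, "/etc/ssh/host.key": k2},
        ("VendorA", "device1-fw-1.1.bin"): {"/etc/ssl/server.pem": k1_rewrapped, "/etc/ssh/host.key": k2},
        ("VendorB", "device2-fw-2.3.bin"): {"/usr/share/cert.pem": k1},
        ("VendorC", "cam-fw.bin"): {"/etc/key.pem": k3},
    }
```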

SLIDE 67

Results: Summary

  • 38 new vulnerabilities (CVE)
  • Correlated them to 140 K online devices
  • 693 firmware files affected by at least one vulnerability
SLIDE 68

Contributions Summary

  • First large-scale static analysis of firmwares
  • Described the main challenges associated
  • Shown the advantages of performing a large-scale analysis of firmware images
  • Implemented a framework and several efficient static techniques

SLIDE 69

Conclusions

  • A broader view on firmwares
    • Not only beneficial
    • But necessary for discovery and analysis of vulnerabilities
  • Correlation reveals firmware relationships
    • Shows how vulnerabilities reappear across different products
    • Could allow seeing how firmwares evolve/get fixed
SLIDE 70

Conclusions

  • There are plenty of latent vulnerabilities
  • Security
    • Tradeoff with cost and time-to-market
    • Clearly not a priority for some vendors
SLIDE 71

Thank You! Questions?

{name.surname}@eurecom.fr

SLIDE 72

References

  • [1] A. Costin, J. Zaddach, A. Francillon, D. Balzarotti, "A Large-Scale Analysis of the Security of Embedded Firmwares", In Proceedings of the 23rd USENIX Conference on Security (to appear)
  • [2] A. Costin, J. Zaddach, "Poster: Firmware.RE: Firmware Unpacking and Analysis as a Service", In Proceedings of the ACM Conference on Security and Privacy in Wireless Mobile Networks (WiSec) '14
  • [3] A. Costin, A. Francillon, "Short paper: A Dangerous 'Pyrotechnic Composition': Fireworks, Embedded Wireless and Insecurity-by-Design", In Proceedings of the ACM Conference on Security and Privacy in Wireless Mobile Networks (WiSec) '14