a large scale analysis of the security of embedded
play

A Large Scale Analysis of the Security of Embedded Firmwares A. - PowerPoint PPT Presentation

Jan 07, 2023 •295 likes •1.03k views

A Large Scale Analysis of the Security of Embedded Firmwares A. Costin , J. Zaddach, A. Francillon, D. Balzarotti EURECOM, France 20th August 2014 USENIX Security '14 San Diego, USA Embedded Systems Are Everywhere Andrei Costin 2 By

  1. A Large Scale Analysis of the Security of Embedded Firmwares A. Costin , J. Zaddach, A. Francillon, D. Balzarotti EURECOM, France 20th August 2014 USENIX Security '14 – San Diego, USA

  2. Embedded Systems Are Everywhere Andrei Costin 2 By Wilgengebroed on Flickr [CC-BY-2.0]

  3. Smarter & More Complex Andrei Costin 3 By Wilgengebroed on Flickr [CC-BY-2.0]

  4. Heavily Interconnected Andrei Costin 4 By Wilgengebroed on Flickr [CC-BY-2.0]

  5. Many Examples of Insecure Embedded Systems ● Routers Andrei Costin 5

  6. Many Examples of Insecure Embedded Systems ● Routers ● Printers Andrei Costin 6

  7. Many Examples of Insecure Embedded Systems ● Routers ● Printers ● VoIP Andrei Costin 7

  8. Many Examples of Insecure Embedded Systems ● Routers ● Printers ● VoIP ● Cars Andrei Costin 8

  9. Many Examples of Insecure Embedded Systems ● Routers ● Printers ● VoIP ● Cars ● Drones Andrei Costin 9

  10. Many Examples of Insecure Embedded Systems ● Routers ● Printers ● VoIP ● Cars ● Drones ● ... Andrei Costin 10

  11. Many Examples of Insecure Embedded Systems ● Routers ● Printers ● VoIP ● Cars ● Drones ● ... ● Each of above is a result of an individual analysis ● Manual and tedious efforts, Does not scale Andrei Costin 11

  12. The Goal Perform a large scale analysis to provide a better undestanding of the problem Andrei Costin 12

  13. The Problem With Large Scale Analysis ● Heterogeneity of ● Hardware, architectures, OSes ● Users, requirements ● Security goals Andrei Costin 13

  14. The Problem With Large Scale Analysis ● Heterogeneity of ● Hardware, architectures, OSes ● Users, requirements ● Security goals ● Manual analysis does not scale, it requires ● Finding and downloading the firmwares ● Unpacking and performing initial analysis ● Re -discovering the same or similar bug in other firmwares Andrei Costin 14

  15. Previous Approaches ● Test on real devices [Bojinov09CCS] ● Accurate results ● Does not scale well Andrei Costin 15

  16. Previous Approaches ● Test on real devices [Bojinov09CCS] ● Accurate results ● Does not scale well ● Scan devices on the Internet ● Large scale testing [Cui10ACSAC] – Can only test for known vulnerabilities – Blackbox approach ● More is too intrusive [Census2012] Andrei Costin 16

  17. Our Approach to The Large Scale Analysis ● Collect a large number of firmware images Andrei Costin 17

  18. Our Approach to The Large Scale Analysis ● Collect a large number of firmware images ● Perform broad but simple static analysis Andrei Costin 18

  19. Our Approach to The Large Scale Analysis ● Collect a large number of firmware images ● Perform broad but simple static analysis ● Correlate across firmwares Andrei Costin 19

  20. Our Approach to The Large Scale Analysis ● Collect a large number of firmware images ● Perform broad but simple static analysis ● Correlate across firmwares ● Advantages ● No intrusive online testing, no devices involved ● Scalable Andrei Costin 20

  21. Our Approach to The Large Scale Analysis ● Collect a large number of firmware images ● Perform broad but simple static analysis ● Correlate across firmwares ● Advantages ● No intrusive online testing, no devices involved ● Scalable ● But many challenges Andrei Costin 21

  22. Mainstream Systems Have Centralized Updates Andrei Costin 22

  23. Challenge: Embedded Systems Have No Centralized Updates Andrei Costin 23

  24. Collecting a Dataset ● No large scale firmware dataset yet ● As opposed to existing datasets in security or other CS research areas Andrei Costin 24

  25. Collecting a Dataset ● No large scale firmware dataset yet ● As opposed to existing datasets in security or other CS research areas ● We collected a subset of the firmwares available for download Andrei Costin 25

  26. Collecting a Dataset ● No large scale firmware dataset yet ● As opposed to existing datasets in security or other CS research areas ● We collected a subset of the firmwares available for download ● Many firmwares are not publicly available ● Not intended to have an upgrade ● Require product purchase and registration Andrei Costin 26

  27. Collecting a Dataset ● No large scale firmware dataset yet ● As opposed to existing datasets in security or other CS research areas ● We collected a subset of the firmwares available for download ● Many firmwares are not publicly available ● Not intended to have an upgrade ● Require product purchase and registration ● www.firmware.re project Andrei Costin 27

  28. Challenge: Firmware Identification Clearly a Firmware Andrei Costin 28

  29. Challenge: Firmware Identification Clearly a Firmware Clearly not a Firmware Andrei Costin 29

  30. Challenge: Firmware Identification Clearly a Firmware Clearly not a Firmware Uncertain Andrei Costin 30

  31. Challenge: Firmware Identification ● E.g., upgrade by printing a PS document Andrei Costin 31

  32. Challenge: Unpacking & Custom Formats ● How to reliably unpack and learn formats? Andrei Costin 32

  33. Challenge: Unpacking & Custom Formats ● How to reliably unpack and learn formats? ● E.g., vendor provides a .ZIP 'firmware package' ● .ZIP→.EXE+.PS – .EXE→self-extracting archive ● Extract more or not? ● Turns out to contain a printer driver inside Andrei Costin 33

  34. Challenge: Unpacking & Custom Formats ● How to reliably unpack and learn formats? ● E.g., vendor provides a .ZIP 'firmware package' ● .ZIP→.EXE+.PS – .EXE→self-extracting archive ● Extract more or not? ● Turns out to contain a printer driver inside – .PS→ASCII85 stream→ELF file that could be: ● A complete embedded system software ● An executable performing the firmware upgrade ● A firmware patch Andrei Costin 34

  35. Challenge: Unpacking & Custom Formats ● How to reliably unpack and learn formats? ● E.g., vendor provides a .ZIP 'firmware package' ● .ZIP→.EXE+.PS – .EXE→self-extracting archive ● Extract more or not? ● Turns out to contain a printer driver inside – .PS→ASCII85 stream→ELF file that could be: ● A complete embedded system software ● An executable performing the firmware upgrade ● A firmware patch ● Often, a firmware image→just 'data' binary blob Andrei Costin 35

  36. Our Approach to Unpacking & Custom Formats ● We compared existing tools ● Used BAT (Binary Analysis Toolkit) ● Extended it with multiple custom unpackers ● Continuous development effort Andrei Costin 36

  37. Our Approach to Unpacking & Custom Formats ● We compared existing tools ● Used BAT (Binary Analysis Toolkit) ● Extended it with multiple custom unpackers ● Continuous development effort ● Often, a firmware image→just 'data' binary blob ● File carving required ● Bruteforce at every offset with all known unpackers Andrei Costin 37

  38. Our Approach to Unpacking & Custom Formats ● We compared existing tools ● Used BAT (Binary Analysis Toolkit) ● Extended it with multiple custom unpackers ● Continuous development effort ● Often, a firmware image→just 'data' binary blob ● File carving required ● Bruteforce at every offset with all known unpackers ● Heuristics for detecting when to stop Andrei Costin 38

  39. Challenge: Scalability & Computational Limits ● Unpacking and file carving is very CPU intensive Andrei Costin 39

  40. Challenge: Scalability & Computational Limits ● Unpacking and file carving is very CPU intensive ● Results in millions of unpacked files ● Manual analysis infeasible ● One-to-one fuzzy hash comparison is CPU intensive Andrei Costin 40

  41. Challenge: Results Confirmation ● An issue found statically ● May not apply to a real-device ● Cannot guarantee exploitability ● E.g., vulnerable daemon present but never started Andrei Costin 41

  42. Challenge: Results Confirmation ● An issue found statically ● May not apply to a real-device ● Cannot guarantee exploitability ● E.g., vulnerable daemon present but never started ● Issue confirmation is difficult ● Requires advanced analysis (static & dynamic) ● Often requires real embedded devices ● Does not scale well in heterogeneous environments Andrei Costin 42

  43. Architecture Firmware Datastore Internet Crawl Andrei Costin 43

  44. Architecture Firmware Datastore Internet Public Web Interface Crawl Submit Andrei Costin 44

  45. Architecture Firmware Datastore Internet Public Web Interface Crawl Submit Firmware Analysis Cloud Andrei Costin 45

  46. Architecture Firmware Datastore Internet Public Web Interface Crawl Submit Firmware Analysis Cloud Master Andrei Costin 46

  47. Architecture Firmware Datastore Internet Public Web Interface Crawl Submit Firmware Analysis Cloud Master Distribute Password Hash Cracker Unpacking Static Analysis Fuzzy Hashing Workers Andrei Costin 47

  48. Architecture Firmware Datastore Internet Public Web Interface Crawl Submit Firmware Analysis Cloud Master Distribute Firmware Password Analysis & Hash Cracker Reports DB Unpacking Static Analysis Fuzzy Hashing Workers Andrei Costin 48

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Large-Scale Analysis of the Security of Embedded Firmwares Andrei Cos+n, Jonas Zaddach, Aurlien

A Large-Scale Analysis of the Security of Embedded Firmwares Andrei Cos+n, Jonas Zaddach, Aurlien

A Large-Scale Analysis of the Security of Embedded Firmwares Andrei Cos+n, Jonas Zaddach, Aurlien Francillon, and Davide Balzaro:, Eurecom h;ps://www.usenix.org/conference/usenixsecurity14/technical-sessions/presenta+on/ cos+n Saeid Mofrad

1.14k views • 22 slides
A"Large(Scale"Analysis"of"the"

A"Large(Scale"Analysis"of"the"

A"Large(Scale"Analysis"of"the" Security"of"Embedded"Firmwares Presented(by(Zhenyu Ning 1 Contents 1.(Background 2.(Motivation(&(Challenges 3.(Architecture 4.(Analysis(Result(&(Case(study

784 views • 23 slides
A Scalable Processor with Embedded Software for Large- Scale Scientific Applications Daniel Alex

A Scalable Processor with Embedded Software for Large- Scale Scientific Applications Daniel Alex

A Scalable Processor with Embedded Software for Large- Scale Scientific Applications Daniel Alex Finkelstein and Haldun Hadimioglu Polytechnic University, Brooklyn, NY, USA Outline 1. Motivation/Goals and Related Work 2. Peripheral Context

887 views • 29 slides
Meeting the Challenges of Ultra- -Large Large- -Scale Scale Meeting the Challenges of Ultra

Meeting the Challenges of Ultra- -Large Large- -Scale Scale Meeting the Challenges of Ultra

Meeting the Challenges of Ultra- -Large Large- -Scale Scale Meeting the Challenges of Ultra Distributed Real- -time & Embedded time & Embedded Distributed Real (DRE) Systems (DRE) Systems Wednesday, May 30, 2007, ISORC, , ISORC,

730 views • 49 slides
Granula: Toward Fine-grained Performance Analysis of Large-scale Graph Processing Platforms Wing

Granula: Toward Fine-grained Performance Analysis of Large-scale Graph Processing Platforms Wing

Granula: Toward Fine-grained Performance Analysis of Large-scale Graph Processing Platforms Wing Lung Ngai, Tim Hegeman, Stijn Heldens, and Alexandru Iosup @Large Research Massivizing Computer Systems Large-scale Graph Processing 2 OpenG

266 views • 13 slides
Introduction to Performance Analysis Visualization and Analysis of Performance on Large-scale

Introduction to Performance Analysis Visualization and Analysis of Performance on Large-scale

Introduction to Performance Analysis Visualization and Analysis of Performance on Large-scale Software VAPLS 2013 Todd Gamblin Katherine Isaacs UC Davis, LLNL LLNL Why does my code run slowly? Bad algorithm 1. Poor computational

2.17k views • 12 slides
robust control for analysis and design of large-scale optimization algorithms Laurent Lessard

robust control for analysis and design of large-scale optimization algorithms Laurent Lessard

robust control for analysis and design of large-scale optimization algorithms Laurent Lessard University of WisconsinMadison Joint work with Ben Recht and Andy Packard LCCC Workshop on Large-Scale and Distributed Optimization Lund

435 views • 32 slides
Multi-scale Analysis of Large Distributed Computing Systems Lucas M. Schnorr, Arnaud Legrand,

Multi-scale Analysis of Large Distributed Computing Systems Lucas M. Schnorr, Arnaud Legrand,

Introduction Multi-scale Analysis Approach Experimental Framework Results and Analysis Conclusion Multi-scale Analysis of Large Distributed Computing Systems Lucas M. Schnorr, Arnaud Legrand, Jean-Marc Vincent INRIA Mescal, CNRS LIG

583 views • 27 slides
Using CellProfiler for Biological Image Analysis Quantitative Analysis of Large-Scale Biological

Using CellProfiler for Biological Image Analysis Quantitative Analysis of Large-Scale Biological

Using CellProfiler for Biological Image Analysis Quantitative Analysis of Large-Scale Biological Image Data Mark-Anthony Bray, Ph.D Imaging Platform, Broad Institute Cambridge, Massachusetts, USA mbray@broadinstitute.org 0.4233 54,454

701 views • 52 slides
FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large Scale Solar Lead April 2017 CONTENTS 1. Introduction to CEFC 2. Investment trends 3. The future of large scale solar 4. Pathway to sustainable

664 views • 21 slides
Meeting the Challenges of Ultra- -Large Large- -Scale Scale Meeting the Challenges of Ultra

Meeting the Challenges of Ultra- -Large Large- -Scale Scale Meeting the Challenges of Ultra

Meeting the Challenges of Ultra- -Large Large- -Scale Scale Meeting the Challenges of Ultra Distributed Real- -time & Embedded Systems time & Embedded Systems Distributed Real with QoS- -enabled Middleware & enabled

682 views • 50 slides
Large-Scale Distributed Systems and Networks TDDE35 Lectures on Embedded Systems Petru Eles

Large-Scale Distributed Systems and Networks TDDE35 Lectures on Embedded Systems Petru Eles

Large-Scale Distributed Systems and Networks TDDE35 Lectures on Embedded Systems Petru Eles Institutionen fr Datavetenskap (IDA) Linkpings Universitet email: petru.eles@liu.se http://www.ida.liu.se/~petel71/ phone: 28 1396 B building,

1.52k views • 128 slides
Deviations in Load Testing of Large Scale Systems Haroon Malik Software Analysis and

Deviations in Load Testing of Large Scale Systems Haroon Malik Software Analysis and

Automatic Detection of Performance Deviations in Load Testing of Large Scale Systems Haroon Malik Software Analysis and Intelligence Lab (SAIL) Queens University, Kingston, Canada Large scale systems need to satisfy performance constraints

822 views • 37 slides
SMALL SCALE EFFECT ON THE BUCKLING ANALYSIS OF DOUBLE-LAYER GRAPHENE NANORIBBONS EMBEDDED IN AN

SMALL SCALE EFFECT ON THE BUCKLING ANALYSIS OF DOUBLE-LAYER GRAPHENE NANORIBBONS EMBEDDED IN AN

18 TH INTERNATIONAL CONFERENCE ON COMPOSITE MATERIALS SMALL SCALE EFFECT ON THE BUCKLING ANALYSIS OF DOUBLE-LAYER GRAPHENE NANORIBBONS EMBEDDED IN AN ELASTIC MATRIX J.X. Shi 1 , T. Natsuki 2 , X.W. Lei 1 , Q.Q. Ni 2 * 1 Interdisciplinary Graduate

328 views • 6 slides
Who we are Eshard - Embedded Security Company Software & Hardware Security What do we

Who we are Eshard - Embedded Security Company Software & Hardware Security What do we

Who we are Eshard - Embedded Security Company Software & Hardware Security What do we do: @eshardNews Tools: Side Channel / Code Analysis Consultancy https://www.eshard.com Audit contact@eshard.com Training

752 views • 54 slides
The Picnic Post-Quantum Signature Scheme and its Security Analysis Itai Dinur Ben-Gurion

The Picnic Post-Quantum Signature Scheme and its Security Analysis Itai Dinur Ben-Gurion

The Picnic Post-Quantum Signature Scheme and its Security Analysis Itai Dinur Ben-Gurion University Credit for some slides: Melissa Chase and Picnic team Post-Quantum Cryptography Large-scale quantum computer could efficiently factor large

533 views • 34 slides
Encryption Scheme And Thoughts on Bootstrapping The FHE scheme is joint work with Amit Sahai

Encryption Scheme And Thoughts on Bootstrapping The FHE scheme is joint work with Amit Sahai

A Simple (Leveled) Fully Homomorphic Encryption Scheme And Thoughts on Bootstrapping The FHE scheme is joint work with Amit Sahai (UCLA) and Brent Waters (UT Austin) Supported by IARPA contract number D11PC20202 August 15, 2013 Workshop on

719 views • 32 slides
Overview Network and Server Goal of Security Control Attacks and Penetration Phases of

Overview Network and Server Goal of Security Control Attacks and Penetration Phases of

Overview Network and Server Goal of Security Control Attacks and Penetration Phases of Control Methods of Taking Control Common Points of Attack Multifront Attacks Chapter 12 Auditing to Recognize Attacks Malicious

535 views • 7 slides
C-Style Strings CS2253 Owen Kaser, UNBSJ Strings In C and some other low-level languages,

C-Style Strings CS2253 Owen Kaser, UNBSJ Strings In C and some other low-level languages,

C-Style Strings CS2253 Owen Kaser, UNBSJ Strings In C and some other low-level languages, strings are just consecutive memory locations that contain characters. A special null character (ASCII code 0) terminates the string.

813 views • 17 slides
Security Summer 2013 Cornell University 1 Today How does the OS provide security?

Security Summer 2013 Cornell University 1 Today How does the OS provide security?

CS 4410 Operating Systems Security Summer 2013 Cornell University 1 Today How does the OS provide security? Secure System Security Violations Security Measures Threats User Authentication Protection 2 Secure

381 views • 14 slides
Craig Gentry IBM Watson Bar-Ilan University Dept. of Computer Science Optimizations of

Craig Gentry IBM Watson Bar-Ilan University Dept. of Computer Science Optimizations of

Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/2012-22/2/2012 Bar-Ilan University Dept. of Computer Science Craig Gentry IBM Watson Bar-Ilan University Dept. of Computer Science

1.08k views • 85 slides
DTTF/NB479: Dszquphsbqiz Day 14 Announcements: Homework 3 due now Homework 4 posted

DTTF/NB479: Dszquphsbqiz Day 14 Announcements: Homework 3 due now Homework 4 posted

DTTF/NB479: Dszquphsbqiz Day 14 Announcements: Homework 3 due now Homework 4 posted Today: Attacks on DES Questions? DES has been showing signs of weakness from the beginning 1975 1987 1993 2000 2013 1977 1992 Only 2 56 =

573 views • 15 slides
MDO6 Multiple Destination Option on IPv6 dra ft- ima i- mdo6- 01.txt Yuji IMAI FUJITSU

MDO6 Multiple Destination Option on IPv6 dra ft- ima i- mdo6- 01.txt Yuji IMAI FUJITSU

MDO6 Multiple Destination Option on IPv6 dra ft- ima i- mdo6- 01.txt Yuji IMAI FUJITSU LABORATORIES LTD. Contents Peculiar points IPv6 based bitmap gradual deployment tractable list anti-smurfing protection

338 views • 13 slides
DOE Phase II SBIR Project: Diagnostics of Chlorine Induced Stress Corrosion Cracking Using Laser

DOE Phase II SBIR Project: Diagnostics of Chlorine Induced Stress Corrosion Cracking Using Laser

DOE Phase II SBIR Project: Diagnostics of Chlorine Induced Stress Corrosion Cracking Using Laser Ultrasonics SFWST Working Group Meeting May 22-24, 2018 Max Wiedmann and Marvin Klein Intelligent Optical Systems Torrance, CA 90505

584 views • 22 slides

More recommend