SLIDE 1
FirmFuzz: Automated IoT Firmware Introspection and Analysis
Prashast Srivastava, Hui Peng, Jiahao Li, Hamed Okhravi, Howard Shrobe, Mathias Payer
Internet of Things
2
FirmFuzz: Automated IoT Firmware Introspection and Analysis - - PowerPoint PPT Presentation
FirmFuzz: Automated IoT Firmware Introspection and Analysis - - PowerPoint PPT Presentation
FirmFuzz: Automated IoT Firmware Introspection and Analysis Prashast Srivastava, Hui Peng, Jiahao Li, Hamed Okhravi, Howard Shrobe, Mathias Payer Internet of Things 2 Internet of Things 3 Internet of Things - 233 CVEs assigned from Jan
SLIDE 2
SLIDE 3
Internet of Things
3
SLIDE 4
Internet of Things
4
- 233 CVE’s assigned from Jan 2018 - Nov 2019
SLIDE 5
Internet of Things
5
- 233 CVE’s assigned from Jan 2018 - Nov 2019
SLIDE 6
Fuzz Target
Linux-based Firmware Image Vendor-written software Open-source software Linux kernel
6
SLIDE 7
Fuzz Target
Linux-based Firmware Image Vendor-written software Open-source software Linux kernel Can be independently analyzed
7
SLIDE 8
Fuzz Target
Linux-based Firmware Image Vendor-written software Open-source software Linux kernel Can be independently analyzed Open-source Openly analyzed
8
SLIDE 9
Deep Analysis
9
Challenges Solutions
SLIDE 10
Deep Analysis
10
Challenges Solutions Syntactically legal input generation
SLIDE 11
Deep Analysis
11
Challenges Solutions Utilize the web API Syntactically legal input generation
SLIDE 12
Deep Analysis
12
Challenges Solutions Utilize the web API Syntactically legal input generation Fine-grained vulnerability monitoring
SLIDE 13
Deep Analysis
13
Challenges Solutions Monitor injection into runtime environment Utilize the web API Syntactically legal input generation Fine-grained vulnerability monitoring
SLIDE 14
Deep Analysis
14
Challenges Solutions Monitor injection into runtime environment Utilize the web API Syntactically legal input generation Fine-grained vulnerability monitoring Device-independent dynamic analysis
SLIDE 15
Deep Analysis
15
Challenges Solutions Monitor injection into runtime environment Utilize the web API Syntactically legal input generation Fine-grained vulnerability monitoring Device-independent dynamic analysis Full-system emulation of firmware image
SLIDE 16
FirmFuzz Design
16
Firmware
SLIDE 17
FirmFuzz Design
17
Firmware
🔎
Information Gathering Phase
SLIDE 18
FirmFuzz Design
18
Firmware
🔎
Information Gathering Phase Preparation Phase
SLIDE 19
FirmFuzz Design
19
Firmware
🔎
Information Gathering Phase Preparation Phase Fuzzing Phase
SLIDE 20
FirmFuzz Design
20
Firmware
🔎
Information Gathering Phase Preparation Phase Fuzzing Phase Bugs
SLIDE 21
Information Gathering Phase
- Discover authentication credentials
- Increase fuzzer coverage
- Static analysis of PHP scripts
- Find inputs for vulnerable code paths
- Perform taint analysis to build input constraints
21
Firmware 🔎
**********
Credentials Attack Surface Mapping
SLIDE 22
Preparation Phase
- Helper injection
- Allows FirmFuzz to perform fine-grained vulnerability monitoring
- CI — Helper binaries
- BO, NPD — Exception handling mechanism of the kernel
- XSS — Host-side monitoring
- Peripheral mapping
- Firmware may require unsupported peripherals during runtime
- FirmFuzz automatically creates mappings to a fake peripheral
- Network configuration
- FirmFuzz logs interactions with the kernel networking interface
- Creates an appropriate virtual network configuration
22
฀
Helper Injection Network Configuration Device Mapping
SLIDE 23
Fuzzing Phase
- Syntactically legal input generation
- Use headless browser for interaction with web API
- Deterministic vulnerability detection
- Leverage runtime monitors for vulnerability detection
- Fuzzing side-effects elimination
- Use snapshots to revert firmware to a consistent state
- Payload delivery
- Bypass web API validation checks by generating raw requests
23
Firmware
CI NPD BO XSS
SLIDE 24
Fuzzing Workflow
24
SLIDE 25
Fuzzing Workflow
25
SLIDE 26
Fuzzing Workflow
26
SLIDE 27
Fuzzing Workflow
27
SLIDE 28
Evaluation
- Analyzed 6427 firmware images scraped from three vendors
- Found 7 vulnerabilities across 6 different devices
- Average runtime for the fuzzing phase was 16.7 minutes
28
SLIDE 29
Firmware Image Breakdown
29
Vendor Network Inferred Fuzzed (Unique Devices) Unique Web UI TRENDnet 26 6 (5) 2 Netgear 162 20 (17) 3 D-Link 15 6 (5) 1 Total 203 32 (27) 6
SLIDE 30
Firmware Image Breakdown
30
Vendor Network Inferred Fuzzed (Unique Devices) Unique Web UI TRENDnet 26 6 (5) 2 Netgear 162 20 (17) 3 D-Link 15 6 (5) 1 Total 203 32 (27) 6 Sharp drop-off between network inferred and fuzzed images
SLIDE 31
Firmware Image Breakdown
31
Vendor Network Inferred Fuzzed (Unique Devices) Unique Web UI TRENDnet 26 6 (5) 2 Netgear 162 20 (17) 3 D-Link 15 6 (5) 1 Total 203 32 (27) 6 High reusability of web interfaces between different devices
SLIDE 32
Comparison Against Existing Work
32
Number Vulnerability CVE-ID FirmFuzz Web vulnerability scanners Firmadyne 1 CI CVE-2018-19239
✔ ⨯ ⨯
2 XSS
- ✔
✔ ⨯
3 BO CVE-2018-19242
✔ ⨯ ⨯
4 BO
- ✔
⨯ ⨯
5 BO CVE-2018-19240
✔ ⨯ ⨯
6 BO CVE-2018-19241
✔ ⨯ ⨯
7 NPD
- ✔
⨯ ⨯
SLIDE 33
Conclusion
- We presented FirmFuzz, an automated dynamic analysis framework for
finding deep vulnerabilities
- A generational fuzzer that leverages runtime monitors to aid the vulnerability
discovery
- We found seven unknown vulnerabilities across six different devices
33
SLIDE 34
Questions ?
34
Firmware
฀฀
Information Gathering Phase Preparation Phase Fuzzing Phase Bugs Source code: https://github.com/Hexhive/Firmfuzz