towards automated classification of firmware images and
play

Towards Automated Classification of Firmware Images and - PowerPoint PPT Presentation

Jul 02, 2023 •220 likes •577 views

IFIP SEC '17 (Rome, Italy) Towards Automated Classification of Firmware Images and Identification of Embedded Devices Andrei Costin (University of Jyvaskyla) Apostolis Zarras (TUM) Aurelien Francillon (EURECOM) Agenda Introduction

  1. IFIP SEC '17 (Rome, Italy) Towards Automated Classification of Firmware Images and Identification of Embedded Devices Andrei Costin (University of Jyvaskyla) Apostolis Zarras (TUM) Aurelien Francillon (EURECOM)

  2. Agenda Introduction ● Contributions ● Firmware Classification ● Device Fingerprinting ● Conclusions and Future Work ● Acknowledgements and Q&A ● 30th May 2017 Andrei Costin, IFIP SEC '17 2

  3. Introduction IoT and embedded devices ● Increasingly present in any computing environment – May be vulnerable/exploitable – Rely on network connectivity – Often administered through web interfaces – Depend on and run firmware packages – 30th May 2017 Andrei Costin, IFIP SEC '17 3

  4. Introduction IoT and embedded firmware packages ● Software that runs on intended IoT and embedded devices – Contain many software features and modules – May contain bugs/vulnerabilities – Can yield richer knowledge if analyzed in similar clusters rather than alone – E.g., diffing consecutive versions and patches ● 30th May 2017 Andrei Costin, IFIP SEC '17 4

  5. Introduction The number of IoT devices in 2016 was around 6-7 billions [GAR15] ● The number of IoT firmware packages in 2014 was at least in the range of ● hundreds of thousands [COS14] Manual analysis and triage does not scale ● 30th May 2017 Andrei Costin, IFIP SEC '17 7

  6. Introduction: Research problems We formulate the following research problems ● How to automatically label the brand and the model of the device for which – the firmware is intended How to automatically identify the vendor, the model, and the firmware – version of an arbitrary web-enabled online device 30th May 2017 Andrei Costin, IFIP SEC '17 8

  7. Introduction: Real-world attacks "DNSChanger EK" (Dec 2016) [PRO16] ● Also "CSRF (Cross-Site Request Forgery) SOHO Pharming" (2015) – 30th May 2017 Andrei Costin, IFIP SEC '17 9

  8. Introduction: Real-world attacks 30th May 2017 Andrei Costin, IFIP SEC '17 10

  9. Introduction: Real-world digital investigations „Mapping Mirai: A Botnet Case Study“ (Oct 2016) [MAL16] ● Mirai – perhaps the most disruptive and well-known DDoS botnet – 30th May 2017 Andrei Costin, IFIP SEC '17 11

  10. Introduction: Real-world CVE management CVE-2013-5637, CVE-2013-5638 – Consecutive/similar firmware clustering ● allows proper identification of impacted components [COS14] 30th May 2017 Andrei Costin, IFIP SEC '17 12

  11. Agenda Introduction ● Contributions ● Firmware Classification ● Device Fingerprinting ● Conclusions and Future Work ● Acknowledgements and Q&A ● 30th May 2017 Andrei Costin, IFIP SEC '17 13

  12. Contributions We propose and study the firmware features and the ML algorithms in the ● context of firmware classification We research the fingerprinting and identification of web-enabled embedded ● devices and their firmware version We present and discuss direct practical applications for both techniques ● 30th May 2017 Andrei Costin, IFIP SEC '17 14

  13. Agenda Introduction ● Contributions ● Firmware Classification ● Device Fingerprinting ● Conclusions and Future Work ● Acknowledgements and Q&A ● 30th May 2017 Andrei Costin, IFIP SEC '17 15

  14. Firmware Classification: Related Work Clemens [CLE15] ● Context focused on ● Explosion of different types of devices and myriad of executable code – (firmware, mobile apps, etc.) Automating digital forensic for forensic analysis, reverse engineering, or – malware detection Their dataset over 16000 code samples from 20 (embedded) architectures ● Their classifiers achieve very high accuracy with relatively small sample sizes ● 30th May 2017 Andrei Costin, IFIP SEC '17 16

  15. Firmware Classification: Dataset Total Firmware Vendors: 13 ● Total Firmware Files: 215 ● Firmwares Per Vendor: 5(min)/54(max)/16(avg) ● Dataset: www.firmware.re/ml/ ● 30th May 2017 Andrei Costin, IFIP SEC '17 17

  16. Firmware Classification: Features Firmware File Size ● Firmware File Content Properties (output of „ent“ , except bytes frequency) ● Firmware File Strings (class strings, class unique strings) ● Fuzzy Hash Similarity (threshold-based binary value feature) ● 30th May 2017 Andrei Costin, IFIP SEC '17 18

  17. Firmware Classification: Evaluation ML: Decission Tree (DT) and Random Forests (RF) from sklearn ● Training/Evaluation points ● Training sets size 10% and 90% of each firmware class – Training sets increment 10% at each evaluation point – At each training/evaluation point ● Runs 100 times with new random choice of training set data – Runs both DT and RF – Runs four different sets of features – 30th May 2017 Andrei Costin, IFIP SEC '17 19

  18. Firmware Classification: Evaluation 30th May 2017 Andrei Costin, IFIP SEC '17 20

  19. Firmware Classification: Results In summary: ● RF with „best“ features-set and 50% training reaches 93.5% accuracy – „Best“ features-set was [size, entropy, entropy extended, category strings, – category unique strings] Using only basic features [size, entropy] do not even reach 90% accuracy – (either RF or DT) As expected – Increased training set results in increased accuracy ● RF more accurate than DT ● 30th May 2017 Andrei Costin, IFIP SEC '17 21

  20. Agenda Introduction ● Contributions ● Firmware Classification ● Device Fingerprinting ● Conclusions and Future Work ● Acknowledgements and Q&A ● 30th May 2017 Andrei Costin, IFIP SEC '17 22

  21. Device Fingerprinting: Related Work Samarasinghe and Mannan [SAM16] ● Context focused on the study of weak SSL/TLS in IoT/embedded devices ● Performed IoT/embedded device fingerprinting ● Used HTTPS web-interface and certificates of IoT/embedded devices ● 30th May 2017 Andrei Costin, IFIP SEC '17 23

  22. Device Fingerprinting: Dataset Total Devices: 31 ● Emulated Devices: 27 – Vendors: 3 ● Functional categories: 7 ● Physical Devices: 4 – Vendors: 2 ● Functional categories: 4 ● 30th May 2017 Andrei Costin, IFIP SEC '17 24

  23. Device Fingerprinting: Features Total Features: 6 ● HTTP Web Sitemap ● HTTP Finite-State Machine (FSM) ● Model able to learn the headers’ order of an HTTP response – Use this order to classify an unknown HTTP conversation – Cryptographic Hashing and Fuzzy Hashing for each sitemap entry ● HTML Content – HTTP Headers – 30th May 2017 Andrei Costin, IFIP SEC '17 25

  24. Device Fingerprinting: Evaluation Feature ranking/scoring ● „Majority voting“ – „Uniform weights“ – „Non-uniform weights“ (empirical weights) – „Score fusion“ – Future work: use (un)supervised ML – 30th May 2017 Andrei Costin, IFIP SEC '17 26

  25. Device Fingerprinting: Results In summary: ● On average 89.4% identification accuracy – Cryptographic hash of HTML content most „stable“ feature – Fuzzy hash of HTTP headers least „stable“ feature – „Majority voting“ yielded most accurate matching – 30th May 2017 Andrei Costin, IFIP SEC '17 27

  26. Agenda Introduction ● Contributions ● Firmware Classification ● Device Fingerprinting ● Conclusions and Future Work ● Acknowledgements and Q&A ● 30th May 2017 Andrei Costin, IFIP SEC '17 28

  27. Conclusions We presented two complementary techniques for IoT firmware/devices ● Embedded firmware supervised learning and classification – Embedded web interface fingerprinted identification – We achieved average accuracies of 93.5% and 89.4% respectively ● We presented practical use-cases for our techniques ● Our scripts and datasets will be updated at: www.firmware.re/ml/ ● 30th May 2017 Andrei Costin, IFIP SEC '17 29

  28. Future Work Larger and more varied datasets for both techniques ● Unsupervised automated firmware emulation and vulnerability discovery ● [COS16] Unsupervised and more scalable ML for both techniques ● Evaluation of more ML algorithms with more parameters and features ● 30th May 2017 Andrei Costin, IFIP SEC '17 30

  29. Agenda Introduction ● Contributions ● Firmware Classification ● Device Fingerprinting ● Conclusions and Future Work ● Acknowledgements and Q&A ● 30th May 2017 Andrei Costin, IFIP SEC '17 31

  30. Acknowledgements IFIP SEC '17 organizers, and reviewers for valuable comments ● Prof. Pietro Michiardi for insightful discussions and feedback ● Ala Raddaoui for his early contributions to this study ● 30th May 2017 Andrei Costin, IFIP SEC '17 32

  31. Q&A Questions, suggestions, ideas? ● www.firmware.re/ml/ ancostin@jyu.fi andrei@firmware.re Twitter: @costinandrei 30th May 2017 Andrei Costin, IFIP SEC '17 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Toward the Analysis of Embedded Firmware through Automated Re-hosting Eric Gustafson , Marius

Toward the Analysis of Embedded Firmware through Automated Re-hosting Eric Gustafson , Marius

Toward the Analysis of Embedded Firmware through Automated Re-hosting Eric Gustafson , Marius Muench, Chad Spensky, Nilo Redini, Aravind Machiry, Aurelien Francillon, Davide Balzarotti, Yung Ryn Choe, Christopher Kruegel, Giovanni Vigna Sandia

963 views • 71 slides
Towards Automated Dynamic Analysis for Linux-based Embedded Firmware Dominic Chen 1 , Manuel Egele

Towards Automated Dynamic Analysis for Linux-based Embedded Firmware Dominic Chen 1 , Manuel Egele

Towards Automated Dynamic Analysis for Linux-based Embedded Firmware Dominic Chen 1 , Manuel Egele 2 , Maverick Woo 1 , David Brumley 1 1 Carnegie Mellon University, 2 Boston University {ddchen, pooh, dbrumley}@cmu.edu, megele@bu.edu 2 FIRMADYNE

404 views • 22 slides
Effective Validation of Firmware Enabling firmware development and validation to keep pace with

Effective Validation of Firmware Enabling firmware development and validation to keep pace with

Effective Validation of Firmware Enabling firmware development and validation to keep pace with hardware innovations. Tom Melham University of Oxford Problem Firmware today facing greater complexity and shorter schedules coded at low

478 views • 14 slides
An Empirical Comparison of Automated Generation and Classification Techniques for

An Empirical Comparison of Automated Generation and Classification Techniques for

An Empirical Comparison of Automated Generation and Classification Techniques for Object-Oriented Unit Testing Marcelo dAmorim (UIUC) Carlos Pacheco (MIT) Tao Xie (NCSU) Darko Marinov (UIUC) Michael D. Ernst (MIT) Automated Software

513 views • 33 slides
FirmFuzz: Automated IoT Firmware Introspection and Analysis Prashast Srivastava, Hui Peng, Jiahao

FirmFuzz: Automated IoT Firmware Introspection and Analysis Prashast Srivastava, Hui Peng, Jiahao

FirmFuzz: Automated IoT Firmware Introspection and Analysis Prashast Srivastava, Hui Peng, Jiahao Li, Hamed Okhravi, Howard Shrobe, Mathias Payer Internet of Things 2 Internet of Things 3 Internet of Things - 233 CVEs assigned from Jan

922 views • 34 slides
Front-end Firmware Transition and Documentation Status/Plans/Proposals Kurtis Nishimura

Front-end Firmware Transition and Documentation Status/Plans/Proposals Kurtis Nishimura

Front-end Firmware Transition and Documentation Status/Plans/Proposals Kurtis Nishimura University of Hawaii December 14, 2012 US Firmware Meeting 1 v2 Firmware Version 2 firmware is largely done: New interface to the DAQ

273 views • 5 slides
Component Firmware http://outflux.net/slides/2014/lss/firmware.pdf Linux Security Summit, Chicago

Component Firmware http://outflux.net/slides/2014/lss/firmware.pdf Linux Security Summit, Chicago

Component Firmware http://outflux.net/slides/2014/lss/firmware.pdf Linux Security Summit, Chicago 2014 Kees Cook <keescook@chromium.org> (pronounced Case) Overview Wait, which firmware? Threats Update methods

311 views • 20 slides
DUNE DAQ Firmware David Cussans Firmware Meeting 16/Jan/20 You Inst Logo You Inst Logo Goal

DUNE DAQ Firmware David Cussans Firmware Meeting 16/Jan/20 You Inst Logo You Inst Logo Goal

DUNE DAQ Firmware David Cussans Firmware Meeting 16/Jan/20 You Inst Logo You Inst Logo Goal Demonstrate upstream DAQ functions in firmware before design review - Have implementation ready before May 2020 10-second buffer Hit

466 views • 13 slides
Automated Management of More than One Million LifeLog Images Aiden R. Doherty Supervisor: Prof.

Automated Management of More than One Million LifeLog Images Aiden R. Doherty Supervisor: Prof.

D UBLIN C ITY U NIVERSITY A DAPTIVE I NFORMATION C LUSTER C ENTRE FOR D IGITAL V IDEO P ROCESSING Automated Management of More than One Million LifeLog Images Aiden R. Doherty Supervisor: Prof. Alan F. Smeaton Centre for Digital Video

903 views • 66 slides
Automated Gene Classification using Nonnegative Matrix Factorization on Biomedical Literature

Automated Gene Classification using Nonnegative Matrix Factorization on Biomedical Literature

Automated Gene Classification using Nonnegative Matrix Factorization on Biomedical Literature Kevin Heinrich PhD Dissertation Defense Department of Computer Science, UTK March 19, 2007 2/1 Kevin Heinrich Using NMF for Gene Classification

862 views • 61 slides
Fingerprinting the datacenter: automated classification of performance crises Peter Bodk 1,3 ,

Fingerprinting the datacenter: automated classification of performance crises Peter Bodk 1,3 ,

Fingerprinting the datacenter: automated classification of performance crises Peter Bodk 1,3 , Moises Goldszmidt 3 , Armando Fox 1 , Dawn Woodard 4 , Hans Andersen 2 1 RAD Lab, UC Berkeley 2 Microsoft 3 Research 4 Cornell University Crisis

664 views • 19 slides
WIB Firmware and Software Requirements Josh Klein CE Review March 10, 2020 Background

WIB Firmware and Software Requirements Josh Klein CE Review March 10, 2020 Background

WIB Firmware and Software Requirements Josh Klein CE Review March 10, 2020 Background ProtoDUNE WIB operated (and continuing) successfully FPGA was an Altera Aria V All-firmware design, included different firmware sets for

843 views • 47 slides
APPION: an automated pipeline for the processing of images Neil Voss AMI: Carragher & Potter

APPION: an automated pipeline for the processing of images Neil Voss AMI: Carragher & Potter

Workshop on Advanced Topics in EM Structure Determination November 14, 2007 APPION: an automated pipeline for the processing of images Neil Voss AMI: Carragher & Potter lab The Scripps Research Institute 1 Appion: simple, but transparent

646 views • 8 slides
SketchNet: Sketch Classification with Web Images[CVPR `16] CS688 Paper Presentation 1 Doheon Lee

SketchNet: Sketch Classification with Web Images[CVPR `16] CS688 Paper Presentation 1 Doheon Lee

SketchNet: Sketch Classification with Web Images[CVPR `16] CS688 Paper Presentation 1 Doheon Lee 20183398 2018. 10. 23 Table of Contents Introduction Background SketchNet Result 2 Introduction Properties of Sketch Images

500 views • 27 slides
Automated Analysis of Retinal Images for Early Diabetes Detection with Sub-Riemannian Methods

Automated Analysis of Retinal Images for Early Diabetes Detection with Sub-Riemannian Methods

MAnET Meeting, Helsinki, 8-9 Dec. 2015 Automated Analysis of Retinal Images for Early Diabetes Detection with Sub-Riemannian Methods Samaneh Abbasi-Sureshjani, Prof. Bart ter Haar Romeny RetinaCheck-MAnET Project, Eindhoven University of

476 views • 19 slides
Automated Detection of Chondrocytes in Growth Plate Images Emily Beylerian, Brian de Silva, Ben

Automated Detection of Chondrocytes in Growth Plate Images Emily Beylerian, Brian de Silva, Ben

Biology Image Processing Algorithm Methods Analytics Results Error Metrics Conclusion Questions References Automated Detection of Chondrocytes in Growth Plate Images Emily Beylerian, Brian de Silva, Ben Gross, Hannah Kastein Mentors:

1.07k views • 22 slides
All Along the Ring Tower Algebraic Structures for Fun and Profit Thomas Prest joint work w/

All Along the Ring Tower Algebraic Structures for Fun and Profit Thomas Prest joint work w/

All Along the Ring Tower Algebraic Structures for Fun and Profit Thomas Prest joint work w/ {Lo Ducas} {Thomas Pornin} {Lo Ducas, Steven Galbraith, Yang Yu} RISC PROMETHEUS Seminar, 03/05/2019 Introducon I Three Case Studies

635 views • 41 slides
Adverbs & Numerals M&R 135, 8286 ENG240Y Old English / Wed 13 Oct 2010 Adverbs

Adverbs & Numerals M&R 135, 8286 ENG240Y Old English / Wed 13 Oct 2010 Adverbs

Adverbs & Numerals M&R 135, 8286 ENG240Y Old English / Wed 13 Oct 2010 Adverbs An adverb is a word modifying a verb, adjective, or other adverb. Adverbs divide into: - adverbs of time (now, then, tomorrow, forever) -

469 views • 11 slides
GENERAL BODY MEETING ISLAMIC CENTER OF MARYLAND (ICM) June 1, 2013 ISLAMIC CENTER OF MARYLAND

GENERAL BODY MEETING ISLAMIC CENTER OF MARYLAND (ICM) June 1, 2013 ISLAMIC CENTER OF MARYLAND

GENERAL BODY MEETING ISLAMIC CENTER OF MARYLAND (ICM) June 1, 2013 ISLAMIC CENTER OF MARYLAND MEETING GROUND RULES This is the General Body meeting called by the Board of Trustees (BOT) as required by the ICM By-laws. Attendees need to

644 views • 49 slides
How to Design a Blacklist (for a Password Meter) L. Jacquin A. Kumar C. Lauradoux

How to Design a Blacklist (for a Password Meter) L. Jacquin A. Kumar C. Lauradoux

How to Design a Blacklist (for a Password Meter) L. Jacquin A. Kumar C. Lauradoux December 4, 2014 Blacklist in practice The backbone of security ! Traffic analysis : Firewall : iptables , netfilter IDS : l7-filter

319 views • 15 slides
The Great Struggle Accretions Sunday rest Satans agency in the serpents actions

The Great Struggle Accretions Sunday rest Satans agency in the serpents actions

The Great Struggle Accretions Sunday rest Satans agency in the serpents actions The type of fruit eaten The date/time of year of Christs birth The number of magi Mary Magdalens profession Doctrine Orthodox

380 views • 18 slides
Human Errors in Security Protocols David Basin joint work with Sa a Radomirovi and Lara

Human Errors in Security Protocols David Basin joint work with Sa a Radomirovi and Lara

Human Errors in Security Protocols David Basin joint work with Sa a Radomirovi and Lara Schmid Institute of Information Security Recap Security Protocols We have defined the Dolev-Yao adversary communicating agents that follow a

618 views • 51 slides
Differential Attacks on PIN Processing APIs Graham Steel LSV Overview Photo: redspotted/Flickr

Differential Attacks on PIN Processing APIs Graham Steel LSV Overview Photo: redspotted/Flickr

Differential Attacks on PIN Processing APIs Graham Steel LSV Overview Photo: redspotted/Flickr 1/15 Verizon Breach Report 2008 Released April 2009 2/15 Verizon Breach Report 2008 Released April 2009 While statistically not a large

409 views • 29 slides
Strategy & Leadership From social media to social customer relationship management Carolyn

Strategy & Leadership From social media to social customer relationship management Carolyn

Strategy & Leadership From social media to social customer relationship management Carolyn Heller Baird, Gautam Parasnis, Article information: To cite this document: Carolyn Heller Baird, Gautam Parasnis, (2011) "From social media to

438 views • 17 slides

More recommend