
Towards Automated Dynamic Analysis for Linux-based Embedded Firmware (slide deck)



  1. Towards Automated Dynamic Analysis for Linux-based Embedded Firmware
  Dominic Chen¹, Manuel Egele², Maverick Woo¹, David Brumley¹
  ¹ Carnegie Mellon University, ² Boston University
  {ddchen, pooh, dbrumley}@cmu.edu, megele@bu.edu


  3. FIRMADYNE
  • First system for full-system emulation of embedded Linux-based firmware
  • Provides large-scale automated dynamic analysis
    – Built-in vulnerability detection
    – Tested on 9.5k extracted firmware images
  • Objective: continuous integration for firmware

  4. Background
  • Embedded devices are important
    – Low visibility for end-users
    – Critical network infrastructure
    – Software rarely upgraded
  • Difficult to analyze
    – RISC-based architectures: MIPS, ARM, etc.
    – No direct interface into the device firmware
    – Fixed hardware peripherals; no ‘Plug and Play’
    – Significant variety; hard to scale

  5. Firmware Architectures
  [Bar chart: number of firmware images (0–5000) by architecture: MIPS, ARM, Unknown, x86-64, PPC, MIPS-64, x86, Other; each bar split by endianness (big-endian, little-endian, unknown).]

  6. Related Work
  • Zaddach et al., “Avatar: A framework to support dynamic security analysis of embedded systems’ firmwares”, NDSS 2014
    – Software emulation with partial offload to hardware
    – Doesn’t scale: requires the physical device and a connection to its debug port
  • Costin et al., “A large-scale analysis of the security of embedded firmwares”, USENIX Security 2014
    – Static extraction and analysis of firmware
    – Relatively cursory analysis whose results can’t be verified; the classic trade-off between false positives and false negatives

  7. Dynamic Approaches
  • Application-level
    – Extract web pages and analyze them
    – Requires custom interpreter modifications
  • Process-level
    – Emulate the original applications in user mode
    – Different hardware and execution environment from the device
  • System-level
    – Boots the entire filesystem with a modified kernel
    – Supports all applications in their original environment

  8. [Pipeline diagram: firmware images are collected from FTP sites and vendor support websites → filesystem and kernel are extracted → architecture identification (e.g. MIPS little-endian) → initial emulation → network identification (e.g. eth0: 192.168.1.100, eth1: 10.0.0.1, eth2: 128.2.42.52) → network reachable → exploit verification (e.g. injecting “&& cat 0xDEADBEEF” into a form field).]

  9. Filesystem Recovery
  • Firmware format is not standardized
    – May be compressed, include photos, etc.
  • Solution: develop a custom extractor for filesystems
    – Searches for UNIX-like filesystems
    – Includes heuristics to avoid recursive extraction
  • Improved existing unpacking tools
    – jefferson: user-mode extractor for JFFS2
    – sasquatch: heuristic-based extractor for SquashFS
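The signature search behind such an extractor, as an added example that is not code from the slides or from the FIRMADYNE project: a scanner that looks for SquashFS superblocks and JFFS2 node runs in a raw image, validates each candidate against fields of the on-disk format before accepting it, and jumps past every filesystem it accepts so that magic strings inside one image are not extracted a second time. The sample image, its 64-byte vendor header and the superblock field values are constructed for the demonstration.

```python
import struct

# Signatures this scanner recognises (values from the on-disk formats).
SQUASHFS_MAGIC_LE = b"hsqs"   # 0x73717368 stored little-endian
SQUASHFS_MAGIC_BE = b"sqsh"   # same magic stored big-endian
JFFS2_MAGIC = 0x1985          # first u16 of every JFFS2 node header
JFFS2_NODETYPES = {0xE001, 0xE002, 0x2003, 0x2004, 0x2006, 0xE008, 0xE009}
SQUASHFS_COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}

# Leading fields of the SquashFS 4.x superblock, up to bytes_used (48 of its 96 bytes).
SQUASHFS_HDR = "4sIIIIHHHHHHQQ"


def parse_squashfs(blob, off, big_endian):
    """Validate a SquashFS superblock at `off`; return a description or None."""
    fmt = (">" if big_endian else "<") + SQUASHFS_HDR
    if off + 96 > len(blob):
        return None
    (_magic, inodes, _mtime, block_size, _frags, compression, block_log,
     _flags, _ids, major, minor, _root, bytes_used) = struct.unpack_from(fmt, blob, off)
    # Plausibility checks separate a real superblock from a chance 4-byte match.
    if major != 4 or compression not in SQUASHFS_COMPRESSORS:
        return None
    if not 12 <= block_log <= 20 or block_size != 1 << block_log:
        return None
    if bytes_used < 96 or off + bytes_used > len(blob):
        return None
    return {"type": "squashfs", "offset": off, "size": bytes_used,
            "endian": "big" if big_endian else "little",
            "version": f"{major}.{minor}", "compression": SQUASHFS_COMPRESSORS[compression],
            "block_size": block_size, "inodes": inodes}


def parse_jffs2(blob, off, big_endian):
    """Walk consecutive JFFS2 node headers from `off`; return the run's extent or None."""
    fmt = (">" if big_endian else "<") + "HHII"   # magic, nodetype, totlen, hdr_crc
    pos, nodes = off, 0
    while pos + 12 <= len(blob):
        magic, nodetype, totlen, _crc = struct.unpack_from(fmt, blob, pos)
        if magic != JFFS2_MAGIC or nodetype not in JFFS2_NODETYPES or totlen < 12:
            break
        if pos + totlen > len(blob):
            break
        nodes += 1
        pos += (totlen + 3) & ~3          # nodes are padded to 4-byte alignment
    if nodes == 0:
        return None
    return {"type": "jffs2", "offset": off, "size": pos - off,
            "endian": "big" if big_endian else "little", "nodes": nodes}


def scan_firmware(blob):
    """Find filesystem images in a raw firmware blob, skipping over each one found."""
    found, pos = [], 0
    while pos + 4 <= len(blob):
        word = blob[pos:pos + 4]
        hit = None
        if word == SQUASHFS_MAGIC_LE:
            hit = parse_squashfs(blob, pos, big_endian=False)
        elif word == SQUASHFS_MAGIC_BE:
            hit = parse_squashfs(blob, pos, big_endian=True)
        elif word[:2] == b"\x85\x19":
            hit = parse_jffs2(blob, pos, big_endian=False)
        elif word[:2] == b"\x19\x85":
            hit = parse_jffs2(blob, pos, big_endian=True)
        if hit:
            found.append(hit)
            # Jump past the image: magic strings inside it belong to its contents,
            # not to a second filesystem, so they must not be extracted again.
            pos += hit["size"]
        else:
            pos += 1
    return found


def build_sample_image():
    """Constructed test input: vendor header, LE SquashFS (xz), LE JFFS2 run, erase fill."""
    header = b"FWHDR" + b"\x00" * 59                       # 64-byte stand-in for a vendor header
    payload = bytearray(b"\xAA" * 256)
    payload[100:104] = SQUASHFS_MAGIC_LE                    # decoy magic inside the filesystem body
    sb = struct.pack("<" + SQUASHFS_HDR, SQUASHFS_MAGIC_LE, 42, 0, 1 << 17, 3,
                     4, 17, 0xC0, 1, 4, 0, 0, 96 + len(payload)) + b"\x00" * 48
    squash = sb + bytes(payload)
    cleanmarker = struct.pack("<HHII", JFFS2_MAGIC, 0x2003, 12, 0)
    inode = struct.pack("<HHII", JFFS2_MAGIC, 0xE002, 70, 0) + b"\x00" * 58 + b"\x00" * 2
    return header + squash + cleanmarker + inode + b"\xFF" * 16


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    for fs in scan_firmware(SAMPLE_IMAGE):
        print(fs)
```

The decoy `hsqs` planted inside the SquashFS body is never reported, because the scanner resumes after `bytes_used`; a byte-at-a-time grep would have tried to extract it as a nested image. The same plausibility checks (version, compressor id, block size consistent with block_log) are what keep random data from being treated as a filesystem.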

  10. Device Configuration
  • Firmware requires an NVRAM peripheral to boot
    – Used as a non-volatile configuration store
  • Solution: emulate the NVRAM peripheral with a userspace library
    – Compatible with different C runtime libraries
    – Self-initializes with the default NVRAM values used during a factory reset

  11. Network Inference
  • Devices expect different network configurations
    – eth0 vs. lan0, wlan0, wan0, vs. ath0, br0, etc.
  • Solution: use a custom kernel with software instrumentation to infer the networking setup
    – Parse the kernel log to infer the expected configuration
    – Track IP addresses, bridges, and VLANs
    – Restart the emulation with the new configuration
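Parsing the instrumented kernel log, as an added example (not FIRMADYNE's own scripts): the line format, the hook names and the hex encoding of addresses below are this example's assumptions, loosely modelled on the slide's description, and the log excerpt is constructed. The parser rebuilds VLAN and bridge membership, then resolves each assigned address down to the wired port and 802.1Q tag the emulator would have to present.

```python
import re
import socket
import struct
from collections import defaultdict

# Line shape assumed for this example (not FIRMADYNE's real format):
#   firmadyne: <hook>[PID: <pid> (<comm>)]: key:value key:value ...
LINE_RE = re.compile(r"^firmadyne: (?P<hook>\w+)\[PID: (?P<pid>\d+) \((?P<comm>[^)]*)\)\]: (?P<args>.*)$")
KV_RE = re.compile(r"(\w+):(\S+)")


def parse_hook_log(text):
    """Turn instrumented kernel-log lines into (hook, comm, {key: value}) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["hook"], m["comm"], dict(KV_RE.findall(m["args"]))))
    return events


def hex_to_ip(value):
    """The hook prints the IPv4 address as a host-order hex word (this example's convention)."""
    return socket.inet_ntoa(struct.pack("!I", int(value, 16)))


def infer_network(events):
    """Rebuild the interface topology the firmware tried to configure."""
    ips, vlans, bridges = {}, {}, defaultdict(list)
    for hook, _comm, a in events:
        if hook == "register_vlan_dev":          # eth0.1 = VLAN 1 on eth0
            vlans[a["dev"]] = (a["parent"], int(a["vlan_id"]))
        elif hook == "br_add_if":                # br0 gained member eth0.1
            bridges[a["br"]].append(a["dev"])
        elif hook == "__inet_insert_ifa":        # an IPv4 address was assigned
            ips[a["device"]] = hex_to_ip(a["ifa"])

    def physical(dev):
        """Resolve a device to the (physical interface, vlan id) pairs beneath it."""
        if dev in bridges:
            return [p for member in bridges[dev] for p in physical(member)]
        if dev in vlans:
            return [vlans[dev]]
        return [(dev, None)]

    bindings = []
    for dev, ip in ips.items():
        if dev == "lo":
            continue
        for phys, vlan in physical(dev):
            bindings.append({"ip": ip, "dev": dev, "phys": phys, "vlan": vlan})
    return bindings


def select_bindings(bindings):
    """Keep only bindings the emulator can realise: wired ethN ports, tagged if needed."""
    chosen = [b for b in bindings if b["phys"].startswith("eth")]
    return sorted((b["phys"], b["vlan"], b["ip"]) for b in chosen)


# Constructed log excerpt (not real device output).
SAMPLE_LOG = """\
firmadyne: register_vlan_dev[PID: 1 (init)]: parent:eth0 dev:eth0.1 vlan_id:1
firmadyne: register_vlan_dev[PID: 1 (init)]: parent:eth0 dev:eth0.2 vlan_id:2
firmadyne: br_add_if[PID: 210 (brctl)]: br:br0 dev:eth0.1
firmadyne: br_add_if[PID: 210 (brctl)]: br:br0 dev:wl0
firmadyne: __inet_insert_ifa[PID: 1 (init)]: device:lo ifa:0x7f000001
firmadyne: __inet_insert_ifa[PID: 230 (ifconfig)]: device:br0 ifa:0xc0a80101
firmadyne: __inet_insert_ifa[PID: 245 (udhcpc)]: device:eth0.2 ifa:0x0a000001
some unrelated dmesg line that the parser must ignore
"""

if __name__ == "__main__":
    for phys, vlan, ip in select_bindings(infer_network(parse_hook_log(SAMPLE_LOG))):
        tag = f" (802.1Q tag {vlan})" if vlan is not None else ""
        print(f"attach host tap to {phys}{tag}, guest address {ip}")
```

The point of resolving through bridges and VLAN devices is that the address the firmware considers its LAN side (here 192.168.1.1 on `br0`) is only reachable from outside if the emulated NIC carries the right tag on the right port; the wireless member `wl0` is dropped because no such peripheral exists in the emulator.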

  12. Automated Analyses
  • Accessible Webpages
    – Checks for unauthenticated webpages
    – Command injection / information disclosure
  • SNMP Information
    – Dumps public SNMP data
    – Information disclosure
  • Vulnerability Detection
    – Checks for the presence of known vulnerabilities

  13. Firmware Analysis Progress by Vendor
  [Stacked bar chart: number of firmware images (0–6000) at each pipeline stage: Downloaded, Extracted, Architecture Identified, Initial Emulation, Network Inferred, Network Reachable, Exploited; bars broken down by vendor: Netgear, D-Link, Tomato by Shibby, Synology, ZyXEL, OpenWrt, TP-Link, TRENDnet, Polycom, QNAP, Other.]

  14. Vulnerability Analysis
  • Discovered 14 previously-unknown vulnerabilities
    – New vulnerabilities can be automatically tested across the entire dataset
    – Selected 60 applicable vulnerabilities from Metasploit
  • Of 1,971 firmware images that were network reachable, 43%* (846) were vulnerable to at least one exploit
    – Estimated to affect 89+ different products
  * Corrected

  15. Unknown Vulnerabilities
  • Discovered 14 unknown vulnerabilities affecting 69 firmware images across 12+ products using our analyses
    – Command Injection (Netgear)
    – Buffer Overflow (D-Link)
    – Information Disclosure (D-Link & Netgear)
  • Responsible disclosure to vendors and CERT
    – VU#548680: affected D-Link devices
    – VU#615808: affected Netgear devices
  • Fix is expected by end of February / mid-March

  16. Netgear Command Injection (CVE-2016-1555)
  • Unauthenticated webpages with debug functionality were accidentally included
    – Used to write manufacturing data, e.g. MAC addresses, firmware region, and serial number
    – Can be detected with our instrumentation
  • Form input is passed directly as a command-line argument to the shell
    – Affects 65 firmware images across 7+ products
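The marker-based command-injection check that the “&& cat 0xDEADBEEF” probe hints at, as an added example rather than the FIRMADYNE implementation: it generates one marker per (form parameter, shell context) pair and confirms a hit only when the instrumented execve trace shows `cat` itself being executed with that marker, which separates real injection from a marker that merely travelled through a quoted argument. The trace format, the `mfgtool` binary and the log lines are constructed for the example.

```python
import json
import re

# Ways a value can break out of a shell command line; each wraps a "cat <marker>" probe.
CONTEXTS = {
    "semicolon": "; cat {m}",
    "and":       "&& cat {m}",
    "pipe":      "| cat {m}",
    "backtick":  "`cat {m}`",
    "subshell":  "$(cat {m})",
}

# Assumed trace line shape (not FIRMADYNE's real format): argv is logged as a JSON list.
LINE_RE = re.compile(r"^firmadyne: do_execve\[PID: (?P<pid>\d+) \((?P<comm>[^)]*)\)\]: argv=(?P<argv>\[.*\])$")


def build_probes(params):
    """One unique marker per (parameter, context) so a hit identifies both."""
    probes = []
    for i, (param, ctx) in enumerate(((p, c) for p in params for c in CONTEXTS), start=1):
        marker = f"0xD{i:07X}"          # stands in for the slide's 0xDEADBEEF
        probes.append({"param": param, "context": ctx, "marker": marker,
                       "payload": "1.2.3.4 " + CONTEXTS[ctx].format(m=marker)})
    return probes


def parse_execve_log(text):
    """Yield (comm, argv) for every execve line in the trace."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["comm"], json.loads(m["argv"])


def naive_detect(text, probes):
    """Grep for markers anywhere in the trace: flags quoted, harmless reflections too."""
    return [(p["param"], p["context"]) for p in probes if p["marker"] in text]


def detect(text, probes):
    """Count a hit only when `cat <marker>` itself was exec'd, i.e. the shell honoured our operator."""
    by_marker = {p["marker"]: p for p in probes}
    hits = []
    for _comm, argv in parse_execve_log(text):
        if len(argv) >= 2 and argv[0].rsplit("/", 1)[-1] == "cat" and argv[1] in by_marker:
            p = by_marker[argv[1]]
            hits.append((p["param"], p["context"]))
    return hits


PROBES = build_probes(["host", "mac"])

# Constructed trace (not real device output): 'host' is single-quoted by the CGI, so the
# marker reaches ping as a literal argument; 'mac' is spliced in unquoted and cat runs.
SAMPLE_TRACE = """\
firmadyne: do_execve[PID: 302 (httpd)]: argv=["/bin/sh", "-c", "ping -c 1 '1.2.3.4 && cat 0xD0000002'"]
firmadyne: do_execve[PID: 303 (sh)]: argv=["/bin/ping", "-c", "1", "1.2.3.4 && cat 0xD0000002"]
firmadyne: do_execve[PID: 320 (httpd)]: argv=["/bin/sh", "-c", "mfgtool setmac 1.2.3.4 ; cat 0xD0000006"]
firmadyne: do_execve[PID: 321 (sh)]: argv=["/usr/bin/mfgtool", "setmac", "1.2.3.4"]
firmadyne: do_execve[PID: 322 (sh)]: argv=["/bin/cat", "0xD0000006"]
"""

if __name__ == "__main__":
    print("naive:", naive_detect(SAMPLE_TRACE, PROBES))
    print("confirmed:", detect(SAMPLE_TRACE, PROBES))
```

A sink that wraps the value in single quotes needs an extra context that first closes the quote (e.g. `' ; cat {m} ; '`), which is why the contexts are a table rather than a single string; `naive_detect` is kept only to show that grepping the whole trace for the marker reports the quoted `host` parameter as vulnerable when it is not.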

  17. D-Link Buffer Overflow (CVE-2016-1558)
  • Web server sets a dlink_uid cookie to track sessions for authenticated users
    – Value is passed to strlen() and then memcpy() with the attacker-chosen length, with no bounds check
  • Setting the cookie to a long string crashes the web server at e.g. 0x41414141 (“AAAA” from the cookie)
    – Affects 13 firmware images across 5+ products

  18. D-Link & Netgear Information Disclosure
  • Unauthenticated services provide sensitive information
    – Web pages (CVE-2016-1556)
    – SNMP queries (CVE-2016-1557, CVE-2016-1559)
  • Insecure default configuration
    – Affects 54 firmware images across 10+ products

  19. Code Reuse
  • Sercomm Backdoor (CVE-2014-0659)
    – Unauthenticated remote attackers can dump the device configuration
    – Affects 282 firmware images across 16+ products in our dataset
    – Our results show that On Networks and TRENDnet devices are also affected
  • MiniUPnPd Denial of Service (CVE-2013-0229)
    – Parsing flaw in the open-source, internet-facing UPnP daemon
    – Affects 169 firmware images across 14+ products in our dataset
  • OpenSSL ChangeCipherSpec (CVE-2014-0224)
    – TLS implementation accepts a ChangeCipherSpec before the key exchange completes, letting a man-in-the-middle force weak keying material and decrypt traffic
    – Affects 169 firmware images across 27+ products in our dataset

  20. Classification of Tested Vulnerabilities
  [Pie chart of the tested vulnerabilities by class: Authentication Bypass, Backdoor, Buffer Overflow, Command Execution, Cryptographic Flaw, Denial of Service, File Upload, Information Disclosure. Slice labels read 33%, 33%, 16%, 7%, 5%, 4%, 1%, 1%; which label belongs to which class is not recoverable from the extracted text.]

  21. Conclusion
  • FIRMADYNE allows full-system emulation and dynamic analysis of Linux-based firmware
    – Infers the network configuration of the firmware
    – Emulates hardware peripherals, e.g. NVRAM
    – Automatically checks for vulnerabilities across the dataset
  • 43% of all network-reachable firmware images are vulnerable to at least one exploit
    – Future work: investigating code sharing among OEMs
  • Open-source and available today
    – https://github.com/firmadyne
    – Patches welcome!

  22. Questions
  • Dominic Chen (ddchen@cmu.edu)
