Academia.eduAcademia.edu

Outline

Title
Abstract
Introduction
Background
System Design
Dataset and Experimental Setup
Related Work
Limitations and Future Work
Conclusion
References
All Topics
Computer Science

Conware: Automated Modeling of Hardware Peripherals

Profile image of Chad SpenskyChad Spensky

2021, Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security

https://doi.org/10.1145/3433210.3437532
visibility

description

15 pages

link

1 file

Abstract

Emulation is at the core of many security analyses. However, emulating embedded systems is still not possible in most cases. To facilitate this critical analysis, we present Conware, a hardware emulation framework that can automatically generate models for hardware peripherals, which alleviates one of the major challenges currently hindering embedded systems emulation. Conware enables individual peripherals to be modeled, exported, and combined with other peripherals in a pluggable fashion. Conware achieves this by first obtaining a recording of the low-level hardware interactions between the firmware and the peripheral, using either existing methods or our source-code instrumentation technique. These recordings are then used to create high-fidelity automata representations of the peripheral using novel automata-generation techniques. The various models can then be merged to facilitate full-system emulation of any embedded firmware that uses any of the modeled peripherals, even if t...

Related papers

On Generating Security Implementations from Models of Embedded Systems
Mehrdad Saadatmand

ICSEA 2011, The Sixth …, 2011

Designing secure embedded systems is a challenging task. Many of the challenges unique to embedded systems in this regard are due to the constraints that these systems have and thus impacts that security features will have on other properties of the system. Therefore, security decisions should be considered from early phases of development and together with other requirements. In model-driven methods, this means including security features in the design models. On the other hand, code generation from models is one of the promises of model-driven approaches. In this paper, by discussing the impacts of security design decisions on timing properties, we present the idea of automatic security code generation. We identify what issues a model for an embedded system should be able to answer and cover so that the security implementations that are later generated from it, will be consistent with the timing constraints and specifications of the system.

View PDFchevron_right
Proceedings of the WESS'15: Workshop on Embedded Systems Security
Stavros Koubias

2015

View PDFchevron_right
Proceedings of the WESS'15: Workshop on Embedded Systems Security - WESS'15
Stavros Koubias

2015

View PDFchevron_right
A framework for testing hardware-software security architectures
Mahadevan Gomathisankaran

2010

New security architectures are difficult to prototype and test at the design stage. Fine-grained monitoring of the interactions between hardware, the operating system and applications is required. We have designed and prototyped a testing framework, using virtualization, that can emulate the behavior of new hardware mechanisms in the virtual CPU and can perform a wide range of hardware and software attacks on the system under test.

View PDFchevron_right
SAFE-OPS: An approach to embedded software security
Amir Choudhary

ACM Transactions on Embedded Computing Systems, 2005

The new-found ubiquity of embedded processors in consumer and industrial applications brings with it an intensified focus on security, as a strong level of trust in the system software is crucial to their widespread deployment. The growing area of software protection attempts to address the key steps used by hackers in attacking a software system. In this paper, we introduce a unique approach to embedded software protection that utilizes a hardware/software codesign methodology. Results demonstrate that this framework can be the successful basis for the development of embedded applications that meet a wide range of security and performance requirements.

View PDFchevron_right
Industrial Applications of Emulation Techniques for the Early Evaluation of Secure Low-Power Embedded Systems
Holger Bock

Embedded systems that follow a secure and low-power design methodology are, besides keeping strict design constraints, heavily dependent on comprehensive test and verification procedures. The large set of possible test vectors and the increasing density of System-on-Chip designs call for the introduction of hardware-accelerated techniques to solve the verification time problem. As already described earlier, emulation-based methodologies based on FPGA evaluation platforms prove capable of providing a solution compared to traditional system simulation. This chapter gives an introduction into a multidisciplinary emulation-based design evaluation and verification methodology that is based on various techniques that have been presented in chapter 5. Test and verification capabilities are enhanced by the augmentation of this approach using model-based analysis units: gate-level-based power consumption models, power supply network models, event-based performance monitors, and high-level fault modes. The feasible usage of this verification methodology in the field of contactlessly powered smart cards is finally demonstrated using several industrial case studies.

View PDFchevron_right
A model-based approach to integrating security policies for embedded devices
Michael McDougall

2004

Embedded devices like smartcards can now run multiple interacting applications. A particular challenge in this domain is to dynamically integrate diverse security policies. In this paper we show how a framework based on a concise formal model lets us securely customize a payment card equipped with a programmable chip. We present policy automata, a formal model of computations that grant or deny access to a resource. This model combines defeasible logic with state machines, representing complex policies as combinations of simpler modular policies. We use the model in a framework for specifying, merging and analyzing modular policies. This framework is implemented as Polaris, a tool which analyzes policy automata to reveal potential conflicts or redundancies, and compiles automata into Java Card applets.

View PDFchevron_right
Secure Embedded Systems: The Threat of Reverse Engineering
Ian McLoughlin

2008

Companies releasing newly designed embedded products typically recoup the cost of development through initial sales, and thus are unlikely to welcome early competition based around rapid reverse engineering of their products. By contrast, competitors able to shorten time-to-market though reverse engineering will gain design cost and market share advantages. Reverse engineering for nefarious purposes appears to be commonplace, and has significant cost impact on industry sales and profitability.

View PDFchevron_right
Modeling Requirements for Security-enhanced Design of Embedded Systems
Jelena Milosevic

Proceedings of the 11th International Conference on Security and Cryptography, 2014

Designing an embedded system is a complex process that involves working on both hardware and software. The first step in the design process is defining functional and non-functional requirements; among them, it is fundamental to also consider security. We propose an effective way for designers to specify security requirements starting from User Security Requirements. User Security Requirements are high-level requirements related to security attacks that the system should be able to withstand. We also provide a mechanism to automatically translate these User Requirements into System Security Requirements, that include a detailed description of security solutions. For expressing requirements we use Unified Modeling Language (UML); specifically, we create a UML profile to describe user requirements and we use model-to-model transformation to automatically generate system requirements. We show the effectiveness of the modeling scheme and of the translation mechanism by applying our methodology to a case study based on wearable devices for e-health monitoring.

View PDFchevron_right
On the difficulty of software-based attestation of embedded devices
Aurélien Francillon

Proceedings of the 16th ACM conference on Computer and communications security, 2009

Device attestation is an essential feature in many security protocols and applications. The lack of dedicated hardware and the impossibility to physically access devices to be attested, makes attestation of embedded devices, in applications such as Wireless Sensor Networks, a prominent challenge. Several software-based attestation techniques have been proposed that either rely on tight time constraints or on the lack of free space to store malicious code. This paper investigates the shortcomings of existing software-based attestation techniques. We first present two generic attacks, one based on a return-oriented rootkit and the other on code compression. We further describe specific attacks on two existing proposals, namely SWATT and ICE-based schemes, and argue about the difficulty of fixing them. All attacks presented in this paper were implemented and validated on commodity sensors.

View PDFchevron_right

References (39)

  1. Open Review Mobicomm 2020. [n.d.]. Device-agnostic Firmware Execution is Possible: A Concolic Execution Approach for Peripheral Emulation. https: //openreview.net/pdf?id=rylaZ6iIDr.
  2. Altium. 2017. NEC Infrared Transmission Protocol. https://techdocs.altium.com/ display/FPGA/NEC+Infrared+Transmission+Protocol.
  3. Atmel. 2015. SAM3X/ SAM3A Series (DATASHEET). https://ww1.microchip.com/ downloads/en/DeviceDoc/Atmel-11057-32-bit-Cortex-M3-Microcontroller- SAM3X-SAM3A_Datasheet.pdf.
  4. BARRAGAN. 2013. Sweep. https://www.arduino.cc/en/Tutorial/Sweep.
  5. Fabrice Bellard. 2005. QEMU, a fast and portable dynamic translator.. In USENIX Annual Technical Conference, FREENIX Track, Vol. 41. 46.
  6. Jacob Beningo. 2016. Prototype to production: Arduino for the professional. https://www.edn.com/prototype-to-production-arduino-for-the-professional/.
  7. Duane Benson. 2015. Arduino as a rapid prototyping system. https://www. embedded.com/arduino-as-a-rapid-prototyping-system/.
  8. Daming D Chen, Maverick Woo, David Brumley, and Manuel Egele. 2016. To- wards Automated Dynamic Analysis for Linux-based Embedded Firmware.. In Proceedings of the Network and Distributed System Security Symposium (NDSS), Vol. 16. 1-16.
  9. Abraham Clements, Eric Gustafson, Tobias Scharnowski, Paul Grosen, David Fritz, Christopher Kruegel, Giovanni Vigna, Saurabh Bagchi, and Mathias Payer. 2020. HALucinator: Firmware Re-hosting through Abstraction Layer Emulation. Proceedings of the 29th USENIX Security Symposium (USENIX '20) (2020).
  10. Furkan Comert and Tolga Ovatman. 2015. Attacking state space explosion prob- lem in model checking embedded TV software. IEEE Transactions on Consumer Electronics 61, 4 (2015), 572-579.
  11. Brendan Dolan-Gavitt, Josh Hodosh, Patrick Hulin, Tim Leek, and Ryan Whelan. 2015. Repeatable reverse engineering with PANDA. In Proceedings of the 5th Program Protection and Reverse Engineering Workshop. 1-11.
  12. Bo Feng, Alejandro Mera, and Long Lu. 2020. P 2 IM: Scalable and Hardware- independent Firmware Testing via Automatic Peripheral Interface Modeling (extended version). Proceedings of the 29th USENIX Security Symposium (USENIX '20) (2020).
  13. Jack Ganssle. 2004. Reentrancy. In The Firmware Handbook. Elsevier, 231-244.
  14. Geeetech. 2012. Arduino IR Remote Control. http://www.geeetech.com/wiki/ index.php/Arduino_IR_Remote_Control.
  15. Giovani Gracioli and Sebastian Fischmeister. 2012. Tracing and recording in- terrupts in embedded software. Journal of Systems Architecture 58, 9 (2012), 372-385.
  16. Joe Grand and July Friday. 2004. Advanced hardware hacking techniques. DEF- CON 12 (2004), 59.
  17. Eric Gustafson, Marius Muench, Chad Spensky, Nilo Redini, Aravind Machiry, Yanick Fratantonio, Davide Balzarotti, Aurelien Francillon, Yung Ryn Choe, Christophe Kruegel, et al. 2019. Toward the Analysis of Embedded Firmware through Automated Re-hosting. In 22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2019). 135-150.
  18. Lee Harrison, Hayawardh Vijayakumar, Rohan Padhye, Koushik Sen, Michael Grace, Rohan Padhye, Caroline Lemieux, Koushik Sen, Laurent Simon, Hayawardh Vijayakumar, et al. 2020. Partemu: Enabling dynamic analysis of real-world trustzone software using emulation. In Proceedings of the 29th USENIX Security Symposium (USENIX '20).
  19. John Hopcroft. 1971. An n log n algorithm for minimizing states in a finite automaton. In Theory of machines and computations. Elsevier, 189-196.
  20. Markus Kammerstetter, Daniel Burian, and Wolfgang Kastner. 2016. Embedded security testing with peripheral device caching and runtime program state ap- proximation. In 10th International Conference on Emerging Security Information, Systems and Technologies (SECUWARE).
  21. Markus Kammerstetter, Christian Platzer, and Wolfgang Kastner. 2014. Prospect: peripheral proxying supported embedded code testing. In Proceedings of the 9th ACM symposium on Information, computer and communications security. 329-340.
  22. Karl Koscher, Tadayoshi Kohno, and David Molnar. 2015. SURROGATES: Enabling near-real-time dynamic analyses of embedded systems. In 9th USENIX Workshop on Offensive Technologies (WOOT '15).
  23. Chris Lattner. 2008. LLVM and Clang: Next generation compiler technology. In The BSD conference, Vol. 5.
  24. Chris Lattner and Vikram Adve. 2004. LLVM: A compilation framework for lifelong program analysis & transformation. In International Symposium on Code Generation and Optimization, 2004. CGO 2004. IEEE, 75-86.
  25. ARM Limited. 2010. Cortex-M3 Technical Reference Manual (Revision
  26. Peter S Magnusson, Magnus Christensson, Jesper Eskilson, Daniel Forsgren, Gustav Hallberg, Johan Hogberg, Fredrik Larsson, Andreas Moestedt, and Bengt Werner. 2002. Simics: A full system simulation platform. Computer 35, 2 (2002), 50-58.
  27. Marius Muench, Dario Nisi, Aurélien Francillon, and Davide Balzarotti. 2018. Avatar2: A multi-target orchestration platform. In Workshop on Binary Analysis Research (Colocated with NDSS Symposium), Vol. 18. 1-11.
  28. Marius Muench, Jan Stijohann, Frank Kargl, Aurélien Francillon, and Davide Balzarotti. 2018. What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices.. In Proceedings of the Network and Distributed System Security Symposium (NDSS).
  29. Osbourne, Paul. [n.d.].
  30. CMSIS-SVD Repository and Parsers. https://github.com/ posborne/cmsis-svd.
  31. Ivan Pustogarov, Qian Wu, and David Lie. [n.d.].
  32. Ex-vivo dynamic analysis framework for Android device drivers. ([n. d.]).
  33. Nilo Redini, Aravind Machiry, Ruoyu Wang, Chad Spensky, Andrea Continella, Yan Shoshitaishvili, Christopher Kruegel, and Giovanni Vigna. 2020. KARONTE: Detecting Insecure Multi-binary Interactions in Embedded Firmware. In 2020 IEEE Symposium on Security and Privacy (SP). 431-448.
  34. Miro Samek. 2016. State Machines for Event-Driven Systems. https://barrgroup. com/embedded-systems/how-to/state-machines-event-driven-systems.
  35. Yan Shoshitaishvili, Ruoyu Wang, Christopher Salls, Nick Stephens, Mario Polino, Andrew Dutcher, John Grosen, Siji Feng, Christophe Hauser, Christopher Kruegel, et al. 2016. Sok:(state of) the art of war: Offensive techniques in binary analysis. In 2016 IEEE Symposium on Security and Privacy (SP). IEEE, 138-157.
  36. Dokyung Song, Felicitas Hetzelt, Dipanjan Das, Chad Spensky, Yeoul Na, Stijn Volckaert, Giovanni Vigna, Christopher Kruegel, Jean-Pierre Seifert, and Michael Franz. 2019. PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary.. In Proceedings of the Network and Distributed System Security Symposium (NDSS).
  37. Seyed Mohammadjavad Seyed Talebi, Hamid Tavakoli, Hang Zhang, Zheng Zhang, Ardalan Amiri Sani, and Zhiyun Qian. 2018. Charm: Facilitating dynamic analysis of device drivers of mobile systems. In 27th USENIX Security Symposium (USENIX '18). 291-307.
  38. LLC. Where Labs. 2019. Bus Pirate. http://dangerousprototypes.com/docs/Bus_ Pirate.
  39. Jonas Zaddach, Luca Bruno, Aurelien Francillon, Davide Balzarotti, et al. 2014. AVATAR: A Framework to Support Dynamic Security Analysis of Embedded Systems' Firmwares.. In Proceedings of the Network and Distributed System Security Symposium (NDSS), Vol. 14. 1-16.

Related papers

Avatar: A Framework to Support Dynamic Security Analysis of Embedded Systems’ Firmwares
Aurélien Francillon

Proceedings 2014 Network and Distributed System Security Symposium, 2014

To address the growing concerns about the security of embedded systems, it is important to perform accurate analysis of firmware binaries, even when the source code or the hardware documentation are not available. However, research in this field is hindered by the lack of dedicated tools. For example, dynamic analysis is one of the main foundations of security analysis, e.g., through dynamic taint tracing or symbolic execution. Unlike static analysis, dynamic analysis relies on the ability to execute software in a controlled environment, often an instrumented emulator. However, emulating firmwares of embedded devices requires accurate models of all hardware components used by the system under analysis. Unfortunately, the lack of documentation and the large variety of hardware on the market make this approach infeasible in practice. In this paper we present Avatar, a framework that enables complex dynamic analysis of embedded devices by orchestrating the execution of an emulator together with the real hardware. We first introduce the basic mechanism to forward I/O accesses from the emulator to the embedded device, and then describe several techniques to improve the system's performance by dynamically optimizing the distribution of code and data between the two environments. Finally, we evaluate our tool by applying it to three different security scenarios, including reverse engineering, vulnerability discovery and hardcoded backdoor detection. To show the flexibility of Avatar, we perform this analysis on three completely different devices: a GSM feature phone, a hard disk bootloader, and a wireless sensor node.

View PDFchevron_right
FirmAE: Towards Large-Scale Emulation of IoT Firmware for Dynamic Analysis
Suryeon Kim

Annual Computer Security Applications Conference, 2020

One approach to assess the security of embedded IoT devices is applying dynamic analysis such as fuzz testing to their firmware in scale. To this end, existing approaches aim to provide an emulation environment that mimics the behavior of real hardware/peripherals. Nonetheless, in practice, such approaches can emulate only a small fraction of firmware images. For example, Firmadyne, a state-of-theart tool, can only run 183 (16.28%) of 1,124 wireless router/IP-camera images that we collected from the top eight manufacturers. Such a low emulation success rate is caused by discrepancy in the real and emulated firmware execution environment. In this study, we analyzed the emulation failure cases in a largescale dataset to figure out the causes of the low emulation rate. We found that widespread failure cases often avoided by simple heuristics despite having different root causes, significantly increasing the emulation success rate. Based on these findings, we propose a technique, arbitrated emulation, and we systematize several heuristics as arbitration techniques to address these failures. Our automated prototype, FirmAE, successfully ran 892 (79.36%) of 1,124 firmware images, including web servers, which is significantly (≈4.8x) more images than that run by Firmadyne. Finally, by applying dynamic testing techniques on the emulated images, FirmAE could check 320 known vulnerabilities (306 more than Firmadyne), and also find 12 new 0-days in 23 devices. • Security and privacy → Embedded systems security; • Computer systems organization → Firmware.

View PDFchevron_right
A large scale analysis of the security of embedded firmwares
Aurélien Francillon

As embedded systems are more than ever present in our society, their security is becoming an increasingly important issue. However, based on the results of many recent analyses of individual firmware images, embedded systems acquired a reputation of being insecure. Despite these facts, we still lack a global understanding of embedded systems' security as well as the tools and techniques needed to support such general claims.

View PDFchevron_right
Challenges in Firmware Re-Hosting, Emulation, and Analysis
Saurabh Bagchi

ACM Computing Surveys, 2022

System emulation and firmware re-hosting have become popular techniques to answer various security and performance related questions, such as determining whether a firmware contain security vulnerabilities or meet timing requirements when run on a specific hardware platform. While this motivation for emulation and binary analysis has previously been explored and reported, starting to either work or research in the field is difficult. To this end, we provide a comprehensive guide for the practitioner or system emulation researcher. We layout common challenges faced during firmware re-hosting, explaining successive steps and surveying common tools used to overcome these challenges. We provide classification techniques on five different axes, including emulator methods, system type, fidelity, emulator purpose, and control. These classifications and comparison criteria enable the practitioner to determine the appropriate tool for emulation. We use our classifications to categorize popul...

View PDFchevron_right
Karonte: Detecting Insecure Multi-binary Interactions in Embedded Firmware
Chad Spensky

2020 IEEE Symposium on Security and Privacy (SP)

Low-power, single-purpose embedded devices (e.g., routers and IoT devices) have become ubiquitous. While they automate and simplify many aspects of users' lives, recent large-scale attacks have shown that their sheer number poses a severe threat to the Internet infrastructure. Unfortunately, the software on these systems is hardware-dependent, and typically executes in unique, minimal environments with non-standard configurations, making security analysis particularly challenging. Many of the existing devices implement their functionality through the use of multiple binaries. This multi-binary service implementation renders current static and dynamic analysis techniques either ineffective or inefficient, as they are unable to identify and adequately model the communication between the various executables. In this paper, we present KARONTE, a static analysis approach capable of analyzing embedded-device firmware by modeling and tracking multi-binary interactions. Our approach propagates taint information between binaries to detect insecure interactions and identify vulnerabilities. We first evaluated KARONTE on 53 firmware samples from various vendors, showing that our prototype tool can successfully track and constrain multi-binary interactions. This led to the discovery of 46 zero-day bugs. Then, we performed a large-scale experiment on 899 different samples, showing that KARONTE scales well with firmware samples of different size and complexity.

View PDFchevron_right

Related topics

  • Computer Science
    • 580 California St., Suite 400
    San Francisco, CA, 94104
    © 2025 Academia. All rights reserved