Challenges in Firmware Re-Hosting, Emulation, and Analysis

2022, ACM Computing Surveys

https://doi.org/10.1145/3423167

Abstract

System emulation and firmware re-hosting have become popular techniques for answering various security- and performance-related questions, such as determining whether firmware contains security vulnerabilities or meets timing requirements when run on a specific hardware platform. While this motivation for emulation and binary analysis has previously been explored and reported, starting to either work or do research in the field is difficult. To this end, we provide a comprehensive guide for the practitioner or system emulation researcher. We lay out common challenges faced during firmware re-hosting, explaining successive steps and surveying common tools used to overcome these challenges. We provide classification techniques on five different axes, including emulator methods, system type, fidelity, emulator purpose, and control. These classifications and comparison criteria enable the practitioner to determine the appropriate tool for emulation. We use our classifications to categorize popul...

  198. Hongfa Xue, Shaowen Sun, Guru Venkataramani, and Tian Lan. 2019. Machine Learning-Based Analysis of Program Binaries: A Comprehensive Study. IEEE Access 7 (2019), 65889-65912.
  199. Seung Jei Yang, Jung Ho Choi, Ki Bom Kim, and Taejoo Chang. 2015. New Acquisition Method Based on Firmware Update Protocols for Android Smartphones. Digital Investigation 14 (2015), S68 -S76. https://doi.org/10.1016/j.diin. 2015.05.008 The Proceedings of the Fifteenth Annual DFRWS Conference.
  200. Miao Yu, Jianwei Zhuge, Ming Cao, Zhiwei Shi, and Lin Jiang. 2020. A Survey of Security Vulnerability Analysis, Discovery, Detection, and Mitigation on IoT Devices. Future Internet 12, 2 (Feb 2020), 27. https://doi.org/10.3390/ fi12020027
  201. Insu Yun, Sangho Lee, Meng Xu, Yeongjin Jang, and Taesoo Kim. 2018. QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing. In 27th USENIX Security Symposium. 745-761.
  202. Jonas Zaddach, Luca Bruno, AurÃľlien Francillon, and Davide Balzarotti. 2014. Avatar: A Framework to Support Dynamic Security Analysis of Embedded Systems' Firmwares. In Network and Distributed Systems Security Symposium. https://doi.org/10.14722/ndss.2014.23229
  203. Jonas Zaddach, Anil Kurmus, Davide Balzarotti, Erik-Oliver Blass, Aurélien Francillon, Travis Goodspeed, Moitrayee Gupta, and Ioannis Koltsidas. 2013. Implementation and Implications of a Stealth Hard-Drive Backdoor. In Proceedings of the 29th Annual Computer Security Applications Conference. Association for Computing Machinery, New York, NY, USA, 279-288. https://doi.org/10.1145/2523649.2523661
  204. Ruijin Zhu, Yu-an Tan, Quanxin Zhang, Yuanzhang Li, and Jun Zheng. 2016. Determining Image Base of Firmware for ARM Devices by Matching Literal Pools. Digital Investigation 16 (2016), 19 -28. https://doi.org/10.1016/j.diin. 2016.01.002
  205. Ruijin Zhu, Baofeng Zhang, Junjie Mao, Quanxin Zhang, and Yu-an Tan. 2017. A Methodology for Determining the Image Base of ARM-Based Industrial Control System Firmware. International Journal of Critical Infrastructure Protection 16 (2017), 26 -35. https://doi.org/10.1016/j.ijcip.2016.12.002