a large scale analysis of the security of embedded
play

A Large Scale Analysis of the Security of Embedded Firmwares A. - PowerPoint PPT Presentation

Jan 07, 2023 •295 likes •1.03k views

A Large Scale Analysis of the Security of Embedded Firmwares A. Costin , J. Zaddach, A. Francillon, D. Balzarotti EURECOM, France 20th August 2014 USENIX Security '14 San Diego, USA Embedded Systems Are Everywhere Andrei Costin 2 By

  1. A Large Scale Analysis of the Security of Embedded Firmwares A. Costin , J. Zaddach, A. Francillon, D. Balzarotti EURECOM, France 20th August 2014 USENIX Security '14 – San Diego, USA

  2. Embedded Systems Are Everywhere Andrei Costin 2 By Wilgengebroed on Flickr [CC-BY-2.0]

  3. Smarter & More Complex Andrei Costin 3 By Wilgengebroed on Flickr [CC-BY-2.0]

  4. Heavily Interconnected Andrei Costin 4 By Wilgengebroed on Flickr [CC-BY-2.0]

  5. Many Examples of Insecure Embedded Systems ● Routers Andrei Costin 5

  6. Many Examples of Insecure Embedded Systems ● Routers ● Printers Andrei Costin 6

  7. Many Examples of Insecure Embedded Systems ● Routers ● Printers ● VoIP Andrei Costin 7

  8. Many Examples of Insecure Embedded Systems ● Routers ● Printers ● VoIP ● Cars Andrei Costin 8

  9. Many Examples of Insecure Embedded Systems ● Routers ● Printers ● VoIP ● Cars ● Drones Andrei Costin 9

  10. Many Examples of Insecure Embedded Systems ● Routers ● Printers ● VoIP ● Cars ● Drones ● ... Andrei Costin 10

  11. Many Examples of Insecure Embedded Systems ● Routers ● Printers ● VoIP ● Cars ● Drones ● ... ● Each of above is a result of an individual analysis ● Manual and tedious efforts, Does not scale Andrei Costin 11

  12. The Goal Perform a large scale analysis to provide a better undestanding of the problem Andrei Costin 12

  13. The Problem With Large Scale Analysis ● Heterogeneity of ● Hardware, architectures, OSes ● Users, requirements ● Security goals Andrei Costin 13

  14. The Problem With Large Scale Analysis ● Heterogeneity of ● Hardware, architectures, OSes ● Users, requirements ● Security goals ● Manual analysis does not scale, it requires ● Finding and downloading the firmwares ● Unpacking and performing initial analysis ● Re -discovering the same or similar bug in other firmwares Andrei Costin 14

  15. Previous Approaches ● Test on real devices [Bojinov09CCS] ● Accurate results ● Does not scale well Andrei Costin 15

  16. Previous Approaches ● Test on real devices [Bojinov09CCS] ● Accurate results ● Does not scale well ● Scan devices on the Internet ● Large scale testing [Cui10ACSAC] – Can only test for known vulnerabilities – Blackbox approach ● More is too intrusive [Census2012] Andrei Costin 16

  17. Our Approach to The Large Scale Analysis ● Collect a large number of firmware images Andrei Costin 17

  18. Our Approach to The Large Scale Analysis ● Collect a large number of firmware images ● Perform broad but simple static analysis Andrei Costin 18

  19. Our Approach to The Large Scale Analysis ● Collect a large number of firmware images ● Perform broad but simple static analysis ● Correlate across firmwares Andrei Costin 19

  20. Our Approach to The Large Scale Analysis ● Collect a large number of firmware images ● Perform broad but simple static analysis ● Correlate across firmwares ● Advantages ● No intrusive online testing, no devices involved ● Scalable Andrei Costin 20

  21. Our Approach to The Large Scale Analysis ● Collect a large number of firmware images ● Perform broad but simple static analysis ● Correlate across firmwares ● Advantages ● No intrusive online testing, no devices involved ● Scalable ● But many challenges Andrei Costin 21

  22. Mainstream Systems Have Centralized Updates Andrei Costin 22

  23. Challenge: Embedded Systems Have No Centralized Updates Andrei Costin 23

  24. Collecting a Dataset ● No large scale firmware dataset yet ● As opposed to existing datasets in security or other CS research areas Andrei Costin 24

  25. Collecting a Dataset ● No large scale firmware dataset yet ● As opposed to existing datasets in security or other CS research areas ● We collected a subset of the firmwares available for download Andrei Costin 25

  26. Collecting a Dataset ● No large scale firmware dataset yet ● As opposed to existing datasets in security or other CS research areas ● We collected a subset of the firmwares available for download ● Many firmwares are not publicly available ● Not intended to have an upgrade ● Require product purchase and registration Andrei Costin 26

  27. Collecting a Dataset ● No large scale firmware dataset yet ● As opposed to existing datasets in security or other CS research areas ● We collected a subset of the firmwares available for download ● Many firmwares are not publicly available ● Not intended to have an upgrade ● Require product purchase and registration ● www.firmware.re project Andrei Costin 27

  28. Challenge: Firmware Identification Clearly a Firmware Andrei Costin 28

  29. Challenge: Firmware Identification Clearly a Firmware Clearly not a Firmware Andrei Costin 29

  30. Challenge: Firmware Identification Clearly a Firmware Clearly not a Firmware Uncertain Andrei Costin 30

  31. Challenge: Firmware Identification ● E.g., upgrade by printing a PS document Andrei Costin 31

  32. Challenge: Unpacking & Custom Formats ● How to reliably unpack and learn formats? Andrei Costin 32

  33. Challenge: Unpacking & Custom Formats ● How to reliably unpack and learn formats? ● E.g., vendor provides a .ZIP 'firmware package' ● .ZIP→.EXE+.PS – .EXE→self-extracting archive ● Extract more or not? ● Turns out to contain a printer driver inside Andrei Costin 33

  34. Challenge: Unpacking & Custom Formats ● How to reliably unpack and learn formats? ● E.g., vendor provides a .ZIP 'firmware package' ● .ZIP→.EXE+.PS – .EXE→self-extracting archive ● Extract more or not? ● Turns out to contain a printer driver inside – .PS→ASCII85 stream→ELF file that could be: ● A complete embedded system software ● An executable performing the firmware upgrade ● A firmware patch Andrei Costin 34

  35. Challenge: Unpacking & Custom Formats ● How to reliably unpack and learn formats? ● E.g., vendor provides a .ZIP 'firmware package' ● .ZIP→.EXE+.PS – .EXE→self-extracting archive ● Extract more or not? ● Turns out to contain a printer driver inside – .PS→ASCII85 stream→ELF file that could be: ● A complete embedded system software ● An executable performing the firmware upgrade ● A firmware patch ● Often, a firmware image→just 'data' binary blob Andrei Costin 35

  36. Our Approach to Unpacking & Custom Formats ● We compared existing tools ● Used BAT (Binary Analysis Toolkit) ● Extended it with multiple custom unpackers ● Continuous development effort Andrei Costin 36

  37. Our Approach to Unpacking & Custom Formats ● We compared existing tools ● Used BAT (Binary Analysis Toolkit) ● Extended it with multiple custom unpackers ● Continuous development effort ● Often, a firmware image→just 'data' binary blob ● File carving required ● Bruteforce at every offset with all known unpackers Andrei Costin 37

  38. Our Approach to Unpacking & Custom Formats ● We compared existing tools ● Used BAT (Binary Analysis Toolkit) ● Extended it with multiple custom unpackers ● Continuous development effort ● Often, a firmware image→just 'data' binary blob ● File carving required ● Bruteforce at every offset with all known unpackers ● Heuristics for detecting when to stop Andrei Costin 38

  39. Challenge: Scalability & Computational Limits ● Unpacking and file carving is very CPU intensive Andrei Costin 39

  40. Challenge: Scalability & Computational Limits ● Unpacking and file carving is very CPU intensive ● Results in millions of unpacked files ● Manual analysis infeasible ● One-to-one fuzzy hash comparison is CPU intensive Andrei Costin 40

  41. Challenge: Results Confirmation ● An issue found statically ● May not apply to a real-device ● Cannot guarantee exploitability ● E.g., vulnerable daemon present but never started Andrei Costin 41

  42. Challenge: Results Confirmation ● An issue found statically ● May not apply to a real-device ● Cannot guarantee exploitability ● E.g., vulnerable daemon present but never started ● Issue confirmation is difficult ● Requires advanced analysis (static & dynamic) ● Often requires real embedded devices ● Does not scale well in heterogeneous environments Andrei Costin 42

  43. Architecture Firmware Datastore Internet Crawl Andrei Costin 43

  44. Architecture Firmware Datastore Internet Public Web Interface Crawl Submit Andrei Costin 44

  45. Architecture Firmware Datastore Internet Public Web Interface Crawl Submit Firmware Analysis Cloud Andrei Costin 45

  46. Architecture Firmware Datastore Internet Public Web Interface Crawl Submit Firmware Analysis Cloud Master Andrei Costin 46

  47. Architecture Firmware Datastore Internet Public Web Interface Crawl Submit Firmware Analysis Cloud Master Distribute Password Hash Cracker Unpacking Static Analysis Fuzzy Hashing Workers Andrei Costin 47

  48. Architecture Firmware Datastore Internet Public Web Interface Crawl Submit Firmware Analysis Cloud Master Distribute Firmware Password Analysis & Hash Cracker Reports DB Unpacking Static Analysis Fuzzy Hashing Workers Andrei Costin 48

Recommend

A Large-Scale Analysis of the Security of Embedded Firmwares Andrei Cos+n, Jonas Zaddach, Aurlien

A Large-Scale Analysis of the Security of Embedded Firmwares Andrei Cos+n, Jonas Zaddach, Aurlien

A Large-Scale Analysis of the Security of Embedded Firmwares Andrei Cos+n, Jonas Zaddach, Aurlien Francillon, and Davide Balzaro:, Eurecom h;ps://www.usenix.org/conference/usenixsecurity14/technical-sessions/presenta+on/ cos+n Saeid Mofrad

1.14k views • 22 slides
A"Large(Scale"Analysis"of"the"

A"Large(Scale"Analysis"of"the"

A"Large(Scale"Analysis"of"the" Security"of"Embedded"Firmwares Presented(by(Zhenyu Ning 1 Contents 1.(Background 2.(Motivation(&(Challenges 3.(Architecture 4.(Analysis(Result(&(Case(study

784 views • 23 slides
A Scalable Processor with Embedded Software for Large- Scale Scientific Applications Daniel Alex

A Scalable Processor with Embedded Software for Large- Scale Scientific Applications Daniel Alex

A Scalable Processor with Embedded Software for Large- Scale Scientific Applications Daniel Alex Finkelstein and Haldun Hadimioglu Polytechnic University, Brooklyn, NY, USA Outline 1. Motivation/Goals and Related Work 2. Peripheral Context

887 views • 29 slides
Meeting the Challenges of Ultra- -Large Large- -Scale Scale Meeting the Challenges of Ultra

Meeting the Challenges of Ultra- -Large Large- -Scale Scale Meeting the Challenges of Ultra

Meeting the Challenges of Ultra- -Large Large- -Scale Scale Meeting the Challenges of Ultra Distributed Real- -time & Embedded time & Embedded Distributed Real (DRE) Systems (DRE) Systems Wednesday, May 30, 2007, ISORC, , ISORC,

730 views • 49 slides
Granula: Toward Fine-grained Performance Analysis of Large-scale Graph Processing Platforms Wing

Granula: Toward Fine-grained Performance Analysis of Large-scale Graph Processing Platforms Wing

Granula: Toward Fine-grained Performance Analysis of Large-scale Graph Processing Platforms Wing Lung Ngai, Tim Hegeman, Stijn Heldens, and Alexandru Iosup @Large Research Massivizing Computer Systems Large-scale Graph Processing 2 OpenG

266 views • 13 slides
Introduction to Performance Analysis Visualization and Analysis of Performance on Large-scale

Introduction to Performance Analysis Visualization and Analysis of Performance on Large-scale

Introduction to Performance Analysis Visualization and Analysis of Performance on Large-scale Software VAPLS 2013 Todd Gamblin Katherine Isaacs UC Davis, LLNL LLNL Why does my code run slowly? Bad algorithm 1. Poor computational

2.17k views • 12 slides
robust control for analysis and design of large-scale optimization algorithms Laurent Lessard

robust control for analysis and design of large-scale optimization algorithms Laurent Lessard

robust control for analysis and design of large-scale optimization algorithms Laurent Lessard University of WisconsinMadison Joint work with Ben Recht and Andy Packard LCCC Workshop on Large-Scale and Distributed Optimization Lund

435 views • 32 slides
Multi-scale Analysis of Large Distributed Computing Systems Lucas M. Schnorr, Arnaud Legrand,

Multi-scale Analysis of Large Distributed Computing Systems Lucas M. Schnorr, Arnaud Legrand,

Introduction Multi-scale Analysis Approach Experimental Framework Results and Analysis Conclusion Multi-scale Analysis of Large Distributed Computing Systems Lucas M. Schnorr, Arnaud Legrand, Jean-Marc Vincent INRIA Mescal, CNRS LIG

583 views • 27 slides
Using CellProfiler for Biological Image Analysis Quantitative Analysis of Large-Scale Biological

Using CellProfiler for Biological Image Analysis Quantitative Analysis of Large-Scale Biological

Using CellProfiler for Biological Image Analysis Quantitative Analysis of Large-Scale Biological Image Data Mark-Anthony Bray, Ph.D Imaging Platform, Broad Institute Cambridge, Massachusetts, USA mbray@broadinstitute.org 0.4233 54,454

701 views • 52 slides
FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large Scale Solar Lead April 2017 CONTENTS 1. Introduction to CEFC 2. Investment trends 3. The future of large scale solar 4. Pathway to sustainable

664 views • 21 slides
Meeting the Challenges of Ultra- -Large Large- -Scale Scale Meeting the Challenges of Ultra

Meeting the Challenges of Ultra- -Large Large- -Scale Scale Meeting the Challenges of Ultra

Meeting the Challenges of Ultra- -Large Large- -Scale Scale Meeting the Challenges of Ultra Distributed Real- -time & Embedded Systems time & Embedded Systems Distributed Real with QoS- -enabled Middleware & enabled

682 views • 50 slides
Large-Scale Distributed Systems and Networks TDDE35 Lectures on Embedded Systems Petru Eles

Large-Scale Distributed Systems and Networks TDDE35 Lectures on Embedded Systems Petru Eles

Large-Scale Distributed Systems and Networks TDDE35 Lectures on Embedded Systems Petru Eles Institutionen fr Datavetenskap (IDA) Linkpings Universitet email: petru.eles@liu.se http://www.ida.liu.se/~petel71/ phone: 28 1396 B building,

1.52k views • 128 slides
Deviations in Load Testing of Large Scale Systems Haroon Malik Software Analysis and

Deviations in Load Testing of Large Scale Systems Haroon Malik Software Analysis and

Automatic Detection of Performance Deviations in Load Testing of Large Scale Systems Haroon Malik Software Analysis and Intelligence Lab (SAIL) Queens University, Kingston, Canada Large scale systems need to satisfy performance constraints

822 views • 37 slides
SMALL SCALE EFFECT ON THE BUCKLING ANALYSIS OF DOUBLE-LAYER GRAPHENE NANORIBBONS EMBEDDED IN AN

SMALL SCALE EFFECT ON THE BUCKLING ANALYSIS OF DOUBLE-LAYER GRAPHENE NANORIBBONS EMBEDDED IN AN

18 TH INTERNATIONAL CONFERENCE ON COMPOSITE MATERIALS SMALL SCALE EFFECT ON THE BUCKLING ANALYSIS OF DOUBLE-LAYER GRAPHENE NANORIBBONS EMBEDDED IN AN ELASTIC MATRIX J.X. Shi 1 , T. Natsuki 2 , X.W. Lei 1 , Q.Q. Ni 2 * 1 Interdisciplinary Graduate

328 views • 6 slides
Who we are Eshard - Embedded Security Company Software & Hardware Security What do we

Who we are Eshard - Embedded Security Company Software & Hardware Security What do we

Who we are Eshard - Embedded Security Company Software & Hardware Security What do we do: @eshardNews Tools: Side Channel / Code Analysis Consultancy https://www.eshard.com Audit contact@eshard.com Training

752 views • 54 slides
The Picnic Post-Quantum Signature Scheme and its Security Analysis Itai Dinur Ben-Gurion

The Picnic Post-Quantum Signature Scheme and its Security Analysis Itai Dinur Ben-Gurion

The Picnic Post-Quantum Signature Scheme and its Security Analysis Itai Dinur Ben-Gurion University Credit for some slides: Melissa Chase and Picnic team Post-Quantum Cryptography Large-scale quantum computer could efficiently factor large

533 views • 34 slides
Analysis Algorithms for Large-Scale Networks Dan Meehan meehan.49@osu.edu Table of Contents

Analysis Algorithms for Large-Scale Networks Dan Meehan meehan.49@osu.edu Table of Contents

Analysis Algorithms for Large-Scale Networks Dan Meehan meehan.49@osu.edu Table of Contents Algorithm analysis overview Degree distribution Characteristic path length Betweenness centrality Exact Approximate

585 views • 23 slides
Scalable performance analysis of large-scale parallel applications Brian Wylie & Markus

Scalable performance analysis of large-scale parallel applications Brian Wylie & Markus

Scalable performance analysis of large-scale parallel applications Brian Wylie & Markus Geimer J lich Supercomputing Centre scalasca@fz-juelich.de September 2010 Performance analysis, tools & techniques Profile analysis

582 views • 24 slides
embedded security October 2015 The Old Model (simplified view) Embedded Security Benedikt

embedded security October 2015 The Old Model (simplified view) Embedded Security Benedikt

embedded security October 2015 The Old Model (simplified view) Embedded Security Benedikt Gierlichs KU Leuven, COSIC IACR Summer school 2015 Chia Laguna, Italy Attack on channel between communicating parties Encryption and

412 views • 6 slides
Analysis of large-scale variability of the surface air chemical composition in the Northern

Analysis of large-scale variability of the surface air chemical composition in the Northern

Analysis of large-scale variability of the surface air chemical composition in the Northern Eurasia K. B. Moiseenko, N.F. Elansky, A. I. Skorokhod, I.B. Belikov, A.I. Safronov, N.V. Pankratova, A.V. Vivchar, E.V. Beresina Obukhov Institute for

471 views • 27 slides
Going Na)ve: Using a Large-Scale Analysis of Android Apps to Create a Prac)cal Na)ve-Code

Going Na)ve: Using a Large-Scale Analysis of Android Apps to Create a Prac)cal Na)ve-Code

Going Na)ve: Using a Large-Scale Analysis of Android Apps to Create a Prac)cal Na)ve-Code Sandboxing Policy Vitor Afonso, Antonio Bianchi, Yanick Fratantonio, Adam Doupe, Mario Polino, Paulo de Geus , Christopher Kruegel, and Giovanni Vigna

557 views • 30 slides
Analysis of Large Scale Visual Recogni4on Fei-Fei Li and

Analysis of Large Scale Visual Recogni4on Fei-Fei Li and

Analysis of Large Scale Visual Recogni4on Fei-Fei Li and Olga Russakovsky Olga Russakovsky, Jia Deng, Zhiheng Huang, Alex Berg, Li Fei-Fei Detec4ng

848 views • 60 slides
Large Scale Complex Network Analysis using Large Scale Complex Network Analysis using the Hybrid

Large Scale Complex Network Analysis using Large Scale Complex Network Analysis using the Hybrid

Large Scale Complex Network Analysis using Large Scale Complex Network Analysis using the Hybrid Combination of a the Hybrid Combination of a MapReduce Cluster and MapReduce Cluster and a Highly Multithreaded System a Highly Multithreaded

449 views • 22 slides
INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO

INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO

INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO ENVIRONMENTAL CONFLICT RESOLUTION America Speaks presentation to the 2008 ECR Conference Table Introductions Please form groups of 4-5 and give: Your name

848 views • 41 slides

More recommend