
FirmFuzz: Automated IoT Firmware Introspection and Analysis - PowerPoint PPT Presentation



  1. FirmFuzz: Automated IoT Firmware Introspection and Analysis. Prashast Srivastava, Hui Peng, Jiahao Li, Hamed Okhravi, Howard Shrobe, Mathias Payer

  2. Internet of Things

  4. Internet of Things: 233 CVEs assigned from Jan 2018 to Nov 2019

  8. Fuzz Target: a Linux-based firmware image is made up of the Linux kernel and vendor-written software. The kernel is open-source and can be independently analyzed; the vendor-written software is the fuzz target.

  15. Deep Analysis: Challenges and Solutions
      - Challenge: syntactically legal input generation. Solution: utilize the web API
      - Challenge: fine-grained vulnerability monitoring. Solution: monitor injection into the runtime environment
      - Challenge: device-independent dynamic analysis. Solution: full-system emulation of the firmware image

  20. FirmFuzz Design: the firmware image passes through the Information Gathering Phase, the Preparation Phase and the Fuzzing Phase, which reports bugs.

  21. Information Gathering Phase
      - Credentials: discover authentication credentials to increase fuzzer coverage
      - Attack surface mapping: static analysis of PHP scripts to find inputs for vulnerable code paths; perform taint analysis to build input constraints

  22. Preparation Phase
      - Helper injection: allows FirmFuzz to perform fine-grained vulnerability monitoring
          - Command injection (CI): helper binaries
          - Buffer overflow (BO) and null-pointer dereference (NPD): exception handling mechanism of the kernel
          - Cross-site scripting (XSS): host-side monitoring
      - Device mapping: firmware may require unsupported peripherals during runtime; FirmFuzz automatically creates mappings to a fake peripheral
      - Network configuration: FirmFuzz logs interactions with the kernel networking interface and creates an appropriate virtual network configuration

  23. Fuzzing Phase
      - Syntactically legal input generation: use a headless browser for interaction with the web API
      - Deterministic vulnerability detection: leverage the runtime monitors (CI, BO, NPD, XSS) for vulnerability detection
      - Fuzzing side-effect elimination: use snapshots to revert the firmware to a consistent state
      - Payload delivery: bypass web API validation checks by generating raw requests
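The PHP static analysis of the information-gathering phase (slide 21) and the input constraints it hands to the input generator of the fuzzing phase (slide 23), as an added Python illustration that is not FirmFuzz's own code: it maps each request parameter of a constructed vendor-style PHP handler to the command-execution and echo sinks it reaches, skipping uses wrapped in a sanitizer, and records the validation checks applied to each parameter as its input constraint. The PHP snippet, the regexes and the function names are assumptions; real firmware scripts would need a proper PHP parser.

```python
import re

# Constructed vendor-style PHP handler (an assumption, not from any real firmware image).
PHP_SOURCE = r'''<?php
$host = $_POST['host'];
$count = $_GET['count'];
$name = $_POST['name'];
if (!is_numeric($count)) { die("bad count"); }
$out = shell_exec("ping -c " . $count . " " . $host);
echo "<pre>" . htmlspecialchars($out) . "</pre>";
echo "Hello " . $name;
'''

SOURCE_RE = re.compile(r"\$(\w+)\s*=\s*\$_(GET|POST|REQUEST|COOKIE)\['(\w+)'\]")
ASSIGN_RE = re.compile(r"^\s*\$(\w+)\s*=\s*(.+);")
CHECK_RE = re.compile(r"(is_numeric|ctype_\w+|preg_match|strlen)\s*\(([^)]*)\)")
CI_SINKS = ("shell_exec", "system", "exec", "passthru", "popen")
SANITIZERS = ("htmlspecialchars", "htmlentities", "escapeshellarg", "escapeshellcmd")

def tainted_vars(expr, taint):
    """Request parameters reaching any $var in expr, unless that use is wrapped in a sanitizer."""
    origins = set()
    for m in re.finditer(r"(?:(\w+)\s*\(\s*)?\$(\w+)", expr):
        wrapper, var = m.group(1), m.group(2)
        if var in taint and wrapper not in SANITIZERS:
            origins |= taint[var]
    return origins

def analyze(src):
    """Map each request parameter to the sinks it reaches and the checks applied to it."""
    taint = {}        # $var -> set of "METHOD.param" origins
    constraints = {}  # origin -> validation functions seen on its path
    findings = []     # (origin, sink kind)
    for line in src.splitlines():
        m = SOURCE_RE.search(line)
        if m:  # a request parameter enters the script
            taint[m.group(1)] = {f"{m.group(2)}.{m.group(3)}"}
            continue
        for chk in CHECK_RE.finditer(line):  # a validation call is an input constraint
            for origin in tainted_vars(chk.group(2), taint):
                constraints.setdefault(origin, []).append(chk.group(1))
        if any(s + "(" in line for s in CI_SINKS):  # command-execution sink
            findings += [(o, "CI") for o in tainted_vars(line, taint)]
        if line.lstrip().startswith("echo"):  # unescaped output sink (XSS)
            findings += [(o, "XSS") for o in tainted_vars(line, taint)]
        m = ASSIGN_RE.match(line)
        if m:  # propagate taint through plain assignments
            taint[m.group(1)] = tainted_vars(m.group(2), taint)
    return sorted(set(findings)), constraints
```

On the constructed handler this reports `host` and `count` reaching the command sink and `name` reaching an unescaped echo, while the `htmlspecialchars`-wrapped output is not flagged; `count` carries the `is_numeric` constraint a generator must respect to get past the check.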

  24. Fuzzing Workflow (diagram built up across slides 24 to 27; no text content)

  28. Evaluation
      - Analyzed 6427 firmware images scraped from three vendors
      - Found 7 vulnerabilities across 6 different devices
      - Average runtime for the fuzzing phase was 16.7 minutes

  31. Firmware Image Breakdown
      Vendor     Network inferred   Fuzzed (unique devices)   Unique web UI
      TRENDnet   26                 6 (5)                     2
      Netgear    162                20 (17)                   3
      D-Link     15                 6 (5)                     1
      Total      203                32 (27)                   6
      - Sharp drop-off between network-inferred and fuzzed images
      - High reusability of web interfaces between different devices

  32. Comparison Against Existing Work
      No.  Vulnerability  CVE-ID           FirmFuzz  Web vulnerability scanners  Firmadyne
      1    CI             CVE-2018-19239   ✔         ⨯                           ⨯
      2    XSS            -                ✔         ✔                           ⨯
      3    BO             CVE-2018-19242   ✔         ⨯                           ⨯
      4    BO             -                ✔         ⨯                           ⨯
      5    BO             CVE-2018-19240   ✔         ⨯                           ⨯
      6    BO             CVE-2018-19241   ✔         ⨯                           ⨯
      7    NPD            -                ✔         ⨯                           ⨯

  33. Conclusion
      - We presented FirmFuzz, an automated dynamic analysis framework for finding deep vulnerabilities
      - A generational fuzzer that leverages runtime monitors to aid vulnerability discovery
      - We found seven unknown vulnerabilities across six different devices

  34. Questions? Source code: https://github.com/Hexhive/Firmfuzz
