firmfuzz automated iot firmware introspection and analysis
play

FirmFuzz: Automated IoT Firmware Introspection and Analysis - PowerPoint PPT Presentation

Sep 26, 2022 •577 likes •922 views

FirmFuzz: Automated IoT Firmware Introspection and Analysis Prashast Srivastava, Hui Peng, Jiahao Li, Hamed Okhravi, Howard Shrobe, Mathias Payer Internet of Things 2 Internet of Things 3 Internet of Things - 233 CVEs assigned from Jan

  1. FirmFuzz: Automated IoT Firmware Introspection and Analysis Prashast Srivastava, Hui Peng, Jiahao Li, Hamed Okhravi, Howard Shrobe, Mathias Payer

  2. Internet of Things 2

  3. Internet of Things 3

  4. Internet of Things - 233 CVE’s assigned from Jan 2018 - Nov 2019 4

  5. Internet of Things - 233 CVE’s assigned from Jan 2018 - Nov 2019 5

  6. Fuzz Target Linux-based Firmware Image Open-source Vendor-written Linux kernel software software 6

  7. Fuzz Target Linux-based Firmware Image Open-source Vendor-written Linux kernel software software Can be independently analyzed 7

  8. Fuzz Target Linux-based Firmware Image Open-source Vendor-written Linux kernel software software Open-source Can be independently analyzed 8 Openly analyzed

  9. Deep Analysis Challenges Solutions 9

  10. Deep Analysis Challenges Solutions Syntactically legal input generation 10

  11. Deep Analysis Challenges Solutions Syntactically legal input generation Utilize the web API 11

  12. Deep Analysis Challenges Solutions Syntactically legal input generation Utilize the web API Fine-grained vulnerability monitoring 12

  13. Deep Analysis Challenges Solutions Syntactically legal input generation Utilize the web API Fine-grained vulnerability monitoring Monitor injection into runtime environment 13

  14. Deep Analysis Challenges Solutions Syntactically legal input generation Utilize the web API Fine-grained vulnerability monitoring Monitor injection into runtime environment Device-independent dynamic analysis 14

  15. Deep Analysis Challenges Solutions Syntactically legal input generation Utilize the web API Fine-grained vulnerability monitoring Monitor injection into runtime environment Device-independent dynamic analysis Full-system emulation of firmware image 15

  16. FirmFuzz Design Firmware 16

  17. FirmFuzz Design 🔎 Information Gathering Firmware Phase 17

  18. FirmFuzz Design 🔎 Information Gathering Firmware Phase Preparation Phase 18

  19. FirmFuzz Design 🔎 Information Gathering Firmware Phase Fuzzing Phase Preparation Phase 19

  20. FirmFuzz Design 🔎 Information Gathering Firmware Phase Bugs Fuzzing Phase Preparation Phase 20

  21. Information Gathering Phase Firmware 🔎 - Discover authentication credentials - Increase fuzzer coverage - Static analysis of PHP scripts - Find inputs for vulnerable code paths - Perform taint analysis to build input constraints Credentials ********** Attack Surface Mapping 21

  22. Preparation Phase - Helper injection ฀ Helper - Allows FirmFuzz to perform fine-grained vulnerability monitoring Injection - CI — Helper binaries - BO, NPD — Exception handling mechanism of the kernel - XSS — Host-side monitoring Device - Peripheral mapping Mapping Network - Firmware may require unsupported peripherals during runtime Configuration - FirmFuzz automatically creates mappings to a fake peripheral - Network configuration - FirmFuzz logs interactions with the kernel networking interface - Creates an appropriate virtual network configuration 22

  23. Fuzzing Phase - Syntactically legal input generation - Use headless browser for interaction with web API - Deterministic vulnerability detection - Leverage runtime monitors for vulnerability detection CI BO NPD XSS - Fuzzing side-effects elimination - Use snapshots to revert firmware to a consistent state Firmware - Payload delivery - Bypass web API validation checks by generating raw requests 23

  24. Fuzzing Workflow 24

  25. Fuzzing Workflow 25

  26. Fuzzing Workflow 26

  27. Fuzzing Workflow 27

  28. Evaluation - Analyzed 6427 firmware images scraped from three vendors - Found 7 vulnerabilities across 6 different devices - Average runtime for the fuzzing phase was 16.7 minutes 28

  29. Firmware Image Breakdown Vendor Network Inferred Fuzzed Unique (Unique Devices) Web UI TRENDnet 26 6 (5) 2 Netgear 162 20 (17) 3 D-Link 15 6 (5) 1 Total 203 32 (27) 6 29

  30. Firmware Image Breakdown Vendor Network Inferred Fuzzed Unique (Unique Devices) Web UI TRENDnet 26 6 (5) 2 Netgear 162 20 (17) 3 D-Link 15 6 (5) 1 Total 203 32 (27) 6 Sharp drop-off between network inferred and fuzzed images 30

  31. Firmware Image Breakdown Vendor Network Inferred Fuzzed Unique (Unique Devices) Web UI TRENDnet 26 6 (5) 2 Netgear 162 20 (17) 3 D-Link 15 6 (5) 1 Total 203 32 (27) 6 High reusability of web interfaces between different devices 31

  32. Comparison Against Existing Work Number Vulnerability CVE-ID FirmFuzz Web vulnerability Firmadyne scanners ⨯ ⨯ ✔ 1 CI CVE-2018-19239 ⨯ 2 XSS - ✔ ✔ ⨯ ⨯ 3 BO CVE-2018-19242 ✔ ⨯ ⨯ 4 BO - ✔ ⨯ ⨯ 5 BO CVE-2018-19240 ✔ ⨯ ⨯ 6 BO CVE-2018-19241 ✔ ⨯ ⨯ 7 NPD - ✔ 32

  33. Conclusion - We presented FirmFuzz, an automated dynamic analysis framework for finding deep vulnerabilities - A generational fuzzer that leverages runtime monitors to aid the vulnerability discovery - We found seven unknown vulnerabilities across six different devices 33

  34. Questions ? ฀฀ Information Gathering Firmware Phase Bugs Fuzzing Phase Preparation Phase Source code: https://github.com/Hexhive/Firmfuzz 34

Recommend

Toward the Analysis of Embedded Firmware through Automated Re-hosting Eric Gustafson , Marius

Toward the Analysis of Embedded Firmware through Automated Re-hosting Eric Gustafson , Marius

Toward the Analysis of Embedded Firmware through Automated Re-hosting Eric Gustafson , Marius Muench, Chad Spensky, Nilo Redini, Aravind Machiry, Aurelien Francillon, Davide Balzarotti, Yung Ryn Choe, Christopher Kruegel, Giovanni Vigna Sandia

963 views • 71 slides
Towards Automated Dynamic Analysis for Linux-based Embedded Firmware Dominic Chen 1 , Manuel Egele

Towards Automated Dynamic Analysis for Linux-based Embedded Firmware Dominic Chen 1 , Manuel Egele

Towards Automated Dynamic Analysis for Linux-based Embedded Firmware Dominic Chen 1 , Manuel Egele 2 , Maverick Woo 1 , David Brumley 1 1 Carnegie Mellon University, 2 Boston University {ddchen, pooh, dbrumley}@cmu.edu, megele@bu.edu 2 FIRMADYNE

404 views • 22 slides
Towards Automated Classification of Firmware Images and Identification of Embedded Devices Andrei

Towards Automated Classification of Firmware Images and Identification of Embedded Devices Andrei

IFIP SEC '17 (Rome, Italy) Towards Automated Classification of Firmware Images and Identification of Embedded Devices Andrei Costin (University of Jyvaskyla) Apostolis Zarras (TUM) Aurelien Francillon (EURECOM) Agenda Introduction

577 views • 34 slides
Introspection and Consciousness: Wrap-Up Talk David Chalmers Introspection for Great Apes David

Introspection and Consciousness: Wrap-Up Talk David Chalmers Introspection for Great Apes David

Introspection and Consciousness: Wrap-Up Talk David Chalmers Introspection for Great Apes David Chalmers Four Issues The Power of Introspection 1. Doubts about Introspection 2. Mechanisms of Introspection 3. Introspection and Consciousness

733 views • 26 slides
Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples

Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples

avatar 2 Marius Muench 34c3 - December 29, 2017 Contents 1. Binary firmware analysis 2. Tooling landscape 3. The avatar 2 framework 4. Examples 5. Conclusion 1 Binary Firmware Analysis Motivation Amount of embedded devices steadily

3.29k views • 51 slides
Effective Validation of Firmware Enabling firmware development and validation to keep pace with

Effective Validation of Firmware Enabling firmware development and validation to keep pace with

Effective Validation of Firmware Enabling firmware development and validation to keep pace with hardware innovations. Tom Melham University of Oxford Problem Firmware today facing greater complexity and shorter schedules coded at low

478 views • 14 slides
Robustification through introspection and analysis tools. (Avoiding developer taxes)

Robustification through introspection and analysis tools. (Avoiding developer taxes)

Robustification through introspection and analysis tools. (Avoiding developer taxes) Stephen.Kennedy @ havok.com Principal Engineer Developer Taxes It's something you do, not because it actually benefits you specifically, but because it

642 views • 62 slides
Front-end Firmware Transition and Documentation Status/Plans/Proposals Kurtis Nishimura

Front-end Firmware Transition and Documentation Status/Plans/Proposals Kurtis Nishimura

Front-end Firmware Transition and Documentation Status/Plans/Proposals Kurtis Nishimura University of Hawaii December 14, 2012 US Firmware Meeting 1 v2 Firmware Version 2 firmware is largely done: New interface to the DAQ

273 views • 5 slides
Avatar - Enhancing Binary Firmware Security Analysis with Dynamic Multi-Target Orchestration

Avatar - Enhancing Binary Firmware Security Analysis with Dynamic Multi-Target Orchestration

CRYPTACUS Workshop Nijmegen, 16 - 18 November 2017 Avatar - Enhancing Binary Firmware Security Analysis with Dynamic Multi-Target Orchestration Marius Muench <marius.muench@eurecom.fr> PART I Avatar - Enhancing Binary Firmware

1.04k views • 26 slides
Component Firmware http://outflux.net/slides/2014/lss/firmware.pdf Linux Security Summit, Chicago

Component Firmware http://outflux.net/slides/2014/lss/firmware.pdf Linux Security Summit, Chicago

Component Firmware http://outflux.net/slides/2014/lss/firmware.pdf Linux Security Summit, Chicago 2014 Kees Cook <keescook@chromium.org> (pronounced Case) Overview Wait, which firmware? Threats Update methods

311 views • 20 slides
DUNE DAQ Firmware David Cussans Firmware Meeting 16/Jan/20 You Inst Logo You Inst Logo Goal

DUNE DAQ Firmware David Cussans Firmware Meeting 16/Jan/20 You Inst Logo You Inst Logo Goal

DUNE DAQ Firmware David Cussans Firmware Meeting 16/Jan/20 You Inst Logo You Inst Logo Goal Demonstrate upstream DAQ functions in firmware before design review - Have implementation ready before May 2020 10-second buffer Hit

466 views • 13 slides
Reversing and Exploiting an Apple Firmware Update K. Chen Black Hat USA, July 30th, 2009 K.

Reversing and Exploiting an Apple Firmware Update K. Chen Black Hat USA, July 30th, 2009 K.

Introduction Firmware Update Analysis Exploitation Reversing and Exploiting an Apple Firmware Update K. Chen Black Hat USA, July 30th, 2009 K. Chen Reversing and Exploiting an Apple Firmware Update Introduction Motivation Firmware Update

2.09k views • 190 slides
Rustifying the VM Introspection Ecosystem FOSDEM 2020 Dorian Eikenberg Mathieu Tarral Agenda

Rustifying the VM Introspection Ecosystem FOSDEM 2020 Dorian Eikenberg Mathieu Tarral Agenda

Rustifying the VM Introspection Ecosystem FOSDEM 2020 Dorian Eikenberg Mathieu Tarral Agenda What is VM Introspection ? VMI ecosystem today Rustifying the VM Introspection ecosystem Future work Virtualization

718 views • 33 slides
WIB Firmware and Software Requirements Josh Klein CE Review March 10, 2020 Background

WIB Firmware and Software Requirements Josh Klein CE Review March 10, 2020 Background

WIB Firmware and Software Requirements Josh Klein CE Review March 10, 2020 Background ProtoDUNE WIB operated (and continuing) successfully FPGA was an Altera Aria V All-firmware design, included different firmware sets for

843 views • 47 slides
Reversing firmware using radare2 [H2HC] A. Kochkov October, 2014 Motives Implement FOSS

Reversing firmware using radare2 [H2HC] A. Kochkov October, 2014 Motives Implement FOSS

Reversing firmware using radare2 [H2HC] A. Kochkov October, 2014 Motives Implement FOSS alternative (coreboot, OpenEC) Figure out possible attack vectors via firmware trojans We will take only case of modern PC/Laptop/Server firmware(s).

747 views • 46 slides
OpenPower Jeremy Kerr Firmware developer IBM Linux Technology Center jk@ozlabs.org Firmware

OpenPower Jeremy Kerr Firmware developer IBM Linux Technology Center jk@ozlabs.org Firmware

OpenPower Jeremy Kerr Firmware developer IBM Linux Technology Center jk@ozlabs.org Firmware OpenPower System architecture Development collaboration Linux platform openpowerfoundation.org POWER8 Machine State Register (MSR) PR PR=1

496 views • 36 slides
Automated capability analysis in Wordpress plugins Using static and dynamic analysis SNE RP2

Automated capability analysis in Wordpress plugins Using static and dynamic analysis SNE RP2

Automated capability analysis in Wordpress plugins Using static and dynamic analysis SNE RP2 Frank Uijtewaal Collab: DongIT (dongit.nl) Initial project goal Find a new and interesting type of security analysis for web applications

480 views • 35 slides
my.SWISSTRAFFIC Automated Traffic Collection & Analysis FULLY AUTOMATED TRAFFIC DATA

my.SWISSTRAFFIC Automated Traffic Collection & Analysis FULLY AUTOMATED TRAFFIC DATA

my.SWISSTRAFFIC Automated Traffic Collection & Analysis FULLY AUTOMATED TRAFFIC DATA COLLECTION AND ANALYTICS There is a high demand for reliable Traffic Data but Static data single-purpose data Invasive costly deployment &

404 views • 18 slides
OsmocomBB Free Software GSM baseband firmware for security analysis Harald Welte gnumonks.org

OsmocomBB Free Software GSM baseband firmware for security analysis Harald Welte gnumonks.org

GSM/3G Network Security Introduction Security Problems and the Baseband OsmocomBB Project Summary OsmocomBB Free Software GSM baseband firmware for security analysis Harald Welte gnumonks.org gpl-violations.org OpenBSC airprobe.org

830 views • 37 slides
A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web

A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web

A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web Alexei Bulazel & Blent Yener River Loop Security Rensselaer Polytechnic Institute (RPI) Introduction Automated dynamic malware analysis is

684 views • 33 slides
Reversing a firmware uploader & Others NFC stories 1

Reversing a firmware uploader & Others NFC stories 1

7/1/2019 Reversing a Firmware uploader & others NFC stories Reversing a firmware uploader & Others NFC stories 1 file:///D:/projects/pts2019/dist/index.html 1/41 7/1/2019 Reversing a Firmware uploader & others NFC stories

920 views • 41 slides
Status of DUNE DAQ Hardware/Firmware Development Status David Cussans DUNE DAQ Meeting 15 th

Status of DUNE DAQ Hardware/Firmware Development Status David Cussans DUNE DAQ Meeting 15 th

Status of DUNE DAQ Hardware/Firmware Development Status David Cussans DUNE DAQ Meeting 15 th October, 2018 Introduction Concentrating on firmware Agnostic of where it is implemented For TDR firmware will be demonstrated on

661 views • 14 slides
Software/firmware activities @ MZ Working concurrently on support of existent hardware and

Software/firmware activities @ MZ Working concurrently on support of existent hardware and

Software/firmware activities @ MZ Working concurrently on support of existent hardware and pre-phase1 circuitry Software (Jan) and firmware (Uli) for JEM processors Software (Jan, Christian) and firmware (Christian, Patric, Stephan)

645 views • 7 slides
Intelligence, Introspection Intelligence, Introspection and Intervention and Intervention The

Intelligence, Introspection Intelligence, Introspection and Intervention and Intervention The

Intelligence, Introspection Intelligence, Introspection and Intervention and Intervention The Vancouver Island Regional The Vancouver Island Regional Approach to Traffic Crashes Approach to Traffic Crashes Richard Stanwick Stanwick MD,

443 views • 26 slides

More recommend