
Toward the Analysis of Embedded Firmware through Automated Re-hosting (PowerPoint presentation)



  1. Toward the Analysis of Embedded Firmware through Automated Re-hosting. Eric Gustafson, Marius Muench, Chad Spensky, Nilo Redini, Aravind Machiry, Aurelien Francillon, Davide Balzarotti, Yung Ryn Choe, Christopher Kruegel, Giovanni Vigna.
     Sandia National Laboratories is a multimission laboratory managed and operated by National Technology & Engineering Solutions of Sandia, LLC, a wholly owned subsidiary of Honeywell International Inc., for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-NA0003525.

  2. Let’s secure the IoT! 2 Pretender

  3. ...but there’s all this crazy hardware...

  4. Our Analysis Goals:
     ● Fuzzing
       ○ Feed the program with lots of inputs until something bad happens
       ○ Make lots of copies of the code and its environment to make it feasible
     ● Symbolic Execution
       ○ Used to understand how data affects program behavior, and detect possible invalid behaviors
       ○ Needs a strong model of the code’s environment (software and hardware) to be tractable.

  5. What if...

  6. What if... [figure: the firmware bits being pulled off the device] Extract!

  7. What if... [figure: the extracted firmware running inside QEMU] Virtualize!

  8. What if... [figure: many copies of the firmware, each running in its own QEMU instance] Fuzz all the things!!!

  9. Re-hosting to the Rescue? “Re-hosting”: the act of transferring a piece of software from one execution environment into another, such as from a hardware device to a software emulator

  10. ...but there’s all this crazy hardware...

  11. Uh oh...

  12. Firmware is hard! [figure: two firmware stacks. OS-based firmware: device-specific code → syscalls → operating system → MMIO → hardware peripherals. Blobs: device-specific code → libraries (HALs, libc) → MMIO → hardware peripherals.]

  13. Peripherals are Hard! [figure: CPU, flash memory, RAM and on-chip peripherals (MMIO) connected by the memory bus]

  14. Peripherals are Hard! [figure: the memory bus connects the CPU, flash memory and RAM to on-chip peripherals (timers, I2C bus interface, power configuration, USART/UART interface), which in turn connect to off-chip devices (I2C devices, serial devices)]

  15. Peripherals are Hard!

  16. Peripherals are Hard!

  17. Peripherals are Hard! Two serial-port register maps from the same vendor family, side by side:

      STM32L152 Serial port              STM32F072 Serial port
      Offset  Register Name              Offset  Register Name
      0x0     Status                     0x0     Control 1
      0x4     Data (RX and TX)           0x4     Control 2
      0x8     Baud Rate                  0x8     Control 3
      0xC     Control 1                  0xC     Baud Rate
      0x10    Control 2                  0x10    GTPR
      0x14    Control 3                  0x14    RTOR
      …       …                          …       …
      0x18    GTPR                       0x20    Data RX
                                         0x24    Data TX

  18. Peripherals are Hard!
      ● Obtained a dataset of Cortex-M memory layouts as used by debuggers (SVD files)
      ● Data self-published by vendors (and is therefore extremely incomplete)
      ● 463 distinct chip models, 13 vendors, 1592 unique peripherals
      ● Mainline QEMU supports 3 Cortex-M CPUs, and zero of the above dataset!

  19. Emulation is Hard!
      ● Hardware-in-the-loop isn’t sufficient
        ○ One thread per device
        ○ One device reboot per execution
      ● Replay is not sufficient!
        ○ Can’t do fuzzing without input

  20-23. Four Attributes of Ideal Re-Hosting (built up one bullet per slide)
      ● Virtual
        ○ Does not require hardware at the time of emulation
      ● Abstraction-less
        ○ Does not rely on any aspect of the program
      ● Interactive
        ○ Responds to stimulus as the original hardware would
      ● Automatic
        ○ Requires a minimum of human intervention

  24. Re-hosting is hard! But are we doomed? Not yet.

  25. Can we observe the real hardware, to build models for an emulator?

  26. Pretender

  27. Recording [figure: inside the CPU sit the device-specific code, the libraries (HALs, libc), the MMIO interface and the internal peripherals; buses lead out to the external peripherals.] We want to record this [the MMIO interface], but it’s inside the CPU!

  28. Recording [figure: the device-specific code and libraries now run in QEMU; their MMIO accesses are forwarded over RPC by Avatar to the internal peripherals of the real device, which still drive the buses and external peripherals.] Now we just record here. Problem solved?

  29. Interrupts
      ● The current version of Avatar does not handle interrupts at all, but almost every firmware requires them
      ● Previous approaches leverage chip-specific hardware to observe interrupts
      ● Timing, masking, ordering, ... cause extreme complications

  30-35. Interrupt Recording (state of QEMU and of the hardware at each step)
      30. QEMU: RUNNING normal code. Hardware: RUNNING normal code. MMIO... MMIO... MMIO... (accesses are forwarded as before)
      31. Hardware: INTERRUPT 0x2F!!! The hardware enters its interrupt routine and is STOPPED. QEMU: still RUNNING normal code.
      32. Hardware: STOPPED in a fake interrupt routine. QEMU: RUNNING normal code.
      33. QEMU: “OK! Taking Interrupt 0x2F!!” QEMU is now RUNNING its interrupt routine; the hardware is RUNNING the fake interrupt routine.
      34. QEMU: RUNNING interrupt routine. Hardware: RUNNING fake interrupt routine.
      35. QEMU: “OK! Done with Interrupt 0x2F!!” QEMU: RUNNING normal code. Hardware: RUNNING normal code.

  36. Modeling
      1. Figure out which groups of memory locations are distinct “peripherals”
      2. Figure out which interrupts those peripherals fire, and under which conditions
      3. Assign a model to each location within the peripheral

  37-39. Grouping Peripherals (the recorded MMIO trace)
      Op.    Address     Value
      READ   0x40000004  0x1000
      WRITE  0x40010024  0x0
      READ   0x40002000  0x8000
      WRITE  0x40020004  0x1
      READ   0x40000008  0x8
      READ   0x40003000  0x10
      …      …           …
      Slide 38 places these addresses on the 0x40000000 to 0x50000000 range; slide 39 adds the “Clustering:” step that groups them into peripherals.
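As an added example (not code from the Pretender slides or project), a gap-based clustering of a constructed MMIO trace into candidate peripherals; the max_gap threshold and the helper names are assumptions standing in for the slide's clustering step.

```python
MMIO_BASE, MMIO_END = 0x40000000, 0x50000000  # peripheral address range from the slide

# Constructed trace in the slide's (op, address, value) shape.
TRACE = [
    ("READ",  0x40000004, 0x1000),
    ("WRITE", 0x40010024, 0x0),
    ("READ",  0x40002000, 0x8000),
    ("WRITE", 0x40020004, 0x1),
    ("READ",  0x40000008, 0x8),
    ("READ",  0x40003000, 0x10),
]

def group_peripherals(trace, max_gap=0x400):
    """Cluster the distinct MMIO addresses in trace into candidate peripherals.

    Addresses are sorted; a new group starts whenever the gap to the previous
    address exceeds max_gap (an assumed heuristic standing in for the slide's
    "Clustering:" step). Accesses outside the MMIO region are ignored.
    Returns one (lowest, highest) address pair per group.
    """
    addrs = sorted({addr for _, addr, _ in trace if MMIO_BASE <= addr < MMIO_END})
    groups = []
    for addr in addrs:
        if groups and addr - groups[-1][-1] <= max_gap:
            groups[-1].append(addr)
        else:
            groups.append([addr])
    return [(g[0], g[-1]) for g in groups]

def peripheral_of(addr, groups):
    """Index of the group whose range contains addr, or None."""
    for i, (lo, hi) in enumerate(groups):
        if lo <= addr <= hi:
            return i
    return None

def summarize(trace, groups):
    """Count reads and writes per inferred peripheral index."""
    counts = {}
    for op, addr, _ in trace:
        idx = peripheral_of(addr, groups)
        counts.setdefault(idx, {"READ": 0, "WRITE": 0})[op] += 1
    return counts

if __name__ == "__main__":
    groups = group_peripherals(TRACE)
    for i, (lo, hi) in enumerate(groups):
        print(f"peripheral {i}: 0x{lo:08X}-0x{hi:08X}", summarize(TRACE, groups)[i])
```

With the default threshold the six addresses fall into five peripherals; raising max_gap merges neighbouring ones, which is the knob a real clustering step has to tune.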

  40-42. Associating Interrupts (one peripheral’s registers, contents unknown at first)
      Offset  Value
      0x0     ????????
      0x4     ????????  (slide 41: 0xDEADBEEF is written here)
      0x8     ????????
      0xC     ????????
      0x10    ????????
      Slide 42: Interrupt 0x2F! Interrupt 0x2F! Interrupt 0x2F! Interrupt 0x2F! (the interrupt now fires repeatedly)

  43-45. Associating Interrupts (the accesses recorded between entering and leaving the interrupt routine)
      ISR ENTER 0x2F
      READ  Peripheral 1
      WRITE Peripheral 4
      READ  Peripheral 4
      WRITE Peripheral 1
      READ  Peripheral 4
      READ  Peripheral 4
      READ  Peripheral 4
      WRITE Peripheral 4
      WRITE Peripheral 1
      ISR EXIT 0x2F
      Slide 45: Peripheral 4 generates Interrupt 0x2F!

  46-47. Interrupt Trigger Inference
      Slide 46:
      Op.        Offset  Value
      WRITE      0x4     0xDEADBEEF
      …          …       …
      ENTER      0x2F
      Slide 47 (two recorded sequences, left and right column):
      Op.        Offset  Value       |  Op.        Offset  Value
      WRITE      0x4     0xFACEBEEF  |  WRITE      0x4     0xDEADBEEF
      …          …       …           |  …          …       …
      ISR ENTER  0x2F                |  ISR ENTER  0x2F
      WRITE      0x4     0x0000BEEF  |  ISR EXIT   0x2F
      …          …       …           |  …          …       …
      ISR ENTER  0x2F                |  WRITE      0x4     0xDEAD0000
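An added example, not the Pretender implementation, covering slides 43-47 together: it attributes an interrupt to the peripheral accessed most inside its ISR, then ANDs the values written to that peripheral before each ISR entry to find the bits every triggering write has in common. The trace, the (peripheral, offset) encoding and the function names are constructed assumptions.

```python
from collections import Counter
# Constructed trace in the shape of slides 43-47. MMIO entries are
# (op, (peripheral, offset), value); ISR entries are (op, irq, None).
TRACE = [
    ("WRITE", (4, 0x4), 0xFACEBEEF),
    ("ISR ENTER", 0x2F, None),
    ("READ", (1, 0x0), 0x1),
    ("WRITE", (4, 0x0), 0x1),
    ("READ", (4, 0x8), 0x10),
    ("WRITE", (4, 0x4), 0x0000BEEF),
    ("ISR EXIT", 0x2F, None),
    ("WRITE", (4, 0x4), 0xDEADBEEF),
    ("ISR ENTER", 0x2F, None),
    ("READ", (4, 0x8), 0x10),
    ("ISR EXIT", 0x2F, None),
    ("WRITE", (4, 0x4), 0xDEAD0000),
]

def isr_accesses(trace, irq):
    """MMIO accesses recorded between ISR ENTER and ISR EXIT of irq."""
    inside = False
    for op, target, value in trace:
        if op == "ISR ENTER" and target == irq:
            inside = True
        elif op == "ISR EXIT" and target == irq:
            inside = False
        elif inside and op in ("READ", "WRITE"):
            yield op, target, value

def associate_interrupt(trace, irq):
    """Peripheral touched most often inside irq's ISR (slide 45's heuristic)."""
    counts = Counter(periph for _, (periph, _), _ in isr_accesses(trace, irq))
    return counts.most_common(1)[0][0] if counts else None

def infer_trigger(trace, irq, periph):
    """Bits common to every write to periph that precedes an ISR ENTER of irq.
    Only the last write per offset before the interrupt, made outside the ISR, counts."""
    pending, common, inside = {}, {}, False
    for op, target, value in trace:
        if op == "ISR ENTER" and target == irq:
            inside = True
            for off, val in pending.items():
                common[off] = common.get(off, 0xFFFFFFFF) & val
            pending = {}
        elif op == "ISR EXIT" and target == irq:
            inside = False
        elif op == "WRITE" and not inside and target[0] == periph:
            pending[target[1]] = value
    return common
```

On this trace the two writes that precede interrupts, 0xFACEBEEF and 0xDEADBEEF, share 0xDA8CBEEF, so the low half of the register is the candidate enable/trigger field; the trailing 0xDEAD0000 is never followed by an interrupt and is ignored.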
