Toward the Analysis of Embedded Firmware through Automated Re-hosting
Eric Gustafson, Marius Muench, Chad Spensky, Nilo Redini, Aravind Machiry, Aurelien Francillon, Davide Balzarotti, Yung Ryn Choe, Christopher Kruegel, Giovanni Vigna
Sandia National Laboratories is a multimission laboratory managed and operated by National Technology & Engineering Solutions of Sandia, LLC, a wholly owned subsidiary of Honeywell International Inc., for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-NA0003525.
Let’s secure the IoT! 2 Pretender
...but there’s all this crazy hardware...
Our Analysis Goals:
● Fuzzing
○ Feed the program with lots of inputs until something bad happens
○ Make lots of copies of the code and its environment to make it feasible
● Symbolic Execution
○ Used to understand how data affects program behavior, and detect possible invalid behaviors
○ Needs a strong model of the code’s environment (software and hardware) to be tractable.
What if...
[Figure sequence: a firmware image, drawn as a stream of bits, is pulled off the device (Extract!), run inside QEMU (Virtualize!), and then cloned into many QEMU instances (Fuzz all the things!!!).]
Re-hosting to the Rescue?
“Re-hosting”: the act of transferring a piece of software from one execution environment into another, such as from a hardware device to a software emulator
...but there’s all this crazy hardware...
Uh oh...
Firmware is hard!
[Figure: two kinds of firmware, drawn as layers from top to bottom. OS-based firmware: device-specific code, syscalls, operating system, libraries (HALs, libc), MMIO, hardware peripherals. Blobs: device-specific code, libraries (HALs, libc), MMIO, hardware peripherals, with no operating system in between.]
Peripherals are Hard!
[Figure: a microcontroller. The CPU sits on a memory bus together with flash memory, RAM, and the on-chip peripherals (MMIO).]
Peripherals are Hard!
[Figure: the same microcontroller with the on-chip peripherals expanded: timers, an I2C bus interface, power configuration, and a serial (USART/UART) interface. The I2C bus interface and the serial interface each connect over their own bus to off-chip devices.]
Peripherals are Hard!
[Table: the serial-port register map of two STM32 chips. The same registers sit at different offsets.]

STM32F072 serial port
Offset  Register Name
0x0     Control 1
0x4     Control 2
0x8     Control 3
0xC     Baud Rate
0x10    GTPR
0x14    RTOR
…       …
0x20    Data RX
0x24    Data TX

STM32L152 serial port
Offset  Register Name
0x0     Status
0x4     Data (RX and TX)
0x8     Baud Rate
0xC     Control 1
0x10    Control 2
0x14    Control 3
0x18    GTPR
Peripherals are Hard!
● Obtained a dataset of Cortex-M memory layouts as used by debuggers (SVD files)
● Data self-published by vendors (and is therefore extremely incomplete)
● 463 distinct chip models, 13 vendors, 1592 unique peripherals
● Mainline QEMU supports 3 Cortex-M CPUs, and zero of the above dataset!
Emulation is Hard!
● Hardware-in-the-loop isn’t sufficient
○ One thread per device
○ One device reboot per execution
● Replay is not sufficient!
○ Can’t do fuzzing without input
Four Attributes of Ideal Re-Hosting
● Virtual
○ Does not require hardware at the time of emulation
● Abstraction-less
○ Does not rely on any aspect of the program
● Interactive
○ Responds to stimulus as the original hardware would
● Automatic
○ Requires a minimum of human intervention
Re-hosting is hard! But are we doomed? Not yet.
Can we observe the real hardware, to build models for an emulator?
Pretender
Recording
[Figure: inside the CPU, the device-specific code and the libraries (HALs, libc) reach the internal peripherals over the MMIO bus; the internal peripherals reach the external peripherals over external buses.]
We want to record the MMIO traffic, but it’s inside the CPU!
Recording
[Figure: the device-specific code and the libraries (HALs, libc) now run in QEMU. Their MMIO accesses are forwarded over an Avatar RPC channel to the internal peripherals of the real chip, which still talk to the external peripherals.]
Now we just record here, at the forwarding point. Problem solved?
Interrupts
● The current version of Avatar does not handle interrupts at all, but almost every firmware requires them
● Previous approaches leverage chip-specific hardware to observe interrupts
● Timing, masking, ordering, … cause extreme complications
Interrupt Recording
[Figure sequence, QEMU on one side and the hardware on the other:]
1. QEMU and the hardware both run normal code; MMIO accesses are forwarded between them.
2. INTERRUPT 0x2F!!! The hardware takes the interrupt and is STOPPED in a fake interrupt routine, while QEMU keeps running normal code.
3. “OK! Taking Interrupt 0x2F!!” QEMU now runs the firmware’s interrupt routine, while the hardware runs its fake interrupt routine.
4. “OK! Done with Interrupt 0x2F!!” Both sides return to running normal code.
Modeling
1. Figure out which groups of memory locations are distinct “peripherals”
2. Figure out which interrupts those peripherals fire, and under which conditions
3. Assign a model to each location within the peripheral
Grouping Peripherals
Recorded MMIO trace:
Op.    Address      Value
READ   0x40000004   0x1000
WRITE  0x40010024   0x0
READ   0x40002000   0x8000
WRITE  0x40020004   0x1
READ   0x40000008   0x8
READ   0x40003000   0x10
…      …            …
Clustering: the accessed addresses all lie in the peripheral region between 0x40000000 and 0x50000000, and are clustered into groups, one group per peripheral.
Associating Interrupts
[Figure: a peripheral whose registers are unknown.]
Offset  Value
0x0     ????????
0x4     ????????
0x8     ????????
0xC     ????????
0x10    ????????
After the firmware writes 0xDEADBEEF to offset 0x4, the peripheral starts firing Interrupt 0x2F! again and again.
Associating Interrupts
Recorded accesses inside one interrupt service routine:
ISR ENTER 0x2F
READ  Peripheral 1
WRITE Peripheral 4
READ  Peripheral 4
WRITE Peripheral 1
READ  Peripheral 4
READ  Peripheral 4
READ  Peripheral 4
WRITE Peripheral 4
WRITE Peripheral 1
ISR EXIT 0x2F
Peripheral 4 dominates the handler’s accesses: Peripheral 4 generates Interrupt 0x2F!
Interrupt Trigger Inference
Op.    Offset  Value
WRITE  0x4     0xDEADBEEF
…      …       …
ISR ENTER 0x2F

Across the whole recording, each entry into ISR 0x2F is preceded by a write to offset 0x4, with differing values. Two excerpts:
WRITE 0x4 0xFACEBEEF … ISR ENTER 0x2F … WRITE 0x4 0x0000BEEF … ISR ENTER 0x2F
WRITE 0x4 0xDEADBEEF … ISR ENTER 0x2F … ISR EXIT 0x2F … WRITE 0x4 0xDEAD0000
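The three modeling steps above (grouping MMIO addresses into peripherals, associating each interrupt with the peripheral its handler touches most, and inferring the register write that precedes the interrupt), as an added Python example written for this page; it is not Pretender's own code. The recording, the 1 KiB clustering gap and all addresses and values are constructed assumptions chosen to mirror the slides.

```python
from collections import Counter, defaultdict
from typing import NamedTuple

# Cortex-M peripheral region from the "Grouping Peripherals" slide.
PERIPH_START, PERIPH_END = 0x40000000, 0x50000000


class Event(NamedTuple):
    op: str          # "READ", "WRITE", "ISR_ENTER" or "ISR_EXIT"
    addr: int        # MMIO address; for ISR events, the interrupt number
    value: int = 0   # value read or written (unused for ISR events)


# Constructed recording (assumption: not a trace from a real device).  The
# peripheral at 0x40020000 is armed by a write to its offset 0x4 and then
# raises interrupt 0x2F; its handler mostly pokes that same peripheral.
TRACE = [
    Event("READ",  0x40000004, 0x1000),
    Event("WRITE", 0x40010024, 0x0),
    Event("WRITE", 0x40020004, 0xDEADBEEF),   # arms the peripheral at 0x40020000
    Event("READ",  0x40000008, 0x8),
    Event("ISR_ENTER", 0x2F),
    Event("READ",  0x40000004, 0x1000),
    Event("WRITE", 0x40020000, 0x1),
    Event("READ",  0x40020000, 0x0),
    Event("READ",  0x40020008, 0x41),
    Event("WRITE", 0x40020000, 0x0),
    Event("ISR_EXIT", 0x2F),
    Event("WRITE", 0x40020004, 0xFACEBEEF),   # re-armed with a different value
    Event("READ",  0x40000004, 0x1000),
    Event("ISR_ENTER", 0x2F),
    Event("READ",  0x40020000, 0x0),
    Event("READ",  0x40020008, 0x42),
    Event("WRITE", 0x40020000, 0x0),
    Event("ISR_EXIT", 0x2F),
]


def group_peripherals(trace, gap=0x400):
    """Step 1: cluster accessed MMIO addresses into peripherals.  Distinct addresses
    in the peripheral region are sorted; a new cluster starts whenever the distance
    to the previous address exceeds `gap` (1 KiB is an assumed register-block
    spacing).  Returns [(base, addresses)], base rounded down to a multiple of gap."""
    addrs = sorted({e.addr for e in trace
                    if e.op in ("READ", "WRITE") and PERIPH_START <= e.addr < PERIPH_END})
    clusters = []
    for a in addrs:
        if clusters and a - clusters[-1][-1] <= gap:
            clusters[-1].append(a)
        else:
            clusters.append([a])
    return [(c[0] & ~(gap - 1), c) for c in clusters]


def peripheral_base(addr, clusters):
    """Map an address to the base of the cluster containing it, or None."""
    for base, addrs in clusters:
        if addr in addrs:
            return base
    return None


def isr_windows(trace):
    """Yield (irq, enter_index, exit_index) for every ISR_ENTER/ISR_EXIT pair."""
    stack = []
    for i, e in enumerate(trace):
        if e.op == "ISR_ENTER":
            stack.append((e.addr, i))
        elif e.op == "ISR_EXIT":
            irq, start = stack.pop()
            yield irq, start, i


def associate_interrupts(trace, clusters):
    """Step 2a: credit each interrupt to the peripheral accessed most inside its ISR."""
    votes = defaultdict(Counter)
    for irq, start, end in isr_windows(trace):
        for e in trace[start + 1:end]:
            base = peripheral_base(e.addr, clusters) if e.op in ("READ", "WRITE") else None
            if base is not None:
                votes[irq][base] += 1
    return {irq: c.most_common(1)[0][0] for irq, c in votes.items()}


def infer_trigger(trace, clusters, irq, base):
    """Step 2b: for every entry into `irq`, walk back to the most recent WRITE into
    the associated peripheral.  Returns (offset written most often, values seen in
    trace order), or None when no such write precedes any entry."""
    offsets, values = Counter(), []
    for w_irq, start, _ in isr_windows(trace):
        if w_irq != irq:
            continue
        for e in reversed(trace[:start]):
            if e.op == "WRITE" and peripheral_base(e.addr, clusters) == base:
                offsets[e.addr - base] += 1
                values.append(e.value)
                break
    return (offsets.most_common(1)[0][0], values) if offsets else None


def build_model(trace):
    """Run the steps and summarise, per interrupt, its peripheral and trigger register."""
    clusters = group_peripherals(trace)
    return {irq: {"peripheral": base, "trigger": infer_trigger(trace, clusters, irq, base)}
            for irq, base in associate_interrupts(trace, clusters).items()}


if __name__ == "__main__":
    for irq, info in build_model(TRACE).items():
        print(f"IRQ 0x{irq:X} <- peripheral 0x{info['peripheral']:08X}, trigger {info['trigger']}")
```

The clustering gap is the only tunable here: too small a gap splits one peripheral into several, too large merges neighbours, which is why the slides bound the search to the 0x40000000-0x50000000 region first. The trigger step deliberately reports every value written to the inferred offset rather than a single constant, because the recording shows the same register armed with different values before each interrupt.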