towards automated classification of firmware images and
play

Towards Automated Classification of Firmware Images and - PowerPoint PPT Presentation

Jul 02, 2023 •220 likes •577 views

IFIP SEC '17 (Rome, Italy) Towards Automated Classification of Firmware Images and Identification of Embedded Devices Andrei Costin (University of Jyvaskyla) Apostolis Zarras (TUM) Aurelien Francillon (EURECOM) Agenda Introduction

  1. IFIP SEC '17 (Rome, Italy) Towards Automated Classification of Firmware Images and Identification of Embedded Devices Andrei Costin (University of Jyvaskyla) Apostolis Zarras (TUM) Aurelien Francillon (EURECOM)

  2. Agenda Introduction ● Contributions ● Firmware Classification ● Device Fingerprinting ● Conclusions and Future Work ● Acknowledgements and Q&A ● 30th May 2017 Andrei Costin, IFIP SEC '17 2

  3. Introduction IoT and embedded devices ● Increasingly present in any computing environment – May be vulnerable/exploitable – Rely on network connectivity – Often administered through web interfaces – Depend on and run firmware packages – 30th May 2017 Andrei Costin, IFIP SEC '17 3

  4. Introduction IoT and embedded firmware packages ● Software that runs on intended IoT and embedded devices – Contain many software features and modules – May contain bugs/vulnerabilities – Can yield richer knowledge if analyzed in similar clusters rather than alone – E.g., diffing consecutive versions and patches ● 30th May 2017 Andrei Costin, IFIP SEC '17 4

  5. Introduction The number of IoT devices in 2016 was around 6-7 billions [GAR15] ● The number of IoT firmware packages in 2014 was at least in the range of ● hundreds of thousands [COS14] Manual analysis and triage does not scale ● 30th May 2017 Andrei Costin, IFIP SEC '17 7

  6. Introduction: Research problems We formulate the following research problems ● How to automatically label the brand and the model of the device for which – the firmware is intended How to automatically identify the vendor, the model, and the firmware – version of an arbitrary web-enabled online device 30th May 2017 Andrei Costin, IFIP SEC '17 8

  7. Introduction: Real-world attacks "DNSChanger EK" (Dec 2016) [PRO16] ● Also "CSRF (Cross-Site Request Forgery) SOHO Pharming" (2015) – 30th May 2017 Andrei Costin, IFIP SEC '17 9

  8. Introduction: Real-world attacks 30th May 2017 Andrei Costin, IFIP SEC '17 10

  9. Introduction: Real-world digital investigations „Mapping Mirai: A Botnet Case Study“ (Oct 2016) [MAL16] ● Mirai – perhaps the most disruptive and well-known DDoS botnet – 30th May 2017 Andrei Costin, IFIP SEC '17 11

  10. Introduction: Real-world CVE management CVE-2013-5637, CVE-2013-5638 – Consecutive/similar firmware clustering ● allows proper identification of impacted components [COS14] 30th May 2017 Andrei Costin, IFIP SEC '17 12

  11. Agenda Introduction ● Contributions ● Firmware Classification ● Device Fingerprinting ● Conclusions and Future Work ● Acknowledgements and Q&A ● 30th May 2017 Andrei Costin, IFIP SEC '17 13

  12. Contributions We propose and study the firmware features and the ML algorithms in the ● context of firmware classification We research the fingerprinting and identification of web-enabled embedded ● devices and their firmware version We present and discuss direct practical applications for both techniques ● 30th May 2017 Andrei Costin, IFIP SEC '17 14

  13. Agenda Introduction ● Contributions ● Firmware Classification ● Device Fingerprinting ● Conclusions and Future Work ● Acknowledgements and Q&A ● 30th May 2017 Andrei Costin, IFIP SEC '17 15

  14. Firmware Classification: Related Work Clemens [CLE15] ● Context focused on ● Explosion of different types of devices and myriad of executable code – (firmware, mobile apps, etc.) Automating digital forensic for forensic analysis, reverse engineering, or – malware detection Their dataset over 16000 code samples from 20 (embedded) architectures ● Their classifiers achieve very high accuracy with relatively small sample sizes ● 30th May 2017 Andrei Costin, IFIP SEC '17 16

  15. Firmware Classification: Dataset Total Firmware Vendors: 13 ● Total Firmware Files: 215 ● Firmwares Per Vendor: 5(min)/54(max)/16(avg) ● Dataset: www.firmware.re/ml/ ● 30th May 2017 Andrei Costin, IFIP SEC '17 17

  16. Firmware Classification: Features Firmware File Size ● Firmware File Content Properties (output of „ent“ , except bytes frequency) ● Firmware File Strings (class strings, class unique strings) ● Fuzzy Hash Similarity (threshold-based binary value feature) ● 30th May 2017 Andrei Costin, IFIP SEC '17 18

  17. Firmware Classification: Evaluation ML: Decission Tree (DT) and Random Forests (RF) from sklearn ● Training/Evaluation points ● Training sets size 10% and 90% of each firmware class – Training sets increment 10% at each evaluation point – At each training/evaluation point ● Runs 100 times with new random choice of training set data – Runs both DT and RF – Runs four different sets of features – 30th May 2017 Andrei Costin, IFIP SEC '17 19

  18. Firmware Classification: Evaluation 30th May 2017 Andrei Costin, IFIP SEC '17 20

  19. Firmware Classification: Results In summary: ● RF with „best“ features-set and 50% training reaches 93.5% accuracy – „Best“ features-set was [size, entropy, entropy extended, category strings, – category unique strings] Using only basic features [size, entropy] do not even reach 90% accuracy – (either RF or DT) As expected – Increased training set results in increased accuracy ● RF more accurate than DT ● 30th May 2017 Andrei Costin, IFIP SEC '17 21

  20. Agenda Introduction ● Contributions ● Firmware Classification ● Device Fingerprinting ● Conclusions and Future Work ● Acknowledgements and Q&A ● 30th May 2017 Andrei Costin, IFIP SEC '17 22

  21. Device Fingerprinting: Related Work Samarasinghe and Mannan [SAM16] ● Context focused on the study of weak SSL/TLS in IoT/embedded devices ● Performed IoT/embedded device fingerprinting ● Used HTTPS web-interface and certificates of IoT/embedded devices ● 30th May 2017 Andrei Costin, IFIP SEC '17 23

  22. Device Fingerprinting: Dataset Total Devices: 31 ● Emulated Devices: 27 – Vendors: 3 ● Functional categories: 7 ● Physical Devices: 4 – Vendors: 2 ● Functional categories: 4 ● 30th May 2017 Andrei Costin, IFIP SEC '17 24

  23. Device Fingerprinting: Features Total Features: 6 ● HTTP Web Sitemap ● HTTP Finite-State Machine (FSM) ● Model able to learn the headers’ order of an HTTP response – Use this order to classify an unknown HTTP conversation – Cryptographic Hashing and Fuzzy Hashing for each sitemap entry ● HTML Content – HTTP Headers – 30th May 2017 Andrei Costin, IFIP SEC '17 25

  24. Device Fingerprinting: Evaluation Feature ranking/scoring ● „Majority voting“ – „Uniform weights“ – „Non-uniform weights“ (empirical weights) – „Score fusion“ – Future work: use (un)supervised ML – 30th May 2017 Andrei Costin, IFIP SEC '17 26

  25. Device Fingerprinting: Results In summary: ● On average 89.4% identification accuracy – Cryptographic hash of HTML content most „stable“ feature – Fuzzy hash of HTTP headers least „stable“ feature – „Majority voting“ yielded most accurate matching – 30th May 2017 Andrei Costin, IFIP SEC '17 27

  26. Agenda Introduction ● Contributions ● Firmware Classification ● Device Fingerprinting ● Conclusions and Future Work ● Acknowledgements and Q&A ● 30th May 2017 Andrei Costin, IFIP SEC '17 28

  27. Conclusions We presented two complementary techniques for IoT firmware/devices ● Embedded firmware supervised learning and classification – Embedded web interface fingerprinted identification – We achieved average accuracies of 93.5% and 89.4% respectively ● We presented practical use-cases for our techniques ● Our scripts and datasets will be updated at: www.firmware.re/ml/ ● 30th May 2017 Andrei Costin, IFIP SEC '17 29

  28. Future Work Larger and more varied datasets for both techniques ● Unsupervised automated firmware emulation and vulnerability discovery ● [COS16] Unsupervised and more scalable ML for both techniques ● Evaluation of more ML algorithms with more parameters and features ● 30th May 2017 Andrei Costin, IFIP SEC '17 30

  29. Agenda Introduction ● Contributions ● Firmware Classification ● Device Fingerprinting ● Conclusions and Future Work ● Acknowledgements and Q&A ● 30th May 2017 Andrei Costin, IFIP SEC '17 31

  30. Acknowledgements IFIP SEC '17 organizers, and reviewers for valuable comments ● Prof. Pietro Michiardi for insightful discussions and feedback ● Ala Raddaoui for his early contributions to this study ● 30th May 2017 Andrei Costin, IFIP SEC '17 32

  31. Q&A Questions, suggestions, ideas? ● www.firmware.re/ml/ ancostin@jyu.fi andrei@firmware.re Twitter: @costinandrei 30th May 2017 Andrei Costin, IFIP SEC '17 33

Recommend

Toward the Analysis of Embedded Firmware through Automated Re-hosting Eric Gustafson , Marius

Toward the Analysis of Embedded Firmware through Automated Re-hosting Eric Gustafson , Marius

Toward the Analysis of Embedded Firmware through Automated Re-hosting Eric Gustafson , Marius Muench, Chad Spensky, Nilo Redini, Aravind Machiry, Aurelien Francillon, Davide Balzarotti, Yung Ryn Choe, Christopher Kruegel, Giovanni Vigna Sandia

963 views • 71 slides
Towards Automated Dynamic Analysis for Linux-based Embedded Firmware Dominic Chen 1 , Manuel Egele

Towards Automated Dynamic Analysis for Linux-based Embedded Firmware Dominic Chen 1 , Manuel Egele

Towards Automated Dynamic Analysis for Linux-based Embedded Firmware Dominic Chen 1 , Manuel Egele 2 , Maverick Woo 1 , David Brumley 1 1 Carnegie Mellon University, 2 Boston University {ddchen, pooh, dbrumley}@cmu.edu, megele@bu.edu 2 FIRMADYNE

404 views • 22 slides
Effective Validation of Firmware Enabling firmware development and validation to keep pace with

Effective Validation of Firmware Enabling firmware development and validation to keep pace with

Effective Validation of Firmware Enabling firmware development and validation to keep pace with hardware innovations. Tom Melham University of Oxford Problem Firmware today facing greater complexity and shorter schedules coded at low

478 views • 14 slides
An Empirical Comparison of Automated Generation and Classification Techniques for

An Empirical Comparison of Automated Generation and Classification Techniques for

An Empirical Comparison of Automated Generation and Classification Techniques for Object-Oriented Unit Testing Marcelo dAmorim (UIUC) Carlos Pacheco (MIT) Tao Xie (NCSU) Darko Marinov (UIUC) Michael D. Ernst (MIT) Automated Software

513 views • 33 slides
FirmFuzz: Automated IoT Firmware Introspection and Analysis Prashast Srivastava, Hui Peng, Jiahao

FirmFuzz: Automated IoT Firmware Introspection and Analysis Prashast Srivastava, Hui Peng, Jiahao

FirmFuzz: Automated IoT Firmware Introspection and Analysis Prashast Srivastava, Hui Peng, Jiahao Li, Hamed Okhravi, Howard Shrobe, Mathias Payer Internet of Things 2 Internet of Things 3 Internet of Things - 233 CVEs assigned from Jan

922 views • 34 slides
Front-end Firmware Transition and Documentation Status/Plans/Proposals Kurtis Nishimura

Front-end Firmware Transition and Documentation Status/Plans/Proposals Kurtis Nishimura

Front-end Firmware Transition and Documentation Status/Plans/Proposals Kurtis Nishimura University of Hawaii December 14, 2012 US Firmware Meeting 1 v2 Firmware Version 2 firmware is largely done: New interface to the DAQ

273 views • 5 slides
Component Firmware http://outflux.net/slides/2014/lss/firmware.pdf Linux Security Summit, Chicago

Component Firmware http://outflux.net/slides/2014/lss/firmware.pdf Linux Security Summit, Chicago

Component Firmware http://outflux.net/slides/2014/lss/firmware.pdf Linux Security Summit, Chicago 2014 Kees Cook <keescook@chromium.org> (pronounced Case) Overview Wait, which firmware? Threats Update methods

311 views • 20 slides
DUNE DAQ Firmware David Cussans Firmware Meeting 16/Jan/20 You Inst Logo You Inst Logo Goal

DUNE DAQ Firmware David Cussans Firmware Meeting 16/Jan/20 You Inst Logo You Inst Logo Goal

DUNE DAQ Firmware David Cussans Firmware Meeting 16/Jan/20 You Inst Logo You Inst Logo Goal Demonstrate upstream DAQ functions in firmware before design review - Have implementation ready before May 2020 10-second buffer Hit

466 views • 13 slides
Automated Management of More than One Million LifeLog Images Aiden R. Doherty Supervisor: Prof.

Automated Management of More than One Million LifeLog Images Aiden R. Doherty Supervisor: Prof.

D UBLIN C ITY U NIVERSITY A DAPTIVE I NFORMATION C LUSTER C ENTRE FOR D IGITAL V IDEO P ROCESSING Automated Management of More than One Million LifeLog Images Aiden R. Doherty Supervisor: Prof. Alan F. Smeaton Centre for Digital Video

903 views • 66 slides
Automated Gene Classification using Nonnegative Matrix Factorization on Biomedical Literature

Automated Gene Classification using Nonnegative Matrix Factorization on Biomedical Literature

Automated Gene Classification using Nonnegative Matrix Factorization on Biomedical Literature Kevin Heinrich PhD Dissertation Defense Department of Computer Science, UTK March 19, 2007 2/1 Kevin Heinrich Using NMF for Gene Classification

862 views • 61 slides
Fingerprinting the datacenter: automated classification of performance crises Peter Bodk 1,3 ,

Fingerprinting the datacenter: automated classification of performance crises Peter Bodk 1,3 ,

Fingerprinting the datacenter: automated classification of performance crises Peter Bodk 1,3 , Moises Goldszmidt 3 , Armando Fox 1 , Dawn Woodard 4 , Hans Andersen 2 1 RAD Lab, UC Berkeley 2 Microsoft 3 Research 4 Cornell University Crisis

664 views • 19 slides
WIB Firmware and Software Requirements Josh Klein CE Review March 10, 2020 Background

WIB Firmware and Software Requirements Josh Klein CE Review March 10, 2020 Background

WIB Firmware and Software Requirements Josh Klein CE Review March 10, 2020 Background ProtoDUNE WIB operated (and continuing) successfully FPGA was an Altera Aria V All-firmware design, included different firmware sets for

843 views • 47 slides
APPION: an automated pipeline for the processing of images Neil Voss AMI: Carragher & Potter

APPION: an automated pipeline for the processing of images Neil Voss AMI: Carragher & Potter

Workshop on Advanced Topics in EM Structure Determination November 14, 2007 APPION: an automated pipeline for the processing of images Neil Voss AMI: Carragher & Potter lab The Scripps Research Institute 1 Appion: simple, but transparent

646 views • 8 slides
SketchNet: Sketch Classification with Web Images[CVPR `16] CS688 Paper Presentation 1 Doheon Lee

SketchNet: Sketch Classification with Web Images[CVPR `16] CS688 Paper Presentation 1 Doheon Lee

SketchNet: Sketch Classification with Web Images[CVPR `16] CS688 Paper Presentation 1 Doheon Lee 20183398 2018. 10. 23 Table of Contents Introduction Background SketchNet Result 2 Introduction Properties of Sketch Images

500 views • 27 slides
Automated Analysis of Retinal Images for Early Diabetes Detection with Sub-Riemannian Methods

Automated Analysis of Retinal Images for Early Diabetes Detection with Sub-Riemannian Methods

MAnET Meeting, Helsinki, 8-9 Dec. 2015 Automated Analysis of Retinal Images for Early Diabetes Detection with Sub-Riemannian Methods Samaneh Abbasi-Sureshjani, Prof. Bart ter Haar Romeny RetinaCheck-MAnET Project, Eindhoven University of

476 views • 19 slides
Automated Detection of Chondrocytes in Growth Plate Images Emily Beylerian, Brian de Silva, Ben

Automated Detection of Chondrocytes in Growth Plate Images Emily Beylerian, Brian de Silva, Ben

Biology Image Processing Algorithm Methods Analytics Results Error Metrics Conclusion Questions References Automated Detection of Chondrocytes in Growth Plate Images Emily Beylerian, Brian de Silva, Ben Gross, Hannah Kastein Mentors:

1.07k views • 22 slides
Reversing firmware using radare2 [H2HC] A. Kochkov October, 2014 Motives Implement FOSS

Reversing firmware using radare2 [H2HC] A. Kochkov October, 2014 Motives Implement FOSS

Reversing firmware using radare2 [H2HC] A. Kochkov October, 2014 Motives Implement FOSS alternative (coreboot, OpenEC) Figure out possible attack vectors via firmware trojans We will take only case of modern PC/Laptop/Server firmware(s).

747 views • 46 slides
Automated Segmentation of Suspicious Breast Masses from Ultrasound Images Viksit Kumar, Jeremy

Automated Segmentation of Suspicious Breast Masses from Ultrasound Images Viksit Kumar, Jeremy

Automated Segmentation of Suspicious Breast Masses from Ultrasound Images Viksit Kumar, Jeremy Webb, Adriana Gregory, Mostafa Fatemi, Azra Alizad GTC 2018, San Jose, USA SIGNIFICANCE Breast cancer is most common and leading cause of death in

303 views • 13 slides
Automated Reliability Classification of Queueing Models for Streaming Computation Jonathan

Automated Reliability Classification of Queueing Models for Streaming Computation Jonathan

Automated Reliability Classification of Queueing Models for Streaming Computation Jonathan Beard, Cooper Epstein, and Roger Chamberlain SBS Stream Based Supercomputing Lab http://sbs.wustl.edu Work also supported by: 1 Stream Processing

260 views • 25 slides
Source Artefact Classification in Interferometric Images using Machine Learning Arun Aniyan SKA

Source Artefact Classification in Interferometric Images using Machine Learning Arun Aniyan SKA

Source Artefact Classification in Interferometric Images using Machine Learning Arun Aniyan SKA SA & Rhodes University Cape Town , South Africa Motivation The field around 3C147, at 5 million dynamic range using 21cm JVLA data. Smirnov

142 views • 13 slides
OpenPower Jeremy Kerr Firmware developer IBM Linux Technology Center jk@ozlabs.org Firmware

OpenPower Jeremy Kerr Firmware developer IBM Linux Technology Center jk@ozlabs.org Firmware

OpenPower Jeremy Kerr Firmware developer IBM Linux Technology Center jk@ozlabs.org Firmware OpenPower System architecture Development collaboration Linux platform openpowerfoundation.org POWER8 Machine State Register (MSR) PR PR=1

496 views • 36 slides
Augmentation Introduction ImageNet Classification with Deep Convolutional Neural Networks,

Augmentation Introduction ImageNet Classification with Deep Convolutional Neural Networks,

Day 2 Lecture 2 Augmentation Introduction ImageNet Classification with Deep Convolutional Neural Networks, Krizhevsky A., 2012 ImageNet Large-Scale Visual Recognition Challenge (ILSVRC) 1.2 million training images , 50,000 validation images, and

537 views • 14 slides
Classification of Epithelial Ovarian Carcinoma Whole-Slide Pathology Images Using Deep Transfer

Classification of Epithelial Ovarian Carcinoma Whole-Slide Pathology Images Using Deep Transfer

Classification of Epithelial Ovarian Carcinoma Whole-Slide Pathology Images Using Deep Transfer Learning Yiping Wang, David Farnell, Hossein Farahani, Mitchell Nursey, Basile Tessier-Cloutier, Steven J.M. Jones, David G. Huntsman, C. Blake Gilks,

81 views • 5 slides
Classification of Remotely Sensed Images for Landuse Information Prof. Krishna Mohan Buddhiraju

Classification of Remotely Sensed Images for Landuse Information Prof. Krishna Mohan Buddhiraju

Classification of Remotely Sensed Images for Landuse Information Prof. Krishna Mohan Buddhiraju Centre of Studies in Resources Engineering IIT Bombay INDIA bkmohan@csre.iitb.ac.in Todays Presentation (Very brief) Introduction to Remote

986 views • 67 slides

More recommend