towards automated dynamic analysis for
play

Towards Automated Dynamic Analysis for Linux-based Embedded Firmware - PowerPoint PPT Presentation

May 29, 2023 •180 likes •404 views

Towards Automated Dynamic Analysis for Linux-based Embedded Firmware Dominic Chen 1 , Manuel Egele 2 , Maverick Woo 1 , David Brumley 1 1 Carnegie Mellon University, 2 Boston University {ddchen, pooh, dbrumley}@cmu.edu, megele@bu.edu 2 FIRMADYNE

  1. Towards Automated Dynamic Analysis for Linux-based Embedded Firmware Dominic Chen 1 , Manuel Egele 2 , Maverick Woo 1 , David Brumley 1 1 Carnegie Mellon University, 2 Boston University {ddchen, pooh, dbrumley}@cmu.edu, megele@bu.edu

  2. 2

  3. FIRMADYNE • First system for full-system emulation of embedded Linux-based firmware • Provides large-scale automated dynamic analysis – Built-in vulnerability detection – Tested on 9.5k extracted firmware images • Objective: Continuous integration for firmware 3

  4. Background • Embedded devices are important – Low visibility by end-users – Critical network infrastructure – Software rarely upgraded • Difficult to analyze – RISC-based architectures: MIPS, ARM, etc. – No direct interface into device firmware – Fixed hardware peripherals; no ‘Plug and Play’ – Significant variety; hard to scale 4

  5. Firmware Architectures 5000 * 4500 4000 Number of Firmware Images * 3500 3000 2500 2000 1500 * 1000 500 0 MIPS ARM Unknown x86-64 PPC MIPS-64 x86 Other Big Endian Little Endian Unknown 5

  6. Related Work • Zaddach et al ., “ Avatar: A framework to support dynamic security analysis of embedded systems’ firmwares ”, NDSS 2014 – Software emulation with partial offload to hardware – Doesn’t scale: requires hardware and connection to debug port • Costin et al., “ A large-scale analysis of the security of embedded firmwares ”, USENIX 2014 – Static extraction and analysis of firmware – Relatively cursory analysis and can’t verify results; classic trade-offs of false positives vs. false negatives 6

  7. Dynamic Approaches • Application-level – Extract webpages and perform analysis – Custom interpreter modifications • Process-level – Emulate original applications in user-mode – Different hardware and execution environment • System-level – Boots entire filesystem with modified kernel – Supports all applications using original environment 7

  8. FTP Sites Support Filesystem Kernel Websites MIPS Little-Endian Initial Architecture Emulation Identification eth0: 192.168.1.100 “ && cat 0 xDEADBEEF” eth1: 10.0.0.1 eth2: 128.2.42.52 Network Network Exploit Reachable Identification Verification 8

  9. Filesystem Recovery • Firmware format is not standardized – Can be compressed, include photos, etc. • Solution : Develop custom extractor for filesystems – Searches for UNIX-like filesystems – Includes heuristics to avoid recursive extraction • Improved existing unpacking tools – jefferson: User-mode extractor for JFFS2 – sasquatch: Heuristic-based extractor for SquashFS 9

  10. Device Configuration • Firmware requires NVRAM peripheral to boot – Used as volatile configuration store • Solution : Emulate NVRAM peripheral with userspace library – Compatible with different C runtime libraries – Self-initializes with default NVRAM values used during factory reset 10

  11. Network Inference • Devices expect different network configuration – eth0 vs. lan0, wlan0, wan0, vs. ath0, br0, etc. • Solution : Use custom kernel with software instrumentation to infer networking – Parse kernel log to infer expected configuration – Track IP addresses, bridges, and VLANs – Restart with new configuration 11

  12. Automated Analyses • Accessible Webpages – Checks for unauthenticated webpages – Command injection/information disclosure • SNMP Information – Dumps public SNMP data – Information disclosure • Vulnerability Detection – Checks for presence of vulnerabilities 12

  13. Firmware Analysis Progress by Vendor 6000 Number of Firmware Images 5000 4000 3000 2000 1000 0 Downloaded Extracted Architecture Initial Network Network Exploited Identified Emulation Inferred Reachable Other QNAP Polycom TRENDnet TP-Link OpenWrt ZyXEL Synology Tomato by Shibby D-Link Netgear 13

  14. Vulnerability Analysis • Discovered 14 previously-unknown vulnerabilities – New vulnerabilities can be automatically tested across entire dataset – Selected 60 applicable vulnerabilities from Metasploit • Of 1,971 firmware images that were network reachable, 43%* (846) were vulnerable to at least one exploit – Estimated to affect 89+ different products * Corrected 14

  15. Unknown Vulnerabilities • Discovered 14 unknown vulnerabilities that affect 69 firmware images across 12+ products using our analyses – Command Injection (Netgear) – Buffer Overflow (D-Link) – Information Disclosure (D-Link & Netgear) • Responsible disclosure to vendors and CERT – VU#548680: Affected D-Link devices – VU#615808: Affected Netgear devices • Fix is expected by end of February/mid-March 15

  16. Netgear Command Injection (CVE-2016- 1555) • Unauthenticated webpages with debug functionality were accidentally included – Used to write manufacturing data, e.g. MAC addresses, firmware region, and serial number – Can detect with our instrumentation • Form input is passed directly as command- line argument to shell – Affects 65 firmware images across 7+ products 16

  17. D-Link Buffer Overflow (CVE-2016-1558) • Web server sets dlink_uid cookie to track sessions for authenticated users – Value is passed to strlen() then memcpy() • Setting the cookie to a long string crashes the web server at e.g. 0x41414141 – Affects 13 firmware images across 5+ products 17

  18. D-Link & Netgear Information Disclosure • Unauthenticated services provide sensitive information – Web pages (CVE-2016-1556) – SNMP queries (CVE-2016-1557, CVE-2016- 1559) • Insecure default configuration – Affects 54 firmware images across 10+ products 18

  19. Code Reuse • Sercomm Backdoor (CVE-2014-0659) – Unauthenticated remote attackers can dump configuration – Affects 282 firmware images across 16+ products from our dataset – Our results show On Networks and TRENDnet are also affected • MiniUPnPd Denial of Service (CVE-2013-0229) – Parsing flaws in open-source internet-facing UPnP daemon – Affects 169 firmware images across 14+ products from our dataset • OpenSSL ChangeCipherSpec (CVE-2014-0224) – TLS implementation allows attacker to downgrade cipher – Affects 169 firmware images across 27+ products from our dataset 19

  20. Classification of Tested Vulnerabilities 5% 4% 33% Authentication Bypass 16% Backdoor Buffer Overflow Command Execution Cryptographic Flaw Denial of Service File Upload Information Disclosure 1% 7% 1% 33% 20

  21. Conclusion • FIRMADYNE allows full-system emulation and dynamic analysis of Linux-based firmware – Infers network configuration of firmware – Emulates hardware peripherals, e.g. NVRAM – Automatically checks for vulnerabilities across dataset • 43% of all network reachable firmware images are vulnerable to at least one exploit – Future work in investigating code sharing among OEM’s • Open-source and available today – https://github.com/firmadyne – Patches welcome! 21

  22. Questions • Dominic Chen (ddchen@cmu.edu) 22

Recommend

A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web

A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web

A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web Alexei Bulazel & Blent Yener River Loop Security Rensselaer Polytechnic Institute (RPI) Introduction Automated dynamic malware analysis is

684 views • 33 slides
Automated capability analysis in Wordpress plugins Using static and dynamic analysis SNE RP2

Automated capability analysis in Wordpress plugins Using static and dynamic analysis SNE RP2

Automated capability analysis in Wordpress plugins Using static and dynamic analysis SNE RP2 Frank Uijtewaal Collab: DongIT (dongit.nl) Initial project goal Find a new and interesting type of security analysis for web applications

480 views • 35 slides
Introduction to Dynamic Analysis Reference material Introduction to dynamic analysis Zhu,

Introduction to Dynamic Analysis Reference material Introduction to dynamic analysis Zhu,

Introduction to Dynamic Analysis Reference material Introduction to dynamic analysis Zhu, Hong, Patrick A. V. Hall, and John H. R. May, "Software Unit Test Coverage and Adequacy," ACM Computing Surveys, vol. 29, no.4, pp.

1.03k views • 58 slides
Management Strategies and Dynamic Financial Analysis Dynamic Financial Analysis CAS Spring

Management Strategies and Dynamic Financial Analysis Dynamic Financial Analysis CAS Spring

Management Strategies and Dynamic Financial Analysis Dynamic Financial Analysis CAS Spring Meeting Martin Eling, University of Ulm Thomas Parnitzke, Baloise Holding San Diego, May 23-26, 2010 Hato Schmeiser, University of St. Gallen Hato

639 views • 30 slides
Finding and proving new geometry theorems in regular polygons with dynamic geometry and automated

Finding and proving new geometry theorems in regular polygons with dynamic geometry and automated

Finding and proving new geometry theorems in regular polygons with dynamic geometry and automated reasoning tools Zolt an Kov acs The Private University College of Education of the Diocese of Linz CICM Hagenberg, Calculemus August 16,

730 views • 68 slides
Today Amortized analysis Dynamic tables Amortized Analysis and Splay Trees Splay

Today Amortized analysis Dynamic tables Amortized Analysis and Splay Trees Splay

Today Amortized analysis Dynamic tables Amortized Analysis and Splay Trees Splay trees Inge Li Grtz CLRS Chapter 17 Je ff Erickson notes Dynamic tables Dynamic tables Problem. Have to assign size of table at initialization.

365 views • 11 slides
Supporting PHP Dynamic Analysis in PHP AiR Mark Hills 13th International Workshop on Dynamic

Supporting PHP Dynamic Analysis in PHP AiR Mark Hills 13th International Workshop on Dynamic

Supporting PHP Dynamic Analysis in PHP AiR Mark Hills 13th International Workshop on Dynamic Analysis (WODA 2015) October 26, 2015 Pittsburgh, Pennsylvania, USA http://www.rascal-mpl.org 1 PHP AiR: PHP Analysis in Rascal PHP AiR: a framework

528 views • 16 slides
my.SWISSTRAFFIC Automated Traffic Collection & Analysis FULLY AUTOMATED TRAFFIC DATA

my.SWISSTRAFFIC Automated Traffic Collection & Analysis FULLY AUTOMATED TRAFFIC DATA

my.SWISSTRAFFIC Automated Traffic Collection & Analysis FULLY AUTOMATED TRAFFIC DATA COLLECTION AND ANALYTICS There is a high demand for reliable Traffic Data but Static data single-purpose data Invasive costly deployment &

404 views • 18 slides
Dyna Dynamic mic Analysis Analysis of the of the Co-evo Co evoluti lution on of Ex of

Dyna Dynamic mic Analysis Analysis of the of the Co-evo Co evoluti lution on of Ex of

Dyna Dynamic mic Analysis Analysis of the of the Co-evo Co evoluti lution on of Ex of Exac act t Cove Covers rs EVOLVE 2011, Luxembourg Jeffrey Horn GECCO June 28, 2005 IEEE SSCI FOCI 2007 Northern Nort hern Mi Michigan Univer

981 views • 46 slides
RWIS Automated Advisory System Centralized advisory system for the control of Dynamic Message

RWIS Automated Advisory System Centralized advisory system for the control of Dynamic Message

RWIS Automated Advisory System Centralized advisory system for the control of Dynamic Message Signs Presented by: Jeremy Duensing Product Manager Schneider Electric Presentation Learning Outcomes Weather can have large impacts on small

785 views • 30 slides
DYNAMIC ODME FOR AUTOMATED VEHICLES MODELING USING BIG DATA Dr. Jaume Barcel, Professor

DYNAMIC ODME FOR AUTOMATED VEHICLES MODELING USING BIG DATA Dr. Jaume Barcel, Professor

DYNAMIC ODME FOR AUTOMATED VEHICLES MODELING USING BIG DATA Dr. Jaume Barcel, Professor Emeritus, UPC- Barcelona Tech, Strategic Advisor to PTV Group Shaleen Srivastava, Vice-President/Regional www.ptvgroup.com Director (PTV Group

439 views • 24 slides
Static Analysis Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * Some

Static Analysis Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * Some

Static Analysis Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * Some slides adapted from those by Trent Jaeger Prevention: Program Analysis Any automated analysis at compile or dynamic time to find potential bugs

798 views • 61 slides
Automated determination of isoptics with dynamic geometry Thierry Dana-Picard 1 acs 2 Zolt an

Automated determination of isoptics with dynamic geometry Thierry Dana-Picard 1 acs 2 Zolt an

Automated determination of isoptics with dynamic geometry Thierry Dana-Picard 1 acs 2 Zolt an Kov 1 Jerusalem College of Technology 2 The Private University College of Education of the Diocese of Linz CICM Hagenberg, Calculemus August 15,

728 views • 56 slides
Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal and Wenke Lee College of Computing Georgia Institute of Technology Agenda l Background l Defeating Automated Malware Analysis Host

1.28k views • 28 slides
GR-INSPECTOR A SIGNAL ANALYSIS TOOLBOX FOR GNU RADIO MOTIVATION OF AUTOMATED SIGNAL ANALYSIS

GR-INSPECTOR A SIGNAL ANALYSIS TOOLBOX FOR GNU RADIO MOTIVATION OF AUTOMATED SIGNAL ANALYSIS

GR-INSPECTOR A SIGNAL ANALYSIS TOOLBOX FOR GNU RADIO MOTIVATION OF AUTOMATED SIGNAL ANALYSIS Spectrum Monitoring Explore real-world signals Easy access for beginners Live demodulation Batch processing of signals TASKS OF RECEIVING UNKNOWN

626 views • 16 slides
EPICREALM DYNAMIC WEBSITE PATENTS CLAIM CONSTRUCTION ANALYSIS Dan Ravicher What is a Dynamic

EPICREALM DYNAMIC WEBSITE PATENTS CLAIM CONSTRUCTION ANALYSIS Dan Ravicher What is a Dynamic

EPICREALM DYNAMIC WEBSITE PATENTS CLAIM CONSTRUCTION ANALYSIS Dan Ravicher What is a Dynamic Website? Produces a Customized Response to User Input Examples Google, Yahoo and other seach engines Online banking E-Tailors

437 views • 26 slides
CELLENGER CELLENGER Automated High Automated High Content Content Analysis of Analysis of

CELLENGER CELLENGER Automated High Automated High Content Content Analysis of Analysis of

CELLENGER CELLENGER Automated High Automated High Content Content Analysis of Analysis of Biomedical Biomedical Imagery Imagery Dr. Maria Athelogou the cognitive computing company the cognitive computing company Founded in 1994 as

308 views • 19 slides
Towards Safety Analysis of Interactions Between Human Users and Automated Driving Systems

Towards Safety Analysis of Interactions Between Human Users and Automated Driving Systems

10th European Congress on Embedded Real-Time Systems - ERTS 2020 Towards Safety Analysis of Interactions Between Human Users and Automated Driving Systems Fredrik Warg Stig Ursing Martin Kaalhus Richard Wiik Safety of Automated Driving

763 views • 19 slides
Trace Level Automated Mercury Speciation Analysis Vivien Taylor, 1 Brian Jackson, 1 Annie

Trace Level Automated Mercury Speciation Analysis Vivien Taylor, 1 Brian Jackson, 1 Annie

Trace Level Automated Mercury Speciation Analysis Vivien Taylor, 1 Brian Jackson, 1 Annie Carter, 2 Colin Davies 2 1. Trace Element Core, Dartmouth College 2. Brooks Rand Labs Background Trace Level Automated Mercury Analysis EPA 1630

549 views • 25 slides
EDA045F: Program Analysis LECTURE 8: DYNAMIC ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 8: DYNAMIC ANALYSIS 1 Christoph Reichenbach In the last

EDA045F: Program Analysis LECTURE 8: DYNAMIC ANALYSIS 1 Christoph Reichenbach In the last lecture. . . More Points-to Analysis Memory Errors 2 / 44 Challenges to Static Analysis Static analysis is far from solved Very active

574 views • 42 slides
Automated High-dimensional Cytometric Data Analysis Cytometric Data Analysis Philip L. De Jager,

Automated High-dimensional Cytometric Data Analysis Cytometric Data Analysis Philip L. De Jager,

Automated High-dimensional Cytometric Data Analysis Cytometric Data Analysis Philip L. De Jager, M.D. Ph.D. Director, Program in Translational NeuroPsychiatric Genomics Brigham & Womens Hospital Assistant Professor of Neurology Harvard

477 views • 46 slides
Automated embedding of dynamic libraries into iOS applications from GNU/Linux Marwin Baumann 1

Automated embedding of dynamic libraries into iOS applications from GNU/Linux Marwin Baumann 1

Automated embedding of dynamic libraries into iOS applications from GNU/Linux Marwin Baumann 1 & Leandro Velasco 1 1 Systems and Network Engineering MSc. University of Amsterdam Research Project 2, 2017 Marwin Baumann & Leandro Velasco

677 views • 36 slides
AUTOMATED ANALYSIS OF URINE SEDIMENT GIOVANNI BATTISTA FOGAZZI CLINICAL AND RESEARCH LABORATORY

AUTOMATED ANALYSIS OF URINE SEDIMENT GIOVANNI BATTISTA FOGAZZI CLINICAL AND RESEARCH LABORATORY

AUTOMATED ANALYSIS OF URINE SEDIMENT GIOVANNI BATTISTA FOGAZZI CLINICAL AND RESEARCH LABORATORY ON URINARY SEDIMENT U.O. DI NEFROLOGIA E DIALISI FONDAZIONE IRCCS CA GRANDA OSPEDALE MAGGIORE POLICLINICO MILANO- ITALY 1985: THE FIRST AUTOMATED

918 views • 34 slides
Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides

More recommend