Firmware is an important part of the attack surface for the Internet of Things. Attackers typically inject malicious data through the peripherals. Understanding the impact of attacker-controlled data requires an understanding of where such data flows within software, which is challenging due to the complex peripheral behavior. We present a symbolic execution-based firmware rehosting approach that utilizes MMIO access guided API modeling to avoid the complexity in handling low-level details of peripheral behaviors and to precisely track the flows of the peripheral data registers into the upper layers in the software stack. We have developed FIRMMOD on top of S2E for ARM Cortex M3 and applied it to Amazon FreeRTOS firmware samples. Our results indicate that API modeling is an effective approach for goal-based reachability analysis for firmware. It enables FIRMMOD to achieve up to 2X more code coverage compared to Fuzzware and to detect two known buffer overflow vulnerabilities at the ES WIFI layer.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

FIRMMOD: Generating API Taint Models for Firmware Analysis

  • Ken Yihang Bai,
  • Tuba Yavuz

摘要

Firmware is an important part of the attack surface for the Internet of Things. Attackers typically inject malicious data through the peripherals. Understanding the impact of attacker-controlled data requires an understanding of where such data flows within software, which is challenging due to the complex peripheral behavior. We present a symbolic execution-based firmware rehosting approach that utilizes MMIO access guided API modeling to avoid the complexity in handling low-level details of peripheral behaviors and to precisely track the flows of the peripheral data registers into the upper layers in the software stack. We have developed FIRMMOD on top of S2E for ARM Cortex M3 and applied it to Amazon FreeRTOS firmware samples. Our results indicate that API modeling is an effective approach for goal-based reachability analysis for firmware. It enables FIRMMOD to achieve up to 2X more code coverage compared to Fuzzware and to detect two known buffer overflow vulnerabilities at the ES WIFI layer.