Skip to main content
SpringerLink
Log in

Anatomist: Enhanced Firmware Vulnerability Discovery Based on Program State Abnormality Determination with Whole-System Replay

  • Conference paper
  • First Online:
Information Security (ISC 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13640))

Included in the following conference series:

  • 828 Accesses

Abstract

With the widespread deployment of Internet of Things (IoT) devices, firmware vulnerabilities can result in considerable damage. However, existing firmware fuzzing methods, which rely on program exception signals, can only find memory corruption vulnerabilities that lead to program crashes. Fuzzing also misses vulnerabilities that exist in the execution path but are not triggered. To solve this problem, we propose Anatomist, the first enhanced firmware vulnerability discovery method based on program state abnormality determination with whole-system replay. The Anatomist first identifies the dangerous operation candidates during whole-system replay. Using single-path symbolic tracing, Anatomist determines whether the program states of dangerous operation candidates are abnormal. Also, Anatomist identifies vulnerabilities on the execution path based on program state abnormality determination. We implemented Anatomist and compared the results of Anatomist with those of FirmAFL, the most advanced firmware vulnerability discovery method, on the FirmAFL dataset. The experimental results showed that Anatomist increased the vulnerability discovery speed by 741.64% on average. Additionally, Anatomist successfully found 3 0-day vulnerabilities in 3 firmware, including 2 memory corruption vulnerabilities and 1 logic vulnerability. The experimental results demonstrated that Anatomist augments firmware vulnerability discovery in two aspects. Anatomist can detect untriggered vulnerabilities on the execution path that are missed by fuzzing. In addition, Anatomist can also identify logic vulnerabilities that cannot be detected by fuzzing.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 69.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 89.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. The 33 vulnerabilities impacting millions of IoT, OT and it devices that present an immediate risk for organizations worldwide. https://www.forescout.com/resources/amnesia33-research-report-executive-summary/

  2. The name:wreck vulnerability impacts nearly 100 million IoT devices. https://www.forescout.com/resources/namewreck-breaking-and-fixing-dns-implementations/

  3. The attach on smart-ups devices. https://www.theregister.com/2022/03/09/tlstorm_apc_ups_critical_zero_days/

  4. Sivakumaran, P., Blasco, J.: argXtract: Deriving IoT security configurations via automated static analysis of stripped arm cortex-m binaries. In: Annual Computer Security Applications Conference, pp. 861–876 (2021)

    Google Scholar 

  5. Feng, X., et al.: Snipuzz: Black-box fuzzing of IoT firmware via message snippet inference. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 337–350 (2021)

    Google Scholar 

  6. Kim, M., Kim, D., Kim, E., Kim, S., Jang, Y., Kim, Y.: FirmAE: towards large-scale emulation of IoT firmware for dynamic analysis. In: Annual Computer Security Applications Conference, pp. 733–745 (2020)

    Google Scholar 

  7. Shoshitaishvili, Y., Wang, R., Hauser, C., Kruegel, C., Vigna, G.: Firmalice-automatic detection of authentication bypass vulnerabilities in binary firmware. In: NDSS, vol. 1, p. 1 (2015)

    Google Scholar 

  8. Kim, Y., Kim, Y., Kim, T., Lee, G., Jang, Y., Kim, M.: Automated unit testing of large industrial embedded software using concolic testing. In: 2013 28th IEEE/ACM International Conference on Automated Software Engineering (ASE), pp. 519–528 (2013). https://doi.org/10.1109/ASE.2013.6693109

  9. Zheng, Y., Davanian, A., Yin, H., Song, C., Zhu, H., Sun, L.: \(\{\)FIRM-AFL\(\}\):\(\{\)High-Throughput\(\}\) greybox fuzzing of \(\{\)IoT\(\}\) firmware via augmented process emulation. In: 28th USENIX Security Symposium (USENIX Security 19), pp. 1099–1114 (2019)

    Google Scholar 

  10. Feng, H., Li, H., Pan, X., Zhao, Z., Cactilab, T.: A formal analysis of the FIDO UAF protocol. In: Proceedings of 28th Network And Distributed System Security Symposium (NDSS) (2021)

    Google Scholar 

  11. Manès, V.J., et al.: The art, science, and engineering of fuzzing: a survey. IEEE Trans. Softw. Eng. 47(11), 2312–2331 (2019)

    Google Scholar 

  12. Yagemann, C., Chung, S.P., Saltaformaggio, B., Lee, W.: Automated bug hunting with data-driven symbolic root cause analysis. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 320–336 (2021)

    Google Scholar 

  13. Cao, M., et al.: Different is good: detecting the use of uninitialized variables through differential replay. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 1883–1897 (2019)

    Google Scholar 

  14. Thalheim, J., Bhatotia, P., Fetzer, C.: Inspector: data provenance using intel processor trace (PT). In: 2016 IEEE 36th International Conference on Distributed Computing Systems (ICDCS), pp. 25–34. IEEE (2016)

    Google Scholar 

  15. Dovgalyuk, P.: Deterministic replay of system’s execution with multi-target QEMU simulator for dynamic analysis and reverse debugging. In: CSMR, pp. 553–556 (2012)

    Google Scholar 

  16. Yagemann, C., Pruett, M., Chung, S.P., Bittick, K., Saltaformaggio, B., Lee, W.: \(\{\)ARCUS\(\}\): symbolic root cause analysis of exploits in production systems. In: 30th \(\{\)USENIX\(\}\) Security Symposium (\(\{\)USENIX\(\}\) Security 21) (2021)

    Google Scholar 

  17. Baldoni, R., Coppa, E., D’elia, D.C., Demetrescu, C., Finocchi, I.: A survey of symbolic execution techniques. ACM Comput. Surv. (CSUR) 51(3), 1–39 (2018)

    Article  Google Scholar 

  18. Chen, J., et al.: Iotfuzzer: Discovering memory corruptions in IoT through app-based fuzzing. In: NDSS (2018)

    Google Scholar 

  19. Zaddach, J., Bruno, L., Francillon, A., Balzarotti, D., et al.: Avatar: a framework to support dynamic security analysis of embedded systems’ firmwares. In: NDSS, vol. 14, pp. 1–16 (2014)

    Google Scholar 

  20. Muench, M., Nisi, D., Francillon, A., Balzarotti, D.: Avatar 2: a multi-target orchestration platform. In: Proceedings of the Workshop Binary Anal. Res. (Colocated NDSS Symp.), vol. 18, pp. 1–11 (2018)

    Google Scholar 

  21. Chen, D.D., Woo, M., Brumley, D., Egele, M.: Towards automated dynamic analysis for linux-based embedded firmware. In: NDSS, vol. 1, p. 1 (2016)

    Google Scholar 

  22. Craig, L., Fasano, A., Ballo, T., Leek, T., Dolan-Gavitt, B., Robertson, W.: PyPANDA: taming the pandamonium of whole system dynamic analysis. In: Workshop on Binary Analysis Research (BAR), vol. 2021, p. 21 (2021)

    Google Scholar 

  23. Shoshitaishvili, Y., et al.: Sok:(state of) the art of war: offensive techniques in binary analysis. In: 2016 IEEE Symposium on Security and Privacy (SP), pp. 138–157. IEEE (2016)

    Google Scholar 

  24. Moura, L.D., Bjørner, N.: Z3: An efficient SMT solver. In: International conference on Tools and Algorithms for the Construction and Analysis of Systems, pp. 337–340. Springer (2008). https://doi.org/10.1007/978-3-540-78800-3_24

  25. Wang, H., et al.: Typestate-guided fuzzer for discovering use-after-free vulnerabilities. In: 2020 IEEE/ACM 42nd International Conference on Software Engineering (ICSE), pp. 999–1010. IEEE (2020)

    Google Scholar 

  26. CVE-2014-0160, a memory leakage vulnerability in OpenSSL. https://www.cvedetails.com/cve/CVE-2014-0160

  27. Böhme, M., Pham, V.T., Nguyen, M.D., Roychoudhury, A.: Directed greybox fuzzing. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 2329–2344 (2017)

    Google Scholar 

  28. Moukahal, L.J., Zulkernine, M., Soukup, M.: Vulnerability-oriented fuzz testing for connected autonomous vehicle systems. IEEE Trans. Reliabil. 70(4), 1422–1437 (2021)

    Article  Google Scholar 

Download references

Acknowledgements

This work was supported by the Natural Science Foundation of China (61902416, 61902412) and the Natural Science Foundation of Hunan Province in China (2019JJ50729).

Author information

Authors and Affiliations

  1. College of Computer, National University of Defense Technology, Changsha, China

    Runhao Liu, Bo Yu, Baosheng Wang & Jianbin Ye

Authors
  1. Runhao Liu
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Bo Yu
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Baosheng Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Jianbin Ye
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Bo Yu .

Editor information

Editors and Affiliations

  1. University of Wollongong, Wollongong, NSW, Australia

    Willy Susilo

  2. Xidian University, Xian, China

    Xiaofeng Chen

  3. University of Wollongong, Wollongong, NSW, Australia

    Fuchun Guo

  4. University of Wollongong, Wollongong, NSW, Australia

    Yudi Zhang

  5. Petra Christian University, Surabaya, Indonesia

    Rolly Intan

Rights and permissions

Reprints and permissions

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Liu, R., Yu, B., Wang, B., Ye, J. (2022). Anatomist: Enhanced Firmware Vulnerability Discovery Based on Program State Abnormality Determination with Whole-System Replay. In: Susilo, W., Chen, X., Guo, F., Zhang, Y., Intan, R. (eds) Information Security. ISC 2022. Lecture Notes in Computer Science, vol 13640. Springer, Cham. https://doi.org/10.1007/978-3-031-22390-7_23

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-22390-7_23

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-22389-1

  • Online ISBN: 978-3-031-22390-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation