
Security Analysis of Vendor Customized Code in Firmware of Embedded Device

  • Conference paper
Security and Privacy in Communication Networks (SecureComm 2016)

Abstract

Despite increased concern about embedded system security, the security assessment of commodity embedded devices is far from adequate. The lack of assessment is mainly due to the tedious, time-consuming, and very ad hoc reverse engineering procedure required for embedded device firmware. To simplify this procedure, we argue that only a particular part of the entire embedded device's firmware, which we call vendor customized code, needs to be thoroughly analyzed. Vendor customized code is usually developed to handle external inputs and is therefore especially exposed to attacks compared with other parts of the system. Moreover, vendor customized code is often highly specific and proprietary, and lacks security implementation guidelines. Analyzing this kind of code for security is therefore an urgent need.

In this paper, we present an empirical security analysis of vendor customized code on commodity embedded devices. We first survey the feasibility and limitations of state-of-the-art analysis tools: we investigate the program analysis tools typically used for classical security assessment and check their usability for practical reverse engineering of embedded device firmware. We then propose a methodology for vendor customized code analysis that accounts for both the characteristics of embedded devices and the usability of current analysis tools. It first locates the vendor customized part of the firmware through black-box testing and firmware unpacking, and then concentrates the assessment of the common weaknesses of embedded devices on that part of the code.
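The "locate, then concentrate" step of the methodology can be illustrated with a small triage script. The following is an added example, not the paper's tool or any project's code: it assumes a root filesystem that has already been unpacked from a firmware image, a hypothetical allowlist of SHA-256 hashes for unmodified upstream open-source components, and a heuristic, assumed set of string markers (CGI environment variables, socket calls, unbounded copies) whose weights rank how exposed a binary is to external input. Everything that is an ELF executable, is not a BusyBox-style applet link, and is not on the allowlist is reported as vendor customized code, ordered by exposure. The sample root filesystem is constructed inline so the script runs offline.

```python
"""Triage an unpacked firmware root filesystem for vendor customized code.

Added illustration of the "locate first" idea; it is not the paper's own
tool. The hash allowlist and marker weights below are assumptions.
"""
import hashlib
import os
import tempfile

ELF_MAGIC = b"\x7fELF"

# Strings whose presence in a binary suggests it parses untrusted external
# input. The weights are an assumed ranking heuristic, not a measured value.
INPUT_MARKERS = {
    b"QUERY_STRING": 3,    # CGI: parses the HTTP query string
    b"CONTENT_LENGTH": 3,  # CGI: reads a POST body
    b"recvfrom": 2,        # raw network receive
    b"accept": 2,          # listening network service
    b"system": 2,          # shell invocation, command injection risk
    b"strcpy": 1,          # unbounded copy near input handling
    b"sprintf": 1,
}


def sha256_file(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def is_elf(path):
    with open(path, "rb") as f:
        return f.read(4) == ELF_MAGIC


def triage_rootfs(rootfs, upstream_hashes):
    """Return vendor customized executables ranked by exposure to external input.

    Skips applet symlinks (BusyBox style), non-ELF files, and any ELF whose
    hash matches a known unmodified upstream build.
    """
    findings = []
    for dirpath, _, filenames in os.walk(rootfs):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(path, rootfs).replace(os.sep, "/")
            if os.path.islink(path):
                continue  # applet link; its target is classified on its own
            if not is_elf(path):
                continue  # configs, HTML and scripts are out of scope here
            if sha256_file(path) in upstream_hashes:
                continue  # known unmodified open-source component
            with open(path, "rb") as f:
                data = f.read()
            hits = {m: w for m, w in INPUT_MARKERS.items() if m in data}
            score = sum(hits.values())
            if "/cgi-bin/" in rel:
                score += 2  # directly reachable from the web interface
            findings.append({
                "path": rel,
                "score": score,
                "markers": sorted(m.decode() for m in hits),
            })
    findings.sort(key=lambda f: (-f["score"], f["path"]))
    return findings


def build_sample_rootfs():
    """Construct a tiny fake root filesystem (constructed data, not a real image)."""
    root = tempfile.mkdtemp(prefix="rootfs_")
    header = ELF_MAGIC + b"\x01\x01\x01"  # fake ELF ident, enough for is_elf()
    files = {
        "bin/busybox": header + b"busybox multi-call binary accept recvfrom",
        "usr/sbin/vendor_ctrl": header + b"socket accept recvfrom system",
        "www/cgi-bin/apply.cgi": header + b"QUERY_STRING CONTENT_LENGTH strcpy sprintf system",
        "www/index.html": b"<html>admin</html>",
        "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    os.symlink("busybox", os.path.join(root, "bin", "ls"))  # BusyBox applet link
    # Hypothetical allowlist: the stock busybox build is treated as upstream.
    upstream = {sha256_file(os.path.join(root, "bin", "busybox"))}
    return root, upstream


if __name__ == "__main__":
    rootfs, upstream = build_sample_rootfs()
    for finding in triage_rootfs(rootfs, upstream):
        print(f"{finding['score']:3d}  {finding['path']}  {finding['markers']}")
```

On the constructed sample the CGI handler is reported first (it parses query string and POST body and calls into the shell), the vendor control daemon second, and the stock BusyBox binary, its applet links, and the non-ELF files are not reported at all. On a real unpacked filesystem the allowlist would be populated from reference builds of the open-source components the vendor ships, which is the part of this triage that takes real effort.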

Based on our analysis methodology, we assess five popular embedded devices and find critical vulnerabilities. Our results show that: (a) the workload of assessing embedded devices is significantly reduced with our methodology, since only a small portion of the programs on a device need to be assessed; (b) vendor customized code is often more error-prone and thus more vulnerable to attacks; (c) using existing tools to conduct automated analysis of many embedded devices is still infeasible, and manual intervention is essential for an effective assessment.

This work was partially supported by the Major Program of Shanghai Science and Technology Commission (Grants No.: 15511103002).



Author information

Correspondence to Muqing Liu.


Copyright information

© 2017 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Liu, M., Zhang, Y., Li, J., Shu, J., Gu, D. (2017). Security Analysis of Vendor Customized Code in Firmware of Embedded Device. In: Deng, R., Weng, J., Ren, K., Yegneswaran, V. (eds) Security and Privacy in Communication Networks. SecureComm 2016. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 198. Springer, Cham. https://doi.org/10.1007/978-3-319-59608-2_40


  • DOI: https://doi.org/10.1007/978-3-319-59608-2_40


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-59607-5

  • Online ISBN: 978-3-319-59608-2
