Jun Yeon Won
ABSTRACT
Nowadays, there are a massive number of embedded Internet-of-Things (IoT) devices, each of which includes a microcontroller unit (MCU) that can support numerous peripherals. To detect security vulnerabilities of these embedded devices, there are a number of emulation (or rehosting) frameworks that enable scalable dynamic analysis by using only the device firmware code without involving the real hardware. However, we show that using only the firmware code for emulation is insufficient since there exists a special type of hardware-defined property among the peripheral registers that allows the bounded registers to be updated simultaneously without CPU interventions, which is called the hidden memory mapping. In this paper, we demonstrate that existing rehosting frameworks such as P2IM and μEMU have incorrect execution paths as they fail to properly handle hidden memory mapping during emulation. To address this challenge, we propose the first framework AutoMap that uses a differential hardware memory introspection approach to automatically reveal hidden memory mappings among peripheral registers for faithful firmware emulation. We have developed AutoMap atop the Unicorn emulator and evaluated it with 41 embedded device firmware developed based on the Nordic MCU and 9 real-world firmware evaluated by μEMU and P2IM on the two STMicroelectronics MCUs. Among them, AutoMap successfully extracted 2, 359 unique memory mappings in total which can be shared through a knowledge base with the rehosting frameworks. Moreover, by integrating AutoMap with μEMU, AutoMap is able to identify and correct the path of the program that will not run on the actual hardware.
- [n.d.]. Cortex-M3 Technical Reference Manual. https://developer.arm.com/documentation/ddi0337/h/.Google Scholar
- [n.d.]. Cortex-M4 Technical Reference Manual. https://developer.arm.com/documentation/ddi0439/b/.Google Scholar
- [n.d.]. DPPI - Distributed programmable peripheral interconnect. https://infocenter.nordicsemi.com/index.jsp?topic=%2Fps_nrf9160%2Fdppi.html.Google Scholar
- [n.d.]. Kinetis K64F Sub-Family Data Sheet. https://www.nxp.com/docs/en/data-sheet/K64P144M120SF5.pdf.Google Scholar
- [n.d.]. MAX32600 Data Sheet. https://datasheets.maximintegrated.com/en/ds/MAX32600.pdf.Google Scholar
- [n.d.]. Nordic Clock Peripheral. https://infocenter.nordicsemi.com/index.jsp?topic=%2Fcom.nordic.infocenter.nrf52832.ps.v1.1%2Fclock.html&cp=4_2_0_18&anchor=frontpage_clock.Google Scholar
- [n.d.]. Nordic NRF52811 Engineering A Errata 173. https://infocenter.nordicsemi.com/index.jsp?topic=%2Ferrata_nRF52811_EngA%2FERR%2FnRF52811%2FEngineeringA%2Flatest%2Fanomaly_811_173.html&resultof=%22%43%50%55%22%20%22%63%70%75%22%20%22%63%79%63%6c%65%22%20%22%63%79%63%6c%22%20.Google Scholar
- [n.d.]. Nordic NRF52832. https://www.nordicsemi.com/Products/Low-power-short-range-wireless/nRF52832.Google Scholar
- [n.d.]. Nordic NRF52832 GPIO peripheral documentation. https://infocenter.nordicsemi.com/index.jsp?topic=%2Fcom.nordic.infocenter.nrf52832.ps.v1.1%2Fgpio.html&cp=4_2_0_19&anchor=concept_zyt_tcb_lr.Google Scholar
- [n.d.]. Nordic NRF52832 Memory Layout. https://infocenter.nordicsemi.com/index.jsp?topic=%2Fcom.nordic.infocenter.nrf52832.ps.v1.1%2Fmemory.html.Google Scholar
- [n.d.]. Nordic NRF52832 Product Specification v1.1. https://infocenter.nordicsemi.com/pdf/nRF52832_PS_v1.1.pdf.Google Scholar
- [n.d.]. Nordic semiconductor. https://www.nordicsemi.com.Google Scholar
- [n.d.]. SAM R21E Data Sheet. http://ww1.microchip.com/downloads/en/devicedoc/sam-r21_datasheet.pdf.Google Scholar
- [n.d.]. SAM3X Series Data Sheet. https://ww1.microchip.com/downloads/en/devicedoc/atmel-11057-32-bit-cortex-m3-microcontroller-sam3x-sam3a_datasheet.pdf.Google Scholar
- [n.d.]. Segger J-Link. https://www.segger.com/products/debug-probes/j-link/.Google Scholar
- [n.d.]. Smart Autonomous 32-bit Microcontroller Peripherals Push the Boundaries of Ultra-Low-Power Embedded System Design. https://www.silabs.com/documents/public/white-papers/low-power-32-bit-microcontroller-dtm.pdf.Google Scholar
- [n.d.]. STMicroelectronics. https://www.st.com/content/st_com/en.html.Google Scholar
- [n.d.]. STMicroelectronics st-link. https://www.st.com/en/development-tools/st-link-v2.html.Google Scholar
- [n.d.]. STMicroelectronics STM32F103. https://www.st.com/en/microcontrollers-microprocessors/stm32f103rb.html.Google Scholar
- [n.d.]. STMicroelectronics STM32F103 reference manual. https://www.st.com/resource/en/reference_manual/cd00171190-stm32f101xx-stm32f102xx-stm32f103xx-stm32f105xx-and-stm32f107xx-advanced-arm-based-32-bit-mcus-stmicroelectronics.pdf.Google Scholar
- [n.d.]. STMicroelectronics STM32F429. https://www.st.com/en/microcontrollers-microprocessors/stm32f429-439.html.Google Scholar
- Lucas Apa and Carlos Mario Penagos. 2013. Compromising industrial facilities from 40 miles away. IOActive Technical White Paper(2013).Google Scholar
- Anomadarshi Barua and Mohammad Abdullah Al Faruque. 2020. Hall Spoofing: A Non-Invasive DoS Attack on Grid-Tied Solar Inverter. In 29th USENIX Security Symposium (USENIX Security 20). 1273–1290.Google Scholar
- Cristian Cadar, Daniel Dunbar, Dawson R Engler, 2008. Klee: unassisted and automatic generation of high-coverage tests for complex systems programs.. In OSDI, Vol. 8. 209–224.Google Scholar
- Chen Cao, Le Guan, Jiang Ming, and Peng Liu. 2020. Device-agnostic firmware execution is possible: A concolic execution approach for peripheral emulation. In Annual Computer Security Applications Conference. 746–759.Google ScholarDigital Library
- Jiongyi Chen, Wenrui Diao, Qingchuan Zhao, Chaoshun Zuo, Zhiqiang Lin, XiaoFeng Wang, Wing Cheong Lau, Menghan Sun, Ronghai Yang, and Kehuan Zhang. 2018. IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing.. In NDSS.Google Scholar
- Libo Chen, Yanhao Wang, Quanpu Cai, Yunfan Zhan, Hong Hu, Jiaqi Linghu, Qinsheng Hou, Chao Zhang, Haixin Duan, and Zhi Xue. 2021. Sharing More and Checking Less: Leveraging Common Input Keywords to Detect Bugs in Embedded Systems. In 30th USENIX Security Symposium (USENIX Security 21).Google Scholar
- Kai Cheng, Qiang Li, Lei Wang, Qian Chen, Yaowen Zheng, Limin Sun, and Zhenkai Liang. 2018. DTaint: detecting the taint-style vulnerability in embedded device firmware. In 2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). IEEE, 430–441.Google ScholarCross Ref
- Vitaly Chipounov, Volodymyr Kuznetsov, and George Candea. 2011. S2E: A platform for in-vivo multi-path analysis of software systems. Acm Sigplan Notices 46, 3 (2011), 265–278.Google ScholarDigital Library
- Abraham A Clements, Eric Gustafson, Tobias Scharnowski, Paul Grosen, David Fritz, Christopher Kruegel, Giovanni Vigna, Saurabh Bagchi, and Mathias Payer. 2020. HALucinator: Firmware re-hosting through abstraction layer emulation. In 29th USENIX Security Symposium (USENIX Security 20). 1201–1218.Google Scholar
- Drew Davidson, Benjamin Moench, Thomas Ristenpart, and Somesh Jha. 2013. FIE on firmware: Finding vulnerabilities in embedded systems using symbolic execution. In 22nd USENIX Security Symposium (USENIX Security 13). 463–478.Google Scholar
- Andrew Fasano, Tiemoko Ballo, Marius Muench, Tim Leek, Alexander Bulekov, Brendan Dolan-Gavitt, Manuel Egele, Aurélien Francillon, Long Lu, Nick Gregory, 2021. SoK: Enabling Security Analyses of Embedded Systems via Rehosting. In Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security. 687–701.Google ScholarDigital Library
- Bo Feng, Alejandro Mera, and Long Lu. 2020. P2IM: Scalable and hardware-independent firmware testing via automatic peripheral interface modeling. In 29th USENIX Security Symposium (USENIX Security 20). 1237–1254.Google Scholar
- Fred Glover. 1977. Heuristics for integer programming using surrogate constraints. Decision sciences 8, 1 (1977), 156–166.Google Scholar
- Grant Hernandez, Farhaan Fowze, Dave Tian, Tuba Yavuz, and Kevin RB Butler. 2017. Firmusb: Vetting usb device firmware using domain informed symbolic execution. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. 2245–2262.Google ScholarDigital Library
- Hubert Högl and Dominic Rath. 2006. Open on-chip debugger–openocd–. Fakultat fur Informatik, Tech. Rep(2006).Google Scholar
- Evan Johnson, Maxwell Bland, YiFei Zhu, Joshua Mason, Stephen Checkoway, Stefan Savage, and Kirill Levchenko. 2021. Jetset: Targeted firmware rehosting for embedded systems. In 30th USENIX Security Symposium (USENIX Security 21).Google Scholar
- S. Khandelwal. 2016-10-27. Friday’s massive DDoS attack came from just 100,000 hacked IoT devices.http://thehackernews.com/2016/10/ddos-attack-mirai-iot.html.Google Scholar
- Mingeun Kim, Dongkwan Kim, Eunsoo Kim, Suryeon Kim, Yeongjin Jang, and Yongdae Kim. 2020. Firmae: Towards large-scale emulation of iot firmware for dynamic analysis. In Annual Computer Security Applications Conference. 733–745.Google ScholarDigital Library
- Taegyu Kim, Vireshwar Kumar, Junghwan Rhee, Jizhou Chen, Kyungtae Kim, Chung Hwan Kim, Dongyan Xu, and Dave Jing Tian. 2021. PASAN: Detecting Peripheral Access Concurrency Bugs within Bare-Metal Embedded Applications. In 30th USENIX Security Symposium (USENIX Security 21).Google Scholar
- Paul Kocher, Ruby Lee, Gary McGraw, and Anand Raghunathan. 2004. Security as a new dimension in embedded system design. In Proceedings of the 41st annual Design Automation Conference. 753–760.Google ScholarDigital Library
- Philip Koopman. 2004. Embedded system security. Computer 37, 7 (2004), 95–97.Google ScholarDigital Library
- D. Lee. 2018-05-24. Amazon Alexa heard and sent private chat.https://www.bbc.com/news/technology-44248122.Google Scholar
- Wenqiang Li, Le Guan, Jingqiang Lin, Jiameng Shi, and Fengjun Li. 2021. From Library Portability to Para-rehosting: Natively Executing Microcontroller Software on Commodity Hardware. arXiv preprint arXiv:2107.12867(2021).Google Scholar
- Knud Lasse Lueth. 2020-11-19. State of the IoT 2020: 12 billion IoT connections, surpassing non-IoT for the first time. https://iot-analytics.com/state-of-the-iot-2020-12-billion-iot-connections-surpassing-non-iot-for-the-first-time/.Google Scholar
- A. Mera, B. Feng, L. Lu, E. Kirda, and W. Robertson. 2021. DICE: Automatic Emulation of DMA Input Channels for Dynamic Firmware Analysis. In 2021 2021 IEEE Symposium on Security and Privacy (SP). IEEE Computer Society, Los Alamitos, CA, USA, 1938–1954. https://doi.org/10.1109/SP40001.2021.00018Google Scholar
- Sukhvir Notra, Muhammad Siddiqi, Hassan Habibi Gharakheili, Vijay Sivaraman, and Roksana Boreli. 2014. An experimental study of security and privacy risks with emerging household appliances. In 2014 IEEE conference on communications and network security. IEEE, 79–84.Google ScholarCross Ref
- NGUYEN Anh Quynh and DANG Hoang Vu. 2015. Unicorn: Next generation cpu emulator framework. BlackHat USA 476(2015).Google Scholar
- Srivaths Ravi, Anand Raghunathan, Paul Kocher, and Sunil Hattangady. 2004. Security in embedded systems: Design challenges. ACM Transactions on Embedded Computing Systems (TECS) 3, 3(2004), 461–491.Google ScholarDigital Library
- Nilo Redini, Aravind Machiry, Ruoyu Wang, Chad Spensky, Andrea Continella, Yan Shoshitaishvili, Christopher Kruegel, and Giovanni Vigna. 2020. Karonte: Detecting insecure multi-binary interactions in embedded firmware. In 2020 IEEE Symposium on Security and Privacy (SP). IEEE, 1544–1561.Google ScholarCross Ref
- Jan Ruge, Jiska Classen, Francesco Gringoli, and Matthias Hollick. 2020. Frankenstein: Advanced wireless fuzzing to exploit new bluetooth escalation targets. In 29th USENIX Security Symposium (USENIX Security 20). 19–36.Google Scholar
- Tobias Scharnowski, Nils Bars, Moritz Schloegel, Eric Gustafson, Marius Muench, Giovanni Vigna, Christopher Kruegel, Thorsten Holz, and Ali Abbasi. 2022. Fuzzware: Using Precise MMIO Modeling for Effective Firmware Fuzzing. In 31st USENIX Security Symposium (USENIX Security 22). USENIX Association, Boston, MA. https://www.usenix.org/conference/usenixsecurity22/presentation/scharnowskiGoogle Scholar
- Yan Shoshitaishvili, Ruoyu Wang, Christophe Hauser, Christopher Kruegel, and Giovanni Vigna. 2015. Firmalice-Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware.. In NDSS, Vol. 1. 1–1.Google Scholar
- Vijay Sivaraman, Hassan Habibi Gharakheili, Arun Vishwanath, Roksana Boreli, and Olivier Mehani. 2015. Network-level security and privacy control for smart-home IoT devices. In 2015 IEEE 11th International conference on wireless and mobile computing, networking and communications (WiMob). IEEE, 163–167.Google ScholarCross Ref
- Dokyung Song, Felicitas Hetzelt, Dipanjan Das, Chad Spensky, Yeoul Na, Stijn Volckaert, Giovanni Vigna, Christopher Kruegel, Jean-Pierre Seifert, and Michael Franz. 2019. Periscope: An effective probing and fuzzing framework for the hardware-os boundary. In NDSS.Google Scholar
- Michael Sutton, Adam Greene, and Pedram Amini. 2007. Fuzzing: brute force vulnerability discovery. Pearson Education.Google Scholar
- Haohuang Wen, Zhiqiang Lin, and Yinqian Zhang. 2020. FirmXRay: Detecting Bluetooth Link Layer Vulnerabilities From Bare-Metal Firmware. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. 167–180.Google ScholarDigital Library
- Jonas Zaddach, Luca Bruno, Aurelien Francillon, Davide Balzarotti, 2014. AVATAR: A Framework to Support Dynamic Security Analysis of Embedded Systems’ Firmwares.. In NDSS, Vol. 23. 1–16.Google Scholar
- Yaowen Zheng, Ali Davanian, Heng Yin, Chengyu Song, Hongsong Zhu, and Limin Sun. 2019. FIRM-AFL: high-throughput greybox fuzzing of iot firmware via augmented process emulation. In 28th USENIX Security Symposium (USENIX Security 19). 1099–1114.Google Scholar
- Wei Zhou, Le Guan, Peng Liu, and Yuqing Zhang. 2021. Automatic Firmware Emulation through Invalidity-guided Knowledge Inference. In 30th USENIX Security Symposium (USENIX Security 21). USENIX Association. https://www.usenix.org/conference/usenixsecurity21/presentation/zhouGoogle Scholar
Index Terms
- What You See is Not What You Get: Revealing Hidden Memory Mapping for Peripheral Modeling
Recommendations
Device-agnostic Firmware Execution is Possible: A Concolic Execution Approach for Peripheral Emulation
ACSAC '20: Proceedings of the 36th Annual Computer Security Applications ConferenceWith the rapid proliferation of IoT devices, our cyberspace is nowadays dominated by billions of low-cost computing nodes, which are very heterogeneous to each other. Dynamic analysis, one of the most effective approaches to finding software bugs, has ...
What Your Firmware Tells You Is Not How You Should Emulate It: A Specification-Guided Approach for Firmware Emulation
CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications SecurityEmulating firmware of microcontrollers is challenging due to the lack of peripheral models. Existing work finds out how to respond to peripheral read operations by analyzing the target firmware. This is problematic because the firmware sometimes does ...
Comments