What You See is Not What You Get: Revealing Hidden Memory Mapping for Peripheral Modeling

Published: 26 October 2022

Abstract

Nowadays there are a massive number of embedded Internet-of-Things (IoT) devices, each built around a microcontroller unit (MCU) that supports numerous peripherals. To detect security vulnerabilities in these devices, a number of emulation (or rehosting) frameworks enable scalable dynamic analysis using only the firmware code, without involving the real hardware. However, we show that the firmware code alone is insufficient for emulation: peripheral registers have a special hardware-defined property that lets bound registers be updated simultaneously without CPU intervention, which we call hidden memory mapping. In this paper, we demonstrate that existing rehosting frameworks such as P2IM and μEMU follow incorrect execution paths because they fail to handle hidden memory mapping properly during emulation. To address this challenge, we propose AutoMap, the first framework that uses a differential hardware memory introspection approach to automatically reveal hidden memory mappings among peripheral registers for faithful firmware emulation. We have developed AutoMap atop the Unicorn emulator and evaluated it with 41 embedded-device firmware images developed for the Nordic MCU and 9 real-world firmware images previously evaluated by μEMU and P2IM on two STMicroelectronics MCUs. Among them, AutoMap extracted 2,359 unique memory mappings in total, which can be shared with rehosting frameworks through a knowledge base. Moreover, by integrating AutoMap with μEMU, AutoMap is able to identify and correct program paths that would not run on the actual hardware.
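To make the abstract's notion concrete, here is an added Python model (not code from the paper or from AutoMap): a simulated peripheral whose OUTSET/OUTCLR writes silently update a bound OUT register, a differential introspection routine that writes probe values and diffs the remaining registers to recover those bindings, and a firmware check that takes the wrong path under a naive register-storage emulator but the right one once the learned mapping is replayed. Register names, offsets and the set/clear semantics are constructed assumptions.

```python
# Constructed toy: names, offsets and the SET/CLR semantics are assumptions, not from a datasheet.
OUT, OUTSET, OUTCLR, SCRATCH = 0x504, 0x508, 0x50C, 0x510
MASK = 0xFFFFFFFF

class Registers:
    def __init__(self):
        self.regs = {OUT: 0, OUTSET: 0, OUTCLR: 0, SCRATCH: 0}
    def read(self, off):
        return self.regs[off]

class Hardware(Registers):
    """Simulated MCU: OUTSET/OUTCLR writes update OUT with no CPU action (hidden mapping)."""
    def write(self, off, val):
        if off == OUTSET:
            self.regs[OUT] |= val & MASK        # bound register OUT gains the written bits
        elif off == OUTCLR:
            self.regs[OUT] &= ~val & MASK       # bound register OUT loses the written bits
        else:
            self.regs[off] = val & MASK         # OUTSET/OUTCLR themselves read back as 0

class Emulator(Registers):
    """Rehosting-style model: plain storage, plus replay of any mapping it was given."""
    def __init__(self, mapping=None):
        super().__init__()
        self.mapping = mapping or {}
    def write(self, off, val):
        self.regs[off] = val & MASK
        for dst, kind in self.mapping.get(off, {}).items():
            if kind == "set":
                self.regs[dst] |= val & MASK
            elif kind == "clear":
                self.regs[dst] &= ~val & MASK

def reveal_mappings(hw):
    """Differential introspection: probe one register, diff all the others, record the relation."""
    mapping = {}
    for src in list(hw.regs):
        for probe in (MASK, 0):   # address order matters: OUTCLR is only visible once OUT != 0
            before = dict(hw.regs)
            hw.write(src, probe)
            for dst, val in hw.regs.items():
                if dst == src or val == before[dst]:
                    continue
                kind = ("set" if val == (before[dst] | probe) & MASK else
                        "clear" if val == before[dst] & ~probe & MASK else "other")
                mapping.setdefault(src, {})[dst] = kind
    return mapping

def firmware(dev, bit=17):   # firmware path: drive a pin via OUTSET, then poll OUT to confirm
    dev.write(OUTSET, 1 << bit)
    return bool(dev.read(OUT) & (1 << bit))
```

The probe sweep is order-sensitive: a clear-type binding stays invisible while the bound register is already zero, which is why a single sweep with one probe value cannot be trusted to find every mapping.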

Cited By

  • (2025) IoT Firmware Emulation and Its Security Application in Fuzzing: A Critical Revisit. Future Internet 17:1 (19). https://doi.org/10.3390/fi17010019. Online publication date: 6 Jan 2025.
  • (2024) IEmu: Interrupt modeling from the logic hidden in the firmware. Journal of Systems Architecture 154 (103237). https://doi.org/10.1016/j.sysarc.2024.103237. Online publication date: Sep 2024.

      Published In

      RAID '22: Proceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses
      October 2022
      536 pages
      ISBN:9781450397049
      DOI:10.1145/3545948

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. Embedded devices
      2. Firmware analysis
      3. Firmware emulation
      4. Peripheral modeling

      Qualifiers

      • Research-article
      • Research
      • Refereed limited

      Conference

      RAID 2022

      Acceptance Rates

      Overall Acceptance Rate 43 of 173 submissions, 25%
