Identifying Multi-Binary Vulnerabilities in Embedded Firmware at Scale

Nilo Redini; Aravind Machiry; Ruoyu Wang; Chad Spensky; Andrea Continella; Yan Shoshitaishvili; Christopher Kruegel; Giovanni Vigna

Identifying Multi-Binary Vulnerabilities in Embedded Firmware at Scale

Nilo Redini, Aravind Machiry, Ruoyu Wang, Chad Spensky, Andrea Continella, Yan Shoshitaishvili, Christopher Kruegel, Giovanni Vigna

Semantics, Cybersecurity & Services

Research output: Contribution to conference › Paper › peer-review

54 Downloads (Pure)

Abstract

Low-power, single-purpose embedded devices (e.g., routers and IoT devices) have become ubiquitous. While they automate and simplify many aspects of users’ lives, recent large-scale attacks have shown that their sheer number poses a severe threat to the Internet infrastructure. Unfortunately, the software on these systems is hardware-dependent, and typically executes in unique, minimal environments with non-standard configurations, making security analysis particularly challenging. Many of the existing devices implement their functionality through the use of multiple binaries. This multi-binary service implementation renders current static and dynamic analysis techniques either ineffective or inefficient, as they are unable to identify and adequately model the communication between the various executables. In this paper, we present KARONTE, a static analysis approach capable of analyzing embedded-device
firmware by modeling and tracking multi-binary interactions. Our approach propagates taint information between binaries to detect insecure interactions and identify vulnerabilities. We first evaluated KARONTE on 53 firmware samples from various vendors, showing that our prototype tool can successfully track
and constrain multi-binary interactions. This led to the discovery of 46 zero-day bugs. Then, we performed a large-scale experiment on 899 different samples, showing that KARONTE scales well with firmware samples of different size and complexity.

Original language	English
Number of pages	18
Publication status	Published - 1 Apr 2020
Event	Black Hat Asia 2020 - Online, Singapore Time Zone, Singapore Duration: 29 Sept 2020 → 2 Oct 2020 https://www.blackhat.com/asia-20/

Conference

Conference	Black Hat Asia 2020
Country/Territory	Singapore
Period	29/09/20 → 2/10/20
Internet address	https://www.blackhat.com/asia-20/

Keywords

Cybersecurity

Access to Document

Redini2020identifyingFinal published version, 600 KB

Cite this

@conference{d5034077592348cc908c2c9540522fa7,

title = "Identifying Multi-Binary Vulnerabilities in Embedded Firmware at Scale",

abstract = "Low-power, single-purpose embedded devices (e.g., routers and IoT devices) have become ubiquitous. While they automate and simplify many aspects of users{\textquoteright} lives, recent large-scale attacks have shown that their sheer number poses a severe threat to the Internet infrastructure. Unfortunately, the software on these systems is hardware-dependent, and typically executes in unique, minimal environments with non-standard configurations, making security analysis particularly challenging. Many of the existing devices implement their functionality through the use of multiple binaries. This multi-binary service implementation renders current static and dynamic analysis techniques either ineffective or inefficient, as they are unable to identify and adequately model the communication between the various executables. In this paper, we present KARONTE, a static analysis approach capable of analyzing embedded-devicefirmware by modeling and tracking multi-binary interactions. Our approach propagates taint information between binaries to detect insecure interactions and identify vulnerabilities. We first evaluated KARONTE on 53 firmware samples from various vendors, showing that our prototype tool can successfully trackand constrain multi-binary interactions. This led to the discovery of 46 zero-day bugs. Then, we performed a large-scale experiment on 899 different samples, showing that KARONTE scales well with firmware samples of different size and complexity.",

keywords = "Cybersecurity",

author = "Nilo Redini and Aravind Machiry and Ruoyu Wang and Chad Spensky and Andrea Continella and Yan Shoshitaishvili and Christopher Kruegel and Giovanni Vigna",

year = "2020",

month = apr,

day = "1",

language = "English",

note = "Black Hat Asia 2020 ; Conference date: 29-09-2020 Through 02-10-2020",

url = "https://www.blackhat.com/asia-20/",

}

TY - CONF

T1 - Identifying Multi-Binary Vulnerabilities in Embedded Firmware at Scale

AU - Redini, Nilo

AU - Machiry, Aravind

AU - Wang, Ruoyu

AU - Spensky, Chad

AU - Continella, Andrea

AU - Shoshitaishvili, Yan

AU - Kruegel, Christopher

AU - Vigna, Giovanni

PY - 2020/4/1

Y1 - 2020/4/1

N2 - Low-power, single-purpose embedded devices (e.g., routers and IoT devices) have become ubiquitous. While they automate and simplify many aspects of users’ lives, recent large-scale attacks have shown that their sheer number poses a severe threat to the Internet infrastructure. Unfortunately, the software on these systems is hardware-dependent, and typically executes in unique, minimal environments with non-standard configurations, making security analysis particularly challenging. Many of the existing devices implement their functionality through the use of multiple binaries. This multi-binary service implementation renders current static and dynamic analysis techniques either ineffective or inefficient, as they are unable to identify and adequately model the communication between the various executables. In this paper, we present KARONTE, a static analysis approach capable of analyzing embedded-devicefirmware by modeling and tracking multi-binary interactions. Our approach propagates taint information between binaries to detect insecure interactions and identify vulnerabilities. We first evaluated KARONTE on 53 firmware samples from various vendors, showing that our prototype tool can successfully trackand constrain multi-binary interactions. This led to the discovery of 46 zero-day bugs. Then, we performed a large-scale experiment on 899 different samples, showing that KARONTE scales well with firmware samples of different size and complexity.

AB - Low-power, single-purpose embedded devices (e.g., routers and IoT devices) have become ubiquitous. While they automate and simplify many aspects of users’ lives, recent large-scale attacks have shown that their sheer number poses a severe threat to the Internet infrastructure. Unfortunately, the software on these systems is hardware-dependent, and typically executes in unique, minimal environments with non-standard configurations, making security analysis particularly challenging. Many of the existing devices implement their functionality through the use of multiple binaries. This multi-binary service implementation renders current static and dynamic analysis techniques either ineffective or inefficient, as they are unable to identify and adequately model the communication between the various executables. In this paper, we present KARONTE, a static analysis approach capable of analyzing embedded-devicefirmware by modeling and tracking multi-binary interactions. Our approach propagates taint information between binaries to detect insecure interactions and identify vulnerabilities. We first evaluated KARONTE on 53 firmware samples from various vendors, showing that our prototype tool can successfully trackand constrain multi-binary interactions. This led to the discovery of 46 zero-day bugs. Then, we performed a large-scale experiment on 899 different samples, showing that KARONTE scales well with firmware samples of different size and complexity.

KW - Cybersecurity

M3 - Paper

T2 - Black Hat Asia 2020

Y2 - 29 September 2020 through 2 October 2020

ER -

Identifying Multi-Binary Vulnerabilities in Embedded Firmware at Scale

Abstract

Conference

Keywords

Access to Document

Fingerprint

Cite this