Shimware: Toward Practical Security Retrofitting for Monolithic Firmware Images

Eric Gustafson; Paul Grosen; Nilo Redini; Saagar Jha; Ruoyu Wang; Andrea Continella; Kevin Fu; Sara Rampazzi; Christopher Kruegel; Giovanni Vigna

doi:10.1145/3607199.3607217

Shimware: Toward Practical Security Retrofitting for Monolithic Firmware Images

Eric Gustafson, Paul Grosen, Nilo Redini, Saagar Jha, Ruoyu Wang, Andrea Continella, Kevin Fu, Sara Rampazzi, Christopher Kruegel, Giovanni Vigna

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

2 Citations (Scopus)

74 Downloads (Pure)

Abstract

In today’s era of the Internet of Things, we are surrounded by security- and safety-critical, network-connected devices. In parallel with the rise in attacks on such devices, we have also seen an increase in devices that are abandoned, reached the end of their support periods, or will not otherwise receive future security updates. While this issue exists for a wide array of devices, those that use monolithic firmware, where the code and data are opaquely intermixed, have traditionally been difficult to examine and protect. In this paper, we explore the challenges of retrofitting monolithic firmware images with new security measures. First, we outline the steps any analyst must take to retrofit firmware, and show that previous work is missing crucial aspects of the process, which are required for a practical solution. We then automate three of these aspects-locating attacker-controlled input, a safe retrofit injection location, and self-checks preventing modifications-through the use of novel automated program analysis techniques. We assemble these analyses into a system, Shimware, that can simplify and facilitate the process of creating a retrofitted firmware image, once the vulnerability is identified. To evaluate Shimware, we employ both a synthetic evaluation and actual retrofitting of three case study devices: a networked bench power supply, a Bluetooth-enabled cardiac implant monitor, and a high-end programmable logic controller (PLC). Not only could our system identify the correct sources of input, injection locations, and self-checks, but it injected payloads to correct serious safety and security-critical vulnerabilities in these devices.

Original language	English
Title of host publication	RAID '23
Subtitle of host publication	Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, Hong Kong, China, October 16-18, 2023
Place of Publication	New York, NY
Publisher	Association for Computing Machinery
Pages	32-45
Number of pages	14
ISBN (Print)	979-8-4007-0765-0
DOIs	https://doi.org/10.1145/3607199.3607217
Publication status	Published - 16 Oct 2023
Event	26th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2023 - Hong Kong, China Duration: 16 Oct 2023 → 18 Oct 2023 Conference number: 26

Conference

Conference	26th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2023
Abbreviated title	RAID
Country/Territory	China
City	Hong Kong
Period	16/10/23 → 18/10/23

Keywords

Cybersecurity

Access to Document

10.1145/3607199.3607217

ArticleFinal published version, 3.89 MBLicence: CC BY

Cite this

Gustafson, E., Grosen, P., Redini, N., Jha, S., Wang, R., Continella, A., Fu, K., Rampazzi, S., Kruegel, C., & Vigna, G. (2023). Shimware: Toward Practical Security Retrofitting for Monolithic Firmware Images. In RAID '23: Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, Hong Kong, China, October 16-18, 2023 (pp. 32-45). Association for Computing Machinery. https://doi.org/10.1145/3607199.3607217

@inproceedings{160d13e5ab4c4eccbb698cc33a061ad6,

title = "Shimware: Toward Practical Security Retrofitting for Monolithic Firmware Images",

abstract = "In today{\textquoteright}s era of the Internet of Things, we are surrounded by security- and safety-critical, network-connected devices. In parallel with the rise in attacks on such devices, we have also seen an increase in devices that are abandoned, reached the end of their support periods, or will not otherwise receive future security updates. While this issue exists for a wide array of devices, those that use monolithic firmware, where the code and data are opaquely intermixed, have traditionally been difficult to examine and protect. In this paper, we explore the challenges of retrofitting monolithic firmware images with new security measures. First, we outline the steps any analyst must take to retrofit firmware, and show that previous work is missing crucial aspects of the process, which are required for a practical solution. We then automate three of these aspects-locating attacker-controlled input, a safe retrofit injection location, and self-checks preventing modifications-through the use of novel automated program analysis techniques. We assemble these analyses into a system, Shimware, that can simplify and facilitate the process of creating a retrofitted firmware image, once the vulnerability is identified. To evaluate Shimware, we employ both a synthetic evaluation and actual retrofitting of three case study devices: a networked bench power supply, a Bluetooth-enabled cardiac implant monitor, and a high-end programmable logic controller (PLC). Not only could our system identify the correct sources of input, injection locations, and self-checks, but it injected payloads to correct serious safety and security-critical vulnerabilities in these devices.",

keywords = "Cybersecurity",

author = "Eric Gustafson and Paul Grosen and Nilo Redini and Saagar Jha and Ruoyu Wang and Andrea Continella and Kevin Fu and Sara Rampazzi and Christopher Kruegel and Giovanni Vigna",

note = "Publisher Copyright: {\textcopyright} 2023 Copyright held by the owner/author(s).; 26th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2023, RAID ; Conference date: 16-10-2023 Through 18-10-2023",

year = "2023",

month = oct,

day = "16",

doi = "10.1145/3607199.3607217",

language = "English",

isbn = "979-8-4007-0765-0",

pages = "32--45",

booktitle = "RAID '23",

publisher = "Association for Computing Machinery",

address = "United States",

}

Gustafson, E, Grosen, P, Redini, N, Jha, S, Wang, R, Continella, A, Fu, K, Rampazzi, S, Kruegel, C & Vigna, G 2023, Shimware: Toward Practical Security Retrofitting for Monolithic Firmware Images. in RAID '23: Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, Hong Kong, China, October 16-18, 2023. Association for Computing Machinery, New York, NY, pp. 32-45, 26th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2023, Hong Kong, China, 16/10/23. https://doi.org/10.1145/3607199.3607217

Shimware: Toward Practical Security Retrofitting for Monolithic Firmware Images. / Gustafson, Eric; Grosen, Paul; Redini, Nilo et al.
RAID '23: Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, Hong Kong, China, October 16-18, 2023. New York, NY: Association for Computing Machinery, 2023. p. 32-45.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Shimware: Toward Practical Security Retrofitting for Monolithic Firmware Images

AU - Gustafson, Eric

AU - Grosen, Paul

AU - Redini, Nilo

AU - Jha, Saagar

AU - Wang, Ruoyu

AU - Continella, Andrea

AU - Fu, Kevin

AU - Rampazzi, Sara

AU - Kruegel, Christopher

AU - Vigna, Giovanni

N1 - Conference code: 26

PY - 2023/10/16

Y1 - 2023/10/16

N2 - In today’s era of the Internet of Things, we are surrounded by security- and safety-critical, network-connected devices. In parallel with the rise in attacks on such devices, we have also seen an increase in devices that are abandoned, reached the end of their support periods, or will not otherwise receive future security updates. While this issue exists for a wide array of devices, those that use monolithic firmware, where the code and data are opaquely intermixed, have traditionally been difficult to examine and protect. In this paper, we explore the challenges of retrofitting monolithic firmware images with new security measures. First, we outline the steps any analyst must take to retrofit firmware, and show that previous work is missing crucial aspects of the process, which are required for a practical solution. We then automate three of these aspects-locating attacker-controlled input, a safe retrofit injection location, and self-checks preventing modifications-through the use of novel automated program analysis techniques. We assemble these analyses into a system, Shimware, that can simplify and facilitate the process of creating a retrofitted firmware image, once the vulnerability is identified. To evaluate Shimware, we employ both a synthetic evaluation and actual retrofitting of three case study devices: a networked bench power supply, a Bluetooth-enabled cardiac implant monitor, and a high-end programmable logic controller (PLC). Not only could our system identify the correct sources of input, injection locations, and self-checks, but it injected payloads to correct serious safety and security-critical vulnerabilities in these devices.

AB - In today’s era of the Internet of Things, we are surrounded by security- and safety-critical, network-connected devices. In parallel with the rise in attacks on such devices, we have also seen an increase in devices that are abandoned, reached the end of their support periods, or will not otherwise receive future security updates. While this issue exists for a wide array of devices, those that use monolithic firmware, where the code and data are opaquely intermixed, have traditionally been difficult to examine and protect. In this paper, we explore the challenges of retrofitting monolithic firmware images with new security measures. First, we outline the steps any analyst must take to retrofit firmware, and show that previous work is missing crucial aspects of the process, which are required for a practical solution. We then automate three of these aspects-locating attacker-controlled input, a safe retrofit injection location, and self-checks preventing modifications-through the use of novel automated program analysis techniques. We assemble these analyses into a system, Shimware, that can simplify and facilitate the process of creating a retrofitted firmware image, once the vulnerability is identified. To evaluate Shimware, we employ both a synthetic evaluation and actual retrofitting of three case study devices: a networked bench power supply, a Bluetooth-enabled cardiac implant monitor, and a high-end programmable logic controller (PLC). Not only could our system identify the correct sources of input, injection locations, and self-checks, but it injected payloads to correct serious safety and security-critical vulnerabilities in these devices.

KW - Cybersecurity

UR - http://www.scopus.com/inward/record.url?scp=85175689780&partnerID=8YFLogxK

U2 - 10.1145/3607199.3607217

DO - 10.1145/3607199.3607217

M3 - Conference contribution

AN - SCOPUS:85175689780

SN - 979-8-4007-0765-0

SP - 32

EP - 45

BT - RAID '23

PB - Association for Computing Machinery

CY - New York, NY

T2 - 26th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2023

Y2 - 16 October 2023 through 18 October 2023

ER -

Gustafson E, Grosen P, Redini N, Jha S, Wang R, Continella A et al. Shimware: Toward Practical Security Retrofitting for Monolithic Firmware Images. In RAID '23: Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, Hong Kong, China, October 16-18, 2023. New York, NY: Association for Computing Machinery. 2023. p. 32-45 doi: 10.1145/3607199.3607217

Shimware: Toward Practical Security Retrofitting for Monolithic Firmware Images

Abstract

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this