Shimware: Toward Practical Security Retrofitting for Monolithic Firmware Images

Eric Gustafson, Paul Grosen, Nilo Redini, Saagar Jha, Ruoyu Wang, Andrea Continella, Kevin Fu, Sara Rampazzi, Christopher Kruegel, Giovanni Vigna

Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

8 Downloads (Pure)

Abstract

In today’s era of the Internet of Things, we are surrounded by security- and safety-critical, network-connected devices. In parallel with the rise in attacks on such devices, we have also seen an increase in devices that are abandoned, reached the end of their support periods, or will not otherwise receive future security updates. While this issue exists for a wide array of devices, those that use monolithic firmware, where the code and data are opaquely intermixed, have traditionally been difficult to examine and protect. In this paper, we explore the challenges of retrofitting monolithic firmware images with new security measures. First, we outline the steps any analyst must take to retrofit firmware, and show that previous work is missing crucial aspects of the process, which are required for a practical solution. We then automate three of these aspects-locating attacker-controlled input, a safe retrofit injection location, and self-checks preventing modifications-through the use of novel automated program analysis techniques. We assemble these analyses into a system, Shimware, that can simplify and facilitate the process of creating a retrofitted firmware image, once the vulnerability is identified. To evaluate Shimware, we employ both a synthetic evaluation and actual retrofitting of three case study devices: a networked bench power supply, a Bluetooth-enabled cardiac implant monitor, and a high-end programmable logic controller (PLC). Not only could our system identify the correct sources of input, injection locations, and self-checks, but it injected payloads to correct serious safety and security-critical vulnerabilities in these devices.

Original languageEnglish
Title of host publicationRAID '23
Subtitle of host publicationProceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, Hong Kong, China, October 16-18, 2023
Place of PublicationNew York, NY
PublisherAssociation for Computing Machinery
Pages32-45
Number of pages14
ISBN (Print)979-8-4007-0765-0
DOIs
Publication statusPublished - 16 Oct 2023
Event26th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2023 - Hong Kong, China
Duration: 16 Oct 202318 Oct 2023
Conference number: 26

Conference

Conference26th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2023
Abbreviated titleRAID
Country/TerritoryChina
CityHong Kong
Period16/10/2318/10/23

Keywords

  • Cybersecurity

Fingerprint

Dive into the research topics of 'Shimware: Toward Practical Security Retrofitting for Monolithic Firmware Images'. Together they form a unique fingerprint.

Cite this