Symbolic Execution for BIOS Security

We are building a tool that uses symbolic execution to search for BIOS security vulnerabilities, including dangerous memory references (call-outs) by SMM interrupt handlers in UEFI-compliant BIOS implementations. The tool currently applies only to the interrupt handler for SMM variable services. Given a snapshot of SMRAM, the base address of SMRAM, and the address of the variable interrupt handler within SMRAM, the tool uses S2E to drive the KLEE symbolic execution engine and searches for concrete inputs to the handler that cause it to read memory outside of SMRAM. This is a work in progress; we discuss our approach, our current status, our plans for the tool, and the obstacles we face.
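As an added illustration, not code from the paper's tool, the C model below shows the property the search targets: a variable SMI handler that follows a caller-supplied pointer, a memory-access monitor that flags any handler read outside the SMRAM window (the role an S2E plugin plays over the real snapshot), and a stand-in for the symbolic search that tries boundary inputs and reports a witness. The flat memory layout, the `var_request` structure, the handler bodies and the candidate inputs are assumptions of this example. One practitioner caveat: a real UEFI variable handler legitimately reads a communication buffer that lives outside SMRAM, so a monitor for production firmware would exclude that validated region rather than flag every external read.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of physical memory: 8 KiB in total, with the upper 4 KiB
 * standing in for the SMRAM window (TSEG on a real machine). Addresses are
 * model addresses, not host pointers, so the run is deterministic and safe. */
#define MEM_SIZE   0x2000u
#define SMRAM_BASE 0x1000u
#define SMRAM_SIZE 0x1000u

/* Monitor state: the property checked is "the handler never reads an
 * address outside [SMRAM_BASE, SMRAM_BASE + SMRAM_SIZE)". */
struct smm_monitor {
    uint8_t  mem[MEM_SIZE];
    bool     callout;       /* handler read memory outside SMRAM */
    uint64_t callout_addr;  /* first offending address */
};

/* Overflow-safe check that [addr, addr + len) lies entirely inside SMRAM. */
bool smram_contains(uint64_t addr, uint64_t len)
{
    uint64_t end = (uint64_t)SMRAM_BASE + SMRAM_SIZE;
    if (addr < SMRAM_BASE || addr >= end)
        return false;
    return len <= end - addr;   /* never computes addr + len, which could wrap */
}

/* Every load the modelled handler performs goes through this hook, as an S2E
 * plugin would hook guest memory accesses. Reads outside the modelled memory
 * are treated as faults and return 0 instead of touching host memory. */
static uint8_t handler_read8(struct smm_monitor *m, uint64_t addr)
{
    if (!smram_contains(addr, 1) && !m->callout) {
        m->callout = true;
        m->callout_addr = addr;
    }
    return addr < MEM_SIZE ? m->mem[addr] : 0;
}

/* Assumed request layout handed to the variable handler; in this model the
 * header itself has already been copied into SMRAM. */
struct var_request {
    uint64_t name_ptr;   /* caller-supplied pointer to the variable name */
    uint64_t name_len;
    uint8_t  status;     /* 0 = handled, 1 = rejected */
};

typedef void (*handler_fn)(struct smm_monitor *, struct var_request *);

/* Vulnerable handler: follows the caller's pointer without validating it. */
void variable_handler_vuln(struct smm_monitor *m, struct var_request *req)
{
    uint8_t acc = 0;
    for (uint64_t i = 0; i < req->name_len; i++)
        acc |= handler_read8(m, req->name_ptr + i);
    req->status = 0;
    (void)acc;
}

/* Hardened handler: rejects any name buffer not wholly inside SMRAM before
 * touching it, then runs the same body on validated input only. */
void variable_handler_fixed(struct smm_monitor *m, struct var_request *req)
{
    if (!smram_contains(req->name_ptr, req->name_len)) {
        req->status = 1;
        return;
    }
    variable_handler_vuln(m, req);
}

/* Stand-in for the symbolic search: try boundary inputs of the kind a solver
 * produces as witnesses and report the first one that makes the handler read
 * outside SMRAM. Returns true and fills *witness when the handler is unsafe. */
bool find_callout(handler_fn h, struct var_request *witness)
{
    static const struct var_request cases[] = {
        { SMRAM_BASE,                  16,             0 }, /* valid, inside SMRAM */
        { SMRAM_BASE - 8,              16,             0 }, /* starts below SMRAM */
        { SMRAM_BASE + SMRAM_SIZE - 8, 16,             0 }, /* straddles the top */
        { SMRAM_BASE,                  SMRAM_SIZE + 1, 0 }, /* length walks off the end */
        { 0xFFFFFFFFFFFFFFF0ull,       0x20,           0 }, /* addr + len wraps past 0 */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct smm_monitor m;
        memset(&m, 0, sizeof m);
        struct var_request req = cases[i];
        h(&m, &req);
        if (m.callout) {
            *witness = req;
            return true;
        }
    }
    return false;
}

int main(void)
{
    struct var_request w;
    if (find_callout(variable_handler_vuln, &w))
        printf("vuln handler: read outside SMRAM with name_ptr=0x%llx name_len=%llu\n",
               (unsigned long long)w.name_ptr, (unsigned long long)w.name_len);
    if (!find_callout(variable_handler_fixed, &w))
        printf("fixed handler: no read outside SMRAM for any candidate input\n");
    return 0;
}
```

The search here is concrete enumeration, which is what distinguishes it from the paper's approach: symbolic execution makes `name_ptr` and `name_len` symbolic, lets the monitor's condition become a path constraint, and asks the solver for a satisfying assignment rather than guessing boundary values by hand.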
