PASAN: Detecting Peripheral Access Concurrency Bugs within Bare-Metal Embedded Applications

Concurrency bugs might be one of the most challenging software defects to detect and debug due to their non-deterministic triggers caused by task scheduling and interrupt handling. While different tools have been proposed to address concurrency issues, protecting peripherals in embedded systems from concurrent accesses impose unique challenges. A naïve lock protection on a certain memory-mapped I/O (MMIO) address still allows concurrent accesses to other MMIO addresses of a peripheral. Meanwhile, embedded peripherals such as sensors often employ some internal state machines to achieve certain functionalities. As a result, improper locking can lead to the corruption of peripherals’ on-going jobs (we call transaction corruption) thus corrupted sensor values or failed jobs. In this paper, we propose a static analysis tool namely PASAN to detect peripheral access concurrency issues for embedded systems. PASAN automatically finds the MMIO address range of each peripheral device using the parser-ready memory layout documents, extracts the peripheral’s internal state machines using the corresponding device drivers, and detects concurrency bugs of peripheral accesses automatically. We evaluate PASAN on seven different embedded platforms, including multiple real time operating systems (RTOSes) and robotic aerial vehicles (RAVs). PASAN found 17 true positive concurrency bugs in total from three different platforms with the bug detection rates ranging from 40% to 100%. We have reported all our findings to the corresponding parties. To the best of our knowledge, PASAN is the first static analysis tool detecting the intrinsic problems in concurrent peripheral accesses for embedded systems.

[1]  Vikram S. Adve,et al.  LLVM: a compilation framework for lifelong program analysis & transformation , 2004, International Symposium on Code Generation and Optimization, 2004. CGO 2004..

[2]  Christopher Krügel,et al.  Toward the Analysis of Embedded Firmware through Automated Re-hosting , 2019, RAID.

[3]  Eljas Soisalon-Soininen,et al.  On Finding the Strongly Connected Components in a Directed Graph , 1994, Inf. Process. Lett..

[4]  Dinghao Wu,et al.  Reassembleable Disassembling , 2015, USENIX Security Symposium.

[5]  Zhiqiang Lin,et al.  IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing , 2018, NDSS.

[6]  George Candea,et al.  RaceMob: crowdsourced data race detection , 2013, SOSP.

[7]  Christopher Krügel,et al.  DIFUZE: Interface Aware Fuzzing for Kernel Drivers , 2017, CCS.

[8]  Christopher Krügel,et al.  Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware , 2015, NDSS.

[9]  Somesh Jha,et al.  FIE on Firmware: Finding Vulnerabilities in Embedded Systems Using Symbolic Execution , 2013, USENIX Security Symposium.

[10]  Luca Bruno,et al.  AVATAR: A Framework to Support Dynamic Security Analysis of Embedded Systems' Firmwares , 2014, NDSS.

[11]  Jean-Pierre Seifert,et al.  PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary , 2019, NDSS.

[12]  Friedemann Mattern,et al.  Virtual Time and Global States of Distributed Systems , 2002 .

[13]  Kyung-Joon Park,et al.  Empirical Analysis of MAVLink Protocol Vulnerability for Attacking Unmanned Aerial Vehicles , 2018, IEEE Access.

[14]  Xinyan Deng,et al.  RVFuzzer: Finding Input Validation Bugs in Robotic Vehicles through Control-Guided Testing , 2019, USENIX Security Symposium.

[15]  Fabrice Bellard,et al.  QEMU, a Fast and Portable Dynamic Translator , 2005, USENIX ATC, FREENIX Track.

[16]  Herbert Bos,et al.  PIE: Parser Identification in Embedded Systems , 2015, ACSAC.

[17]  Christopher Krügel,et al.  DR. CHECKER: A Soundy Analysis for Linux Kernel Drivers , 2017, USENIX Security Symposium.

[18]  Gérard Berry,et al.  The Esterel Synchronous Programming Language: Design, Semantics, Implementation , 1992, Sci. Comput. Program..

[19]  George Candea,et al.  Testing Closed-Source Binary Device Drivers with DDT , 2010, USENIX Annual Technical Conference.

[20]  Hong Hu,et al.  Where Does It Go?: Refining Indirect-Call Targets with Multi-Layer Type Analysis , 2019, CCS.

[21]  Konstantin Serebryany,et al.  ThreadSanitizer: data race detection in practice , 2009, WBIA '09.

[22]  Asim Kadav,et al.  SymDrive: Testing Drivers without Devices , 2012, OSDI.

[23]  David Brumley,et al.  BYTEWEIGHT: Learning to Recognize Functions in Binary Code , 2014, USENIX Security Symposium.

[24]  Shi-Min Hu,et al.  Detecting Data Races Caused by Inconsistent Lock Protection in Device Drivers , 2019, 2019 IEEE 26th International Conference on Software Analysis, Evolution and Reengineering (SANER).

[25]  R. Spenneberg Don ’ t trust your USB ! How to find bugs in USB device drivers , 2014 .

[26]  Eléonore Goblé Taint analysis for automotive safety using the LLVM compiler infrastructure , 2019 .

[27]  David Brumley,et al.  Towards Automated Dynamic Analysis for Linux-based Embedded Firmware , 2016, NDSS.

[28]  Insik Shin,et al.  Razzer: Finding Kernel Race Bugs through Fuzzing , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[29]  Dawson R. Engler,et al.  RacerX: effective, static detection of race conditions and deadlocks , 2003, SOSP '03.

[30]  Leslie Lamport,et al.  Time, clocks, and the ordering of events in a distributed system , 1978, CACM.

[31]  David A. Wagner,et al.  Control-Flow Bending: On the Effectiveness of Control-Flow Integrity , 2015, USENIX Security Symposium.

[32]  Olaf Spinczyk,et al.  LockDoc: Trace-Based Analysis of Locking in the Linux Kernel , 2019, EuroSys.

[33]  S. Bharadwaj Yadavalli,et al.  Raising binaries to LLVM IR with MCTOLL (WIP paper) , 2019, LCTES.

[34]  Varmo Vene,et al.  Static race detection for device drivers: The Goblint approach , 2016, 2016 31st IEEE/ACM International Conference on Automated Software Engineering (ASE).

[35]  Shi-Min Hu,et al.  DSAC: Effective Static Analysis of Sleep-in-Atomic-Context Bugs in Kernel Modules , 2018, USENIX Annual Technical Conference.

[36]  Tong Zhang,et al.  TxRace: Efficient Data Race Detection Using Commodity Hardware Transactional Memory , 2016, ASPLOS.

[37]  Mark A. Hillebrand,et al.  VCC: A Practical System for Verifying Concurrent C , 2009, TPHOLs.

[38]  Mathias Payer,et al.  RetroWrite: Statically Instrumenting COTS Binaries for Fuzzing and Sanitization , 2020, 2020 IEEE Symposium on Security and Privacy (SP).

[39]  Xinyan Deng,et al.  From Control Model to Program: Investigating Robotic Aerial Vehicle Accidents with MAYDAY , 2020, USENIX Security Symposium.

[40]  Peng Liu,et al.  Cruiser: concurrent heap buffer overflow monitoring using lock-free data structures , 2011, PLDI '11.

[41]  Peter W. O'Hearn,et al.  Separation logic , 2019, Commun. ACM.

[42]  Sorin Lerner,et al.  RELAY: static race detection on millions of lines of code , 2007, ESEC-FSE '07.

[43]  Benjamin C. M. Fung,et al.  Asm2Vec: Boosting Static Representation Robustness for Binary Clone Search against Code Obfuscation and Compiler Optimization , 2019, 2019 IEEE Symposium on Security and Privacy (SP).

[44]  Ahmed M. Azab,et al.  PeX: A Permission Check Analysis Framework for Linux Kernel , 2019, USENIX Security Symposium.

[45]  Jingling Xue,et al.  SVF: interprocedural static value-flow analysis in LLVM , 2016, CC.

[46]  Nicholas Nethercote,et al.  Valgrind: a framework for heavyweight dynamic binary instrumentation , 2007, PLDI '07.

[47]  Giovanni Vigna,et al.  HALucinator: Firmware Re-hosting Through Abstraction Layer Emulation , 2020, USENIX Security Symposium.

[48]  Hang Zhang,et al.  Charm: Facilitating Dynamic Analysis of Device Drivers of Mobile Systems , 2018, USENIX Security Symposium.

[49]  Heng Yin,et al.  FIRM-AFL: High-Throughput Greybox Fuzzing of IoT Firmware via Augmented Process Emulation , 2019, USENIX Security Symposium.

[50]  Tong Zhang,et al.  ProRace: Practical Data Race Detection for Production Use , 2017, ASPLOS.

[51]  Yulei Sui,et al.  Accelerating Dynamic Data Race Detection Using Static Thread Interference Analysis , 2016, PMAM@PPoPP.

[52]  Nicholas D. Matsakis,et al.  The rust language , 2014, HILT '14.

[53]  Aurélien Francillon,et al.  A Large-Scale Analysis of the Security of Embedded Firmwares , 2014, USENIX Security Symposium.