What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices

As networked embedded systems are becoming more ubiquitous, their security is becoming critical to our daily life. While manual or automated large scale analysis of those systems regularly uncover new vulnerabilities, the way those systems are analyzed follows often the same approaches used on desktop systems. More specifically, traditional testing approaches relies on observable crashes of a program, and binary instrumentation techniques are used to improve the detection of those faulty states. In this paper, we demonstrate that memory corruptions, a common class of security vulnerabilities, often result in different behavior on embedded devices than on desktop systems. In particular, on embedded devices, effects of memory corruption are often less visible. This reduces significantly the effectiveness of traditional dynamic testing techniques in general, and fuzzing in particular. Additionally, we analyze those differences in several categories of embedded devices and show the resulting impact on firmware analysis. We further describe and evaluate relatively simple heuristics which can be applied at run time (on an execution trace or in an emulator), during the analysis of an embedded device to detect previously undetected memory corruptions.

[1]  Herbert Bos,et al.  Memory Errors: The Past, the Present, and the Future , 2012, RAID.

[2]  Wolfgang Kastner,et al.  Prospect: peripheral proxying supported embedded code testing , 2014, AsiaCCS.

[3]  Jean-Pierre Seifert,et al.  SMS of Death: From Analyzing to Attacking Mobile Phones on a Large Scale , 2011, USENIX Security Symposium.

[4]  Konstantin Serebryany,et al.  ThreadSanitizer: data race detection in practice , 2009, WBIA '09.

[5]  Harish Patil,et al.  Pin: building customized program analysis tools with dynamic instrumentation , 2005, PLDI '05.

[6]  Juan Lopez,et al.  Firmware modification attacks on programmable logic controllers , 2013, Int. J. Crit. Infrastructure Prot..

[7]  Steve Heath,et al.  Embedded Systems Design , 1997 .

[8]  Derek Bruening,et al.  Efficient, transparent, and comprehensive runtime code manipulation , 2004 .

[9]  Herbert Bos,et al.  Howard: A Dynamic Excavator for Reverse Engineering Data Structures , 2011, NDSS.

[10]  Herbert Bos,et al.  VUzzer: Application-aware Evolutionary Fuzzing , 2017, NDSS.

[11]  Priya Narasimhan,et al.  Recovering C++ Objects From Binaries Using Inter-Procedural Data-Flow Analysis , 2014, PPREW'14.

[12]  Peter G. Neumann,et al.  The future of the internet of things , 2017, Commun. ACM.

[13]  Christopher Krügel,et al.  Driller: Augmenting Fuzzing Through Selective Symbolic Execution , 2016, NDSS.

[14]  Salvatore J. Stolfo,et al.  Defending Embedded Systems with Software Symbiotes , 2011, RAID.

[15]  Jean-Louis Lanet,et al.  Analysis of HTTP Protocol Implementation in Smart Card Embedded Web Server , 2013 .

[16]  Christophe Rosenberger,et al.  Analysis of embedded applications by evolutionary fuzzing , 2014, 2014 International Conference on High Performance Computing & Simulation (HPCS).

[17]  Jaein Kim,et al.  Fuzzing CAN Packets into Automobiles , 2015, 2015 IEEE 29th International Conference on Advanced Information Networking and Applications.

[18]  Herbert Bos,et al.  Dowsing for Overflows: A Guided Fuzzer to Find Buffer Boundary Violations , 2013, USENIX Security Symposium.

[19]  Martin C. Rinard,et al.  Taint-based directed whitebox fuzzing , 2009, 2009 IEEE 31st International Conference on Software Engineering.

[20]  Luca Bruno,et al.  AVATAR: A Framework to Support Dynamic Security Analysis of Embedded Systems' Firmwares , 2014, NDSS.

[21]  Apostolis Zarras,et al.  Automated Dynamic Firmware Analysis at Scale: A Case Study on Embedded Web Interfaces , 2015, AsiaCCS.

[22]  Konstantin Serebryany,et al.  MemorySanitizer: Fast detector of uninitialized memory use in C++ , 2015, 2015 IEEE/ACM International Symposium on Code Generation and Optimization (CGO).

[23]  Wolfgang Kastner,et al.  Embedded Security Testing with Peripheral Device Caching and Runtime Program State Approximation , 2016, SECURWARE 2016.

[24]  Konrad Rieck,et al.  Pulsar: Stateful Black-Box Fuzzing of Proprietary Network Protocols , 2015, SecureComm.

[25]  Kostya Serebryany Sanitize, Fuzz, and Harden Your C++ Code , 2016 .

[26]  David Brumley,et al.  Towards Automated Dynamic Analysis for Linux-based Embedded Firmware , 2016, NDSS.

[27]  Amy Nordrum,et al.  The internet of fewer things [News] , 2016 .

[28]  Pedram Amini,et al.  Fuzzing: Brute Force Vulnerability Discovery , 2007 .

[29]  Levente Buttyán,et al.  Embedded systems security: Threats, vulnerabilities, and attack taxonomy , 2015, 2015 13th Annual Conference on Privacy, Security and Trust (PST).

[30]  Nicholas Nethercote,et al.  Valgrind: a framework for heavyweight dynamic binary instrumentation , 2007, PLDI '07.

[31]  William K. Robertson,et al.  LAVA: Large-Scale Automated Vulnerability Addition , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[32]  Matti Valovirta,et al.  Experimental Security Analysis of a Modern Automobile , 2011 .

[33]  George Candea,et al.  S2E: a platform for in-vivo multi-path analysis of software systems , 2011, ASPLOS XVI.

[34]  Derek Bruening,et al.  AddressSanitizer: A Fast Address Sanity Checker , 2012, USENIX Annual Technical Conference.

[35]  Barton P. Miller,et al.  An empirical study of the reliability of UNIX utilities , 1990, Commun. ACM.

[36]  Brendan Dolan-Gavitt,et al.  Repeatable Reverse Engineering with PANDA , 2015, PPREW@ACSAC.

[37]  Brinio Hond,et al.  Security Testing of GSM Implementations , 2014, ESSoS.

[38]  Tadayoshi Kohno,et al.  SURROGATES: Enabling Near-Real-Time Dynamic Analyses of Embedded Systems , 2015, WOOT.

[39]  Xi Chen,et al.  Who allocated my memory? Detecting custom memory allocators in C binaries , 2013, 2013 20th Working Conference on Reverse Engineering (WCRE).

[40]  Martín Abadi,et al.  Control-flow integrity , 2005, CCS '05.

[41]  Stefan Savage,et al.  Fast and Vulnerable: A Story of Telematic Failures , 2015, WOOT.