P2IM: Scalable and Hardware-independent Firmware Testing via Automatic Peripheral Interface Modeling (extended version)

Dynamic testing or fuzzing of embedded firmware is severely limited by hardware dependence and poor scalability, which partly contributes to the prevalence of vulnerable IoT devices. We propose a software framework that continuously executes a given firmware binary while channeling inputs from an off-the-shelf fuzzer, enabling hardware-independent and scalable firmware testing. Our framework, using a novel technique called P$^2$IM, abstracts diverse peripherals and handles firmware I/O on the fly based on automatically generated models. P$^2$IM is oblivious to peripheral designs and generic with respect to firmware implementations, and is therefore applicable to a wide range of embedded devices. We evaluated our framework using 70 sample firmware and 10 firmware from real devices, including a drone, a robot, and a PLC. It successfully executed 79% of the sample firmware without any manual assistance. We also performed a limited fuzzing test on the real firmware, which unveiled 7 unique, previously unknown bugs.
