HALucinator: Firmware Re-hosting Through Abstraction Layer Emulation

Given the increasing ubiquity of online embedded devices, analyzing their firmware is important to security, privacy, and safety. The tight coupling between hardware and firmware, and the diversity found in embedded systems, make it hard to perform dynamic analysis on firmware. However, firmware developers regularly write code against abstractions, such as Hardware Abstraction Layers (HALs), to simplify their job. We leverage such abstractions as the basis for the re-hosting and analysis of firmware. By providing high-level replacements for HAL functions (a process we term High-Level Emulation, HLE), we decouple the hardware from the firmware. This approach works by first locating the library functions in a firmware sample through binary analysis, and then providing generic implementations of these functions in a full-system emulator. We present these ideas in a prototype system, HALucinator, which re-hosts firmware and lets the virtual device be used as it normally would. First, we introduce extensions to existing library matching techniques that are needed to identify library functions in binary firmware, to reduce collisions, and to infer additional function names. Next, we demonstrate the re-hosting process through the use of simplified handlers and peripheral models, which make the process fast, flexible, and portable between firmware samples and chip vendors. Finally, we demonstrate the practicality of HLE for security analysis by supplementing HALucinator with the American Fuzzy Lop fuzzer to locate multiple previously-unknown vulnerabilities in firmware middleware libraries.
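The two stages the abstract describes, matching HAL functions in a firmware image and then replacing the matched addresses with high-level handlers backed by peripheral models, can be illustrated with a small toy. The following is an added example and is not HALucinator's own code: every byte string, address, function name and the handler API are constructed, and the caller-context heuristic used to resolve collisions and infer extra names is an assumption made for the illustration, not the paper's technique. It goes slightly beyond the abstract by showing why byte-identical functions collide and how a fuzzer-supplied input would reach the firmware through the peripheral model rather than through real hardware.

```python
"""Toy of the HLE workflow: match HAL functions in a constructed firmware
image, resolve collisions and infer names from call context (constructed
heuristic), then intercept the matched addresses with Python handlers."""
import hashlib
from collections import defaultdict

# Constructed library database: bytes of known HAL/BSP functions and the
# library's own call graph, used as extra evidence during matching.
LIB_FUNCS = {
    "HAL_UART_Init":      b"\x2d\xe9\xf0\x41\x04\x46",
    "HAL_UART_Receive":   b"\x10\xb5\x04\x46\x01\x21",
    "HAL_UART_Transmit":  b"\x10\xb5\x04\x46\x00\x21",
    "HAL_GPIO_WritePin":  b"\x70\x47",   # trivial body: identical bytes to ...
    "HAL_GPIO_TogglePin": b"\x70\x47",   # ... this one, so a byte-level collision
    "BSP_LED_On":         b"\x00\xbf\x00\xbf",
}
LIB_CALLS = {"BSP_LED_On": ["HAL_GPIO_WritePin", "BSP_LED_Delay"]}

# Constructed firmware image: {address: function bytes} plus its call graph.
FIRMWARE = {
    0x08000100: LIB_FUNCS["HAL_UART_Init"],
    0x08000200: LIB_FUNCS["HAL_UART_Receive"],
    0x08000300: LIB_FUNCS["HAL_UART_Transmit"],
    0x08000400: b"\x70\x47",             # WritePin or TogglePin? bytes alone can't tell
    0x08000500: LIB_FUNCS["BSP_LED_On"],
    0x08000600: b"\xde\xad\xbe\xef",     # application code, in no library
    0x08000700: b"\xc0\xff\xee\x00",     # BSP_LED_Delay built with other flags: no byte match
}
FW_CALLS = {0x08000500: [0x08000400, 0x08000700],
            0x08000600: [0x08000100, 0x08000200, 0x08000300, 0x08000400]}

def fingerprint(body):
    return hashlib.sha256(body).hexdigest()

def build_db(funcs):
    db = defaultdict(set)
    for name, body in funcs.items():
        db[fingerprint(body)].add(name)   # one hash may map to several names
    return db

def match(firmware, fw_calls, db):
    """Return {addr: name}. Hashes give candidates; an unambiguous caller's
    known callees pick among colliding candidates and name unmatched callees."""
    cands = {a: set(db[fingerprint(b)]) for a, b in firmware.items() if fingerprint(b) in db}
    names = {a: next(iter(c)) for a, c in cands.items() if len(c) == 1}
    for addr, c in cands.items():                   # collision resolution
        if len(c) > 1:
            for caller, callees in fw_calls.items():
                if addr in callees and caller in names:
                    hit = c & set(LIB_CALLS.get(names[caller], []))
                    if len(hit) == 1:
                        names[addr] = hit.pop()
    assigned = set(names.values())
    for caller, callees in fw_calls.items():        # inference of extra names
        if caller in names:
            unnamed = [a for a in callees if a not in names]
            missing = [n for n in LIB_CALLS.get(names[caller], []) if n not in assigned]
            if len(unnamed) == 1 and len(missing) == 1:
                names[unnamed[0]] = missing[0]
                assigned.add(missing[0])
    return names

class UARTModel:
    """Peripheral model: byte queues stand in for the serial line. rx is
    where a fuzzer would inject input; tx records what the firmware sent."""
    def __init__(self, rx):
        self.rx, self.tx = bytearray(rx), bytearray()

class HLEmulator:
    """Routes calls to matched HAL addresses to Python handlers (constructed API)."""
    def __init__(self, names, uart_input):
        self.uart, self.log = UARTModel(uart_input), []
        handlers = {"HAL_UART_Init": lambda: 0,
                    "HAL_UART_Receive": self.uart_receive,
                    "HAL_UART_Transmit": self.uart_transmit,
                    "HAL_GPIO_WritePin": lambda pin, state: 0}
        self.hooks = {a: (n, handlers[n]) for a, n in names.items() if n in handlers}

    def call(self, addr, *args):
        if addr not in self.hooks:
            raise RuntimeError(f"call to {addr:#010x} has no handler; hardware would be needed")
        name, fn = self.hooks[addr]
        self.log.append(name)
        return fn(*args)

    def uart_receive(self, buf, size):
        """Copy up to `size` queued bytes into buf; 0 models a timeout on an empty line."""
        n = min(size, len(self.uart.rx))
        buf[:n] = self.uart.rx[:n]
        del self.uart.rx[:n]
        return n

    def uart_transmit(self, data):
        self.uart.tx += data
        return 0

def firmware_main(emu):
    """Constructed stand-in for the application's code path: echo one line, set a pin."""
    emu.call(0x08000100)                         # HAL_UART_Init
    buf = bytearray(16)
    n = emu.call(0x08000200, buf, 16)            # HAL_UART_Receive fills buf from the model
    emu.call(0x08000300, bytes(buf[:n]))         # HAL_UART_Transmit echoes it back
    emu.call(0x08000400, 5, 1)                   # resolved to HAL_GPIO_WritePin(pin, state)

def rehost(uart_input=b"hello\n"):
    names = match(FIRMWARE, FW_CALLS, build_db(LIB_FUNCS))
    emu = HLEmulator(names, uart_input)
    firmware_main(emu)
    return names, bytes(emu.uart.tx), emu.log

if __name__ == "__main__":
    names, tx, log = rehost()
    for a in sorted(names):
        print(f"{a:#010x} {names[a]}")
    print("intercepted:", log, "transmitted:", tx)
```

Running `rehost()` shows the collision at `0x08000400` resolved to `HAL_GPIO_WritePin` because its only named caller is known to call that function, the unmatched `0x08000700` named `BSP_LED_Delay` by the same reasoning, and the echo completing with no hardware because every HAL call the firmware made hit a handler. A call to an address without a handler raises, which is the point where a real re-hosting effort would add a handler or a peripheral model.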
