Identifying Multi-Binary Vulnerabilities in Embedded Firmware at Scale

Presented at Black Hat Asia 2020 Virtual, Oct. 2, 2020, 11:20 a.m. (40 minutes)

Low-power, single-purpose embedded devices (e.g., routers and IoT devices) have become ubiquitous. While they automate and simplify many aspects of our lives, recent large-scale attacks have shown that their sheer number poses a severe threat to the Internet infrastructure, which led to the development of an IoT-specific cybercrime underground. Unfortunately, the software on these systems is hardware-dependent, and typically executes in unique, minimal environments with non-standard configurations, making security analysis particularly challenging. Moreover, most of the existing devices implement their functionality through the use of multiple binaries. This multi-binary service implementation renders current static and dynamic analysis techniques either ineffective or inefficient, as they are unable to identify and adequately model the communication between the various executables.<br /> <br /> In this talk, we will unveil the inner peculiarities of embedded firmware, we will show why existing firmware analysis techniques are ineffective, and we will present Karonte, a novel static analysis tool capable of analyzing embedded-device firmware by modeling and tracking multi-binary interactions. Our tool propagates taint information between binaries to detect insecure, attacker-controlled interactions, and effectively identify vulnerabilities.<br /> <br /> We will then present the results and insights of our experiments. We tested Karonte on 53 firmware samples from various vendors, showing that our prototype tool can successfully track and constrain multi-binary interactions. In doing so, we discovered 46 zero-day bugs, which we disclosed to the responsible entities. We performed a large-scale experiment on 899 different samples, showing that Karonte scales well with firmware samples of different size and complexity, and can effectively and efficiently analyze real-world firmware in a generic and fully automated fashion.<br /> <br /> Finally, we will demo our tool, showing how it led to the detection of a previously unknown vulnerability.

Presenters:

• Giovanni Vigna - Professor, University of California, Santa Barbara
  Giovanni Vigna is a Professor in the Department of Computer Science at the University of California in Santa Barbara, and the CTO and co-founder of Lastline, Inc., a company that provides anti-malware solutions. His research interests include malware analysis, vulnerability assessment, the underground economy, binary analysis, web security, and mobile phone security.
• Chad Spensky - PhD Student, University of California, Santa Barbara
  Chad Spensky is currently a PhD student in the security lab (SecLab) at UCSB, and a recipient of the 2018 IBM PhD fellowship. Formerly, he was a member of the technical research staff at MIT Lincoln Laboratory. He obtained a BS in mathematics, a BS in computer science, and a minor in economics from the University of Pittsburgh and an MS in computer security from the University of North Carolina at Chapel Hill. His research interests include: usable authentication, embedded systems security, novel introspection techniques, and smart card security.
• Christopher Kruegel - Professor, University of California, Santa Barbara
  Christopher Kruegel is a Professor in the Computer Science Department at the University of California, Santa Barbara. He is also involved in the International Secure Systems Lab. He is one of the co-founders of Lastline, Inc., where he currently serve as the Chief Scientist. Lastline develops innovative solutions to detect and mitigate advanced malware (APTs) and targeted threats. His research interests include most aspects of computer security, with an emphasis on malware analysis, web security, network security, and vulnerability analysis.
• Yan Shoshitaishvili / Zardus - Assistant Professor, Arizona State University   as Yan Shoshitaishvili
  Yan Shoshitaishvili is an Assistant Professor at Arizona State University, focused mainly on advancing the state of the art of binary analysis.
• Ruoyu Wang - Assistant Professor, Arizona State University
  Ruoyu Wang is an Assistant Professor in the School of Computing, Informatics, and Decision Systems Engineering at Arizona State University. His research focuses on system security, especially on automated binary program analysis and reverse engineering of software. He is the co-founder and a core developer of the binary analysis platform, angr. He is a core member of the CTF team Shellphish. Sometimes he plays with Pwndevils, too. He is also a co-director of the Laboratory of Security Engineering For Future Computing (SEFCOM) along with Dr. Gail-Joon Ahn, Dr. Adam Doupé, Dr. Yan Shoshitaishvili, and Dr. Tiffany Bao. Prior to joining ASU, he received his PhD from the Department of Computer Science at the University of California, Santa Barbara, where he worked in the SecLab of UCSB, and was advised by two great professors, Dr. Giovanni Vigna and Dr. Christopher Kruegel. He received his Bachelors degree in Computer Software at Tsinghua University in 2013. He was a core member of the CGC team Shellphish CGC, with whom I won the third place and a lot of cash in the Final Event of the DARPA Cyber Grand Challenge in 2016.
• Aravind Machiry - PhD Student, University of California, Santa Barbara
  Aravind Machiry is a PhD student at the University of California, Santa Barbara
• Andrea Continella - Postdoctoral Researcher, University of California, Santa Barbara
  <span>Andrea Continella is currently a postdoctoral researcher in the Computer Science Department at the University of California, Santa Barbara (UCSB), and he will soon join the Faculty of Electrical Engineering, Mathematics and Computer Science of the University of Twente as an Assistant Professor. Andrea obtained a PhD cum laude in Computer Science and Engineering at Politecnico di Milano, Italy. His research activity focuses on different aspects of system security, such as malware analysis, mobile and IoT security & privacy, vulnerability discovery, and large-scale measurements of security issues. Andrea has published several research papers and he serves in the program committees of well-known system security conferences and workshops.</span><br><span>Andrea also loves Capture The Flag (CTF) competitions, which he currently plays with Shellphish, and he co-organized several editions of the PoliCTF and iCTF.</span>
• Nilo Redini - PhD Student, University of California, Santa Barbara
  Nilo Redini is a PhD student in Computer Security at UC Santa Barbara at the SecLab with Giovanni Vigna and Christopher Kruegel. His interests include computer security, reversing, program analysis, hacking, rock/punk music, cinema, and skateboarding. He is a member of the Shellphish hacking team and an organizer of the iCTF hacking competition.

Links:

• https://www.blackhat.com/asia-20/briefings/schedule/#identifying-multi-binary-vulnerabilities-in-embedded-firmware-at-scale-18681

Similar Presentations:

• Black Hat Europe 2014 / Firmware.RE: Firmware Unpacking, Analysis and Vulnerability-Discovery as a Service
• Black Hat USA 2015 / Using Static Binary Analysis to Find Vulnerabilities and Backdoors in Firmware
• 32C3 (2015) / (In)Security of Embedded Devices' Firmware - Fast and Furious at Large Scale