ECMO: Rehost Embedded Linux Kernels via Peripheral Transplantation

Presented at Black Hat Europe 2021, Nov. 11, 2021, 2:30 p.m. (30 minutes)

Dynamic analysis based on the full-system emulator QEMU is widely used for various purposes. However, it is challenging to run firmware images of embedded devices in QEMU, especially the process to boot the Linux kernel (we call this process rehosting the Linux kernel.) That's because embedded devices usually use different system-on-chips (SoCs) from multiple vendors and only a limited number of SoCs are currently supported in QEMU.

In this work, we propose a technique called peripheral transplantation. The main idea is to transplant the device drivers of designated peripherals into the Linux kernel. By doing so, it can replace the peripherals in the kernel that are currently unsupported in QEMU with supported ones, thus making the Linux kernel rehostable. After that, various applications can be built upon.

We implemented this technique inside a prototype system called ECMO and applied it to 815 firmware images, which consist of 20 kernel versions, 37 device models, and 24 vendors. The result shows that ECMO can successfully transplant peripherals for all the 815 Linux kernels. Among them,710 kernels can be successfully rehosted, i.e., launching a user-space shell (87.1% success rate). The failed cases are mainly because the root file system format (ramfs) is not supported by the kernel. We further build three applications, i.e., kernel crash analysis, rootkit forensic analysis, and kernel fuzzing, based on the rehosted kernels to demonstrate the usage scenarios of ECMO


Presenters:

  • Muhui Jiang - PhD Candidate, The Hong Kong Polytechnic University; Zhejiang University
    Jiang Muhui is a PhD candidate studying in the Department of Computing at The Hong Kong Polytechnic University, under the supervision of Dr. Xiapu Luo. He also works closely with Dr. Yajin Zhou. Before coming to PolyU, he received his B.Eng. in the Department of Software Engineering at Tongji University in 2016. His current research interests include network security, system security, and IoT security. More specifically, he is interested in reverse engineering, binary analysis, firmware rehosting, fuzzing techniques, and DDoS.

Links:

Similar Presentations: