Using Static Binary Analysis to Find Vulnerabilities and Backdoors in Firmware

Presented at Black Hat USA 2015, Aug. 6, 2015, 3:50 p.m. (50 minutes)

Over the last few years, as the world has moved closer to realizing the idea of the Internet of Things, an increasing amount of the things with which we interact every day have been replaced with embedded devices. These include previously non-electronic devices, such as locks, light switches, and utility meters (such as electric meters and water meters), as well as increasingly more complex and ubiquitous devices, such as network routers and printers. Other devices are becoming increasingly intelligent as well. Modern printers and cameras include complex social media functionality, smart televisions are increasingly including Internet-based entertainment options, and even previously-simple devices, such as watches and glasses are being augmented with complex embedded components.

The increasingly-complex systems that drive these devices have one thing in common: they must all communicate to carry out their intended functionality. Smart TVs communicate with (and accept communication from) online media services, smart locks allow themselves to be unlocked by phones or keypads, digital cameras contact social media services, and smart meters communicate with the users utility company. Such communication, along with other functionalities of the device, is handled by software (termed firmware) embedded in the device. Because these devices often receive privacy-sensitive information from their sensors (such as what a user is watching, or how much electricity they are using), or carry out a safety-critical function (such as actuators that lock the front door), errors in the devices firmware, whether present due to an accidental mistake or purposeful malice, can have serious and varying implications in both the digital and physical world.

Firmware, like any piece of software, is susceptible to a wide range of software errors. These include memory corruption flaws, command injection vulnerabilities and application logic flaws. Another common error seen in firmware is a logic flaw called an authentication bypass or less formally, a backdoor. An authentication bypass occurs when an error in the authentication routine of a device allows a user to perform actions for which they would otherwise need to know a set of credentials. In other cases, backdoors are deliberately inserted by the manufacturer to get access to deployed devices for maintenance and upgrade.

Detecting vulnerabilities and backdoors in firmware is challenging for several reasons. To begin with, the devices in question are usually proprietary, and therefore the source code of the firmware is not available. While this is a problem common to analyzing binary software in general, firmware takes it one step further: firmware often takes the form of a single binary image that runs directly on the hardware of the device, without an underlying operating system. Because of this, OS and library abstractions do not exist in some cases, and are non-standard or undocumented in others, and it is frequently unknown how to properly initialize the runtime environment of the firmware sample (or even, at what offset to load the binary and at what address to begin execution). We term such firmware as binary blob firmware. These blobs can be very large, and therefore any analysis tool must be able to handle such complex firmware. Additionally, embedded devices frequently require their firmware to be cryptographically signed by the manufacturer, making modification of the firmware on the device for analysis purposes infeasible.

In this presentation, we will talk about the challenges of performing automated vulnerability analysis and backdoor finding in firmware. Then, we report on a binary static analysis system, called Angr, that automates most of the process of searching firmware binaries for the presence of flaws. To the best of our knowledge, Angr is the first firmware analysis system working at the binary level, in a scalable manner, and with no requirement to instrument code on the original device. To this end, Angr utilizes advanced program analysis techniques to analyze binary code in complex firmware of diverse hardware platforms, and it automates much of the process of identifying occurrences of buffer overflow and authentication bypass vulnerabilities. The tool uses novel techniques to improve the scalability of the analysis, which we will explain during the presentation. This includes a combination of more traditional static program analysis, value set analysis (VSA), and symbolic execution. The presentation will conclude with a few examples of vulnerabilities that our tool has discovered in firmware samples. We also plan to run a live demo that highlights the capabilities of our system.


  • Yan Shoshitaishvili / Zardus as Yan Shoshitaishvili
  • Christopher Kruegel - Lastline
    Currently on leave from his position as professor of computer science at UC Santa Barbara, Dr. Christopher Kruegel is co-founder and chief scientist at Lastline. He previously served on the faculty of the Technical University Vienna. He has published more than 100 peer-reviewed papers in top computer security conferences, and has been the recipient of the NSF CAREER Award, MIT Technology Review TR35 Award for young innovators and the IBM Faculty Award. Christopher was Program Committee Chair of Usenix LEET in 2011, RAID in 2007 and WORM in 2007. He also advised the European Commission on defenses to mitigate future threats against the Internet and Europe's cyber-infrastructure. He has spoken at many conferences including the RSA Conference 2015, Black Hat 2014, and the Emerging Technology Conference at MIT in 2010.


Similar Presentations: