Firmware Fat Camp: Embedded Security Using Binary Autotomy

Presented at 30C3 (2013), Dec. 27, 2013, 11 p.m. (60 minutes)

We present a collection of techniques which aim to automagically remove significant (and unnecessary) portions of firmware binaries from common embedded devices to drastically reduce the attack surface of these devices. We present a brief theoretical explanation of Firmware Fat Camp, a collection of "before" and "after" photos of graduates of FFC, along with a set of live demonstrations of FFC in action on common embedded devices. Modern embedded systems such as VoIP phones, network printers and routers typically ship with all available features compiled into its firmware image. A small subset of these features is activated at any given time on individual devices based on its specific configuration. An even smaller subset of features is actually used, as some unused and insecure features cannot are typically enabled by default and cannot be disabled. However, all embedded devices still contain a large amount of code and data that should never be executed or read according to its current configuration. This unnecessary binary is not simply a waste of memory; it contains vulnerable code and data that can be used by an attacker to exploit the system. This “dead code” provides an ideal attack surface. Automated minimization of this attack surface will significantly improve the security of the device without any impact to the device’s functionality. We propose a set of methods of hardening existing embedded systems against attack by employing Binary Autotomy or the automated removal of unnecessary binaries from each embedded device according to its current configuration. The configuration of the embedded device to be protected is analyzed. The firmware binary corresponding to the features enabled in the configuration is kept. The firmware corresponding to features not enabled in the configuration is removed from the firmware image. The firmware to be removed is determined by applying static and dynamic binary code analysis on the original firmware image. This analysis maps each configurable feature with a set of binary executable code within the firmware image. When a particular configuration is analyzed, a list of enabled features is built from this file. Using the feature to code mapping created from the original dynamic and static analysis, autotomic binary reduction simply removes all code that belongs to features that are not enabled, or should not be used, in the particular configuration file in question. We present quantitative analysis of the effectiveness of Binary Autotomy algorithms on a collection of common embedded devices along with several live demonstrations of embedded devices running post FFC firmware images. How much unnecessary binary can be ripped out of XYZ*? Come and find out! * XYZ = {Home routers | Enterprise routers | VoIP phones | Printers | Web Cams}


  • Ang Cui as angcui
    Ang Cui is a 3rd year PhD Student. His research is currently focus is on embedded devices such as home and corporate routers and cell phones. He is the primary inventor of a novel host-based defense mechanism known as Symbiotic Embedded Machines. SEMs are designed specifically to retrofit black-box, vulnerable legacy embedded systems with sophisticated anti-exploitation mechanisms. Over the past 3 years, Ang has been actively quantifying the extent of the embedded threat in real-world environments, developing novel exploitation techniques for embedded systems such as enterprise networking equipment and developing practical defenses for embedded systems which constitutes our global communication substrate. His current projects include: Symbiotic Embedded Machines and Vulnerable Embedded Device Scan.


Similar Presentations: