Knowing where to look for new vulnerabilities in an embedded system is hard. We can automatically identify new exploit primitives in embedded systems through semi-supervised firmware-function clustering, clustered around vulnerable functions marked by CVEs or underconstrained concolic analysis.
The market and development cycle for embedded devices is fragmented. Vendors are building their products on non-standard boards, using different SDKs, all with no solid coding guidelines. Creating tools to analyze firmware running on arbitrary architectures with different build tool chains is a daunting task that can be tackled by pairing concolic analysis with supervised data clustering.
Current concolic analysis tools suffer from memory consumption issues (often called path-explosion) and an inability to multi-process analysis. Underconstraining concolic analysis enables these tools to analyze systems with a smaller performance loss at the cost of losing some function accuracy. Through function prototype recovery and function call state modeling, concolic analysis tools can be run on a function-by-function basis in parallel, reaching code that is normally unreachable.
Using vulnerabilities discovered through concolic analysis or existing CVEs, function clustering can be supervised and guided to identify functions exceptionally similar to known vulnerable ones. By using function traits provided by reversing tools and refined through data mining tools, extraordinarily similar functions can be discovered across a firmware, allowing compiler agnostic function comparisons to identify where known vulnerable patterns are replicated.