DOI: 10.1145/3607199.3607217
research-article
Open Access

Shimware: Toward Practical Security Retrofitting for Monolithic Firmware Images

Published: 16 October 2023

ABSTRACT

In today’s era of the Internet of Things, we are surrounded by security- and safety-critical, network-connected devices. In parallel with the rise in attacks on such devices, we have also seen an increase in devices that have been abandoned, have reached the end of their support periods, or will otherwise never receive future security updates. While this issue exists for a wide array of devices, those that use monolithic firmware, where code and data are opaquely intermixed, have traditionally been difficult to examine and protect.

In this paper, we explore the challenges of retrofitting monolithic firmware images with new security measures. First, we outline the steps any analyst must take to retrofit firmware, and show that previous work is missing crucial aspects of the process, which are required for a practical solution. We then automate three of these aspects—locating attacker-controlled input, a safe retrofit injection location, and self-checks preventing modifications—through the use of novel automated program analysis techniques. We assemble these analyses into a system, Shimware, that can simplify and facilitate the process of creating a retrofitted firmware image, once the vulnerability is identified.

To evaluate Shimware, we employ both a synthetic evaluation and actual retrofitting of three case study devices: a networked bench power supply, a Bluetooth-enabled cardiac implant monitor, and a high-end programmable logic controller (PLC). Not only could our system identify the correct sources of input, injection locations, and self-checks, but it injected payloads to correct serious safety and security-critical vulnerabilities in these devices.


Published in

RAID '23: Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses
October 2023
769 pages
ISBN: 9798400707650
DOI: 10.1145/3607199

Copyright © 2023 Owner/Author

This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery, New York, NY, United States

Qualifiers

• research-article
• Research
• Refereed limited