Device-agnostic Firmware Execution is Possible
Abstract: With the rapid proliferation of IoT devices, our cyberspace is nowadays dominated by billions of low-cost computing nodes, which expose an unprecedented heterogeneity to our computing systems. Dynamic analysis, one of the most effective approaches to finding software bugs, has become paralyzed due to the lack of a generic emulator capable of running diverse previously-unseen firmware. In recent years, we have witnessed devastating security breaches targeting IoT devices. These security concerns have significantly hamstrung further evolution of IoT technology. In this work, we present Laelaps, a device emulator specifically designed to run diverse software on low-cost IoT devices. We do not encode into our emulator any specific information about a device. Instead, Laelaps infers the expected behavior of firmware via symbolic-execution-assisted peripheral emulation and generates proper inputs to steer concrete execution on the fly. This unique design feature makes Laelaps the first generic device emulator capable of running diverse firmware with no a priori knowledge about the target device. To demonstrate the capabilities of Laelaps, we deployed two popular dynamic analysis techniques---fuzzing testing and dynamic symbolic execution---on top of our emulator. We successfully identified both self-injected and real-world vulnerabilities.
Keywords: firmware analysis, symbolic execution
TL;DR: Device-agnostic Firmware Execution
0 Replies
Loading