FirmAE: Towards Large-Scale Emulation of IoT Firmware for Dynamic Analysis

Kim, Mingeun; Kim, Dongkwan; Kim, Eun-Soo; Kim, Suryeon; Jang, Yeongjin; Kim, Yong‐Dae

doi:10.1145/3427228.3427294

Cited by 73 publications

(51 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Since our fuzzing test requires the network service of the device, a low simulation success rate cannot result in better runtime environment support. The subsequent improvement work, FirmAE [21] proposes arbitrated emulation to apply failure handling heuristics to the emulation environment. FirmAE significantly increases the emulation success rate (from Firmadyne's 16.28% to 79.36%).…”

Section: Firmware Simulationmentioning

confidence: 99%

SIoTFuzzer: Fuzzing Web Interface in IoT Firmware via Stateful Message Generation

et al. 2021

View full text Add to dashboard Cite

Cyber attacks against the web management interface of Internet of Things (IoT) devices often have serious consequences. Current research uses fuzzing technologies to test the web interfaces of IoT devices. These IoT fuzzers generate messages (a test case sent from the client to the server to test its functionality) without considering their dependency, which is unlikely to bypass the early check of the server. These invalid test cases significantly reduce the efficiency of fuzzing. To overcome this problem, we propose a stateful message generation (SMG) mechanism for IoT web fuzzing. SMG addresses two problems in IoT fuzzing. First, we retrieve the message dependency by using web front-end analysis and status analysis. These dependent messages, which can easily bypass the server check, are used as a valid seed. Second, we adopt a multi-message seed format to preserve the dependency of the messages when mutating the seed to get a valid test case, so that the test case can bypass the state check of the server to make a valid test. Message dependency preservation is implemented by our proposed parameter mutation and structural mutation methods. We implement SMG in our IoT fuzzer, SIoTFuzzer, which applies IoT firmware on the latest Linux-based simulation tool, FirmAE. We test nine IoT devices including a router and an IP camera and adopt a vulnerability detection mechanism. Our evaluation results show that (1) SIoTFuzzer is capable of finding real-world vulnerabilities in IoT devices; (2) our SMG is effective as it enables Boofuzz (a popular protocol fuzzer) to find command injection and cross-site scripting (XSS) vulnerabilities; and (3) compared to FirmFuzz, SIoTFuzzer found all the vulnerabilities in our benchmarks, while FirmFuzz found only four—the efficiency of our tool increased by 20.57% on average.

show abstract

Section: Firmware Simulationmentioning

confidence: 99%

SIoTFuzzer: Fuzzing Web Interface in IoT Firmware via Stateful Message Generation

et al. 2021

View full text Add to dashboard Cite

show abstract

“…On the one hand, unlike front-end fuzzing that is restricted by filtering rules or back-end fuzzing is dependent on static analysis of binaries as mentioned in Section 2.3, server fuzzing can achieve both goals of effective test case generation and low pre-analysis overhead. On the other hand, easy accessibility of firmware on the internet and the development of firmware emulation enable the possibility for large-scale testing of IoT firmware images [25,26].…”

Section: Motivationsmentioning

confidence: 99%

“…FirmHunter is implemented with around 3000 python lines of code and 1500 C lines of code in total. Furthermore, several open-source projects (e.g., Selenium [27], FirmAE [26], mitmproxy [28], and Panda [29]) are integrated into this fuzzer.…”

Section: Implementation Of Firmhuntermentioning

confidence: 99%

See 1 more Smart Citation

FirmHunter: State-Aware and Introspection-Driven Grey-Box Fuzzing towards IoT Firmware

2021

View full text Add to dashboard Cite

IoT devices are exponentially increasing in all aspects of our lives. Via the web interfaces of IoT devices, attackers can control IoT devices by exploiting their vulnerabilities. In order to guarantee IoT security, testing these IoT devices to detect vulnerabilities is very important. In this work, we present FirmHunter, an automated state-aware and introspection-driven grey-box fuzzer towards Linux-based firmware images on the basis of emulation. It employs a message-state queue to overcome the dependency problem in test cases. Furthermore, it implements a scheduler collecting execution information from system introspection to drive fuzzing towards more interesting test cases, which speeds up vulnerability discovery. We evaluate FirmHunter by emulating and fuzzing eight firmware images including seven routers and one IP camera with a state-of-the-art IoT fuzzer FirmFuzz and a web application scanner ZAP. Our evaluation results show that (1) the message-state queue enables FirmHunter to parse the dependencies in test cases and find real-world vulnerabilities that other fuzzers cannot detect; (2) our scheduler accelerates the discovery of vulnerabilities by an average of 42%; and (3) FirmHunter is able to find unknown vulnerabilities.

show abstract

“…Second, abstraction-based approaches side-step the problem of peripheral emulation by leveraging the abstraction layer available on firmware. For example, by emulating such an abstraction layer in Linux kernel, many Linux-based firmware binaries can be emulated [17,20,30,41]. Recently, HALucinator [19] has been proposed to automatically match the Hardware Abstraction Layer (HAL) APIs in firmware and replace them with host implementations.…”

Section: Introductionmentioning

confidence: 99%

Automatic Firmware Emulation through Invalidity-guided Knowledge Inference (Extended Version)

Zhou,

Guan,

Liu

et al. 2021

Preprint

View full text Add to dashboard Cite

Emulating firmware for microcontrollers is challenging due to the tight coupling between the hardware and firmware. This has greatly impeded the application of dynamic analysis tools to firmware analysis. The state-of-the-art work automatically models unknown peripherals by observing their access patterns, and then leverages heuristics to calculate the appropriate responses when unknown peripheral registers are accessed. However, we empirically found that this approach and the corresponding heuristics are frequently insufficient to emulate firmware. In this work, we propose a new approach called µEmu to emulate firmware with unknown peripherals. Unlike existing work that attempts to build a general model for each peripheral, our approach learns how to correctly emulate firmware execution at individual peripheral access points. It takes the image as input and symbolically executes it by representing unknown peripheral registers as symbols. During symbolic execution, it infers the rules to respond to unknown peripheral accesses. These rules are stored in a knowledge base, which is referred to during the dynamic firmware analysis. µEmu achieved a passing rate of 95% in a set of unit tests for peripheral drivers without any manual assistance. We also evaluated µEmu with real-world firmware samples and new bugs were discovered.

show abstract

FirmAE: Towards Large-Scale Emulation of IoT Firmware for Dynamic Analysis

Cited by 73 publications

References 17 publications

SIoTFuzzer: Fuzzing Web Interface in IoT Firmware via Stateful Message Generation

SIoTFuzzer: Fuzzing Web Interface in IoT Firmware via Stateful Message Generation

FirmHunter: State-Aware and Introspection-Driven Grey-Box Fuzzing towards IoT Firmware

Automatic Firmware Emulation through Invalidity-guided Knowledge Inference (Extended Version)

Contact Info

Product

Resources

About