FirmWire: Transparent Dynamic Analysis for Cellular Baseband Firmware

Hernandez, Grant; Muench, Marius; Maier, Dominik; Milburn, Alyssa; Park, Shinjo; Scharnowski, Tobias; Tucker, Tyler; Traynor, Patrick; Butler, Kevin

doi:10.14722/ndss.2022.23136

Cited by 14 publications

(4 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Cao et al [6], Johnson et al [29], and Zhou [62], all leverage symbolic execution to learn satisfying values to bypass peripheral checks. Hernandez et al [27] achieve full-system emulation of closed-source Shannon baseband firmware by adding missing architectural and peripheral support in QEMU, they later demonstrate that such an approach can be extended to other basebands [26]. In contrast to the aforementioned approaches, Milburn et al [38] build a custom emulator and peripheral models to rehost an automotive instrument cluster; they use their emulator to aid in reverse-engineering the firmware's UDS commands.…”

Section: Discussion and Related Workmentioning

confidence: 99%

“…Mera et al [37] highlight this difficulty in their evaluationto test their approach on both ARM and MIPS32-based devices, they need to build separate prototypes of their tool for two different forks of QEMU, as neither variant supports both architectures. Hernandez et al [26] note the current impossibility of porting their baseband rehosting framework to work with Qualcomm basebands, due to lack of architecture support in the PANDA [14] QEMU fork.…”

Section: Discussion and Related Workmentioning

confidence: 99%

See 1 more Smart Citation

MetaEmu: An Architecture Agnostic Rehosting Framework for Automotive Firmware

Chen¹,

Thomas²,

Garcia³

2022

Preprint

View full text Add to dashboard Cite

In this paper we present MetaEmu, an architecture-agnostic emulator synthesizer geared towards rehosting and security analysis of automotive firmware. MetaEmu improves over existing rehosting environments in two ways: Firstly, it solves the hitherto openproblem of a lack of generic Virtual Execution Environments (VXEs) for rehosting by synthesizing processor simulators from Ghidra's language definitions. In doing so, MetaEmu can simulate any processor supported by a vast and growing library of open-source definitions. In MetaEmu, we use a specification-based approach to cover peripherals, execution models, and analyses, which allows our framework to be easily extended. Secondly, MetaEmu can rehost and analyze multiple targets, each of different architecture, simultaneously, and share analysis facts between each target's analysis environment, a technique we call inter-device analysis.We show that the flexibility afforded by our approach does not lead to a performance trade-off-MetaEmu lifts rehosted firmware to an optimized intermediate representation, and provides performance comparable to existing emulation tools, such as Unicorn. Our evaluation spans five different architectures, bare-metal and RTOS-based firmware, and three kinds of automotive Electronic Control Unit (ECU) from four distinct vendors-none of which can be rehosted or emulated by current tools, due to lack of processor support. Further, we show how MetaEmu enables a diverse set of analyses by implementing a fuzzer, a symbolic executor for solving peripheral access checks, a CAN ID reverse engineering tool, and an inter-device coverage tracker. CCS CONCEPTS• Hardware → Post-manufacture validation and debug; Simulation and emulation; • Software and its engineering → Software reverse engineering; Dynamic analysis; • Computer systems organization → Firmware; Embedded software; • Security and privacy → Embedded systems security.

show abstract

Section: Discussion and Related Workmentioning

confidence: 99%

Section: Discussion and Related Workmentioning

confidence: 99%

MetaEmu: An Architecture Agnostic Rehosting Framework for Automotive Firmware

Chen¹,

Thomas²,

Garcia³

2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Cao et al [5], Johnson et al [29], and Zhou [61], all leverage symbolic execution to learn satisfying values to bypass peripheral checks. Hernandez et al [27] achieve full-system emulation of closed-source Shannon baseband firmware by adding missing architectural and peripheral support in QEMU, they later demonstrate that such an approach can be extended to other basebands [26]. In contrast to the aforementioned approaches, Milburn et al [38] build a custom emulator and peripheral models to rehost an automotive instrument cluster; they use their emulator to aid in reverse-engineering the firmware's UDS commands.…”

Section: Discussion and Related Workmentioning

confidence: 99%

Section: Discussion and Related Workmentioning

confidence: 99%

MetaEmu

Chen

Thomas²,

Garcia

2022

Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Link to publication on Research at Birmingham portal General rightsUnless a licence is specified above, all rights (including copyright and moral rights) in this document are retained by the authors and/or the copyright holders. The express permission of the copyright holder must be obtained for any use of this material other than for purposes permitted by law.•Users may freely distribute the URL that is used to identify this publication.•Users may download and/or print one copy of the publication from the University of Birmingham research portal for the purpose of private study or non-commercial research.•User may use extracts from the document in line with the concept of 'fair dealing' under the Copyright, Designs and Patents Act 1988 (?) •Users may not further distribute the material nor use it for the purposes of commercial gain.Where a licence is displayed above, please note the terms and conditions of the licence govern your use of this document.When citing, please reference the published version. Take down policy While the University of Birmingham exercises care and attention in making items available there are rare occasions when an item has been uploaded in error or has been deemed to be commercially or otherwise sensitive.

show abstract

Reproducibility of Firmware Analysis: An Empirical Study

Yousefnezhad,

Costin

2024

Lecture Notes in Business Information Processing

View full text Add to dashboard Cite

FirmWire: Transparent Dynamic Analysis for Cellular Baseband Firmware

Cited by 14 publications

References 0 publications

MetaEmu: An Architecture Agnostic Rehosting Framework for Automotive Firmware

MetaEmu: An Architecture Agnostic Rehosting Framework for Automotive Firmware

MetaEmu

Reproducibility of Firmware Analysis: An Empirical Study

Contact Info

Product

Resources

About