Towards Automated Dynamic Analysis for Linux-based Embedded Firmware

Chen, Daming D.; Egele, Manuel; Woo, Maverick; Brumley, David

doi:10.14722/ndss.2016.23415

Cited by 273 publications

(217 citation statements)

References 4 publications

Supporting

Mentioning

212

Contrasting

Unclassified

Order By: Relevance

“…When emulation takes place without an in-guest component, bridging the semantic gap is necessary (see Section 7.4). In addition to analyzing personal computers, it was shown that emulation can also be used for firmware analysis [51].…”

Section: Emulationmentioning

confidence: 99%

Dynamic Malware Analysis in the Modern Era—A State of the Art Survey

et al. 2019

View full text Add to dashboard Cite

ORI OR-MEIR, NIR NISSIM, YUVAL ELOVICI, and LIOR ROKACH, Ben-Gurion University of the Negev, Beer-Sheva, IsraelAlthough malicious software (malware) has been around since the early days of computers, the sophistication and innovation of malware has increased over the years. In particular, the latest crop of ransomware has drawn attention to the dangers of malicious software, which can cause harm to private users as well as corporations, public services (hospitals and transportation systems), governments, and security institutions. To protect these institutions and the public from malware attacks, malicious activity must be detected as early as possible, preferably before it conducts its harmful acts. However, it is not always easy to know what to look for-especially when dealing with new and unknown malware that has never been seen. Analyzing a suspicious file by static or dynamic analysis methods can provide relevant and valuable information regarding a file's impact on the hosting system and help determine whether the file is malicious or not, based on the method's predefined rules. While various techniques (e.g., code obfuscation, dynamic code loading, encryption, and packing) can be used by malware writers to evade static analysis (including signature-based antivirus tools), dynamic analysis is robust to these techniques and can provide greater understanding regarding the analyzed file and consequently can lead to better detection capabilities. Although dynamic analysis is more robust than static analysis, existing dynamic analysis tools and techniques are imperfect, and there is no single tool that can cover all aspects of malware behavior. The most recent comprehensive survey performed in this area was published in 2012. Since that time, the computing environment has changed dramatically with new types of malware (ransomware, cryptominers), new analysis methods (volatile memory forensics, side-channel analysis), new computing environments (cloud computing, IoT devices), new machine-learning algorithms, and more. The goal of this survey is to provide a comprehensive and up-to-date overview of existing methods used to dynamically analyze malware, which includes a description of each method, its strengths and weaknesses, and its resilience against malware evasion techniques. In addition, we include an overview of prominent studies presenting the usage of machine-learning methods to enhance dynamic malware analysis capabilities aimed at detection, classification, and categorization.

show abstract

Section: Emulationmentioning

confidence: 99%

Dynamic Malware Analysis in the Modern Era—A State of the Art Survey

et al. 2019

View full text Add to dashboard Cite

show abstract

“…O trabalho de [Chen et al 2016] objetiva avaliar vulnerabilidades em dispositivos com kernel baseado em Linux. Para isso são executados ataques sobre firmwares emulados de dispositivos.…”

Section: Trabalhos Relacionadosunclassified

“…O sistema encontrado nesses dispositivosé projetado para executar em hardware de arquitetura específica. Para emular os dispositivos usados nos experimentos foi utilizada a ferramenta Firmadyne apresentada em [Chen et al 2016]. Firmadyneé um sistema que integra várias ferramentas para emular dispositivos baseados no kernel do sistema operacional Linux.…”

Section: Ambiente De Testesunclassified

Coleção de dados sobre ataques a dispositivos de Internet das Coisas

Abreu

Cardoso

Rosa

2019

Anais Do Workshop De Segurança Cibernética Em Dispositivos Conectados (WSCDC)

View full text Add to dashboard Cite

The number of Internet of Things (IoT) devices has increased every day and along with this growth arises the security concerns. Several techniques have been studied for the prevention, detection and treatment of attacks in conventional networks, such as the work of KDD CUP 99 that proposed a labeled collection, which has been quite exploited in recent decades. A good evaluation of techniques and algorithms of intrusion detection systems is related to the existence of good datasets. However, few works exploit the detection of attacks on Internet of Things and until now no collection of data has been proposed for this problem. Along with new technologies and devices arise new techniques of invasion, and even more elaborated. Therefore, it is necessary to treat the attack detection problem in a special way. In view of this, this work is dedicated to setting up a test environment that represents an Internet of Things network, collecting normal device traffic, simulating attacks, assembling a collection of data and analyzing it. For this, we run invasion tests on emulated devices, resulting in a new collection of data. We validate the new collection by applying machine learning algorithms and comparing with the KDD collection.

show abstract

“…irdly, static methods [16][17][18] or dynamic methods [6,15,19,20] are deployed to detect aws in these unpacked les. However, rmware-based approaches su er from known drawbacks.…”

Section: Introductionmentioning

confidence: 99%

“…ose images packed with a private file format or encrypted with a private key cannot be unpacked by these tools. For example, a prior work [19] collected 23,035 images, and it only succeeded in unpacking 8,617 images of them via existing tools. e third one is the difficulty of binary analysis due to the diversity of underlying architectures.…”

Section: Introductionmentioning

confidence: 99%

Discovering Vulnerabilities in COTS IoT Devices through Blackbox Fuzzing Web Management Interface

Wang

Zhang

Chen

et al. 2019

Security and Communication Networks

View full text Add to dashboard Cite

A novel approach for discovering vulnerability in commercial off-the-shelf (COTS) IoT devices is proposed in this paper, which will revolutionize the area. Unlike previous work, the web management interface in IoT was used to detect vulnerabilities by leveraging fuzzing technology. To validate and evaluate this scheme, a tool named WMIFuzzer was designed and implemented. There were also two challenges: (1) due to the diversity of web interface implementations, there were no existing seed messages for fuzzing this interface and it was inefficient while taking random messages to launch the fuzzing and (2) because of the highly structured seed message, fuzzing with byte-level mutation could conduce to be rejected by the device at an early stage. To address these challenges, a brute-force UI automation was designed to drive the web interface to generate initial seed messages automatically, as well as a weighted message parse tree (WMPT) was proposed to guide the mutation to generate mostly structure-valid messages. The extensive experimental results show that WMIFuzzer could achieve expected result while 10 vulnerabilities including 6 zero-days in 7 COTS IoT devices were discovered.

show abstract

Towards Automated Dynamic Analysis for Linux-based Embedded Firmware

Cited by 273 publications

References 4 publications

Dynamic Malware Analysis in the Modern Era—A State of the Art Survey

Dynamic Malware Analysis in the Modern Era—A State of the Art Survey

Coleção de dados sobre ataques a dispositivos de Internet das Coisas

Discovering Vulnerabilities in COTS IoT Devices through Blackbox Fuzzing Web Management Interface

Contact Info

Product

Resources

About