Automated Dynamic Firmware Analysis at Scale: A Case Study on Embedded Web Interfaces
Abstract
Embedded devices are becoming more widespread, interconnected, and web-enabled than ever. However, recent studies showed that these devices are far from being secure. Moreover, many embedded systems rely on web interfaces for user interaction or administration. Unfortunately, web security is known to be difficult, and therefore the web interfaces of embedded systems represent a considerable attack surface.
In this paper, we present the first fully automated framework that applies dynamic firmware analysis techniques to achieve, in a scalable manner, automated vulnerability discovery within embedded firmware images. We apply our framework to study the security of embedded web interfaces running in Commercial Off-The-Shelf (COTS) embedded devices, such as routers, DSL/cable modems, VoIP phones, IP/CCTV cameras. We introduce a methodology and implement a scalable framework for discovery of vulnerabilities in embedded web interfaces regardless of the vendor, device, or architecture. To achieve this goal, our framework performs full system emulation to achieve the execution of firmware images in a software-only environment, i.e., without involving any physical embedded devices. Then, we analyze the web interfaces within the firmware using both static and dynamic tools. We also present some interesting case-studies, and discuss the main challenges associated with the dynamic analysis of firmware images and their web interfaces and network services. The observations we make in this paper shed light on an important aspect of embedded devices which was not previously studied at a large scale. Insights from this paper can help users, programmers and auditors in efficiently testing and securing their Internet enabled embedded devices.
We validate our framework by testing it on 1925 firmware images from 54 different vendors. We discover important vulnerabilities in 185 firmware images, affecting nearly a quarter of vendors in our dataset. We also perform comprehensive failure analysis. We show that by applying relatively easy fixes during corrective maintenance it is possible to remediate at least 61.3% of emulation failures and at least 25.2% of web interface launch failures. These experimental results demonstrate the effectiveness of our approach.
Download
Download the peer-reviewed ASIACCS16 paper (DOI 10.1145/2897845.2897900), the original non refereed whitepaper (arXiv 1511.03609 mirror) published before a similar NDSS16 paper.
NOTE: BY USING WHOLE OR PART OF THIS DATA, YOU AGREE TO CITE OUR WORK AS SHOWN BELOW AND PROVIDE A LINK TO THIS PAGE WITHIN YOUR CODE, DOCUMENTATION, PUBLICATIONS AND OTHER FORMS THAT MAKE DIRECT OR INDIRECT USE OF THIS DATA.
Bibtex
@inproceedings{costin2016automated, author = {Costin, Andrei and Zarras, Apostolis and Francillon, Aurélien}, title = {{Automated Dynamic Firmware Analysis at Scale: A Case Study on Embedded Web Interfaces}}, booktitle = {11th ACM Asia Conference on Computer and Communications Security (ASIACCS)}, year = {2016}, month = {May}, doi = {10.1145/2897845.2897900}, series = {ASIACCS 16}, location = {Xidian, China}, keywords = {firmware, embedded, web, virtualization, attacks}, affiliations = {Eurecom, TU Munich}, arate = {73/350} } @ARTICLE{2015arXiv151103609C, author = {{Costin}, A. and {Zarras}, A. and {Francillon}, A.}, title = "{Automated Dynamic Firmware Analysis at Scale: A Case Study on Embedded Web Interfaces}", journal = {ArXiv e-prints}, archivePrefix = "arXiv", eprint = {1511.03609}, primaryClass = "cs.CR", keywords = {Computer Science - Cryptography and Security, Computer Science - Distributed, Parallel, and Cluster Computing, Computer Science - Networking and Internet Architecture, D.4.6, K.4.4, K.6.5, K.6.m, C.3, D.2.7, C.1.4, H.3.5}, year = 2015, month = nov, day = 11, adsurl = {http://adsabs.harvard.edu/abs/2015arXiv151103609C}, adsnote = {Provided by the SAO/NASA Astrophysics Data System} }
Datasets
File | Description | SHA256 | Size | Date (YYYY-MM-DD) |
---|---|---|---|---|
asiaccs16_dataset_categories.csv
asiaccs16_dataset_categories.csv.gpg |
Dataset of firmware to be "automagically" fixed and emulated, along with some meta-information about firmware and device type. |
afad048ee09e4a082a097184468a00843f43f9ec526568442ac82584c33d66a8
8b0d10d52bfa0b59f0f459858769508e8dc3228a9b08dcc75db723a755770b25 |
260000
94836 |
2017-01-11 |