Low-power, single-purpose embedded devices (e.g., routers and IoT devices) have become ubiquitous. While they automate and simplify many aspects of our lives, recent large-scale attacks have shown that their sheer number poses a severe threat to the Internet infrastructure, which led to the development of an IoT-specific cybercrime underground. Unfortunately, the software on these systems is hardware-dependent, and typically executes in unique, minimal environments with non-standard configurations, making security analysis particularly challenging. Moreover, most of the existing devices implement their functionality through the use of multiple binaries. This multi-binary service implementation renders current static and dynamic analysis techniques either ineffective or inefficient, as they are unable to identify and adequately model the communication between the various executables. For example, embedded devices often expose web-based interfaces comprised by a web server and various back-end applications. In this architecture, any given piece of functionality often relies on the execution of multiple programs: e.g., the web server that accepts an HTTP request, a local binary that is summoned by the web server (e.g., using sockets), and an external command that is executed by the local binary to accomplish the request. Each interacting firmware component (the web server, the back-end applications, and other helper programs) can make different assumptions about the data being shared, and inconsistencies can manifest as security vulnerabilities.
In this talk, we will unveil the inner peculiarities of embedded firmware, we will show why existing firmware analysis techniques are ineffective, and we will present Karonte, a novel static analysis tool capable of analyzing embedded-device firmware by modeling and tracking multi-binary interactions. Our tool is based on the intuition that binaries communicate using a finite set of Inter-Process Communication (IPC) paradigms, and it leverages commonalities in these paradigms to detect where user input is introduced into the firmware sample, and to identify interactions between the various components. The identified interactions are then used to track data flows between components, and perform cross-binary taint analysis, ultimately detecting insecure uses of the user-controlled input, which can lead to vulnerabilities.
We will then present the results and insights of our experiments. We first tested Karonte on 53 firmware samples from various vendors, showing that our prototype tool can successfully track and constrain multi-binary interactions. In doing so, we discovered 46 zero-day bugs, which we disclosed to the responsible entities. Then, we performed a large-scale experiment on 899 different samples, showing that Karonte scales well with firmware samples of different size and complexity, and can effectively and efficiently analyze real-world firmware in a generic and fully automated fashion.
Finally, we will demo our tool, showing how it led to the detection of a previously unknown memory corruption vulnerability.