SoK: Enabling Security Analyses of Embedded Systems via Rehosting

Fasano, Andrew; Ballo, Tiemoko; Muench, Marius; Leek, Tim; Bulekov, Alexander; Dolan-Gavitt, Brendan; Egele, Manuel; Francillon, Aurélien; Lu, Long; Gregory, Nick; Balzarotti, Davide; Robertson, William

doi:10.1145/3433210.3453093

Cited by 25 publications

(21 citation statements)

References 62 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In Table 2 (Appendix E), we provide a feature, architecture, and analysis-support comparison of MetaEmu with the state-of-the-art, using the framework classification proposed by Fasano [16]. The key difference between MetaEmu and the frameworks listed, is that our approach generically enables analysis of firmware not currently supported by other frameworks with little effort.…”

Section: Discussion and Related Workmentioning

confidence: 99%

“…As highlighted by Fasano et al [16], rehosting is an iterative process that requires human intervention and debugging. To that end, we integrate MetaEmu with widely used binary analysis and reverseengineering tools, to reduce the manual effort involved.…”

Section: Integration With External Toolsmentioning

confidence: 99%

“…At the time of writing, most published work has sought to address the former challenge: peripheral support. However, as noted by Fasano et al [16] in their systematization of the field, for devices whose firmware is not supported by an off-the-shelf emulator, the latter challenge-obtaining a suitable execution environment-remains an open problem, hampering the analysis of a large and vital class of devices.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

MetaEmu: An Architecture Agnostic Rehosting Framework for Automotive Firmware

Chen¹,

Thomas²,

Garcia³

2022

Preprint

View full text Add to dashboard Cite

In this paper we present MetaEmu, an architecture-agnostic emulator synthesizer geared towards rehosting and security analysis of automotive firmware. MetaEmu improves over existing rehosting environments in two ways: Firstly, it solves the hitherto openproblem of a lack of generic Virtual Execution Environments (VXEs) for rehosting by synthesizing processor simulators from Ghidra's language definitions. In doing so, MetaEmu can simulate any processor supported by a vast and growing library of open-source definitions. In MetaEmu, we use a specification-based approach to cover peripherals, execution models, and analyses, which allows our framework to be easily extended. Secondly, MetaEmu can rehost and analyze multiple targets, each of different architecture, simultaneously, and share analysis facts between each target's analysis environment, a technique we call inter-device analysis.We show that the flexibility afforded by our approach does not lead to a performance trade-off-MetaEmu lifts rehosted firmware to an optimized intermediate representation, and provides performance comparable to existing emulation tools, such as Unicorn. Our evaluation spans five different architectures, bare-metal and RTOS-based firmware, and three kinds of automotive Electronic Control Unit (ECU) from four distinct vendors-none of which can be rehosted or emulated by current tools, due to lack of processor support. Further, we show how MetaEmu enables a diverse set of analyses by implementing a fuzzer, a symbolic executor for solving peripheral access checks, a CAN ID reverse engineering tool, and an inter-device coverage tracker. CCS CONCEPTS• Hardware → Post-manufacture validation and debug; Simulation and emulation; • Software and its engineering → Software reverse engineering; Dynamic analysis; • Computer systems organization → Firmware; Embedded software; • Security and privacy → Embedded systems security.

show abstract

Section: Discussion and Related Workmentioning

confidence: 99%

Section: Integration With External Toolsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

MetaEmu: An Architecture Agnostic Rehosting Framework for Automotive Firmware

Chen¹,

Thomas²,

Garcia³

2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Detailed summaries of the challenges of fuzzing embedded systems ) and security analysis of embedded systems (Fasano et al 2021;Wright et al 2021) have been published. However, these reviews do concentrate almost solely on emulation-based approaches.…”

Section: Related Workmentioning

confidence: 99%

Embedded fuzzing: a review of challenges, tools, and solutions

et al. 2022

View full text Add to dashboard Cite

Fuzzing has become one of the best-established methods to uncover software bugs. Meanwhile, the market of embedded systems, which binds the software execution tightly to the very hardware architecture, has grown at a steady pace, and that pace is anticipated to become yet more sustained in the near future. Embedded systems also benefit from fuzzing, but the innumerable existing architectures and hardware peripherals complicate the development of general and usable approaches, hence a plethora of tools have recently appeared. Here comes a stringent need for a systematic review in the area of fuzzing approaches for embedded systems, which we term “embedded fuzzing” for brevity. The inclusion criteria chosen in this article are semi-objective in their coverage of the most relevant publication venues as well as of our personal judgement. The review rests on a formal definition we develop to represent the realm of embedded fuzzing. It continues by discussing the approaches that satisfy the inclusion criteria, then defines the relevant elements of comparison and groups the approaches according to how the execution environment is served to the system under test. The resulting review produces a table with 42 entries, which in turn supports discussion suggesting vast room for future research due to the limitations noted.

show abstract

“…At the time of writing, most published work has sought to address the former challenge: peripheral support. However, as noted by Fasano et al [17] in their systematization of the field, for devices whose firmware is not supported by an off-the-shelf emulator, the latter challenge-obtaining a suitable execution environment-remains an open problem, hampering the analysis of a large and vital class of devices.…”

Section: Introductionmentioning

confidence: 99%

MetaEmu

Chen

Thomas²,

Garcia

2022

Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security

View full text Add to dashboard Cite

Link to publication on Research at Birmingham portal General rightsUnless a licence is specified above, all rights (including copyright and moral rights) in this document are retained by the authors and/or the copyright holders. The express permission of the copyright holder must be obtained for any use of this material other than for purposes permitted by law.•Users may freely distribute the URL that is used to identify this publication.•Users may download and/or print one copy of the publication from the University of Birmingham research portal for the purpose of private study or non-commercial research.•User may use extracts from the document in line with the concept of 'fair dealing' under the Copyright, Designs and Patents Act 1988 (?) •Users may not further distribute the material nor use it for the purposes of commercial gain.Where a licence is displayed above, please note the terms and conditions of the licence govern your use of this document.When citing, please reference the published version. Take down policy While the University of Birmingham exercises care and attention in making items available there are rare occasions when an item has been uploaded in error or has been deemed to be commercially or otherwise sensitive.

show abstract

SoK: Enabling Security Analyses of Embedded Systems via Rehosting

Cited by 25 publications

References 62 publications

MetaEmu: An Architecture Agnostic Rehosting Framework for Automotive Firmware

MetaEmu: An Architecture Agnostic Rehosting Framework for Automotive Firmware

Embedded fuzzing: a review of challenges, tools, and solutions

MetaEmu

Contact Info

Product

Resources

About