Abstract: Closely monitoring the behavior of a software system during its execution enables developers and analysts to observe, and ultimately understand, how it works. This kind of dynamic analysis can be instrumental to reverse engineering, vulnerability discovery, exploit development, and debugging. While these analyses are typically well-supported for homogeneous desktop platforms (e.g., x86 desktop PCs), they can rarely be applied in the heterogeneous world of embedded systems. One approach to enable dynamic analyse…
“…In Table 2 (Appendix E), we provide a feature, architecture, and analysis-support comparison of MetaEmu with the state-of-the-art, using the framework classification proposed by Fasano [16]. The key difference between MetaEmu and the frameworks listed is that our approach generically enables analysis of firmware not currently supported by other frameworks, with little effort.…”
Section: Discussion and Related Work
confidence: 99%
“…As highlighted by Fasano et al. [16], rehosting is an iterative process that requires human intervention and debugging. To that end, we integrate MetaEmu with widely used binary analysis and reverse-engineering tools, to reduce the manual effort involved.…”
Section: Integration With External Tools
confidence: 99%
“…At the time of writing, most published work has sought to address the former challenge: peripheral support. However, as noted by Fasano et al. [16] in their systematization of the field, for devices whose firmware is not supported by an off-the-shelf emulator, the latter challenge, obtaining a suitable execution environment, remains an open problem, hampering the analysis of a large and vital class of devices.…”
In this paper we present MetaEmu, an architecture-agnostic emulator synthesizer geared towards rehosting and security analysis of automotive firmware. MetaEmu improves over existing rehosting environments in two ways. Firstly, it solves the hitherto open problem of a lack of generic Virtual Execution Environments (VXEs) for rehosting by synthesizing processor simulators from Ghidra's language definitions. In doing so, MetaEmu can simulate any processor supported by a vast and growing library of open-source definitions. In MetaEmu, we use a specification-based approach to cover peripherals, execution models, and analyses, which allows our framework to be easily extended. Secondly, MetaEmu can rehost and analyze multiple targets, each of a different architecture, simultaneously, and share analysis facts between each target's analysis environment, a technique we call inter-device analysis. We show that the flexibility afforded by our approach does not lead to a performance trade-off: MetaEmu lifts rehosted firmware to an optimized intermediate representation, and provides performance comparable to existing emulation tools, such as Unicorn. Our evaluation spans five different architectures, bare-metal and RTOS-based firmware, and three kinds of automotive Electronic Control Unit (ECU) from four distinct vendors, none of which can be rehosted or emulated by current tools, due to lack of processor support. Further, we show how MetaEmu enables a diverse set of analyses by implementing a fuzzer, a symbolic executor for solving peripheral access checks, a CAN ID reverse engineering tool, and an inter-device coverage tracker.
CCS Concepts: • Hardware → Post-manufacture validation and debug; Simulation and emulation; • Software and its engineering → Software reverse engineering; Dynamic analysis; • Computer systems organization → Firmware; Embedded software; • Security and privacy → Embedded systems security.
“…Detailed summaries of the challenges of fuzzing embedded systems ) and security analysis of embedded systems (Fasano et al. 2021; Wright et al. 2021) have been published. However, these reviews concentrate almost solely on emulation-based approaches.…”
Fuzzing has become one of the best-established methods to uncover software bugs. Meanwhile, the market for embedded systems, which bind software execution tightly to the underlying hardware architecture, has grown at a steady pace, and that pace is anticipated to become yet more sustained in the near future. Embedded systems also benefit from fuzzing, but the innumerable existing architectures and hardware peripherals complicate the development of general and usable approaches, hence a plethora of tools has recently appeared. This creates a pressing need for a systematic review of fuzzing approaches for embedded systems, which we term “embedded fuzzing” for brevity. The inclusion criteria chosen in this article are semi-objective: they cover the most relevant publication venues and also reflect our personal judgement. The review rests on a formal definition we develop to represent the realm of embedded fuzzing. It continues by discussing the approaches that satisfy the inclusion criteria, then defines the relevant elements of comparison and groups the approaches according to how the execution environment is served to the system under test. The resulting review produces a table with 42 entries, which in turn supports a discussion suggesting vast room for future research due to the limitations noted.
“…At the time of writing, most published work has sought to address the former challenge: peripheral support. However, as noted by Fasano et al. [17] in their systematization of the field, for devices whose firmware is not supported by an off-the-shelf emulator, the latter challenge, obtaining a suitable execution environment, remains an open problem, hampering the analysis of a large and vital class of devices.…”