Firmalice - Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware

Cited by: 161
Authors
Shoshitaishvili, Yan [1]
Wang, Ruoyu [1]
Hauser, Christophe [1]
Kruegel, Christopher [1]
Vigna, Giovanni [1]
Affiliation
[1] UC Santa Barbara, Santa Barbara, CA 93106 USA
Source
22ND ANNUAL NETWORK AND DISTRIBUTED SYSTEM SECURITY SYMPOSIUM (NDSS 2015) | 2015
DOI
10.14722/ndss.2015.23294
Chinese Library Classification number
TP [Automation technology, computer technology];
Discipline classification code
0812;
Abstract
Embedded devices have become ubiquitous, and they are used in a range of privacy-sensitive and security-critical applications. Most of these devices run proprietary software, and little documentation is available about the software's inner workings. In some cases, the cost of the hardware and protection mechanisms might make access to the devices themselves infeasible. Analyzing the software that is present in such environments is challenging, but necessary, if the risks associated with software bugs and vulnerabilities must be avoided. As a matter of fact, recent studies revealed the presence of backdoors in a number of embedded devices available on the market. In this paper, we present Firmalice, a binary analysis framework to support the analysis of firmware running on embedded devices. Firmalice builds on top of a symbolic execution engine, and techniques, such as program slicing, to increase its scalability. Furthermore, Firmalice utilizes a novel model of authentication bypass flaws, based on the attacker's ability to determine the required inputs to perform privileged operations. We evaluated Firmalice on the firmware of three commercially-available devices, and were able to detect authentication bypass backdoors in two of them. Additionally, Firmalice was able to determine that the backdoor in the third firmware sample was not exploitable by an attacker without knowledge of a set of unprivileged credentials.
Pages: 15