Background
Vulnerabilities in firmware can wreak havoc on commercial and military systems. Malware has been identified on many devices and detection can be quite difficult. The ability to detect and remove firmware vulnerabilities before release will drastically improve companies’ security posture.
Static analysis tools for firmware are widely available and are great for checking software. However, these tools are limited and cannot find issues that can be exposed by dynamic analysis such as buffer overflow and run time errors. Dynamic analysis tools are available for software running on high-level operating systems such as Linux or Windows but do not exist for embedded systems. Additionally, generic dynamic analysis across a breadth of embedded systems is difficult because there are fundamental differences in implementation for different hardware. Our client was interested in the feasibility of the Avatar dynamic analysis approach to the detection of firmware vulnerabilities. To understand its feasibility, this project examined two prototype configurations, AvatarOne and Avatar2, also called AvatarTwo, that claimed timing benefits over AvatarOne.
Approach
The research team combined the concepts from AvatarOne and AvatarTwo to determine how the automated detection analysis had improved and if AvatarTwo had overcome the complex firmware issues suffered by its predecessor. This research set up two prototype test environments for each framework, to compare the growth of the application and examine the claimed timing benefits of AvatarTwo. Research focused on three test cases:
Recording and Firmware Emulation
Complex Emulation, Dynamic Analysis, and Null Pointer Detection
Proof-of-Concept (POC) Automated Dynamic Analysis and Buffer Overflow Detection
Our approach first looked to prove that the framework could record and exchange parts during firmware execution. Next entailed proving the symbolic execution of complex binary software and the detection of a null pointer. This would include evaluation of the time required to detect the null pointer vulnerability and its effect on the software overall operating time. Finally, the updated dynamic analysis algorithm would be evaluated on the time required to detect a POC buffer overflow vulnerability and its effect on the embedded system’s overall operating time. With the dynamic analysis framework understood, the feasibility of detection in larger and more complex files was evaluated along with expansion to detection of other vulnerabilities.
Accomplishments
Testing successfully recreated demonstrations documented in the Avatar published papers. Recording and ARM architecture firmware emulation support was confirmed to be built in to the framework. Also, the framework was able to emulate a complex firmware and perform dynamic analysis and detect the sample null pointer vulnerability. After confirming that the targeted concepts were operating as expected, the next case combined the features to create the automated framework environment and to see how the updated dynamic vulnerability analysis performed against an unscripted POC buffer overflow vulnerability. This test was unsuccessful at finding the unscripted vulnerability. The research concluded that while the framework is modular, can emulate both complex and simple binary firmware, and is able to automate dynamic analysis, the framework still needs improvements regarding the vulnerability detection portion to make it viable for commercial use.