
Student: 張鎧麟 (Kai-Lin Zhang)
Thesis title (Chinese): FirmSE: 基於符號執行實現物聯網韌體模擬之外圍設備模型建置
Thesis title (English): FirmSE: Toward Peripheral Modeling for IoT Firmware Emulation via Symbolic Execution
Advisor: 鄭欣明 (Shin-Ming Cheng)
Committee members: 許富皓 (Fu-Hau Hsu), 黃俊穎 (Chun-Ying Huang), 蕭旭君 (Hsu-Chun Hsiao), 沈上翔 (Shan-Hsiang Shen)
Degree: Master
Department: College of Electrical Engineering and Computer Science, Department of Computer Science and Information Engineering
Year of publication: 2021
Academic year of graduation: 109 (ROC calendar)
Language: English
Number of pages: 36
Chinese keywords: firmware virtualization, IoT device, symbolic execution, peripheral
English keywords: firmware re-hosting, IoT device, symbolic execution, peripheral

Chinese abstract (translated): The rapid spread of IoT devices in recent years means that infected devices can raise security concerns. To capture the runtime behavior of IoT devices, dynamic analysis is the most mainstream method among existing IoT assessments; by emulating the firmware in a virtual environment, dynamic analysis achieves greater scalability. Automatically emulating IoT devices across diverse hardware architectures and with a wide variety of peripherals, so as to achieve high-fidelity firmware emulation, is a very challenging problem. To address it, this thesis proposes FirmSE, a framework for Linux-based IoT devices that emulates firmware with the aid of symbolic execution, in order to solve the problem of peripheral responses. FirmSE does not analyze the entire firmware with symbolic execution; instead it focuses on the code related to system calls, so that the interactions between the firmware and its peripherals can be inferred more efficiently and implemented as kernel modules loaded into the kernel of the emulated device. Introducing symbolic execution at the system-call level ensures that correct operation of the firmware is not limited to the boot procedure and also raises the fidelity of the emulated firmware. We also show that emulating firmware samples with FirmSE on multiple hardware platforms explores more program execution paths.


The rapid popularity of IoT devices in recent years introduces security concerns, since a compromised device might result in economic loss or personal harm. To capture the runtime behavior of IoT devices, dynamic analysis is the most promising approach among existing IoT assessments. By re-hosting firmware in a virtual software environment rather than on the original physical equipment, the analysis can be executed in a scalable fashion. However, automatically emulating IoT devices with heterogeneous architectures and peripherals so that high-fidelity firmware re-hosting is achieved is the most challenging issue. This thesis proposes a novel firmware emulation framework for Linux-based IoT devices with the aid of symbolic execution, named FirmSE. Instead of applying symbolic execution to the whole firmware binary, FirmSE focuses on the code related to system calls, so that the interactions between the firmware and peripherals can be inferred much more efficiently. The inferred peripherals are implemented as kernel modules, which can be loaded into the kernel of the emulated devices in a scalable fashion. Introducing symbolic execution at the system call level ensures that the correct operation of the firmware is not limited to the boot procedure, and the fidelity of the emulated firmware is greatly increased. By running FirmSE on multiple hardware platforms and firmware samples, we show that FirmSE allows the exploration of more code paths in an efficient fashion.

Table of Contents

Chinese Abstract
Abstract
Table of Contents
List of Tables
List of Illustrations
1 Introduction
2 Background
2.1 Embedded device composition
2.2 Classes of embedded system
2.3 Classes of firmware re-hosting environment
2.4 Common dynamic analysis techniques
3 Related Work
3.1 Avatar
3.2 Firmadyne
3.3 PRETENDER
3.4 HALucinator
3.5 P2IM
3.6 Laelaps
3.7 Jetset
3.8 uEmu
4 Implementation
4.1 FirmSE
4.2 Generate firmware-compatible kernel
4.3 Find missing peripherals
4.4 Infer peripheral's response rules
4.5 Modeling peripherals
5 Evaluation
5.1 Find missing peripheral with runtime hook
5.2 The strategy of inferring response rules of missing peripherals
5.3 The compatibility between firmware-compatible kernel and FirmAE's optimizations
6 Conclusion
References


Full text release date: 2026/08/16 (campus network)
Full text release date: 2026/08/16 (off-campus network)
Full text release date: 2026/08/16 (National Central Library: Taiwan thesis and dissertation system)