Basic Search / Detailed Display

Author: 周毓綺
Yu-Chi Chou
Thesis Title: 透過韌體模擬來追蹤MCU的函式執行順序
Tracing Function execution sequence of Micro Control Unit via Firmware Emulation
Advisor: 鄭欣明
Shin-Ming Cheng
Committee: 沈上翔
Shan-Hsiang Shen
張世豪
Shih-Hao Chang
王紹睿
Shao-Jui Wang
Degree: 碩士
Master
Department: 電資學院 - 資訊工程系
Department of Computer Science and Information Engineering
Thesis Publication Year: 2022
Graduation Academic Year: 110
Language: 英文
Pages: 39
Keywords (in Chinese): 物聯網設備追蹤系統韌體模擬
Keywords (in other languages): IoT device, tracer, firmware emulation
Reference times: Clicks: 251Downloads: 0
Share:
School Collection Retrieve National Library Collection Retrieve Error Report

  • Abstract in Chinese . . . . . . . . . . . . . . . . . . . . . . . . . . iii Abstract in English . . . . . . . . . . . . . . . . . . . . . . . . . . iv Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . . . . . v Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vi List of Figures . . . . . . . . . . . . . . . . . . . . . . . . . . . . ix List of Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x List of Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . xi 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 2 Related Work and Background . . . . . . . . . . . . . . . . . . . . . . 6 2.1 MCU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2.2 Security Threat on MCU-based Devices . . . . . . . . . . . . . . . . 7 2.3 Tracing Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 2.4 Instrumentation . . . . . . . . . . . . . . . . . . . . . . . . . . 11 2.5 AFL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 2.6 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 2.6.1 Avatar2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 2.6.2 Ghidra . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 2.6.3 Firmware Emulation . . . . . . . . . . . . . . . . . . . . . . . . 14 3 Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 3.1 System Architecture . . . . . . . . . . . . . . . . . . . . . . . . 17 3.2 Function Breakpoint Setting . . . . . . . . . . . . . . . . . . . . 18 3.3 Function Return Problem . . . . . . . . . . . . . . . . . . . . . . 19 3.3.1 Function Header Breakpoint . . . . . . . . . . . . . . . . . . . 19 3.3.2 Function Return Breakpoint . . . . . . . . . . . . . . . . . . . 20 3.4 Stack Record . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 3.5 System Flow Chart . . . . . . . . . . . . . . . . . . . . . . . . . 21 4 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 4.1 Breakpoint Set . . . . . . . . . . . . . . . . . . . . . . . . . . 24 4.2 Static Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . 24 4.3 Firmware Emulation . . . . . . . . . . . . . . . . . . . . . . . . . 26 5 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 5.1 Experiment Process and Result . . . . . . . . . . . . . . . . . . . 27 5.2 Firmware Trace Data Set . . . . . . . . . . . . . . . . . . . . . . 27 5.3 Test for firmware compile by ourselves . . . . . . . . . . . . . . . 28 5.3.1 Compile with BOF Code . . . . . . . . . . . . . . . . . . . . . . 29 5.3.2 Complete Trace . . . . . . . . . . . . . . . . . . . . . . . . . . 31 6 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

    [1] M. Muench, D. Nisi, A. Francillon, and D. Balzarotti, “Avatar2: A multi-target orchestration platform,” in Proc. Workshop Binary Anal. Res., vol. 18, pp. 1–11, 2018.
    [2] Statista, “Number of IoT connected devices worldwide 2019-2030.” https://www.statista.com/
    statistics/1183457/iot-connected-devices-worldwide/, May 2022.
    [3] W. H. Hassan et al., “Current research on internet of things (IoT) security: A survey,” Computer
    networks, vol. 148, pp. 283–294, 2019.
    [4] J. Teel, “Introduction-to-microcontrollers.” https://predictabledesigns.com/
    introduction-to-microcontrollers/, Jun 2021.
    [5] F. Guan, L. Peng, L. Perneel, and M. Timmerman, “Open source freertos as a case study in real-time
    operating system evolution,” Journal of Systems and Software, vol. 118, pp. 19–35, 2016.
    [6] M. Eskandari, Z. H. Janjua, M. Vecchio, and F. Antonelli, “Passban IDS: An intelligent anomaly-based
    intrusion detection system for IoT edge devices,” IEEE Internet of Things Journal, vol. 7, pp. 6882–
    6897, Jan 2020.
    [7] B. M. Calatayud and L. Meany, “A comparative analysis of buffer overflow vulnerabilities in highend IoT devices,” in Proc. Computing and Communication Workshop and Conference, pp. 0694–0701,
    2022.
    [8] G. Mullen and L. Meany, “Assessment of buffer overflow based attacks on an IoT operating system,”
    in Proc. Global IoT Summit, pp. 1–6, 2019.
    [9] “OWASP top10.” https://owasp.org/www-project-top-ten/.
    [10] J. J. Olthuis, R. Jordx00E3;o, F. Robino, and S. Borrami, “Vrfy: Verification of formal requirements
    using generic traces,” in Proc. IEEE 21st International Conference on Software Quality, Reliability
    and Security Companion, pp. 177–183, 2021.
    [11] C. Wright, W. A. Moeglein, S. Bagchi, M. Kulkarni, and A. A. Clements, “Challenges in firmware
    re-hosting, emulation, and analysis,” ACM Computing Surveys, vol. 54, no. 1, pp. 1–36, 2021.
    [12] C. Cao, L. Guan, J. Ming, and P. Liu, “Device-agnostic firmware execution is possible: A concolic
    execution approach for peripheral emulation,” in Proc. Annual Computer Security Applications Conference, pp. 746–759, Dec 2020.
    [13] R. Baldoni, E. Coppa, D. C. D’elia, C. Demetrescu, and I. Finocchi, “A survey of symbolic execution
    techniques,” ACM Computing Surveys, vol. 51, no. 3, pp. 1–39, 2018.
    [14] M. Desnoyers and M. R. Dagenais, “The LTTng tracer: A low impact performance and behavior
    monitor for GNU/Linux,” in Proc. Ottawa Linux Symposium, pp. 209–224, 2006.
    [15] M. Conti, D. Donadel, and F. Turrin, “A survey on industrial control system testbeds and datasets for
    security research,” IEEE Communications Communications Surveys And Tutorials, vol. 23, pp. 2248–
    2294, 2021.
    [16] M. O. Ojo, S. Giordano, G. Procissi, and I. N. Seitanidis, “A review of low-end, middle-end, and
    high-end IoT devices,” IEEE Access, vol. 6, pp. 70528–70554, Nov. 2018.
    [17] P. Hambarde, R. Varma, and S. Jha, “The survey of real time operating system: RTOS,” in Proc. International Conference on Electronic Systems, Signal Processing and Computing Technologies, pp. 34–
    39, IEEE, 2014.
    [18] V. Hassija, V. Chamola, V. Saxena, D. Jain, P. Goyal, and B. Sikdar, “A survey on iot security: Application areas, security threats, and solution architectures,” IEEE Access, vol. 7, pp. 82721–82743,
    2019.
    [19] L. Luo, Y. Zhang, C. White, B. Keating, B. Pearson, X. Shao, Z. Ling, H. Yu, C. Zou, and X. Fu, “On
    security of trustzone-m-based iot systems,” IEEE Internet of Things Journal, vol. 9, pp. 9683–9699,
    Jan. 2022.
    [20] “Welcome to the barectf 3.0 documentation!.” https://barectf.org/docs/barectf/3.0/
    index.html.
    [21] F. Giraldeau, J. Desfossez, D. Goulet, M. Dagenais, and M. Desnoyers, “Recovering system metrics
    from kernel trace,” in Proc. Linux Symposium, vol. 109, 2011.
    [22] A. A. Clements, E. Gustafson, T. Scharnowski, P. Grosen, D. Fritz, C. Kruegel, G. Vigna, S. Bagchi,
    and M. Payer, “HALucinator: Firmware re-hosting through abstraction layer emulation,” in Proc.
    USENIX Security Symposium, pp. 1201–1218, Aug. 2020.
    [23] N. S. Agency, “Ghidra software reverse engineering framework.” https://github.com/
    NationalSecurityAgency/ghidra.
    [24] O. Levi, “Pin.” https://www.intel.com/content/www/us/en/developer/articles/tool/
    pin-a-dynamic-binary-instrumentation-tool.html.
    [25] D. Bruening and S. Amarasinghe, Efficient, transparent, and comprehensive runtime code manipulation. PhD thesis, 2004.
    [26] M. Zalewski, “Afl.” https://github.com/google/AFL.
    [27] K. T. K. David Weinstein, “frida.” https://github.com/frida.
    [28] “Technical whitepaper for afl-fuzz.” https://github.com/mrash/afl-cov.
    [29] F. Bellard, “QEMU, a fast and portable dynamic translator,” in Proc. USENIX ATC, pp. 41–46, Apr.
    2005.
    [30] B. Feng, A. Mera, and L. Lu, “P2IM: Scalable and hardware-independent firmware testing via automatic peripheral interface modeling,” in Proc. USENIX Security 2020, Aug. 2020.
    [31] D. D. Chen, M. Woo, D. Brumley, and M. Egele, “Towards automated dynamic analysis for linuxbased embedded firmware.,” in Proc. NDSS, vol. 1, pp. 1–1, 2016.
    [32] M. Kim, D. Kim, E. Kim, S. Kim, Y. Jang, and Y. Kim, “FirmAE: Towards large-scale emulation
    of IoT firmware for dynamic analysis,” in Proc. Annual Computer Security Applications Conference,
    pp. 733–745, 2020.
    [33] R. Rohleder, “Hands-on ghidra-a tutorial about the software reverse engineering framework,” in Proc.
    Proceedings of the 3rd ACM Workshop on Software Protection, pp. 77–78, 2019.
    [34] J. Zaddach, L. Bruno, A. Francillon, D. Balzarotti, et al., “Avatar: A framework to support dynamic
    security analysis of embedded systems’ firmwares.,” in Proc. NDSS, vol. 14, pp. 1–16, 2014.

    無法下載圖示 Full text public date 2025/08/29 (Intranet public)
    Full text public date 2025/08/29 (Internet public)
    Full text public date 2025/08/29 (National library)
    QR CODE