IEmu: Interrupt modeling from the logic hidden in the firmware

IF 3.7 2区计算机科学 Q1 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE Journal of Systems Architecture Pub Date : 2024-07-16 DOI:10.1016/j.sysarc.2024.103237

Yuan Wei, Yongjun Wang, Lei Zhou, Xu Zhou, Zhiyuan Jiang

{"title":"IEmu: Interrupt modeling from the logic hidden in the firmware","authors":"Yuan Wei, Yongjun Wang, Lei Zhou, Xu Zhou, Zhiyuan Jiang","doi":"10.1016/j.sysarc.2024.103237","DOIUrl":null,"url":null,"abstract":"<div><p>The security of embedded firmware has become a critical issue in light of the rapid development of the Internet of Things. Current security analysis approaches, such as dynamic analysis, still face bottlenecks and difficulties due to the wide variety of devices and systems. Recent dynamic analysis approaches for embedded firmware have attempted to provide a general solution but heavily rely on detailed device manuals. Meanwhile, approaches that do not rely on manuals have randomness in interrupt triggering, which weakens emulation fidelity and dynamic analysis efficiency. In this paper, we propose a redundant-check-based embedded firmware interrupt modeling and security analysis method that does not rely on commercial manuals. This method involves reverse engineering the control flow of firmware binary and accurately extracting the correct interrupt triggering rules to emulate embedded firmware. We have implemented functional prototypes on QEMU, called <span>IEmu</span>, and evaluated it with 26 firmware in different MCUs. Our results demonstrate significant advantages compared to the recent state-of-the-art approach. On average, <span>IEmu</span> has improved interrupt path exploration efficiency by 2.4 times and fuzz testing coverage by 19%. <span>IEmu</span> restored the interrupt triggering logic in the manual, and emulated three firmware where the state-of-the-art emulator have limitations and found vulnerabilities.</p></div>","PeriodicalId":50027,"journal":{"name":"Journal of Systems Architecture","volume":"154 ","pages":"Article 103237"},"PeriodicalIF":3.7000,"publicationDate":"2024-07-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Systems Architecture","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S1383762124001747","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}

引用次数: 0

Abstract

The security of embedded firmware has become a critical issue in light of the rapid development of the Internet of Things. Current security analysis approaches, such as dynamic analysis, still face bottlenecks and difficulties due to the wide variety of devices and systems. Recent dynamic analysis approaches for embedded firmware have attempted to provide a general solution but heavily rely on detailed device manuals. Meanwhile, approaches that do not rely on manuals have randomness in interrupt triggering, which weakens emulation fidelity and dynamic analysis efficiency. In this paper, we propose a redundant-check-based embedded firmware interrupt modeling and security analysis method that does not rely on commercial manuals. This method involves reverse engineering the control flow of firmware binary and accurately extracting the correct interrupt triggering rules to emulate embedded firmware. We have implemented functional prototypes on QEMU, called IEmu, and evaluated it with 26 firmware in different MCUs. Our results demonstrate significant advantages compared to the recent state-of-the-art approach. On average, IEmu has improved interrupt path exploration efficiency by 2.4 times and fuzz testing coverage by 19%. IEmu restored the interrupt triggering logic in the manual, and emulated three firmware where the state-of-the-art emulator have limitations and found vulnerabilities.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

IEmu：从隐藏在固件中的逻辑进行中断建模

随着物联网的快速发展，嵌入式固件的安全性已成为一个关键问题。由于设备和系统种类繁多，目前的安全分析方法（如动态分析）仍面临瓶颈和困难。最近针对嵌入式固件的动态分析方法试图提供通用解决方案，但严重依赖于详细的设备手册。同时，不依赖手册的方法在中断触发方面存在随机性，从而削弱了仿真保真度和动态分析效率。在本文中，我们提出了一种不依赖商业手册的基于冗余校验的嵌入式固件中断建模和安全分析方法。该方法涉及对固件二进制的控制流进行逆向工程，并准确提取正确的中断触发规则来仿真嵌入式固件。我们在 QEMU 上实现了功能原型，称为，并用不同 MCU 中的 26 个固件对其进行了评估。我们的结果表明，与最近最先进的方法相比，它具有明显的优势。平均而言，中断路径探索效率提高了 2.4 倍，模糊测试覆盖率提高了 19%。我们还原了手册中的中断触发逻辑，并仿真了三个固件，发现了最先进仿真器的局限性和漏洞。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

Journal of Systems Architecture 工程技术-计算机：硬件

CiteScore

8.70

自引率

15.60%

发文量

226

审稿时长

46 days

期刊介绍： The Journal of Systems Architecture: Embedded Software Design (JSA) is a journal covering all design and architectural aspects related to embedded systems and software. It ranges from the microarchitecture level via the system software level up to the application-specific architecture level. Aspects such as real-time systems, operating systems, FPGA programming, programming languages, communications (limited to analysis and the software stack), mobile systems, parallel and distributed architectures as well as additional subjects in the computer and system architecture area will fall within the scope of this journal. Technology will not be a main focus, but its use and relevance to particular designs will be. Case studies are welcome but must contribute more than just a design for a particular piece of software. Design automation of such systems including methodologies, techniques and tools for their design as well as novel designs of software components fall within the scope of this journal. Novel applications that use embedded systems are also central in this journal. While hardware is not a part of this journal hardware/software co-design methods that consider interplay between software and hardware components with and emphasis on software are also relevant here.