Ecole d'ingénieur et centre de recherche en Sciences du numérique

Automated dynamic firmware analysis at scale: A case study on embedded web interfaces

Costin, Andrei; Zarras, Apostolis; Francillon, Aurélien

ASIACCS 2016, ACM Symposium on InformAtion, Computer and Communications Security, May 30-June 3, 2016, Xi'An, China

Embedded devices are becoming more widespread, interconnected, and web-enabled than ever. However, recent studies showed that embedded devices are far from being secure. Moreover, many embedded systems rely on web interfaces for user interaction or administration. Web security is still dicult and therefore the web interfaces of embedded systems represent a considerable attack surface. In this paper, we present the fi rst fully automated framework that applies dynamic rmware analysis techniques to achieve, in a scalable manner, automated vulnerability discovery within embedded rmware images. We apply our framework to study the security of embedded web interfaces running in Commercial O -The-Shelf (COTS) embedded devices, such as routers, DSL/cable modems, VoIP phones, IP/CCTV cameras. We introduce a methodology and implement a scalable framework for discovery of vulnerabilities in embedded web interfaces regardless of the devices' vendor, type, or architecture. To reach this goal, we perform full system emulation to achieve the execution of rmware images in a software-only environment, i.e., without involving any physical embedded devices. Then, we automatically analyze the web interfaces within the rmware using both static and dynamic analysis tools. We also present some interesting case-studies and discuss the main challenges associated with the dynamic analysis of fi rmware images and their web interfaces and network services. The observations we make in this paper shed light on an important aspect of embedded devices which was not previously studied at a large scale.

Document Doi Arxiv Bibtex

Titre:Automated dynamic firmware analysis at scale: A case study on embedded web interfaces
Type:Conférence
Langue:English
Ville:Xi'an
Pays:CHINE
Date:
Département:Sécurité numérique
Eurecom ref:4851
Copyright: © ACM, 2016. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ASIACCS 2016, ACM Symposium on InformAtion, Computer and Communications Security, May 30-June 3, 2016, Xi'An, China http://dx.doi.org/10.1145/2897845.2897900
Bibtex: @inproceedings{EURECOM+4851, doi = {http://dx.doi.org/10.1145/2897845.2897900}, year = {2016}, title = {{A}utomated dynamic firmware analysis at scale: {A} case study on embedded web interfaces}, author = {{C}ostin, {A}ndrei and {Z}arras, {A}postolis and {F}rancillon, {A}ur{\'e}lien}, booktitle = {{ASIACCS} 2016, {ACM} {S}ymposium on {I}nform{A}tion, {C}omputer and {C}ommunications {S}ecurity, {M}ay 30-{J}une 3, 2016, {X}i'{A}n, {C}hina}, address = {{X}i'an, {CHINE}}, month = {05}, url = {http://www.eurecom.fr/publication/4851} }
Voir aussi: