The security of embedded devices is a growing concern, necessitating the analysis of firmware binaries, even when no source code is available.
This thesis presents Avatar, a framework for bringing the benefits of advanced dynamic analysis techniques (such as symbolic execution) to embedded devices. It orchestrates the execution of binary firmware in an emulator together with the real hardware, thus avoiding the challenge of emulating all of the embedded device's peripherals. We propose several methods for improving the system's performance.
The real-world usability of the framework is then demonstrated in the firmware analysis of an off-the-shelf hard drive. We show the catastrophic loss of security that occurs when firmware is not trustworthy by implementing a prototype rootkit. This rootkit replaces arbitrary blocks when they are written to disk, constituting a data replacement backdoor. A remote attacker can then establish a covert communication channel with the backdoor to infiltrate commands and exfiltrate data.
Finally, we extend Avatar to identify peripheral devices, with the goal of automating the generation of a platform description of the embedded device. By observing the communication between firmware and peripheral devices, we generate a fingerprint. This fingerprint is then compared against a database of known fingerprints to identify likely matches.
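The two mechanisms summarised above (forwarding peripheral accesses from the emulator to the hardware instead of modelling the peripheral, and fingerprinting the firmware-to-peripheral traffic against a database of known devices) are illustrated by the following Python model. It is an added example, not code from the Avatar thesis or framework: the "target" is a constructed stand-in that answers like a 16550-style UART, the firmware routine is constructed, and the fingerprint database contents and peripheral names are assumptions made for illustration. The register offsets used for the UART (transmit register at 0, interrupt-enable at 1, line-control at 3, line-status at 5) follow the 16550 layout; everything else about the database entries is invented.

```python
"""Added example (not the Avatar thesis' code): a toy model of two of its ideas.
1. Forwarding: the emulated firmware's loads/stores to a peripheral's MMIO window
   are sent to the (here: stand-in) hardware instead of a local device model.
2. Fingerprinting: the recorded access trace is reduced to a fingerprint and
   compared against a database of known peripherals.
Register layouts, peripheral names and database contents are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Access:
    kind: str     # "r" (load) or "w" (store)
    offset: int   # register offset inside the peripheral window
    width: int    # access width in bytes


class StandInTarget:
    """Constructed stand-in for the real board. Answers like a 16550-style UART
    whose line-status register (offset 5) reports the transmit holding register
    empty (bit 0x20), so the firmware's polling loop terminates."""
    def __init__(self):
        self.regs = {0x0: 0x00, 0x1: 0x00, 0x3: 0x00, 0x5: 0x60}

    def read(self, offset, width):
        return self.regs.get(offset, 0)

    def write(self, offset, width, value):
        self.regs[offset] = value & ((1 << (8 * width)) - 1)


class ForwardingMMIO:
    """Emulator-side hook: accesses inside [base, base+size) are not emulated but
    forwarded to the target, and every access is appended to a trace."""
    def __init__(self, base, size, target):
        self.base, self.size, self.target = base, size, target
        self.trace = []

    def _offset(self, addr):
        if not (self.base <= addr < self.base + self.size):
            raise ValueError(f"address {addr:#x} outside forwarded window")
        return addr - self.base

    def load(self, addr, width):
        off = self._offset(addr)
        self.trace.append(Access("r", off, width))
        return self.target.read(off, width)

    def store(self, addr, width, value):
        off = self._offset(addr)
        self.trace.append(Access("w", off, width))
        self.target.write(off, width, value)


def firmware_print(mmio, base, data):
    """Constructed firmware routine under analysis: configure the UART, then poll
    the line-status register before writing each byte to the transmit register."""
    mmio.store(base + 3, 1, 0x03)   # LCR: 8 data bits, no parity, 1 stop bit
    mmio.store(base + 1, 1, 0x00)   # IER: interrupts off, the firmware polls
    for byte in data:
        while not (mmio.load(base + 5, 1) & 0x20):
            pass                    # wait until THR is empty
        mmio.store(base + 0, 1, byte)


def fingerprint(trace):
    """Reduce a trace to the set of distinct (kind, offset, width) register touches."""
    return frozenset((a.kind, a.offset, a.width) for a in trace)


# Constructed database of known fingerprints (names and contents are assumptions).
KNOWN_PERIPHERALS = {
    "ns16550-uart": frozenset({("w", 0x3, 1), ("w", 0x1, 1), ("r", 0x5, 1),
                               ("w", 0x0, 1), ("r", 0x0, 1)}),
    "pl011-uart":   frozenset({("r", 0x18, 4), ("w", 0x0, 4), ("w", 0x30, 4)}),
    "gpio-bank":    frozenset({("w", 0x0, 4), ("r", 0x8, 4)}),
}


def match(fp, database=KNOWN_PERIPHERALS):
    """Jaccard similarity of fp against every known fingerprint, best match first."""
    scored = [(name, len(fp & known) / len(fp | known)) for name, known in database.items()]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def run_demo(base=0x4000_1000, text=b"ok"):
    """Run the constructed firmware against the stand-in target through the
    forwarding hook; return the trace, the ranked candidates and the target."""
    target = StandInTarget()
    mmio = ForwardingMMIO(base, 0x100, target)
    firmware_print(mmio, base, text)
    return mmio.trace, match(fingerprint(mmio.trace)), target


if __name__ == "__main__":
    trace, ranking, _ = run_demo()
    print(f"{len(trace)} forwarded accesses; candidates: {ranking}")
```

The fingerprint deliberately discards the order and count of accesses so that the same peripheral driven by different firmware (one byte or a thousand, with or without a configuration step) still collapses to a similar set of register touches; a practitioner extending this would add the access order or the values written to separate devices that share a register map. The Jaccard score also makes the limits visible: a trace that only ever polls one status register will match any peripheral with a readable register at that offset, so a single score is a ranking of likely matches, not a definitive identification.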
Avatar is a first step towards more automated and intelligent tools for the dynamic security analysis of embedded devices.