Embedded systems are a key component of modern life. Hence, the code running on those systems, called "firmware", has to be carefully evaluated and tested.
One common way to evaluate the security of firmware, especially in the absence of source code, is dynamic analysis. Unfortunately, compared to analysis and testing on desktop system, dynamic analysis for firmware is lacking behind. In this thesis, we identify the main challenges preventing dynamic analysis and testing techniques from reaching their full potential on firmware.
We develop avatar2, a multi-target orchestration framework which is capable of running firmware in both fully, and partially emulated settings. Using this framework, we adapt several dynamic analysis techniques to successfully operate on binary firmware. In detail we use its scriptability to easily replicate a previous study, we demonstrate that it allows to record and replay the execution of an embedded system, and implement heuristics for better fault detection as run-time monitors. Additionally, the framework serves as building block for an experimental evaluation of fuzz testing on embedded systems, and is used as part in a scalable concolic execution engine for firmware.
Last but not least, we present Groundhogger, a novel approach for unpacking embedded devices' firmware which, unlike other unpacking tools, uses dynamic analysis.