Towards system-wide dynamic analysis of embedded systems

Corteggiani, Nassim

Connected embedded systems are increasingly widely deployed, for example, in IoT devices or critical control systems. Their security is becoming a serious concern, either because they control some sensitive system or because they can be massively exploited to mount large-scale attacks. One of the specificities of embedded systems is the high degree of interaction between the firmware and the hardware peripherals that generally interface them with the real world. These interactions are often the source of critical bugs. One common way of testing such systems is dynamic analysis. However, current approaches generally focus on closed-source firmware and rely on testing components separately, such as binary code, C-based code, or hardware peripherals. Achieving system-level testing is necessary to thoroughly test these systems. Major challenges in this topic include performance limitations, semantic differences, and limited control over and visibility into hardware peripherals. In this thesis, we tackle these three main challenges for system-level dynamic analysis of embedded systems while taking the point of view of a designer. To begin with, this thesis offers a general discussion on achieving a system-wide analysis of System-on-Chip (SoC), where we point out challenges and highlight research directions. First, to overcome performance limitations when interacting with peripherals (i.e., hardware-in-the-loop testing), we propose Steroids, a USB5-based high-performance low-latency system probe. Second, we designed and developed Inception, a complete solution for system-wide testing of firmware program source code. Inception supports different semantic levels (e.g., assembly and C), which are often combined when writing the firmware program. Third, we propose a solution for snapshotting the entire system under test, including both hardware and software state. We implement this solution in HardSnap, a system that enables system restoration at a precise point for testing multiple execution paths concurrently while preserving analysis consistency.

Digital security
Eurecom Ref:
© EURECOM. Personal use of this material is permitted. The definitive version of this paper was published in Thesis and is available at :