Towards system-wide dynamic analysis of embedded systems

Corteggiani, Nassim

Connected embedded systems are deployed increasingly widely, for example in IoT devices and critical control systems. Their security is becoming a serious concern, either because they control sensitive systems or because they can be compromised en masse to mount large-scale attacks.

One distinctive feature of embedded systems is the tight interaction between the firmware and the hardware peripherals that generally interface it with the physical world. These interactions are often the source of critical bugs. One common way of testing such systems is dynamic analysis. However, current approaches generally focus on closed-source firmware and test components separately, such as binary code, C code, or hardware peripherals. System-level testing is necessary to test these systems thoroughly. Major challenges in this area include performance limitations, differences in semantics between components, and limited control over and visibility into hardware peripherals.

In this thesis, we tackle these three main challenges for system-level dynamic analysis of embedded systems from the point of view of a designer. To begin with, the thesis offers a general discussion of achieving system-wide analysis of a System-on-Chip (SoC), in which we point out challenges and highlight research directions. First, to overcome performance limitations when interacting with peripherals (i.e., hardware-in-the-loop testing), we propose Steroids, a USB5-based high-performance, low-latency system probe. Second, we designed and developed Inception, a complete solution for system-wide testing of firmware source code. Inception supports different semantic levels (e.g., assembly and C), which are often combined when writing firmware. Third, we propose a solution for snapshotting the entire system under test, including both hardware and software state. We implement this solution in HardSnap, a system that restores the system under test to a precise point so that multiple execution paths can be tested concurrently while preserving analysis consistency.

Digital security
© EURECOM. Personal use of this material is permitted. The definitive version of this paper was published in Thesis and is available at: