Abstract
System emulation and firmware re-hosting have become popular techniques for answering security- and performance-related questions, such as whether a firmware image contains security vulnerabilities or meets its timing requirements when run on a specific hardware platform. While the motivation for emulation and binary analysis has been explored and reported before, getting started with either practical work or research in the field remains difficult. To this end, we provide a comprehensive guide for the practitioner or system emulation researcher. We lay out the common challenges faced during firmware re-hosting, explain the successive steps involved, and survey the common tools used to overcome these challenges. We provide classification techniques along five axes: emulator method, system type, fidelity, emulator purpose, and control. These classifications and comparison criteria enable the practitioner to determine the appropriate tool for emulation. We use our classifications to categorize popular works in the field and present 28 common challenges faced when creating, emulating, and analyzing a system, from obtaining firmware images to post-emulation analysis.
- Prashast Srivastava, Hui Peng, Jiahao Li, Hamed Okhravi, Howard Shrobe, and Mathias Payer. 2019. FirmFuzz: Automated IoT firmware introspection and analysis. In Proceedings of the 2nd International ACM Workshop on Security and Privacy for the Internet-of-Things (2019), 15--21. DOI:https://doi.org/10.1145/3338507.3358616Google ScholarDigital Library
- SSRFmap. [n.d.]. SSRFmap. Retrieved from https://github.com/swisskyrepo/SSRFmap.Google Scholar
- Nick Stephens, John Grosen, Christopher Salls, Audrey Dutcher, Ruoyu Wang, Jacopo Corbetta, Yan Shoshitaishvili, Christopher Kruegel, and Giovanni Vigna. 2016. Driller: Augmenting fuzzing through selective symbolic execution. In Proceedings of the 2016 Network and Distributed System Security Symposium.Google ScholarCross Ref
- Vinaitheerthan Sundaram, Patrick Eugster, and Xiangyu Zhang. 2010. Efficient diagnostic tracing for wireless sensor networks. In Proceedings of the 8th ACM Conference on Embedded Networked Sensor Systems. ACM, 169--182.Google ScholarDigital Library
- Florin Dragos Tanasache, Mara Sorella, Silvia Bonomi, Raniero Rapone, and Davide Meacci. 2019. Building an emulation environment for cyber security analyses of complex networked systems. In Proceedings of the 20th International Conference on Distributed Computing and Networking (2019). DOI:https://doi.org/10.1145/3288599.3288618Google ScholarDigital Library
- Matthew Tancreti, Mohammad Sajjad Hossain, Saurabh Bagchi, and Vijay Raghunathan. 2011. Aveksha: A hardware-software approach for non-intrusive tracing and profiling of wireless embedded systems. In Proceedings of the 9th ACM Conference on Embedded Networked Sensor Systems. ACM, 288--301.Google ScholarDigital Library
- Matthew Tancreti, Vinaitheerthan Sundaram, Saurabh Bagchi, and Patrick Eugster. 2015. TARDIS: Software-only system-level record and replay in wireless sensor networks. In Proceedings of the 14th International Conference on Information Processing in Sensor Networks. ACM, 286--297.Google ScholarDigital Library
- TCPDump. [n.d.]. Retrieved from http://www.tcpdump.org/.Google Scholar
- Radare2 Team. 2017. Radare2 Book. GitHub.Google Scholar
- Telerik. [n.d.]. Fiddler. Retrieved from https://www.telerik.com/fiddler.Google Scholar
- Keen Security Lab Tencent. 2016. Car Hacking Research: Remote Attack Tesla Motors. Retrieved from https://keenlab.tencent.com/en/2016/09/19/Keen-Security-Lab-of-Tencent-Car-Hacking-Research-Remote-Attack-to-Tesla-Cars/.Google Scholar
- Sam Thomas, Flavio Garcia, and Tom Chothia. 2017. HumIDIFy: A tool for hidden functionality detection in firmware. 279--300. DOI:https://doi.org/10.1007/978-3-319-60876-1_13Google Scholar
- Michael F. Thompson and Timothy Vidas. 2018. CGC Monitor: A Vetting System for the DARPA Cyber Grand Challenge. Retrieved from https://calhoun.nps.edu/handle/10945/59209.Google Scholar
- Brian Van Leeuwen, Vincent Urias, John Eldridge, Charles Villamarin, and Ron Olsberg. 2010. Cyber security analysis testbed: Combining real, emulation, and simulation. In Proceedings of the 44th Annual 2010 IEEE International Carnahan Conference on Security Technology. 121--126. DOI:https://doi.org/10.1109/CCST.2010.5678720Google ScholarCross Ref
- Sebastian Vasile, David Oswald, and Tom Chothia. 2019. Breaking all the things—A systematic survey of firmware extraction techniques for IoT devices. In Smart Card Research and Advanced Applications, Begül Bilgin and Jean-Bernard Fischer (Eds.). Springer International Publishing, Cham, 171--185.Google Scholar
- Marek Vasut. 2017. Adding New Architecture to QEMU. Retrieved from https://events17.linuxfoundation.org/sites/events/files/slides/ossj-2017.pdf.Google Scholar
- Trygve Vea. [n.d.]. firmwaredb. Retrieved from https://github.com/kvisle/firmwaredb.Google Scholar
- Vector 35. [n.d.]. Binary Ninja. Retrieved from https://binary.ninja/.Google Scholar
- John Viega and Hugh Thompson. 2012. The state of embedded-device security (Spoiler Alert: It’s Bad). IEEE Symp. Secur. Priv. 10, 5 (September 2012), 68--70. DOI:https://doi.org/10.1109/MSP.2012.134Google ScholarDigital Library
- Sebastian Vogl, Robert Gawlik, Behrad Garmany, Thomas Kittel, Jonas Pfoh, Claudia Eckert, and Thorsten Holz. 2014. Dynamic hooks: Hiding control flow changes within non-control data. In Proceedings of the 23rd USENIX Security Symposium. 813--328.Google Scholar
- Ruoyu Wang, Yan Shoshitaishvili, Antonio Bianchi, Machiry Aravind, John Grosen, Paul Grosen, Christopher Kruegel, and Giovanni Vigna. 2017. Ramblr: Making reassembly great again. In Proceedings of the 2017 Network and Distributed System Security Symposium.Google ScholarCross Ref
- Xiajing Wang, Rui Ma, Bowen Dou, Zefeng Jian, and Hongzhou Chen. 2018. OFFDTAN: A new approach of offline dynamic taint analysis for binaries. Secur. Commun. Netw. 2018 (2018), 13. 10.1155/2018/7693861Google ScholarDigital Library
- Kayla Wiles. 2019. First All-digital Nuclear Reactor System in the U.S. Installed at Purdue University. Retrieved from https://www.purdue.edu/newsroom/releases/2019/Q3/first-all-digital-nuclear-reactor-control-system-in-the-u.s.-installed-at-purdue-university.html.Google Scholar
- Wireshark. [n.d.]. Wireshark. Retrieved from https://www.wireshark.org/.Google Scholar
- Dongpeng Xu, Jiang Ming, and Dinghao Wu. 2017. Cryptographic function detection in obfuscated binaries via bit-precise symbolic loop mapping. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 921--937.Google ScholarCross Ref
- Hongfa Xue, Shaowen Sun, Guru Venkataramani, and Tian Lan. 2019. Machine learning-based analysis of program binaries: A comprehensive study. IEEE Access 7 (2019), 65889--65912.Google ScholarCross Ref
- Seung Jei Yang, Jung Ho Choi, Ki Bom Kim, and Taejoo Chang. 2015. New acquisition method based on firmware update protocols for Android smartphones. Dig. Invest. 14 (2015), S68–S76. DOI:https://doi.org/10.1016/j.diin.2015.05.008Google ScholarDigital Library
- Miao Yu, Jianwei Zhuge, Ming Cao, Zhiwei Shi, and Lin Jiang. 2020. A survey of security vulnerability analysis, discovery, detection, and mitigation on IoT devices. Fut. Internet 12, 2 (February 2020), 27. DOI:https://doi.org/10.3390/fi12020027Google Scholar
- Insu Yun, Sangho Lee, Meng Xu, Yeongjin Jang, and Taesoo Kim. 2018. QSYM: A practical concolic execution engine tailored for hybrid fuzzing. In Proceedings of the 27th USENIX Security Symposium. 745--761.Google Scholar
- Jonas Zaddach, Luca Bruno, Aurãlien Francillon, and Davide Balzarotti. 2014. Avatar: A framework to support dynamic security analysis of embedded systems’ firmwares. In Proceedings of the Network and Distributed Systems Security Symposium. DOI:https://doi.org/10.14722/ndss.2014.23229Google ScholarCross Ref
- Jonas Zaddach, Anil Kurmus, Davide Balzarotti, Erik-Oliver Blass, Aurélien Francillon, Travis Goodspeed, Moitrayee Gupta, and Ioannis Koltsidas. 2013. Implementation and implications of a stealth hard-drive backdoor. In Proceedings of the 29th Annual Computer Security Applications Conference. Association for Computing Machinery, New York, NY, 279--288. DOI:https://doi.org/10.1145/2523649.2523661Google ScholarDigital Library
- Ruijin Zhu, Yu-an Tan, Quanxin Zhang, Yuanzhang Li, and Jun Zheng. 2016. Determining image base of firmware for ARM devices by matching literal pools. Dig. Invest. 16 (2016), 19--28. DOI:https://doi.org/10.1016/j.diin.2016.01.002Google ScholarDigital Library
- Ruijin Zhu, Baofeng Zhang, Junjie Mao, Quanxin Zhang, and Yu-an Tan. 2017. A methodology for determining the image base of ARM-based industrial control system firmware. Int. J. Crit. Infrastruct. Protect. 16 (2017), 26--35. DOI:https://doi.org/10.1016/j.ijcip.2016.12.002Google ScholarDigital Library