Open Access

Challenges in Firmware Re-Hosting, Emulation, and Analysis

Published: 02 January 2021

Abstract

System emulation and firmware re-hosting have become popular techniques for answering various security- and performance-related questions, such as whether a firmware image contains security vulnerabilities or meets its timing requirements when run on a specific hardware platform. While this motivation for emulation and binary analysis has previously been explored and reported, starting to work or do research in the field is difficult. To this end, we provide a comprehensive guide for the practitioner or system emulation researcher. We lay out the common challenges faced during firmware re-hosting, explaining the successive steps and surveying the common tools used to overcome these challenges. We provide classification techniques along five axes: emulator method, system type, fidelity, emulator purpose, and control. These classifications and comparison criteria enable the practitioner to determine the appropriate tool for emulation. We use our classifications to categorize popular works in the field and present 28 common challenges faced when creating, emulating, and analyzing a system, from obtaining firmware to post-emulation analysis.

  138. Teddy Reed. [n.d.]. subzero. Retrieved from https://github.com/theopolis/subzero.Google ScholarGoogle Scholar
  139. ReFirm Labs. [n.d.]. binwalk. Retrieved from https://github.com/ReFirmLabs/binwalk.Google ScholarGoogle Scholar
  140. Corinne Reichert. 2019. Google’s Android Bug Bounty Program Will Now Pay Out $1.5 Million. Retrieved from https://www.cnet.com/news/googles-android-bug-bounty-program-will-now-pay-out-1-5-million/.Google ScholarGoogle Scholar
  141. Samsung. [n.d.]. Jalangi2. Retrieved from https://github.com/Samsung/jalangi2.Google ScholarGoogle Scholar
  142. Chase Schultz. [n.d.]. firmware_collection. Retrieved from https://github.com/f47h3r/firmware_collection.Google ScholarGoogle Scholar
  143. Edward J. Schwartz, Thanassis Avgerinos, and David Brumley. 2010. All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society, Washington, DC, 317--331. DOI:https://doi.org/10.1109/SP.2010.26Google ScholarGoogle ScholarDigital LibraryDigital Library
  144. Sen, Koushik. [n.d.]. jCUTE. Retrieved from https://github.com/osl/jcute.Google ScholarGoogle Scholar
  145. Kostya Serebryany. 2017. OSS-Fuzz-Google’s Continuous Fuzzing Service for Open Source Software.Google ScholarGoogle Scholar
  146. Saumil Shah. [n.d.]. The ARM-X Firmware Emulation Framework. Retrieved from https://github.com/therealsaumil/armx.Google ScholarGoogle Scholar
  147. Asankhaya Sharma. 2014. Exploiting undefined behaviors for efficient symbolic execution. In Companion Proceedings of the 36th International Conference on Software Engineering. ACM, New York, NY, 727--729. DOI:https://doi.org/10.1145/2591062.2594450Google ScholarGoogle ScholarDigital LibraryDigital Library
  148. Shellphish. 2017. Cyber Grand Shellphish. Retrieved from http://phrack.org/papers/cyber_grand_shellphish.html.Google ScholarGoogle Scholar
  149. Eui Chul Richard Shin, Dawn Song, and Reza Moazzezi. 2015. Recognizing functions in binaries with neural networks. In Proceedings of the 24th USENIX Security Symposium. 611--626.Google ScholarGoogle Scholar
  150. Yan Shoshitaishvili, Ruoyu Wang, Christophe Hauser, Christopher Kruegel, and Giovanni Vigna. 2015. Firmalice - Automatic detection of authentication bypass vulnerabilities in binary firmware. In Proceedings of the 2015 Network and Distributed System Security Symposium.Google ScholarGoogle ScholarCross RefCross Ref
  151. Yan Shoshitaishvili, Ruoyu Wang, Christopher Salls, Nick Stephens, Mario Polino, Audrey Dutcher, John Grosen, Siji Feng, Christophe Hauser, Christopher Kruegel, and Giovanni Vigna. 2016. SoK: (State of) the art of war: Offensive techniques in binary analysis. In Proceedings of the IEEE Symposium on Security and Privacy.Google ScholarGoogle ScholarCross RefCross Ref
  152. Sibyl. [n.d.]. Sibyl. Retrieved from https://github.com/cea-sec/Sibyl.Google ScholarGoogle Scholar
  153. Sickendick, Karl. [n.d.]. pcode-emulator. Retrieved from https://github.com/kc0bfv/pcode-emulator.Google ScholarGoogle Scholar
  154. Slack. [n.d.]. Slack. Retrieved from https://angr.slack.com.Google ScholarGoogle Scholar
  155. Dawn Song, David Brumley, Heng Yin, Juan Caballero, Ivan Jager, Min Gyung Kang, Zhenkai Liang, James Newsome, Pongsin Poosankam, and Prateek Saxena. 2008. BitBlaze: A new approach to computer security via binary analysis. In Proceedings of the International Conference on Information Systems Security. Springer, 1--25.Google ScholarGoogle ScholarDigital LibraryDigital Library
  156. Prashast Srivastava, Hui Peng, Jiahao Li, Hamed Okhravi, Howard Shrobe, and Mathias Payer. 2019. FirmFuzz: Automated IoT firmware introspection and analysis. In Proceedings of the 2nd International ACM Workshop on Security and Privacy for the Internet-of-Things (2019), 15--21. DOI:https://doi.org/10.1145/3338507.3358616Google ScholarGoogle ScholarDigital LibraryDigital Library
  157. SSRFmap. [n.d.]. SSRFmap. Retrieved from https://github.com/swisskyrepo/SSRFmap.Google ScholarGoogle Scholar
  158. Nick Stephens, John Grosen, Christopher Salls, Audrey Dutcher, Ruoyu Wang, Jacopo Corbetta, Yan Shoshitaishvili, Christopher Kruegel, and Giovanni Vigna. 2016. Driller: Augmenting fuzzing through selective symbolic execution. In Proceedings of the 2016 Network and Distributed System Security Symposium.Google ScholarGoogle ScholarCross RefCross Ref
  159. Vinaitheerthan Sundaram, Patrick Eugster, and Xiangyu Zhang. 2010. Efficient diagnostic tracing for wireless sensor networks. In Proceedings of the 8th ACM Conference on Embedded Networked Sensor Systems. ACM, 169--182.Google ScholarGoogle ScholarDigital LibraryDigital Library
  160. Florin Dragos Tanasache, Mara Sorella, Silvia Bonomi, Raniero Rapone, and Davide Meacci. 2019. Building an emulation environment for cyber security analyses of complex networked systems. In Proceedings of the 20th International Conference on Distributed Computing and Networking (2019). DOI:https://doi.org/10.1145/3288599.3288618Google ScholarGoogle ScholarDigital LibraryDigital Library
  161. Matthew Tancreti, Mohammad Sajjad Hossain, Saurabh Bagchi, and Vijay Raghunathan. 2011. Aveksha: A hardware-software approach for non-intrusive tracing and profiling of wireless embedded systems. In Proceedings of the 9th ACM Conference on Embedded Networked Sensor Systems. ACM, 288--301.Google ScholarGoogle ScholarDigital LibraryDigital Library
  162. Matthew Tancreti, Vinaitheerthan Sundaram, Saurabh Bagchi, and Patrick Eugster. 2015. TARDIS: Software-only system-level record and replay in wireless sensor networks. In Proceedings of the 14th International Conference on Information Processing in Sensor Networks. ACM, 286--297.Google ScholarGoogle ScholarDigital LibraryDigital Library
  163. TCPDump. [n.d.]. Retrieved from http://www.tcpdump.org/.Google ScholarGoogle Scholar
  164. Radare2 Team. 2017. Radare2 Book. GitHub.Google ScholarGoogle Scholar
  165. Telerik. [n.d.]. Fiddler. Retrieved from https://www.telerik.com/fiddler.Google ScholarGoogle Scholar
  166. Keen Security Lab Tencent. 2016. Car Hacking Research: Remote Attack Tesla Motors. Retrieved from https://keenlab.tencent.com/en/2016/09/19/Keen-Security-Lab-of-Tencent-Car-Hacking-Research-Remote-Attack-to-Tesla-Cars/.Google ScholarGoogle Scholar
  167. Sam Thomas, Flavio Garcia, and Tom Chothia. 2017. HumIDIFy: A tool for hidden functionality detection in firmware. 279--300. DOI:https://doi.org/10.1007/978-3-319-60876-1_13Google ScholarGoogle Scholar
  168. Michael F. Thompson and Timothy Vidas. 2018. CGC Monitor: A Vetting System for the DARPA Cyber Grand Challenge. Retrieved from https://calhoun.nps.edu/handle/10945/59209.Google ScholarGoogle Scholar
  169. Brian Van Leeuwen, Vincent Urias, John Eldridge, Charles Villamarin, and Ron Olsberg. 2010. Cyber security analysis testbed: Combining real, emulation, and simulation. In Proceedings of the 44th Annual 2010 IEEE International Carnahan Conference on Security Technology. 121--126. DOI:https://doi.org/10.1109/CCST.2010.5678720Google ScholarGoogle ScholarCross RefCross Ref
  170. Sebastian Vasile, David Oswald, and Tom Chothia. 2019. Breaking all the things—A systematic survey of firmware extraction techniques for IoT devices. In Smart Card Research and Advanced Applications, Begül Bilgin and Jean-Bernard Fischer (Eds.). Springer International Publishing, Cham, 171--185.Google ScholarGoogle Scholar
  171. Marek Vasut. 2017. Adding New Architecture to QEMU. Retrieved from https://events17.linuxfoundation.org/sites/events/files/slides/ossj-2017.pdf.Google ScholarGoogle Scholar
  172. Trygve Vea. [n.d.]. firmwaredb. Retrieved from https://github.com/kvisle/firmwaredb.Google ScholarGoogle Scholar
  173. Vector 35. [n.d.]. Binary Ninja. Retrieved from https://binary.ninja/.Google ScholarGoogle Scholar
  174. John Viega and Hugh Thompson. 2012. The state of embedded-device security (Spoiler Alert: It’s Bad). IEEE Symp. Secur. Priv. 10, 5 (September 2012), 68--70. DOI:https://doi.org/10.1109/MSP.2012.134Google ScholarGoogle ScholarDigital LibraryDigital Library
  175. Sebastian Vogl, Robert Gawlik, Behrad Garmany, Thomas Kittel, Jonas Pfoh, Claudia Eckert, and Thorsten Holz. 2014. Dynamic hooks: Hiding control flow changes within non-control data. In Proceedings of the 23rd USENIX Security Symposium. 813--328.Google ScholarGoogle Scholar
  176. Ruoyu Wang, Yan Shoshitaishvili, Antonio Bianchi, Machiry Aravind, John Grosen, Paul Grosen, Christopher Kruegel, and Giovanni Vigna. 2017. Ramblr: Making reassembly great again. In Proceedings of the 2017 Network and Distributed System Security Symposium.Google ScholarGoogle ScholarCross RefCross Ref
  177. Xiajing Wang, Rui Ma, Bowen Dou, Zefeng Jian, and Hongzhou Chen. 2018. OFFDTAN: A new approach of offline dynamic taint analysis for binaries. Secur. Commun. Netw. 2018 (2018), 13. 10.1155/2018/7693861Google ScholarGoogle ScholarDigital LibraryDigital Library
  178. Kayla Wiles. 2019. First All-digital Nuclear Reactor System in the U.S. Installed at Purdue University. Retrieved from https://www.purdue.edu/newsroom/releases/2019/Q3/first-all-digital-nuclear-reactor-control-system-in-the-u.s.-installed-at-purdue-university.html.Google ScholarGoogle Scholar
  179. Wireshark. [n.d.]. Wireshark. Retrieved from https://www.wireshark.org/.Google ScholarGoogle Scholar
  180. Dongpeng Xu, Jiang Ming, and Dinghao Wu. 2017. Cryptographic function detection in obfuscated binaries via bit-precise symbolic loop mapping. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 921--937.Google ScholarGoogle ScholarCross RefCross Ref
  181. Hongfa Xue, Shaowen Sun, Guru Venkataramani, and Tian Lan. 2019. Machine learning-based analysis of program binaries: A comprehensive study. IEEE Access 7 (2019), 65889--65912.Google ScholarGoogle ScholarCross RefCross Ref
  182. Seung Jei Yang, Jung Ho Choi, Ki Bom Kim, and Taejoo Chang. 2015. New acquisition method based on firmware update protocols for Android smartphones. Dig. Invest. 14 (2015), S68–S76. DOI:https://doi.org/10.1016/j.diin.2015.05.008Google ScholarGoogle ScholarDigital LibraryDigital Library
  183. Miao Yu, Jianwei Zhuge, Ming Cao, Zhiwei Shi, and Lin Jiang. 2020. A survey of security vulnerability analysis, discovery, detection, and mitigation on IoT devices. Fut. Internet 12, 2 (February 2020), 27. DOI:https://doi.org/10.3390/fi12020027Google ScholarGoogle Scholar
  184. Insu Yun, Sangho Lee, Meng Xu, Yeongjin Jang, and Taesoo Kim. 2018. QSYM: A practical concolic execution engine tailored for hybrid fuzzing. In Proceedings of the 27th USENIX Security Symposium. 745--761.Google ScholarGoogle Scholar
  185. Jonas Zaddach, Luca Bruno, Aurãlien Francillon, and Davide Balzarotti. 2014. Avatar: A framework to support dynamic security analysis of embedded systems’ firmwares. In Proceedings of the Network and Distributed Systems Security Symposium. DOI:https://doi.org/10.14722/ndss.2014.23229Google ScholarGoogle ScholarCross RefCross Ref
  186. Jonas Zaddach, Anil Kurmus, Davide Balzarotti, Erik-Oliver Blass, Aurélien Francillon, Travis Goodspeed, Moitrayee Gupta, and Ioannis Koltsidas. 2013. Implementation and implications of a stealth hard-drive backdoor. In Proceedings of the 29th Annual Computer Security Applications Conference. Association for Computing Machinery, New York, NY, 279--288. DOI:https://doi.org/10.1145/2523649.2523661Google ScholarGoogle ScholarDigital LibraryDigital Library
  187. Ruijin Zhu, Yu-an Tan, Quanxin Zhang, Yuanzhang Li, and Jun Zheng. 2016. Determining image base of firmware for ARM devices by matching literal pools. Dig. Invest. 16 (2016), 19--28. DOI:https://doi.org/10.1016/j.diin.2016.01.002Google ScholarGoogle ScholarDigital LibraryDigital Library
  188. Ruijin Zhu, Baofeng Zhang, Junjie Mao, Quanxin Zhang, and Yu-an Tan. 2017. A methodology for determining the image base of ARM-based industrial control system firmware. Int. J. Crit. Infrastruct. Protect. 16 (2017), 26--35. DOI:https://doi.org/10.1016/j.ijcip.2016.12.002Google ScholarGoogle ScholarDigital LibraryDigital Library


            • Published in

              ACM Computing Surveys, Volume 54, Issue 1
              January 2022
              844 pages
              ISSN:0360-0300
              EISSN:1557-7341
              DOI:10.1145/3446641

              Copyright © 2021 ACM

              Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

              Publisher

              Association for Computing Machinery

              New York, NY, United States

              Publication History

              • Published: 2 January 2021
              • Accepted: 1 September 2020
              • Revised: 1 July 2020
              • Received: 1 January 2020


              Qualifiers

              • research-article
              • Research
              • Refereed
