Session
Fahrplan - Hauptprogramm 36C3
Security

Identifying Multi-Binary Vulnerabilities in Embedded Firmware at Scale

Eliza
Nilo Redini
Low-power, single-purpose embedded devices (e.g., routers and IoT devices) have become ubiquitous. While they automate and simplify many aspects of our lives, recent large-scale attacks have shown that their sheer number poses a severe threat to the Internet infrastructure, which led to the development of an IoT-specific cybercrime underground. Unfortunately, the software on these systems is hardware-dependent, and typically executes in unique, minimal environments with non-standard configurations, making security analysis particularly challenging. Moreover, most of the existing devices implement their functionality through the use of multiple binaries. This multi-binary service implementation renders current static and dynamic analysis techniques either ineffective or inefficient, as they are unable to identify and adequately model the communication between the various executables. In this talk, we will unveil the inner peculiarities of embedded firmware, we will show why existing firmware analysis techniques are ineffective, and we will present Karonte, a novel static analysis tool capable of analyzing embedded-device firmware by modeling and tracking multi-binary interactions. Our tool propagates taint information between binaries to detect insecure, attacker-controlled interactions, and effectively identify vulnerabilities. We will then present the results and insights of our experiments. We tested Karonte on 53 firmware samples from various vendors, showing that our prototype tool can successfully track and constrain multi-binary interactions. In doing so, we discovered 46 zero-day bugs, which we disclosed to the responsible entities. We performed a large-scale experiment on 899 different samples, showing that Karonte scales well with firmware samples of different size and complexity, and can effectively and efficiently analyze real-world firmware in a generic and fully automated fashion. Finally, we will demo our tool, showing how it led to the detection of a previously unknown vulnerability.

Presentation Outline 1. Introduction to IoT/Embedded firmware [~7 min] * A brief intro to the IoT landscape and the problems caused by insecure IoT devices. * Overview of the peculiarities that characterize embedded firmware. * Strong dependence from custom, unique environments. * Firmware samples are composed of multiple binaries, in a file system fashion (e.g., SquashFS). * Example of how a typical firmware sample looks like.

2. How to Analyze Firmware? [~5 min] * Overview on the current approaches/tools to analyze modern firmware and spot security vulnerabilities. * Description of the limitations of the current tools. * Dynamic analysis is usually unfeasible, because of the different, customized environments where firmware samples run. * Traditional, single-binary static analysis generates too many false positives because it does not take into account the interactions between the multiple binaries in a firmware sample.

3. Modeling Multi-Binary Interactions [~5 min] * Binaries/processes communicate through a finite set of communication paradigms, known as Inter-Process Communication (or IPC) paradigms. * An instance of an IPC is identified through a unique key (which we term a data key) that is known by every process involved in the communication. * Data keys associated with common IPC paradigms can be used to statically track the flow of attacker-controlled information between binaries.

4. Karonte: Design & Architecture [~15 min] * Our tool, Karonte, performs inter-binary data-flow tracking to automatically detect insecure interactions among binaries of a firmware sample, ultimately discovering security vulnerabilities (memory-corruption and DoS vulnerabilities). We will go through the steps of our approach. * As a first step, Karonte unpacks the firmware image using the off-the-shelf firmware unpacking utility binwalk. * Then, it analyzes the unpacked firmware sample and automatically retrieves the set of binaries that export the device functionality to the outside world. These border binaries incorporate the logic necessary to accept user requests received from external sources (e.g., the network), and represent the point where attacker-controlled data is introduced within the firmware itself. * Given a set of border binaries, Karonte builds a Binary Dependency Graph (BDG) that models communications among those binaries processing attacker-controlled data. The BDG is iteratively recovered by leveraging a collection of Communication Paradigm Finder (CPF) modules, which are able to reason about the different inter-process communication paradigms. * We perform static symbolic taint analysis to track how the data is propagated through the binary and collect the constraints that are applied to such data. We then propagate the data with its constraints to the other binaries in the BDG. * Finally, Karonte identifies security issues caused by insecure attacker-controlled data flows.

5. Evaluation & Results [~10 min] * We leveraged a dataset of 53 modern firmware samples to study, in depth, each phase of our approach and evaluate its effectiveness to find bugs. * We will show that our approach successfully identifies data flows across different firmware components, correctly propagating taint information. * This allowed us to discover potentially vulnerable data flows, leading to the discovery of 46 zero-day software bugs, and the rediscovery of another 5 n-days bugs. * Karonte provided an alert reduction of two orders of magnitude and a low false-positive rate. * We performed a large-scale experiment on 899 different firmware samples to assess the scalability of our tool. We will show that Karonte scales well with firmware samples of different size and complexity, and thus can be used to analyze real-world firmware.

6. Demo of Karonte [~5 min] * We will show how Karonte analyzes a real-world firmware sample and detects a security vulnerability that we found in the wild. * We will show the output that Karonte produces and how analysts can leverage our tool to test IoT devices.

7. Conclusive Remarks [~3 min] * A reprise of the initial questions and summary of the takeaways.

Additional information

Type lecture
Language English

More sessions

12/27/19
Security
Borg
Nowadays, Windows is still the most popular OS used in the world. It's very important for red teams / attackers to maintain the authority after they get into the OS by penetration test. So they need a vulnerability to hide in windows to escalate their account to system privilege.
12/27/19
Security
Hannes Mehnert
Dijkstra
Is the way we run services these days sustainable? The trusted computing base -- the lines of code where, if a flaw is discovered, jeopardizes the security and integrity of the entire service -- is enormous. Using orchestration systems that contain millions of lines of code, and that execute shell code, does not decrease this. This talk will present an alternative, minimalist approach to secure network services - relying on OCaml, a programming language that guarantees memory safety - composing ...
12/27/19
Security
littlelailo
Eliza
This talk is about running unsigned code at boot on iOS 11. I will demonstrate how you can start out with a daemon config file and end up with kernel code execution.
12/27/19
Security
Will Scott
Ada
It is easier to chat online securely today than it ever has been. Widespread adoption of signal, wire, and the private mode of WhatsApp have led a broader recognition of the importance of end-to-end encryption. There's still plenty of work to be done in finding new designs that balance privacy and usability in online communication.
12/27/19
Security
nba::yoh
Dijkstra
The 3DS is reaching end of life but has not revealed all its weaknesses yet. This talk will go through the process of reverse engineering an undocumented communication protocol and show how assessing hard-to-reach features yields dangerous results, including remote code execution exploits!
12/27/19
Security
Samuel Groß
Ada
So called “0-click” exploits, in which no user interaction is required to compromise a mobile device, have become a highly interesting topic for security researchers, and not just because Apple announced a one million dollar bug bounty for such exploits against the iPhone this year. This talk will go into the details of how a single memory corruption vulnerability in iMessage was remotely exploited to compromise an iPhone. The insights gained from the exploitation process will hopefully help ...
12/27/19
Security
Ada
Herzstück der digitalen Gesundheitsversorgung für 73 Millionen Versicherte ist die hochsichere, kritische Telematik-Infrastruktur mit bereits 115.000 angeschlossenen Arztpraxen. Nur berechtigte Teilnehmer haben über dieses geschlossene Netz Zugang zu unseren medizinischen Daten. Ein "Höchstmaß an Schutz" also, wie es das Gesundheitsministerium behauptet? Bewaffnet mit 10.000 Seiten Spezifikation und einem Faxgerät lassen wir Illusionen platzen und stellen fest: Technik allein ist auch ...