Fully automated large-scale firmware emulation and dynamic analysis

Abstract

IoT devices are becoming more and more popular with their various convenience, some of them such as routers and hubs play a vital role in the connection of each IoT devices. Due to the characteristic of the IoT devices, despite its essential role, the security of the software in the devices was not considered enough, and they are still connected to the Internet with the weak security. To improve the security of IoT devices by finding vulnerabilities, many kinds of research attempt at emulating the devices in various manners. One major emulation technique is that fully virtualize the whole system of device firmware

and full-system-emulation has many advantages such as low false positive rate, scalability, and no physical limitations. However, it has many challenges about inconsistencies in the execution environment. In this paper, we present FIRMADYNE-EX, fully automated and parallelized firmware emulation and pentesting system based on the FIRMADYNE. We solved the problems of the previous research about booting sequence, network setting, NVRAM library, and so on. As the results, the FIRMADYNE-EX has the high success rate of emulation. Finally, we developed the fuzzer which can find vulnerabilities which hard to verify by leveraging the emulated environment. With the wireless router and IP-camera firmwares on the 3 vendors (D-Link, NETGEAR, tp-link), the FIRMADYNE-EX achieved the high emulation success rate as 86% compared with 19% on the FIRMADYNE. For evaluation, we collected 560 latest distinct firmwares on 8 vendors. 234 firmwares on 3 vendors are the main set which we worked intensively, and our work emulated them with an average 79% compared with the 16% of previous work. The rest 326 firmwares on the other 5 vendors are sub-set which shows the similarity and difference with the main-set. Finally, we found 56 previously known vulnerabilities, some of them were found across each other vendors. Moreover, we found 25 new vulnerabilities which are previously unknown by using the new fuzzer, specialized in the emulation environment.