embedded security researcher,fresh dr. :)...first framework for automated large scale security...
# whoami
• Embedded security researcher, fresh Dr. :)
Intro
Embedded Devices: Are Everywhere
by Wilgengebroed on Flickr [CC-BY-2.0]
Embedded Devices: Smarter and More Complex
Embedded Devices: More Interconnected
Embedded Software: Firmware is Everywhere
• Embedded devices are diverse – but all of them run software, commonly referred to as firmware
Observations: Magnitude of Embedded/Firmware
• By 2014, there were hundreds of thousands of firmware packages (Costin et al., USENIX Security 2014)
• By 2014, there were 14 billion Internet-connected objects (Cisco, Internet of Things Connections Counter, 2014)
• By 2020, there will be between 20 and 50 billion interconnected IoT/embedded devices (Cisco, The Internet of Everything in Motion, 2013)
Importance of Embedded Systems' Security
• Embedded devices are ubiquitous
  – Even invisible, they are essential to our lives
• Can operate for many years
  – Legacy systems, no (security) updates
• Have a large attack surface
  – Web interfaces
  – Networking services
  – Debug interfaces (forgotten, backdoor)
  – ...
Many Examples of Insecure Embedded Systems
● Routers
● Printers: Networked printers at risk (30/12/2011, McAfee Labs)
● VoIP: Cisco VoIP Phones Affected By On Hook Security Vulnerability (12/06/2012, Forbes)
● Cars: Hackers Reveal Nasty New Car Attacks – With Me Behind The Wheel (12/08/2013, Forbes)
● Drones
● Fireworks: Remote Control, Firing Module
● Etc.
Each of the above is a result of individual analysis
Manual and tedious efforts → Does not scale
Review: Manual Analysis Process
[Diagram, built up over several slides]
● Steps: firmware; decrypt; unpack; detect CPU, static analysis; dynamic analysis
● Annotations: IHEX format; plain text firmware; Motorola m68k-based CPU
● Checks: debug interfaces? UART consoles? known/obvious vulns?
● Annotations: 802.15.4 functions; UART “boot>” prompts
● Device steps: buy device; setup device; disassemble/analyze device
● Open Problem: Hard to automate
● Goal: Automate these steps
Goals and Challenges
Idea → Goal
Perform large scale automated analysis to better understand, classify and analyze firmware images, without using devices
Challenges → Solutions
• Large number of devices → Analysis without devices
• Large number of firmware files → Scalable architectures
• Highly heterogeneous systems → Generic techniques
• Increasingly “smart”, “connected” → Focus on web interfaces & APIs
• Highly unstructured firmware data → Large dataset classification
• Vulnerable devices exposed → Technology-independent device fingerprinting
Large Scale Challenge 1: Firmware and Device Classification
Firmware Classification: Why and How?
● Why?
  – There are hundreds of thousands of firmware packages (Costin et al., USENIX Security 2014)
  – Any volunteer for manual triage? :)
● How?
  – Machine Learning (ML)
  – E.g., Python's scikit-learn
Firmware Classification: ML Details
● Random Forests, Decision Trees
● File size
● Entropy value
● Extended entropy information
● Category strings
● Category unique strings
Firmware Classification: ML Examples
Firmware Classification: ML Summary
● The local optimum for our setup
  – Features [size, entropy, entropy extended, category strings, category unique strings]
  – Random Forests classifier
  – Training sets based on 40% of each category
  – Achieves more than 90% accuracy
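The feature vector and the 40%-per-category training split from the ML slides, as an added example that is not code from the talk or its authors. Assumptions: "extended entropy" is read as min/mean/max of per-256-byte-block entropy, the category-string features are counted as hits on marker byte strings per category, and the labels, marker strings and sample blobs are constructed; training needs scikit-learn installed.

```python
import math
import random
from collections import Counter, defaultdict

BLOCK = 256  # assumption: block size for the per-block ("extended") entropy


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, from 0.0 to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extended_entropy(data: bytes, block: int = BLOCK) -> list:
    """Assumed reading of 'extended entropy': min, mean, max over blocks."""
    ents = [shannon_entropy(data[i:i + block])
            for i in range(0, len(data), block)] or [0.0]
    return [min(ents), sum(ents) / len(ents), max(ents)]


def feature_vector(data: bytes, category_strings: dict) -> list:
    """[size, entropy, ext. entropy x3, marker-string hits per category]."""
    hits = [sum(s in data for s in category_strings[cat])
            for cat in sorted(category_strings)]
    return [len(data), shannon_entropy(data), *extended_entropy(data), *hits]


def split_per_category(samples, train_fraction=0.4, seed=0):
    """Put train_fraction of each category into the training set."""
    by_label = defaultdict(list)
    for data, label in samples:
        by_label[label].append(data)
    rng = random.Random(seed)
    train, test = [], []
    for label in sorted(by_label):
        items = by_label[label][:]
        rng.shuffle(items)
        k = max(1, round(len(items) * train_fraction))
        train += [(d, label) for d in items[:k]]
        test += [(d, label) for d in items[k:]]
    return train, test


def train_and_score(samples, category_strings):
    """Fit a Random Forest on the 40% split, return accuracy on the rest."""
    from sklearn.ensemble import RandomForestClassifier  # needs scikit-learn

    def vectors(rows):
        return [feature_vector(d, category_strings) for d, _ in rows]

    train, test = split_per_category(samples)
    clf = RandomForestClassifier(n_estimators=50, random_state=0)
    clf.fit(vectors(train), [label for _, label in train])
    return clf.score(vectors(test), [label for _, label in test])


def make_samples(per_category=10, seed=1):
    """Constructed stand-ins for firmware: packed-looking vs. plain-text."""
    rng = random.Random(seed)
    samples = []
    for i in range(per_category):
        packed = bytes(rng.getrandbits(8) for _ in range(4096 + 64 * i))
        samples.append((b"VENDOR-A-BOOT" + packed, "vendor_a"))
        samples.append((b"vendor-b-fw " + b"cfg=1;" * (300 + 10 * i), "vendor_b"))
    return samples


# Constructed marker strings, one list per (hypothetical) category.
CATEGORY_STRINGS = {"vendor_a": [b"VENDOR-A-BOOT"], "vendor_b": [b"vendor-b-fw"]}

if __name__ == "__main__":
    print("accuracy:", train_and_score(make_samples(), CATEGORY_STRINGS))
```

On real firmware the marker strings would be mined from the training set of each category rather than written by hand.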
Large Scale Challenge 2: Automated Static Analysis
Static Firmware Analysis: Automated and Large Scale
[Architecture diagram, built up over several slides]
● Inputs: Internet (Crawl), Public Web Interface (Submit)
● Firmware Datastore
● Firmware Analysis Cloud: Master, Workers (Distribute); Unpacking, Static Analysis, Fuzzy Hashing; Password Hash Cracker
● Firmware Analysis & Reports DB
● Data Enrichment
● Correlation Engine
Static Firmware Analysis: Types of Tests
● Misconfiguration
  ● Web-server configs, Code repositories
● Credentials
  ● Weak/Default/Hard-coded
● Data enrichment
  ● Versions → Software packages
  ● Keywords → Known problems (telnet, shell, UART, backdoor)
● Correlation and clustering
  ● Based on: Fuzzy hashes, Private SSL keys, Credentials
Example: Firmware content correlation
[Diagram, built up over several slides: Firmware 1 to Firmware 5, with the labels 95%, 99% and 0%]
Example: Firmware HTTPS keys correlation
[Diagram, built up over several slides: Vendor A and Vendor B, labelled "Same key"]
For one certificate, we found at least:
 - 1 vulnerability
 - 2 vendors
 - 35K online devices
In total:
 - 109 private RSA keys for HTTPS certificates
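One way to run the private-key correlation described on these slides over unpacked firmware, as an added example that is not the framework's own code. The image names, vendors, file paths and key bytes are constructed placeholders; the fingerprint is SHA-256 over the decoded key bytes, an assumption chosen so that re-wrapped copies of one key still match.

```python
import base64
import hashlib
import re
from collections import defaultdict

# Unencrypted PEM private keys (PKCS#1 "RSA", SEC1 "EC", PKCS#8 generic).
PEM_KEY = re.compile(
    rb"-----BEGIN ((?:RSA |EC )?PRIVATE KEY)-----(.+?)-----END \1-----", re.S)


def key_fingerprints(blob: bytes) -> set:
    """SHA-256 over the decoded bytes of each PEM private key in blob.

    Hashing the decoded bytes, not the PEM text, makes copies that differ
    only in line wrapping or line endings produce the same fingerprint."""
    found = set()
    for match in PEM_KEY.finditer(blob):
        b64 = re.sub(rb"\s+", b"", match.group(2))
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError:  # header lines (encrypted PEM) or corrupt data
            continue
        if der:
            found.add(hashlib.sha256(der).hexdigest())
    return found


def correlate(images: dict) -> dict:
    """Map fingerprint -> sorted (vendor, image, path) for keys in >1 image."""
    seen = defaultdict(set)
    for name, image in images.items():
        for path, data in image["files"].items():
            for fp in key_fingerprints(data):
                seen[fp].add((image["vendor"], name, path))
    return {fp: sorted(locs) for fp, locs in seen.items()
            if len({img_name for _, img_name, _ in locs}) > 1}


def cross_vendor(shared: dict) -> dict:
    """Subset of correlate() output where one key spans several vendors."""
    out = {}
    for fp, locs in shared.items():
        vendors = sorted({vendor for vendor, _, _ in locs})
        if len(vendors) > 1:
            out[fp] = vendors
    return out


def fake_pem(body: bytes, width: int = 64) -> bytes:
    """Wrap placeholder bytes as PEM. Constructed test data, not a real key."""
    b64 = base64.b64encode(body)
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return (b"-----BEGIN RSA PRIVATE KEY-----\n" + b"\n".join(lines)
            + b"\n-----END RSA PRIVATE KEY-----\n")


SHARED = b"placeholder-key-material-shared" * 8   # constructed
UNIQUE = b"placeholder-key-material-unique" * 8   # constructed

# Constructed stand-in for unpacked firmware; names and paths are hypothetical.
SAMPLE_IMAGES = {
    "cam-1.0.bin": {"vendor": "Vendor A",
                    "files": {"/etc/ssl/server.pem": fake_pem(SHARED)}},
    "cam-1.1.bin": {"vendor": "Vendor A",
                    "files": {"/etc/ssl/server.pem":
                              fake_pem(SHARED, 76).replace(b"\n", b"\r\n")}},
    "nvr-2.0.bin": {"vendor": "Vendor B",
                    "files": {"/usr/sbin/httpd": b"\x7fELF..." + fake_pem(SHARED)}},
    "router-3.bin": {"vendor": "Vendor C",
                     "files": {"/etc/key.pem": fake_pem(UNIQUE)}},
}

if __name__ == "__main__":
    shared = correlate(SAMPLE_IMAGES)
    for fp, vendors in cross_vendor(shared).items():
        print(fp[:16], "shared by", vendors, "in", len(shared[fp]), "locations")
```

A fingerprint that appears under more than one vendor marks every image in its cluster for key rotation, since any holder of one image can read the key the others serve.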
Static Firmware Analysis: Some Results
● 38 new vulnerabilities
● 693 firmware images with at least one vulnerability
● 140K online devices correlated to some vulnerabilities
Large Scale Challenge 3: Automated Dynamic Analysis
Dynamic Firmware Analysis: Automated and Large Scale
![Page 69: Embedded security researcher,fresh Dr. :)...First framework for automated large scale security analysis and classification of firmwares and embedded devices Simple and advanced analysis](https://reader034.vdocument.in/reader034/viewer/2022051917/6009339a82948126a14fe650/html5/thumbnails/69.jpg)
69/97
Dynamic Firmware AnalysisEmulator's Dilemma
![Page 70: Embedded security researcher,fresh Dr. :)...First framework for automated large scale security analysis and classification of firmwares and embedded devices Simple and advanced analysis](https://reader034.vdocument.in/reader034/viewer/2022051917/6009339a82948126a14fe650/html5/thumbnails/70.jpg)
70/97
Dynamic Firmware AnalysisEmulator's Dilemma
![Page 71: Embedded security researcher,fresh Dr. :)...First framework for automated large scale security analysis and classification of firmwares and embedded devices Simple and advanced analysis](https://reader034.vdocument.in/reader034/viewer/2022051917/6009339a82948126a14fe650/html5/thumbnails/71.jpg)
71/97
Dynamic Firmware AnalysisEmulator's Dilemma
![Page 72: Embedded security researcher,fresh Dr. :)...First framework for automated large scale security analysis and classification of firmwares and embedded devices Simple and advanced analysis](https://reader034.vdocument.in/reader034/viewer/2022051917/6009339a82948126a14fe650/html5/thumbnails/72.jpg)
72/97
Dynamic Firmware AnalysisEmulator's Dilemma
![Page 73: Embedded security researcher,fresh Dr. :)...First framework for automated large scale security analysis and classification of firmwares and embedded devices Simple and advanced analysis](https://reader034.vdocument.in/reader034/viewer/2022051917/6009339a82948126a14fe650/html5/thumbnails/73.jpg)
73/97
Dynamic Firmware AnalysisEmulator's Dilemma
![Page 74: Embedded security researcher,fresh Dr. :)...First framework for automated large scale security analysis and classification of firmwares and embedded devices Simple and advanced analysis](https://reader034.vdocument.in/reader034/viewer/2022051917/6009339a82948126a14fe650/html5/thumbnails/74.jpg)
74/97
Dynamic Firmware AnalysisEmulator's Dilemma
![Page 75: Embedded security researcher,fresh Dr. :)...First framework for automated large scale security analysis and classification of firmwares and embedded devices Simple and advanced analysis](https://reader034.vdocument.in/reader034/viewer/2022051917/6009339a82948126a14fe650/html5/thumbnails/75.jpg)
75/97
Dynamic Firmware AnalysisEmulator's Dilemma
![Page 76: Embedded security researcher,fresh Dr. :)...First framework for automated large scale security analysis and classification of firmwares and embedded devices Simple and advanced analysis](https://reader034.vdocument.in/reader034/viewer/2022051917/6009339a82948126a14fe650/html5/thumbnails/76.jpg)
76/97
Dynamic Firmware Analysis: Emulator's Dilemma
![Page 77: Embedded security researcher,fresh Dr. :)...First framework for automated large scale security analysis and classification of firmwares and embedded devices Simple and advanced analysis](https://reader034.vdocument.in/reader034/viewer/2022051917/6009339a82948126a14fe650/html5/thumbnails/77.jpg)
77/97
Dynamic Firmware Analysis: Emulator's Dilemma
![Page 78: Embedded security researcher,fresh Dr. :)...First framework for automated large scale security analysis and classification of firmwares and embedded devices Simple and advanced analysis](https://reader034.vdocument.in/reader034/viewer/2022051917/6009339a82948126a14fe650/html5/thumbnails/78.jpg)
78/97
Dynamic Firmware Analysis: Scalable Emulation and Analysis
![Page 79: Embedded security researcher,fresh Dr. :)...First framework for automated large scale security analysis and classification of firmwares and embedded devices Simple and advanced analysis](https://reader034.vdocument.in/reader034/viewer/2022051917/6009339a82948126a14fe650/html5/thumbnails/79.jpg)
79/97
Dynamic Firmware Analysis: Scalable Emulation and Analysis
![Page 80: Embedded security researcher,fresh Dr. :)...First framework for automated large scale security analysis and classification of firmwares and embedded devices Simple and advanced analysis](https://reader034.vdocument.in/reader034/viewer/2022051917/6009339a82948126a14fe650/html5/thumbnails/80.jpg)
80/97
Dynamic Firmware Analysis: Scalable Emulation and Analysis
![Page 81: Embedded security researcher,fresh Dr. :)...First framework for automated large scale security analysis and classification of firmwares and embedded devices Simple and advanced analysis](https://reader034.vdocument.in/reader034/viewer/2022051917/6009339a82948126a14fe650/html5/thumbnails/81.jpg)
81/97
Dynamic Firmware Analysis: Scalable Emulation and Analysis
![Page 82: Embedded security researcher,fresh Dr. :)...First framework for automated large scale security analysis and classification of firmwares and embedded devices Simple and advanced analysis](https://reader034.vdocument.in/reader034/viewer/2022051917/6009339a82948126a14fe650/html5/thumbnails/82.jpg)
82/97
Dynamic Firmware Analysis: Scalable Emulation and Analysis
![Page 83: Embedded security researcher,fresh Dr. :)...First framework for automated large scale security analysis and classification of firmwares and embedded devices Simple and advanced analysis](https://reader034.vdocument.in/reader034/viewer/2022051917/6009339a82948126a14fe650/html5/thumbnails/83.jpg)
83/97
Dynamic Firmware Analysis: Scalable Emulation and Analysis
![Page 84: Embedded security researcher,fresh Dr. :)...First framework for automated large scale security analysis and classification of firmwares and embedded devices Simple and advanced analysis](https://reader034.vdocument.in/reader034/viewer/2022051917/6009339a82948126a14fe650/html5/thumbnails/84.jpg)
84/97
Dynamic Firmware Analysis: Scalable Emulation and Analysis
![Page 85: Embedded security researcher,fresh Dr. :)...First framework for automated large scale security analysis and classification of firmwares and embedded devices Simple and advanced analysis](https://reader034.vdocument.in/reader034/viewer/2022051917/6009339a82948126a14fe650/html5/thumbnails/85.jpg)
85/97
Dynamic Firmware Analysis: Some Results
● High-severity vulnerability impact
● Command injection, XSS, CSRF
● Automated+scalable static and dynamic analysis
● 225 high-severity vulnerabilities, many previously unknown
● 185 firmware images (~10% of original)
● 13 vendors (~25% of original)
● Total alerts from the tools
● 6068 dynamic analysis alerts on 58 firmware images
● 9046 static analysis alerts on 145 firmware images
● Manual triage and confirmation is challenging
![Page 86: Embedded security researcher,fresh Dr. :)...First framework for automated large scale security analysis and classification of firmwares and embedded devices Simple and advanced analysis](https://reader034.vdocument.in/reader034/viewer/2022051917/6009339a82948126a14fe650/html5/thumbnails/86.jpg)
86/97
Applications
![Page 87: Embedded security researcher,fresh Dr. :)...First framework for automated large scale security analysis and classification of firmwares and embedded devices Simple and advanced analysis](https://reader034.vdocument.in/reader034/viewer/2022051917/6009339a82948126a14fe650/html5/thumbnails/87.jpg)
87/97
Application Example: Industry Players
● 1 big player in SCADA/ICS/embedded
● In "Top 100" of "Fortune Global 500" (2015)
● 3 years R&D contract (from 2015)
● Using our frameworks
● For their own firmware life-cycle
● Firmware collection, unpacking, analysis
● Dynamic analysis and symbolic execution
![Page 88: Embedded security researcher,fresh Dr. :)...First framework for automated large scale security analysis and classification of firmwares and embedded devices Simple and advanced analysis](https://reader034.vdocument.in/reader034/viewer/2022051917/6009339a82948126a14fe650/html5/thumbnails/88.jpg)
88/97
Firmware.RE: First project of its kind
![Page 89: Embedded security researcher,fresh Dr. :)...First framework for automated large scale security analysis and classification of firmwares and embedded devices Simple and advanced analysis](https://reader034.vdocument.in/reader034/viewer/2022051917/6009339a82948126a14fe650/html5/thumbnails/89.jpg)
89/97
Firmware.RE: Demo Time!
![Page 90: Embedded security researcher,fresh Dr. :)...First framework for automated large scale security analysis and classification of firmwares and embedded devices Simple and advanced analysis](https://reader034.vdocument.in/reader034/viewer/2022051917/6009339a82948126a14fe650/html5/thumbnails/90.jpg)
90/97
Conclusions
● Plenty of latent vulnerabilities in embedded firmware
● Firmware security analysis is absolutely necessary
● Involves many non-trivial steps and challenges
● A broader view on firmwares is not just beneficial, but necessary
![Page 91: Embedded security researcher,fresh Dr. :)...First framework for automated large scale security analysis and classification of firmwares and embedded devices Simple and advanced analysis](https://reader034.vdocument.in/reader034/viewer/2022051917/6009339a82948126a14fe650/html5/thumbnails/91.jpg)
91/97
Conclusions
● Security
● Tradeoff with both cost and time-to-market
● Clearly not a priority for some vendors
● Vendors are encouraged to:
● Integrate this or similar frameworks in their firmware SoftDev and QA cycles
● Have an easy to reach [email protected] security response team
![Page 92: Embedded security researcher,fresh Dr. :)...First framework for automated large scale security analysis and classification of firmwares and embedded devices Simple and advanced analysis](https://reader034.vdocument.in/reader034/viewer/2022051917/6009339a82948126a14fe650/html5/thumbnails/92.jpg)
92/97
Summary
● We build up research expertise and implement it in working prototypes
● First framework for automated large scale security analysis and classification of firmwares and embedded devices
● Simple and advanced analysis using dynamic and static techniques
● Quick identification of (un)known vulnerabilities
● Automated classification and fingerprinting
![Page 93: Embedded security researcher,fresh Dr. :)...First framework for automated large scale security analysis and classification of firmwares and embedded devices Simple and advanced analysis](https://reader034.vdocument.in/reader034/viewer/2022051917/6009339a82948126a14fe650/html5/thumbnails/93.jpg)
93/97
References
● Please read, share, RT!
● "Automated Dynamic Firmware Analysis at Scale: A Case Study on Embedded Web Interfaces" http://firmware.re/dynamicanalysis/
● "A Large-Scale Analysis of the Security of Embedded Firmwares" http://firmware.re/usenixsec14/
● www.firmware.re
● www.s3.eurecom.fr/~costin/
![Page 94: Embedded security researcher,fresh Dr. :)...First framework for automated large scale security analysis and classification of firmwares and embedded devices Simple and advanced analysis](https://reader034.vdocument.in/reader034/viewer/2022051917/6009339a82948126a14fe650/html5/thumbnails/94.jpg)
94/97
Tools
● http://binwalk.org/
● http://www.binaryanalysis.org/
● http://rips-scanner.sourceforge.net/
● http://www.arachni-scanner.com/
● https://www.owasp.org/index.php/OWASP_Zed
● http://w3af.org/
● http://www.metasploit.com/
● http://www.tenable.com/products/nessus-vulnerability-scanner
![Page 95: Embedded security researcher,fresh Dr. :)...First framework for automated large scale security analysis and classification of firmwares and embedded devices Simple and advanced analysis](https://reader034.vdocument.in/reader034/viewer/2022051917/6009339a82948126a14fe650/html5/thumbnails/95.jpg)
95/97
Tools
● https://shodan.io
● https://zmap.io
● https://scans.io
● https://censys.io
![Page 96: Embedded security researcher,fresh Dr. :)...First framework for automated large scale security analysis and classification of firmwares and embedded devices Simple and advanced analysis](https://reader034.vdocument.in/reader034/viewer/2022051917/6009339a82948126a14fe650/html5/thumbnails/96.jpg)
96/97
Acknowledgements
● Dr. Jonas Zaddach
● Prof. Aurelien Francillon
● Prof. Davide Balzarotti
● Dr. Apostolis Zarras
![Page 97: Embedded security researcher,fresh Dr. :)...First framework for automated large scale security analysis and classification of firmwares and embedded devices Simple and advanced analysis](https://reader034.vdocument.in/reader034/viewer/2022051917/6009339a82948126a14fe650/html5/thumbnails/97.jpg)
97/97
The End
Thank You!
Questions?
{name}@firmware.re
@costinandrei