Zhang Hao, Shen Shandian, Liu Peng, Yang Zelin, Zhou Wei, Zhang Yuqing. Review of Firmware Emulators in Embedded Devices[J]. Journal of Computer Research and Development, 2023, 60(10): 2255-2270. DOI: 10.7544/issn1000-1239.202330476

Review of Firmware Emulators in Embedded Devices

Funds: This work was supported by the National Key Research and Development Program of China (2023QY1202, 2022YFB31033400), the Key Program of the National Natural Science Foundation of China (U1836210), the National Natural Program of China (62202188), and the Key Research and Development Program of Hainan Province (GHYF2022010).
  • Author Bio:

    Zhang Hao: born in 2000. Master candidate. His main research interests include Internet of things security and embedded device emulation

    Shen Shandian: born in 2002. PhD candidate. Her main research interests include Internet of things security, embedded device emulation, and vulnerability detection

    Liu Peng: born in 1996. PhD candidate. His main research interests include systems security, mobile security, and embedded systems security

    Yang Zelin: born in 2000. Master candidate. His main research interests include software security and Internet of things security

    Zhou Wei: born in 1993. PhD, associate professor. Member of CCF. His main research interests include Internet of things security, binary code analysis, and trusted computing

    Zhang Yuqing: born in 1966. PhD, professor, PhD supervisor. His main research interests include information security and Internet of things security

  • Received Date: June 04, 2023
  • Revised Date: August 17, 2023
  • Available Online: October 07, 2023
  • Abstract: With the development of IoT technology, embedded devices face increasingly severe security threats; in particular, vulnerabilities in embedded devices seriously affect the secure development of the IoT industry. However, because embedded devices have limited hardware resources, dynamic vulnerability detection techniques commonly used on general-purpose computer systems, such as fuzz testing, are difficult to apply directly to them. Therefore, in recent years, firmware emulation for embedded devices has become a research hotspot in academia. By emulating or replacing the hardware dependencies of embedded devices, general and efficient vulnerability detection techniques such as fuzz testing and symbolic execution can be applied to embedded devices. We focus on the latest embedded device emulation techniques, collect and summarize top international academic papers from recent years, classify the relevant research results according to the emulation techniques used and their derivation relationships, and then evaluate and refine these firmware emulators to give users a technical reference for choosing a firmware emulator. Finally, based on the current state of embedded device firmware emulators, we set out the challenges and opportunities for firmware emulators and the prospects for future research on them.
