A survey on IoT & embedded device firmware security: architecture, extraction techniques, and vulnerability analysis frameworks
Abstract
IoT and embedded devices are proliferating at an exponential rate, often without adequate security mechanisms in place, and securing them is one of the key challenges in cyber security. A main reason these devices are active targets for large-scale cyber-attacks is the lack of security standards and of thorough testing by manufacturers. Such devices typically ship with a manufacturer-specific operating system or firmware, built for a variety of architectures and with differing characteristics. Because of insufficient security testing and late (or absent) patching, this underlying firmware or operating system is exposed to many classes of vulnerabilities, and detecting them requires reverse engineering and in-depth analysis of the firmware. In this paper, we examine various aspects of IoT and embedded device security: a comprehensive survey of firmware architecture, techniques for firmware extraction, and state-of-the-art vulnerability analysis frameworks that detect vulnerabilities using static, dynamic, and hybrid approaches. Furthermore, we scrutinise the challenges of existing vulnerability analysis frameworks and propose a novel framework to address them.
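The abstract refers to firmware extraction and static analysis of firmware images without showing what the first step of such an analysis looks like in practice. The following is an added example, not code from the paper or from any of the tools it surveys: a minimal signature scan of a raw firmware blob (the approach binwalk automates) followed by parsing and CRC-checking a U-Boot legacy (uImage) header, whose 64-byte layout and CRC32 fields are documented by U-Boot. The firmware blob, the payload contents and the field values (OS, architecture, image type, load address) are constructed here purely for illustration.

```python
import struct
import zlib

# Well-known magic values for containers commonly found in embedded firmware images.
SIGNATURES = {
    b"\x27\x05\x19\x56": "uImage header",
    b"hsqs": "SquashFS superblock (little-endian)",
    b"sqsh": "SquashFS superblock (big-endian)",
    b"\x1f\x8b\x08": "gzip member",
}

# U-Boot legacy image header: 7 big-endian u32 fields, 4 u8 fields, 32-byte name (64 bytes).
UIMAGE_HDR = struct.Struct(">IIIIIIIBBBB32s")
UIMAGE_MAGIC = 0x27051956


def scan_signatures(blob):
    """Return sorted (offset, description) pairs for every signature hit in the blob."""
    hits = []
    for sig, desc in SIGNATURES.items():
        start = 0
        while True:
            idx = blob.find(sig, start)
            if idx < 0:
                break
            hits.append((idx, desc))
            start = idx + 1
    return sorted(hits)


def parse_uimage(blob, offset):
    """Parse the uImage header at `offset` and verify both CRCs. Returns a dict or None."""
    if len(blob) < offset + UIMAGE_HDR.size:
        return None
    raw = blob[offset:offset + UIMAGE_HDR.size]
    (magic, hcrc, _time, size, load, ep, dcrc,
     os_, arch, typ, comp, name) = UIMAGE_HDR.unpack(raw)
    if magic != UIMAGE_MAGIC:
        return None
    # ih_hcrc is computed over the header with the hcrc field itself zeroed.
    zeroed = raw[:4] + b"\x00" * 4 + raw[8:]
    hcrc_ok = (zlib.crc32(zeroed) & 0xFFFFFFFF) == hcrc
    data = blob[offset + UIMAGE_HDR.size:offset + UIMAGE_HDR.size + size]
    # A wrong ih_size or a truncated dump shows up as a short payload; do not trust it.
    truncated = len(data) < size
    dcrc_ok = (not truncated) and (zlib.crc32(data) & 0xFFFFFFFF) == dcrc
    return {
        "name": name.rstrip(b"\x00").decode("ascii", "replace"),
        "size": size, "load": load, "entry": ep,
        "os": os_, "arch": arch, "type": typ, "comp": comp,
        "hcrc_ok": hcrc_ok, "dcrc_ok": dcrc_ok, "truncated": truncated,
        "payload_offset": offset + UIMAGE_HDR.size,
    }


def build_uimage(payload, name=b"test-kernel", load=0x80000000, ep=0x80000000):
    """Construct a valid uImage (header + payload). Used only to build the sample blob."""
    body = UIMAGE_HDR.pack(UIMAGE_MAGIC, 0, 0, len(payload), load, ep,
                           zlib.crc32(payload) & 0xFFFFFFFF,
                           5, 5, 2, 1,          # Linux, MIPS, kernel, gzip (illustrative)
                           name.ljust(32, b"\x00"))
    hcrc = zlib.crc32(body) & 0xFFFFFFFF
    return body[:4] + struct.pack(">I", hcrc) + body[8:] + payload


def build_sample_blob():
    """Constructed firmware image: padding, a uImage wrapping a fake gzip kernel, a SquashFS marker."""
    kernel = build_uimage(b"\x1f\x8b\x08" + b"fake gzip kernel body" * 4)
    rootfs = b"hsqs" + b"\x00" * 60       # only the magic is real; rest is padding
    return b"\xff" * 16 + kernel + b"\xff" * 32 + rootfs


if __name__ == "__main__":
    blob = build_sample_blob()
    for off, desc in scan_signatures(blob):
        print(f"0x{off:08x}  {desc}")
        if desc == "uImage header":
            print("           ", parse_uimage(blob, off))
```

On a real dump, run the same scan over the file read from the flash or from the vendor update package; a uImage whose data CRC fails, or whose ih_size runs past the end of the file, usually means the extraction (SPI/JTAG read, or a partition offset guess) is wrong rather than that the image is corrupt.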