A Large-Scale Analysis of the Security of Embedded Firmwares
Andrei Costin, Jonas Zaddach, Aurélien Francillon, and Davide Balzarotti, Eurecom
https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/costin
Presented by: Saeid Mofrad
INTRODUCTION:
Embedded systems:
- Embedded systems are computers with a dedicated functionality, such as routing packets, printing pages or making VoIP phone calls.
- They are broadly used.
- They are getting more complex and smarter, and they provide administrative or non-administrative interfaces; for example, they implement
  - complex software
  - complex protocols
  - processing of various types of data
- They are getting heavily interconnected in private or public networks (IoT).
Firmware: the software and data which support the functionality of an embedded system are called firmware.
Security problem:
Many examples of insecure embedded systems are seen on a daily basis: routers, printers, VoIP, cars, ...
Each of the above findings is the result of an individual analysis and research effort. It involves manual and tedious work and does not scale.
Paper goal:
Perform a large-scale analysis to provide a better understanding of the problem.
Problem with large-scale analysis of embedded systems:
Heterogeneity of
- hardware, architectures and operating systems
- intended users and requirements of the devices
- security goals for each firmware and device
Manual analysis does not scale; it requires
- finding and downloading firmware files
- unpacking and performing initial or subsequent analysis
- rediscovering the same or similar bugs in other firmware files
Previous approaches:
Testing of real devices [Bojinov09CCS]
- It is accurate.
- It does not scale very well, because it needs physical devices, logistics and management.
Scanning devices on the internet / large-scale testing [Cui10ACSAC]
- Can only test for known vulnerabilities (like default passwords).
- Uses a black-box approach.
Some research is too intrusive [Census 2012]
- It is close to being unethical.
- They had to inject code and compromise devices, hence attacking devices for the study.
This paper's approach to large-scale analysis:
- Collect a large number of firmware images.
- Perform broad but simple static analysis.
- Correlate the findings or results across firmwares.
Advantages:
- No intrusive online testing.
- No device at all in the experiment.
- Scalable (in terms of hardware resources, computing power).
- But there are many challenges.
Challenge observation:
Mainstream systems have centralized updates; their update channels and formats are well understood and well established, such as
- Microsoft Update
- Apple update
- Linux update managers
Embedded systems do not have centralized updates. A firmware update, firmware recovery or firmware dump involves a combination of very restrictive processes, including building schematics, using development boards, custom drivers or custom utilities.
- No large-scale firmware dataset exists.
Challenge A: Building a representative dataset:
They collected a subset of the firmwares available for download. This is only a subset, because many firmwares are not publicly available:
- No upgrade is intended.
- Product purchase and registration are required.
See the www.firmware.re project.
Challenge B: Firmware identification:
In the collected dataset some files are in a gray area ("uncertain"). A good example is a printer upgrade: the upgrade is performed by printing a specially crafted PostScript document. So it does not look like a firmware file, but it is firmware! It belongs to the uncertain area and cannot be discarded.
Challenge C: Unpacking and custom formats:
How to reliably unpack and learn the format?
Often a firmware image is just a binary blob or an ASCII blob (no headers).
Paper approach for the unpacking & custom format challenge:
- They compared several existing unpacking tools (binwalk, FRAK, BAT).
- They used BAT (Binary Analysis Toolkit) and extended it with multiple custom unpackers.
- Because a firmware image is often just a binary or ASCII blob (no headers), file carving is required (to give a better chance of extracting something).
- Carving uses brute force: every known unpacker is tried at every offset.
- A heuristic decides where to stop carving, since blind carving produces a high rate of false and noisy results.
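As an added illustration of the carving strategy described above (this is not code from the paper's platform or from BAT), here is a small Python carver that tries every known magic at every offset and keeps a hit only when the format's own header check passes; the signature list, the validators and the sample image are constructed for this example.

```python
import gzip
import zlib

# Container magics the carver tries at every offset (constructed, deliberately short list).
SIGNATURES = {b"\x1f\x8b\x08": "gzip", b"\x7fELF": "elf", b"PK\x03\x04": "zip"}

def looks_like_gzip(chunk):
    """Heuristic: a real gzip member must start inflating without a header/stream error."""
    try:
        zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(chunk)
        return True
    except zlib.error:
        return False

def looks_like_elf(chunk):
    # e_ident: EI_CLASS in {1,2} (32/64-bit), EI_DATA in {1,2} (LSB/MSB), EI_VERSION == 1
    return len(chunk) >= 7 and chunk[4] in (1, 2) and chunk[5] in (1, 2) and chunk[6] == 1

def looks_like_zip(chunk):
    # local file header: compression method (offset 8) must be stored (0) or deflate (8)
    return len(chunk) >= 10 and int.from_bytes(chunk[8:10], "little") in (0, 8)

VALIDATORS = {"gzip": looks_like_gzip, "elf": looks_like_elf, "zip": looks_like_zip}

def carve(blob, window=4096):
    """Brute-force every offset against every known magic; keep only hits that pass the
    format's own sanity check, which is what keeps the false-positive rate usable."""
    hits = []
    for offset in range(len(blob)):
        for magic, kind in SIGNATURES.items():
            if blob.startswith(magic, offset) and VALIDATORS[kind](blob[offset:offset + window]):
                hits.append((offset, kind))
    return hits

# Constructed sample "firmware image": padding, a genuine gzip member, padding, a fake gzip
# magic whose FLG byte sets reserved bits (zlib rejects it), then a minimal ELF-like header.
SAMPLE = (b"\x00" * 37
          + gzip.compress(b"firmware payload", mtime=0)
          + b"\xff" * 9
          + b"\x1f\x8b\x08\xe0garbage-not-gzip"
          + b"\x7fELF\x01\x01\x01" + b"\x00" * 16)

if __name__ == "__main__":
    for off, kind in carve(SAMPLE):
        print(f"offset {off}: {kind}")
```

The bare magic `\x1f\x8b\x08` matches twice in the sample, but only the offset that inflates is reported, which is the difference between a noisy carver and a usable one.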
Challenge D: Scalability and computational limits:
- Unpacking and file carving are very CPU intensive.
- Unpacking results in millions of files, so manual analysis is infeasible.
- One-to-one fuzzy hash comparison on a big dataset is CPU intensive.
Challenge E: Results confirmation:
• An issue which is found statically
  - may not apply to a real device
  - cannot be guaranteed to be exploitable; for example, a vulnerable daemon is present but never started
• Issue confirmation is a difficult problem
  - it requires advanced analysis (static & dynamic)
  - it often requires real embedded devices for final confirmation
  - it does not scale well in a heterogeneous environment (involving many devices and ...)
Architecture:
Crawler: 759k collected files, 1.8 TB of disk space. Uses FTP index engines and the GCSE (Google Custom Search Engine) API.
Unpacking:
Static analysis:
• Web server configs, hardcoded credentials, code repositories
• Data enrichment: version banners, specific keywords (e.g. telnet, shell, UART, backdoor)
Correlation/clustering: based on fuzzy hashes, private SSL keys, credentials.
Example of correlation:
Correlation via fuzzy hash similarities (ssdeep, sdhash). A strong correlation between two firmwares is given by shared credentials and self-signed certificates, e.g. for vulnerability propagation.
Case studies:
1 - Backdoors in plain sight: the backdoor was found to be activated by the string "xmlset_roodkcableoj28840ybtide" (i.e., "edit by 04882 joel backdoor" in reverse). They performed a string search in the dataset with various backdoor-related keywords and found 1198 matches in 326 firmware candidates.
2 - Private SSL (RSA) keys:
• Many firmware images contain public and private RSA key pairs.
• The platform automatically extracts the fingerprints of the public keys, private keys and SSL certificates.
• The keys are then searched in ZMap's HTTPS survey database.
• Vendor C's SSL certificate was found to be used by around 30K online IP addresses.
• They then fetched the web pages available at those addresses (without trying to authenticate). Surprisingly, the pages returned were CCTV cameras branded by another vendor, Vendor B.
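To show the correlation step from the architecture slide and the private-key case study together, here is an added Python example (not the authors' platform code): it fingerprints every PEM object and password hash found in unpacked images and clusters images that share any of them. The dataset, file paths and key bytes are constructed for this example; a real deployment would look the fingerprints up in a scan database such as the ZMap HTTPS survey mentioned above.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def pem(label, der):  # wraps DER bytes in a PEM block; only used to build the sample
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, base64.b64encode(der), label)

def artifacts(files):
    """Yield correlation keys from one unpacked image: SHA-1 fingerprints of every PEM
    object (what a scan database or openssl reports) and password hashes from passwd/shadow."""
    for path, data in files.items():
        for label, body in PEM_RE.findall(data):
            der = base64.b64decode(b"".join(body.split()))
            yield "%s:%s" % (label.decode().lower(), hashlib.sha1(der).hexdigest())
        if path.endswith(("/passwd", "/shadow")):
            for line in data.splitlines():
                fields = line.split(b":")
                if len(fields) > 1 and fields[1] not in (b"", b"x", b"*", b"!"):
                    yield "cred:" + fields[1].decode()

def correlate(dataset):
    """Invert the index: artifact -> images containing it, kept only when shared by 2+ images."""
    seen = {}
    for name, files in dataset.items():
        for key in set(artifacts(files)):
            seen.setdefault(key, set()).add(name)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

def clusters(dataset):
    """Union-find over shared artifacts: images linked transitively form one family."""
    parent = {n: n for n in dataset}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for names in correlate(dataset).values():
        for other in names[1:]:
            parent[find(other)] = find(names[0])
    roots = {n: find(n) for n in dataset}
    return sorted(sorted(n for n in dataset if roots[n] == r) for r in set(roots.values()))

# Constructed sample dataset; the "key" bytes are arbitrary, not real key material.
KEY_A = pem(b"RSA PRIVATE KEY", b"constructed-key-A")
SAMPLE = {
    "vendorA-router-1.0.bin": {"/etc/ssl/server.key": KEY_A, "/etc/passwd": b"root:$1$salt$constructedhashA:0:0::/:/bin/sh\n"},
    "vendorA-router-1.1.bin": {"/etc/ssl/server.key": KEY_A, "/etc/passwd": b"root:x:0:0::/:/bin/sh\n"},
    "vendorB-camera.bin": {"/etc/passwd": b"admin:$1$salt$constructedhashA:0:0::/:/bin/sh\n"},
    "vendorC-nas.bin": {"/etc/ssl/web.crt": pem(b"CERTIFICATE", b"constructed-cert-C")},
}
```

The two vendor A images are linked by the reused private key and the vendor B camera joins the same family through the shared password hash, which is exactly the cross-vendor relationship the case study found.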
Result summary:
• 38 new vulnerabilities (CVEs).
• Correlated them to 140k online devices.
• 693 firmware files are affected by at least one of these vulnerabilities.
Conclusion: a broader view of firmwares
• Is not only beneficial but necessary for discovery and analysis.
• Correlation reveals firmware relationships and shows how vulnerabilities reappear in different products or vendors.
• Could show how firmwares evolve or get fixed.
• There are many hidden vulnerabilities.
• Security is a tradeoff with cost and time to market, and security is not a priority for some vendors.
REFERENCE:
• https://www.usenix.org/node/184450