http://dx.doi.org/10.13089/JKIISC.2021.31.1.31

A Study on Systematic Firmware Security Analysis Method for IoT Devices  

Kim, Yejun (CIST(Center for Information Security and Technologies) School of Cybersecurity, Korea University)
Gim, Jeonghyeon (CIST(Center for Information Security and Technologies) School of Cybersecurity, Korea University)
Kim, Seungjoo (CIST(Center for Information Security and Technologies) School of Cybersecurity, Korea University)
Abstract
IoT devices are embedded devices that can communicate over a network. Because there are many types of IoT devices and they are widely used around us, a successful attack can cause damage such as personal information leakage, depending on the type of device. When a security team analyzes an IoT device, it should target the firmware as well as the software interfaces, since the device operates on both. However, firmware is not easy to extract and analyze, and even when the same target is analyzed, it is hard to keep the quality of the results at a consistent level because they depend on the expertise of the individual analyst within the security team. Therefore, in this paper, we establish a vulnerability analysis process for the firmware of IoT devices and present the tools available for each step. We also organize the process from firmware acquisition through analysis for IoT devices produced by various commercial manufacturers, and we validate it by applying it directly to the analysis of drones from several manufacturers.
Keywords
IoT; Firmware; Firmware Analysis; Vulnerability Analysis;