Large-scale analysis in firmware images security using Embedded Binary Analysis Tool
More Info
expand_more
Abstract
This thesis researches the security of firmware images in the Internet of Things (IoT) and embedded devices. We present an open-source tool, Embedded Binary Analysis Tool (EBAT), designed to analyze cross-architectural firmware image security context. EBAT consists of various modules capable of discovering outdated software for various libraries, particularly on cryptographic libraries, and detecting Common Vulnerabilities and Exposures (CVEs), focusing on firmware's cryptographic libraries. It also detects exploit mitigation techniques on firmware's image binaries and discovers credentials and passwords with a focus on private keys embedded in the firmware image. Additionally, EBAT identifies Application Programming Interfaces (APIs) cryptographic misuses through static taint analysis (backward tracking) on cross-architectural binaries. We presented a total of 18 well-defined cryptographic rules and a list of 733 function calls with more than 1,600 function arguments, applicable in static taint analysis to check the possibility of cryptographic misuses based on 10 well-used open-source cryptographic libraries APIs. EBAT's static taint analysis provides a powerful framework for detecting the possibility of cryptographic misuses in cross-architectural binaries, making it a valuable tool for identifying and addressing vulnerabilities in cryptographic implementation in firmware images.
Using EBAT, we conducted a large-scale analysis of over 36,000 firmware images publicly crawled from the Internet and successfully unpacked over 60% of them. The created dataset of firmware images includes more than 5,000 different products across 33 vendors, spanning more than 20 years and a plethora of various device types. Our findings show that ARM and MIPS are the most prevailed CPU architecture in the IoT/embedded industry. We compared identical binaries across all vendors, revealing a significant percentage of similar binaries used across different vendors' firmware images. Our analysis of firmware binaries reveals a notable absence of exploit mitigation techniques in IoT/embedded firmware images, and we present many firmware images containing private keys, posing potential security threats. Additionally, versions of open-source cryptographic libraries used in firmware images are identified, and the CVEs of the cryptographic libraries are evaluated. Two real-world case studies on hard-coded credentials demonstrate the significance of the large-scale attack presented in this thesis. Hashed passwords, predominantly using outdated algorithms, have also been discovered, and several have been cracked.
The main goal of EBAT is to identify cryptographic misuses in cross-architectural binaries. By applying static taint analysis (backward tracking) to well-defined APIs on specific functions and arguments for 10 open-source cryptographic libraries, we can identify potential violations of cryptographic rules. This analysis was executed on over 1.4 million binaries, revealing that approximately 50% of examined firmware images violated at least one cryptographic rule. Various case studies on real-world vulnerabilities in firmware images are presented, including recent CVEs that are found in various vendors' products. Executing EBAT on those vulnerable firmware images, we tested the effectiveness of our tool to evaluate the automatic capturing of these known vulnerabilities. In addition, performing large-scale analysis on an extensive corpus of firmware images allows us to discover that other firmware images are affected by these known vulnerabilities, in some cases also across various product lines not covered on the public CVEs reports.
In conclusion, EBAT is a valuable resource for researchers working on firmware security. Its automated analysis process, comprehensive modules, and ability to discover possible vulnerabilities, cryptographic misuses at a binary level, and other security weaknesses make it a powerful tool for identifying and mitigating security risks in IoT/embedded devices.