A Large Scale Analysis of the Security of Embedded Firmwares
A. Costin, J. Zaddach, A. Francillon, D. Balzarotti
EURECOM, France
20th August 2014
USENIX Security '14 – San Diego, USA
Andrei Costin2
Embedded Systems Are Everywhere
By Wilgengebroed on Flickr [CC-BY-2.0]
Smarter & More Complex
Heavily Interconnected
Many Examples of Insecure Embedded Systems
● Routers
● Printers
● VoIP
● Cars
● Drones
● ...
● Each of the above is the result of an individual analysis
● Manual and tedious efforts, does not scale
The Goal
Perform a large scale analysis to provide a better understanding of the problem
The Problem With Large Scale Analysis
● Heterogeneity of
  ● Hardware, architectures, OSes
  ● Users, requirements
  ● Security goals
● Manual analysis does not scale, it requires
  ● Finding and downloading the firmwares
  ● Unpacking and performing initial analysis
  ● Re-discovering the same or similar bug in other firmwares
Previous Approaches
● Test on real devices [Bojinov09CCS]
  ● Accurate results
  ● Does not scale well
● Scan devices on the Internet
  ● Large scale testing [Cui10ACSAC]
    – Can only test for known vulnerabilities
    – Blackbox approach
  ● More is too intrusive [Census2012]
Our Approach to The Large Scale Analysis
● Collect a large number of firmware images
● Perform broad but simple static analysis
● Correlate across firmwares
● Advantages
  ● No intrusive online testing, no devices involved
  ● Scalable
● But many challenges
Mainstream Systems Have Centralized Updates
Challenge: Embedded Systems Have No Centralized Updates
Collecting a Dataset
● No large scale firmware dataset yet
  ● As opposed to existing datasets in security or other CS research areas
● We collected a subset of the firmwares available for download
● Many firmwares are not publicly available
  ● Not intended to have an upgrade
  ● Require product purchase and registration
● www.firmware.re project
Challenge: Firmware Identification
[Figure labels: Clearly a Firmware; Clearly not a Firmware; Uncertain]
Challenge: Firmware Identification
● E.g., upgrade by printing a PS document
Challenge: Unpacking & Custom Formats
● How to reliably unpack and learn formats?
● E.g., vendor provides a .ZIP 'firmware package'
  ● .ZIP → .EXE + .PS
    – .EXE → self-extracting archive
      ● Extract more or not?
      ● Turns out to contain a printer driver inside
    – .PS → ASCII85 stream → ELF file that could be:
      ● A complete embedded system software
      ● An executable performing the firmware upgrade
      ● A firmware patch
● Often, a firmware image → just 'data' binary blob
Our Approach to Unpacking & Custom Formats
● We compared existing tools
● Used BAT (Binary Analysis Toolkit)
  ● Extended it with multiple custom unpackers
  ● Continuous development effort
● Often, a firmware image → just 'data' binary blob
  ● File carving required
  ● Bruteforce at every offset with all known unpackers
● Heuristics for detecting when to stop
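
Added example (not code from the talk or from BAT): a minimal Python version of the carving loop described above, trying each known unpacker at every offset of an opaque blob and recursing into whatever it extracts. The signature table, `MIN_OUTPUT`, `MAX_DEPTH` and the sample blob are assumptions constructed for illustration; the slides do not say which stop heuristics were used.

```python
import gzip
import zlib
from dataclasses import dataclass, field

# (name, magic bytes, wbits for zlib.decompressobj): a small assumed subset of
# "all known unpackers"; a real pipeline would register many more formats.
UNPACKERS = [
    ("gzip", b"\x1f\x8b\x08", 31),  # gzip container
    ("zlib", b"\x78\x9c", 15),      # zlib stream, default compression
    ("zlib", b"\x78\xda", 15),      # zlib stream, best compression
]
MIN_OUTPUT = 16  # assumed stop heuristic: tiny "successes" are treated as noise
MAX_DEPTH = 3    # assumed stop heuristic: bound recursion into nested containers


@dataclass
class Carved:
    offset: int        # where the packed stream starts in its parent blob
    kind: str          # which unpacker succeeded
    packed_len: int    # how many bytes of the parent the stream occupied
    data: bytes        # unpacked content
    children: list = field(default_factory=list)  # streams carved from data


def try_unpack(blob, offset, wbits):
    """Run one unpacker at one offset; return (output, bytes consumed) or None."""
    d = zlib.decompressobj(wbits)
    try:
        out = d.decompress(blob[offset:]) + d.flush()
    except zlib.error:
        return None                      # magic matched but the stream is invalid
    if not d.eof or len(out) < MIN_OUTPUT:
        return None                      # truncated stream or implausibly small output
    consumed = len(blob) - offset - len(d.unused_data)
    return out, consumed


def carve(blob, depth=0):
    """Brute-force every offset of blob with every unpacker, recursing into hits."""
    found = []
    if depth >= MAX_DEPTH:
        return found
    offset = 0
    while offset < len(blob):
        hit = None
        for kind, magic, wbits in UNPACKERS:
            if blob.startswith(magic, offset):
                result = try_unpack(blob, offset, wbits)
                if result is not None:
                    hit = (kind, result)
                    break
        if hit is None:
            offset += 1                  # nothing valid here, move one byte on
            continue
        kind, (out, consumed) = hit
        found.append(Carved(offset, kind, consumed, out, carve(out, depth + 1)))
        offset += consumed               # skip the packed bytes already accounted for
    return found


# Constructed sample: an opaque "data" blob with a vendor-style header, a gzip
# member that itself embeds a zlib stream, padding, and a second zlib stream.
NESTED = b"nested rootfs listing: /etc/passwd /bin/busybox " * 4
TEXT = b"kernel-ish bytes " * 8
INNER = TEXT + zlib.compress(NESTED)
CONFIG = b"telnetd_enable=1\nadmin_user=admin\n"
HEADER = b"FWIMG\x00\x01" + b"\xff" * 32
SAMPLE_BLOB = HEADER + gzip.compress(INNER) + b"\x00" * 10 + zlib.compress(CONFIG) + b"\xff" * 8


def describe(items, indent=0):
    """Render the carve tree as text lines for a quick look."""
    lines = []
    for c in items:
        lines.append(f"{' ' * indent}{c.kind} @ {c.offset}: {c.packed_len} -> {len(c.data)} bytes")
        lines.extend(describe(c.children, indent + 2))
    return lines


if __name__ == "__main__":
    print("\n".join(describe(carve(SAMPLE_BLOB))))
```

Skipping past `consumed` bytes after a hit is what keeps the scan from re-testing offsets inside an already unpacked stream, which is where most false-positive magic matches would otherwise come from.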
Challenge: Scalability & Computational Limits
● Unpacking and file carving is very CPU intensive
● Results in millions of unpacked files
  ● Manual analysis infeasible
  ● One-to-one fuzzy hash comparison is CPU intensive
Challenge: Results Confirmation
● An issue found statically
  ● May not apply to a real-device
  ● Cannot guarantee exploitability
  ● E.g., vulnerable daemon present but never started
● Issue confirmation is difficult
  ● Requires advanced analysis (static & dynamic)
  ● Often requires real embedded devices
  ● Does not scale well in heterogeneous environments
Architecture
[Figure: architecture diagram. Labels: Internet (Crawl) and Public Web Interface (Submit); Firmware Datastore; Firmware Analysis Cloud: Master, Distribute, Workers (Unpacking, Static Analysis, Fuzzy Hashing), Password Hash Cracker; Firmware Analysis & Reports DB; Data Enrichment; Correlation Engine]
Crawler
● 759 K collected files, 1.8 TB of disk space
● FTP-index engines and GCSE
Unpacking
● 759 K total files collected
  ↓ Filter non firmware
● 172 K filtered interesting files
  ↓ Random selection
● 32 K analyzed
  ↓ Successful unpack
● 26 K unpacked (fully or partially)
  ↓ Unpacked files
● 1.7 M resulting files after unpacking
Static Analysis
● Correlation/clustering
  ● Fuzzy hashes, Private SSL keys, Credentials
● Misconfigurations
  ● Web-server configs, Credentials, Code repositories
● Data enrichment
  ● Version banners
  ● Keywords (e.g., telnet, shell, UART, backdoor)
Example: Correlation
● Correlation via fuzzy-hashes (ssdeep, sdhash)
  ● E.g., Vulnerability Propagation
[Figure: Firmware 1 to Firmware 5, with similarity labels 95%, 99% and 0%]
Example: RSA Keys
● SSL keys correlation + vulnerability propagation
[Figure: Analysis & Reports Database; Private RSA keys; VendorA, Device1; Check ZMap IP addresses; HTTPS Ecosystem Scans; 1 key → ~30.000 IPs; VendorB, Device2: SAME private RSA, SAME self-signed SSL certificate, DIFFERENT vendor; Common Vulnerable Components]
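
Added example (not the authors' correlation engine): a Python audit that fingerprints PEM private keys found in unpacked firmware files and reports keys shared between firmware images, flagging those that cross vendors as in the VendorA/VendorB case above. The corpus layout, firmware names, file paths and key bodies are constructed placeholders, not real key material.

```python
import hashlib
import re
from collections import defaultdict

# Matches PEM private-key blocks; the label after BEGIN must match the one after END.
PEM_RE = re.compile(
    rb"-----BEGIN ((?:RSA |EC |DSA )?PRIVATE KEY)-----(.+?)-----END \1-----",
    re.DOTALL,
)


def key_fingerprints(data):
    """Yield a SHA-256 fingerprint for each PEM private-key block in data."""
    for m in PEM_RE.finditer(data):
        # Strip whitespace so LF/CRLF and line-wrapping differences between
        # firmware builds do not hide that the key material is identical.
        body = re.sub(rb"\s+", b"", m.group(2))
        if body:
            yield hashlib.sha256(m.group(1) + b":" + body).hexdigest()


def correlate(corpus):
    """corpus: {(vendor, firmware): {path: bytes}} -> {fingerprint: {(vendor, firmware, path)}}"""
    index = defaultdict(set)
    for (vendor, firmware), files in corpus.items():
        for path, data in files.items():
            for fp in key_fingerprints(data):
                index[fp].add((vendor, firmware, path))
    return index


def shared_keys(index):
    """Report keys present in more than one firmware image, noting cross-vendor reuse."""
    report = []
    for fp, hits in index.items():
        firmwares = sorted({(v, f) for v, f, _ in hits})
        if len(firmwares) < 2:
            continue                      # key is unique to a single image
        vendors = sorted({v for v, _ in firmwares})
        report.append({
            "fingerprint": fp,
            "firmwares": firmwares,
            "paths": sorted({p for _, _, p in hits}),
            "vendors": vendors,
            "cross_vendor": len(vendors) > 1,
        })
    return sorted(report, key=lambda r: (-len(r["firmwares"]), r["fingerprint"]))


# Constructed sample corpus. The base64 bodies are placeholder strings, not keys.
KEY_SHARED_LF = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                 b"Q09OU1RSVUNURUQtUExBQ0VIT0xERVIt\nU0hBUkVELUtFWQ==\n"
                 b"-----END RSA PRIVATE KEY-----\n")
# Same body, re-wrapped with CRLF and different line lengths.
KEY_SHARED_CRLF = (b"-----BEGIN RSA PRIVATE KEY-----\r\n"
                   b"Q09OU1RSVUNURUQt\r\nUExBQ0VIT0xERVItU0hBUkVELUtFWQ==\r\n"
                   b"-----END RSA PRIVATE KEY-----\r\n")
KEY_UNIQUE = (b"-----BEGIN PRIVATE KEY-----\n"
              b"Q09OU1RSVUNURUQtUExBQ0VIT0xERVItVU5JUVVF\n"
              b"-----END PRIVATE KEY-----\n")

SAMPLE_CORPUS = {
    ("VendorA", "device1-fw-constructed.bin"): {
        "etc/ssl/server.pem": b"# web UI key\n" + KEY_SHARED_LF,
        "etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
    },
    ("VendorB", "device2-fw-constructed.bin"): {
        "usr/share/httpd/key.pem": KEY_SHARED_CRLF,
    },
    ("VendorA", "device3-fw-constructed.bin"): {
        "etc/ssl/private.pem": KEY_UNIQUE,
    },
}

if __name__ == "__main__":
    for row in shared_keys(correlate(SAMPLE_CORPUS)):
        tag = "CROSS-VENDOR" if row["cross_vendor"] else "same vendor"
        print(f"{row['fingerprint'][:16]}  {tag}  {row['firmwares']}")
```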
Results: Summary
● 38 new vulnerabilities (CVE)
● Correlated them to 140 K online devices
● 693 firmware files affected by at least one vulnerability
Contributions Summary
● First large-scale static analysis of firmwares
● Described the main challenges associated
● Shown the advantages of performing a large-scale analysis of firmware images
● Implemented a framework and several efficient static techniques
Conclusions
● A broader view on firmwares
  ● Not only beneficial
  ● But necessary for discovery and analysis of vulnerabilities
● Correlation reveals firmware relationship
  ● Shows how vulnerabilities reappear across different products
  ● Could allow seeing how firmwares evolve/get fixed
Conclusions
● There are plenty of latent vulnerabilities
● Security
  ● Tradeoff with cost and time-to-market
  ● Clearly not a priority for some vendors
Thank You! Questions?
{name.surname}@eurecom.fr
References
● [1] A. Costin, J. Zaddach, A. Francillon, D. Balzarotti, "A Large-Scale Analysis of the Security of Embedded Firmwares", In Proceedings of the 23rd USENIX Conference on Security (to appear)
● [2] A. Costin, J. Zaddach, "Poster: Firmware.RE: Firmware Unpacking and Analysis as a Service", In Proceedings of the ACM Conference on Security and Privacy in Wireless Mobile Networks (WiSec) '14
● [3] A. Costin, A. Francillon, "Short paper: A Dangerous 'Pyrotechnic Composition': Fireworks, Embedded Wireless and Insecurity-by-Design", In Proceedings of the ACM Conference on Security and Privacy in Wireless Mobile Networks (WiSec) '14