Fuzzing, Emulating, and Analyzing Embedded Systems Firmware

Research Overview

In my research, I mostly deal with embedded systems firmware.

My main research revolves around the following question: How can we analyze the security of a firmware image, independent from the hardware environment which it normally runs in?

We open-sourced Fuzzware – our generic firmware fuzzing emulator – here: Fuzzware.

Are you interested in diving deep into applied Security Competitions? Check out our university CTF team FluxFingers!

Thesis Topic Overview

First, it is worth mentioning that in case you are interested in one of the general topics outlined here, or have an idea about a thesis topic which falls into my research area, then feel free to reach out so we can find a topic to work on or brainstorm about your idea.

General Thesis Topic Categories
  • Fuzzing: Making firmware fuzzing more effective / efficient
  • Emulation: Allowing emulators to run more diverse firmware (architectures, functionality types), allowing firmware to be run faster, or with less manual configuration effort
  • Code Analysis Techniques: Using code analysis techniques to gather information about firmware images to improve firmware emulation efficiency / applicability
  • Specialized Security Analysis: Analyzing the security of a specific firmware-related target
  • Human-in-the-loop: Building tools that make humans more productive when fuzzing a (new) target
 
Currently Available Thesis Topics
  • Bachelor’s / Master’s Thesis: Fuzzing Linux-based Firmware via generic Full-System Rehosting
  • Bachelor’s / Master’s Thesis: Binary-Only Sanitizers for Firmware Fuzzing
  • Bachelor’s / Master’s Thesis: Large-Scale Firmware Fuzzing
 
 
 

BA / MA: Fuzzing Linux-based Firmware via generic Full-System Rehosting

Firmware images which power connected embedded devices such as smart light bulbs, programmable logic controllers (PLCs), engine control units (ECUs) power much of our modern computing infrastructure. While these are highly connected and an attractive target for attackers, they are particularly difficult to analyze: They run on systems which are hard to access physically, that may include custom peripherals, and generally lack the computation power of general-purpose systems.

Fuzz testing (or fuzzing) is a proven technique to test software and identify vulnerabilities, especially on general-purpose systems. A recent line of work has focused on applying fuzzing to embedded firmware via rehosting [1,2,3,4]. Rehosting allows executing firmware in a powerful virtual environment rather than the low-power hardware that it was designed to run on. This allows embedded firmware to be fuzzed on general-purpose hardware.

Recent generic full-system rehosting techniques have been built with so called real-time operating systems (RTOS) in mind. While effective for RTOS, these rehosting works have not yet shown to also work for Linux-based firmware. The purpose of this thesis is to analyze what challenges Linux-based firmware pose for recent full-system rehosting approaches. In the process of this thesis you will build embedded Linux firmware and attempt to run recent full-system fuzzing solutions against it. You will analyze the progress that recent fuzzing solutions achieve against Linux-based firmware and identify hurdles and challenges faced by these solutions. Finally, you will devise customizations to the existing solutions towards fully fuzzing Linux-based firmware via generic full-system rehosting.

Requirements

  • Basic knowledge about C and Python
  • Interest in working with embedded systems firmware
  • Interest in fuzzing
  • Comfortability with or interest in learning about binary code / reverse engineering

Bachelor's / Master's Thesis: Binary-Only Sanitizers for Firmware Fuzzing

Firmware images which power connected embedded devices such as smart light bulbs, programmable logic controllers (PLCs), engine control units (ECUs) power much of our modern computing infrastructure. While these are highly connected and an attractive target for attackers, they are particularly difficult to analyze: They run on systems which are hard to access physically, that may include custom peripherals, and generally lack the computation power of general-purpose systems.

Fuzz testing (or fuzzing) is a proven technique to test software and identify vulnerabilities. A recent line of work has focused on applying fuzzing to embedded firmware via rehosting [1,2,3,4]. Rehosting allows executing firmware in a powerful virtual environment rather than the low-power hardware that it was designed to run on. This makes fuzzing of embedded firmware effective as it brings fast and scalable execution.

While recent rehosting-based fuzzing techniques have proven effective at triggering bugs in firmware, memory corruptions have shown to not always trigger actual crashes in firmware [5]. In addition, even if a crash is triggered within a firmware fuzzer, finding the root cause of a crash is a manual, often complicated and tedious effort.

The purpose of this thesis is to improve the ability of recent rehosting-based firmware fuzzing techniques to detect triggered bugs early by inserting a sanitization into the firmware fuzzing process. This will allow firmware fuzzers to trigger more bugs and aid in triaging crashes more quickly. You will analyze typical bug patterns and develop generic primitives to catch bugs triggered during firmware fuzzing that do not lead to a crash and can thus currently not be detected via fuzzing.

Bachelor's / Master's Thesis: Large-Scale Firmware Fuzzing

Firmware images which power connected embedded devices such as smart light bulbs, programmable logic controllers (PLCs), engine control units (ECUs) power much of our modern computing infrastructure. While these are highly connected and an attractive target for attackers, it is difficult to analyze them: They run on systems which are hard to access physically, that may include custom peripherals, and generally lack computation power which is available on general-purpose systems.

 

To analyze these targets, an active research area is finding ways of running firmware targets in an emulator, even if not all details about the hardware components are known. Current approaches use program analysis techniques to figure out from firmware behavior what hardware behavior is expected to look like. This behavior is then applied in an emulator to fuzz test the firmware in an emulated environment.

 

The systems described previously have typically been evaluated on a somewhat limited set of firmware images that represents only a small fraction of the challenges which an embedded firmware image may pose for its emulation and fuzzing environment.

 

In this thesis, you will prepare a diverse set of firmware images to benchmark firmware fuzz testing systems. You will look for ways of automating this process, to build and/or obtain them. You will also look for ways of automatically configuring the new firmware targets for fuzzing in our fuzzing environment, and devise ways of automatically validating their configuration within the same environment. You will evaluate the target set by analyzing which obstacles different types of firmware functionality poses for current firmware fuzzing systems, and derive future work that is required to overcome these obstacles.

Requirements

  • Comfortability with native build systems
  • Previous experience with or interest in learning about embedded systems firmware
  • Previous experience with or interest in learning about fuzz testing