Research Overview
In my research, I mostly deal with embedded systems firmware.
My main research revolves around the following question: How can we analyze the security of a firmware image, independent from the hardware environment which it normally runs in?
We open-sourced Fuzzware – our generic firmware fuzzing emulator – here: Fuzzware.
Are you interested in diving deep into applied Security Competitions? Check out our university CTF team FluxFingers!
Tobias Scharnowski
Thesis Topic Overview
First, it is worth mentioning that in case you are interested in one of the general topics outlined here, or have an idea about a thesis topic which falls into my research area, then feel free to reach out so we can find a topic to work on or brainstorm about your idea.
General Thesis Topic Categories
- Fuzzing: Making firmware fuzzing more effective / efficient
- Emulation: Allowing emulators to run more diverse firmware (architectures, functionality types), allowing firmware to be run faster, or with less manual configuration effort
- Code Analysis Techniques: Using code analysis techniques to gather information about firmware images to improve firmware emulation efficiency / applicability
- Specialized Security Analysis: Analyzing the security of a specific firmware-related target
- Human-in-the-loop: Building tools that make humans more productive when fuzzing a (new) target
Currently Available Thesis Topics
- Bachelor’s / Master’s Thesis: Fuzzing Linux-based Firmware via generic Full-System Rehosting
- Bachelor’s / Master’s Thesis: Binary-Only Sanitizers for Firmware Fuzzing
- Bachelor’s / Master’s Thesis: Large-Scale Firmware Fuzzing
BA / MA: Fuzzing Linux-based Firmware via generic Full-System Rehosting
Firmware images which power connected embedded devices such as smart light bulbs, programmable logic controllers (PLCs), engine control units (ECUs) power much of our modern computing infrastructure. While these are highly connected and an attractive target for attackers, they are particularly difficult to analyze: They run on systems which are hard to access physically, that may include custom peripherals, and generally lack the computation power of general-purpose systems.
Fuzz testing (or fuzzing) is a proven technique to test software and identify vulnerabilities, especially on general-purpose systems. A recent line of work has focused on applying fuzzing to embedded firmware via rehosting [1,2,3,4]. Rehosting allows executing firmware in a powerful virtual environment rather than the low-power hardware that it was designed to run on. This allows embedded firmware to be fuzzed on general-purpose hardware.
Recent generic full-system rehosting techniques have been built with so called real-time operating systems (RTOS) in mind. While effective for RTOS, these rehosting works have not yet shown to also work for Linux-based firmware. The purpose of this thesis is to analyze what challenges Linux-based firmware pose for recent full-system rehosting approaches. In the process of this thesis you will build embedded Linux firmware and attempt to run recent full-system fuzzing solutions against it. You will analyze the progress that recent fuzzing solutions achieve against Linux-based firmware and identify hurdles and challenges faced by these solutions. Finally, you will devise customizations to the existing solutions towards fully fuzzing Linux-based firmware via generic full-system rehosting.
Requirements
- Basic knowledge about C and Python
- Interest in working with embedded systems firmware
- Interest in fuzzing
- Comfortability with or interest in learning about binary code / reverse engineering
Bachelor's / Master's Thesis: Binary-Only Sanitizers for Firmware Fuzzing
Firmware images which power connected embedded devices such as smart light bulbs, programmable logic controllers (PLCs), engine control units (ECUs) power much of our modern computing infrastructure. While these are highly connected and an attractive target for attackers, they are particularly difficult to analyze: They run on systems which are hard to access physically, that may include custom peripherals, and generally lack the computation power of general-purpose systems.
Fuzz testing (or fuzzing) is a proven technique to test software and identify vulnerabilities. A recent line of work has focused on applying fuzzing to embedded firmware via rehosting [1,2,3,4]. Rehosting allows executing firmware in a powerful virtual environment rather than the low-power hardware that it was designed to run on. This makes fuzzing of embedded firmware effective as it brings fast and scalable execution.
While recent rehosting-based fuzzing techniques have proven effective at triggering bugs in firmware, memory corruptions have shown to not always trigger actual crashes in firmware [5]. In addition, even if a crash is triggered within a firmware fuzzer, finding the root cause of a crash is a manual, often complicated and tedious effort.
The purpose of this thesis is to improve the ability of recent rehosting-based firmware fuzzing techniques to detect triggered bugs early by inserting a sanitization into the firmware fuzzing process. This will allow firmware fuzzers to trigger more bugs and aid in triaging crashes more quickly. You will analyze typical bug patterns and develop generic primitives to catch bugs triggered during firmware fuzzing that do not lead to a crash and can thus currently not be detected via fuzzing.
Related Work
- [1] Fuzzware: Using Precise MMIO Modeling for Effective Firmware
- [2] Hoedur: Embedded Firmware Fuzzing using Multi-Stream Inputs
- [3] Icicle: A Re-designed Emulator for Grey-Box Firmware Fuzzing
- [4] Ember-IO: Effective Firmware Fuzzing with Model-Free Memory
Mapped IO - [5] What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices
Requirements
- Interest in working with embedded systems firmware
- Interest in fuzzing
- Comfortability with or interest in learning about binary code / reverse engineering
- Basic knowledge about Python
Bachelor's / Master's Thesis: Large-Scale Firmware Fuzzing
Requirements
- Comfortability with native build systems
- Previous experience with or interest in learning about embedded systems firmware
- Previous experience with or interest in learning about fuzz testing