Research Overview
In my research, I mostly deal with embedded systems firmware.
My main research revolves around the following question: How can we analyze the security of a firmware image independently of the hardware environment in which it normally runs?
We open-sourced Fuzzware – our generic firmware fuzzing emulator – here: Fuzzware.
Are you interested in diving deep into applied Security Competitions? Check out our university CTF team FluxFingers!
Tobias Scharnowski
Thesis Topic Overview
First, it is worth mentioning that if you are interested in one of the general topics outlined here, or have an idea for a thesis topic that falls into my research area, feel free to reach out so we can find a topic to work on or brainstorm about your idea.
General Thesis Topic Categories
- Fuzzing: Making firmware fuzzing more effective / efficient
- Emulation: Allowing emulators to run more diverse firmware (architectures, functionality types), allowing firmware to be run faster, or with less manual configuration effort
- Code Analysis Techniques: Using code analysis techniques to gather information about firmware images to improve firmware emulation efficiency / applicability
- Specialized Security Analysis: Analyzing the security of a specific firmware-related target
- Human-in-the-loop: Building tools that make humans more productive when fuzzing a (new) target
Currently Available Thesis Topics
- Master’s Thesis: Extending Binary Analysis Tooling to Aid a Human in Exploring Fuzzing Results
- Bachelor’s / Master’s Thesis: Large-Scale Firmware Fuzzing
Master's Thesis: Extending Binary Analysis Tooling to Aid a Human in Exploring Fuzzing Results
Firmware images running on connected embedded devices such as smart light bulbs, programmable logic controllers (PLCs), and engine control units (ECUs) power much of our modern computing infrastructure. While these devices are highly connected and an attractive target for attackers, it is difficult to analyze them: They run on systems which are hard to access physically, may include custom peripherals, and generally lack the computing power available on general-purpose systems.
To analyze these targets, an active research area is finding ways of running firmware targets in an emulator, even if not all details about the hardware components are known. Emulation tools exist which run and fuzz test firmware images without available hardware.
However, the results these tools produce are hard for a human to understand. A lot of expertise is required for a human to measure the progress these emulators have achieved in exploring the firmware functionality. It is also laborious for a human to identify potential roadblocks which the fuzzer is encountering, and subsequently resolve these issues.
In this thesis, you will work on tooling which analyzes the dynamic coverage and trace information that such firmware fuzzing tools (Fuzzware, our generic firmware emulation/fuzzing platform) produce, and makes the results available to a human so they can interactively analyze the fuzzing progress, identify coverage obstacles, and resolve them. This will allow a human to work with the fuzzer more efficiently, and with less prior experience with the tool required to make progress in the fuzzing effort.
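As an added illustration of the kind of analysis such tooling performs (this is example code written for this page, not part of Fuzzware or the thesis), the script below takes a constructed control-flow graph and a constructed list of basic-block addresses hit during fuzzing, and reports the "coverage frontier": reached blocks with an edge into an unreached block. Each frontier edge is ranked by how many unreached blocks lie behind it, so a human can see which obstacle is worth resolving first. The CFG, addresses and trace format are all assumptions made for the example.

```python
"""Coverage-frontier analysis over constructed firmware fuzzing trace data."""
from collections import deque

# Constructed sample CFG (not real firmware): basic block address -> successor addresses.
CFG = {
    0x08000100: [0x08000110],              # reset / init
    0x08000110: [0x08000120, 0x08000200],  # status check, branches to error path
    0x08000120: [0x08000130],              # main loop entry
    0x08000130: [0x08000110, 0x08000140],  # wait for packet
    0x08000140: [0x08000150, 0x08000160],  # parse packet, checksum decision
    0x08000150: [0x08000130],              # checksum failed
    0x08000160: [0x08000170],              # checksum ok: never reached by the fuzzer
    0x08000170: [0x08000130],              # dispatch command
    0x08000200: [0x08000210],              # error handler
    0x08000210: [0x08000220],              # error logging
    0x08000220: [],                        # recovery path: never reached by the fuzzer
}

# Constructed coverage trace: one hit basic block address per line, in no particular order,
# with duplicates, as a fuzzer's aggregated coverage dump might look.
TRACE_LINES = """
0x08000100
0x08000110
0x08000120
0x08000130
0x08000140
0x08000150
0x08000130
0x08000110
0x08000200
0x08000210
"""


def parse_trace(text):
    """Return the set of distinct block addresses listed in a trace dump."""
    reached = set()
    for line in text.splitlines():
        line = line.strip()
        if line:
            reached.add(int(line, 16))
    return reached


def locked_region_size(cfg, entry, reached):
    """Count unreached blocks reachable from `entry` without crossing a reached block.

    This approximates how much new code a fuzzer would unlock by getting past
    the edge leading into `entry`.
    """
    seen = set()
    queue = deque([entry])
    while queue:
        block = queue.popleft()
        if block in seen or block in reached:
            continue
        seen.add(block)
        queue.extend(cfg.get(block, []))
    return len(seen)


def find_frontier(cfg, reached):
    """Return (src, dst, locked_blocks) for every reached->unreached edge, biggest payoff first."""
    frontier = []
    for src in reached:
        for dst in cfg.get(src, []):
            if dst not in reached:
                frontier.append((src, dst, locked_region_size(cfg, dst, reached)))
    frontier.sort(key=lambda edge: (-edge[2], edge[0], edge[1]))
    return frontier


def coverage_ratio(cfg, reached):
    """Fraction of CFG blocks the fuzzer has reached."""
    return len(reached & set(cfg)) / len(cfg)


if __name__ == "__main__":
    hit = parse_trace(TRACE_LINES)
    print(f"block coverage: {coverage_ratio(CFG, hit):.0%}")
    for src, dst, locked in find_frontier(CFG, hit):
        print(f"frontier edge {src:#010x} -> {dst:#010x} locks {locked} block(s)")
```

In a real tool the CFG would come from the disassembled firmware image and the trace from the emulator's coverage output; the ranking step is what turns raw block addresses into a short, prioritized list of obstacles for the human to look at.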
Requirements
- Interest in development in Rust and possibly Python
- Comfort with, or interest in learning about, binary code / reverse engineering
- Previous experience with or interest in working with embedded systems firmware
Bachelor's / Master's Thesis: Large-Scale Firmware Fuzzing
Firmware images running on connected embedded devices such as smart light bulbs, programmable logic controllers (PLCs), and engine control units (ECUs) power much of our modern computing infrastructure. While these devices are highly connected and an attractive target for attackers, it is difficult to analyze them: They run on systems which are hard to access physically, may include custom peripherals, and generally lack the computing power available on general-purpose systems.
To analyze these targets, an active research area is finding ways of running firmware targets in an emulator, even if not all details about the hardware components are known. Current approaches use program analysis techniques to infer from the firmware's behavior what the expected hardware behavior looks like. This inferred behavior is then applied in an emulator to fuzz test the firmware in an emulated environment.
The systems described above have typically been evaluated on a somewhat limited set of firmware images, which represents only a small fraction of the challenges an embedded firmware image may pose for its emulation and fuzzing environment.
In this thesis, you will prepare a diverse set of firmware images to benchmark firmware fuzz testing systems. You will look for ways of automating this process, that is, of building and/or obtaining the images. You will also look for ways of automatically configuring the new firmware targets for fuzzing in our fuzzing environment, and devise ways of automatically validating their configuration within the same environment. You will evaluate the target set by analyzing which obstacles different types of firmware functionality pose for current firmware fuzzing systems, and derive the future work required to overcome these obstacles.
Requirements
- Comfort with native build systems
- Previous experience with or interest in learning about embedded systems firmware
- Previous experience with or interest in learning about fuzz testing