
Fuzzing, Emulating, and Analyzing Embedded Systems Firmware

Research Overview

In my research, I mostly deal with embedded systems firmware.

My main research revolves around the following question: How can we analyze the security of a firmware image, independent from the hardware environment which it normally runs in?

We open-sourced Fuzzware – our generic firmware fuzzing emulator – here: Fuzzware.

Are you interested in diving deep into applied Security Competitions? Check out our university CTF team FluxFingers!

Thesis Topic Overview

If you are interested in one of the general topics outlined here, or have your own idea for a thesis topic that falls into my research area, feel free to reach out so that we can find a topic to work on or brainstorm about your idea.

General Thesis Topic Categories
  • Fuzzing: Making firmware fuzzing more effective / efficient
  • Emulation: Allowing emulators to run more diverse firmware (architectures, functionality types), allowing firmware to be run faster, or with less manual configuration effort
  • Code Analysis Techniques: Using code analysis techniques to gather information about firmware images to improve firmware emulation efficiency / applicability
  • Specialized Security Analysis: Analyzing the security of a specific firmware-related target
  • Human-in-the-loop: Building tools that make humans more productive when fuzzing a (new) target
 
Currently Available Thesis Topics
  • Master’s Thesis: Automated Identification of Network Protocol Implementations in Firmware for Structure-aware Firmware Fuzzing
  • Master’s Thesis: Refining Peripheral Modeling Approaches For Embedded Device Firmware
  • Master’s Thesis: Extending Binary Analysis Tooling to Aid a Human in Exploring Fuzzing Results
  • Bachelor’s / Master’s Thesis: Large-Scale Firmware Fuzzing

Master's Thesis: Automated Identification of Network Protocol Implementations in Firmware for Structure-aware Firmware Fuzzing

Firmware images that drive connected embedded devices such as smart light bulbs, programmable logic controllers (PLCs), and engine control units (ECUs) power much of our modern computing infrastructure. While these devices are highly connected and an attractive target for attackers, they are difficult to analyze: they run on systems that are hard to access physically, may include custom peripherals, and generally lack the computing power available on general-purpose systems.

To analyze these targets, an active research area is finding ways of running firmware in an emulator even when not all details about the hardware components are known. Emulation tools exist that run and fuzz test firmware images without the hardware being available. Since embedded devices commonly communicate with each other, most of them include some networking functionality. For example, such devices often use wireless protocols such as Bluetooth, 6LoWPAN, IEEE 802.15.4, Zigbee, WiFi, and more. Some also implement wired protocols such as Ethernet, DHCP, TCP/IP v4/v6, etc.

However, current fuzzers are unaware of the network protocols implemented in their targets and blindly throw binary data at the firmware. This makes them ineffective at reaching deep into firmware logic that sits behind the network protocol layers the target implements: a mutated packet that breaks a lower-layer length field or checksum is discarded before any higher-layer code runs. For example, while fuzzers can currently test the 6LoWPAN network-layer parsing routines of a firmware target effectively, they are unable to test functionality on higher protocol layers, such as an SNMP agent or web server running on the device.

In this thesis, you will design and implement an approach to identify which known network protocol layers are implemented in a given firmware target, and adapt a fuzzer to efficiently supply inputs that conform to those protocols. An effective approach will allow a fuzzer to test deep application-layer firmware logic, where current fuzzing solutions only scratch the surface of network-layer parsing.
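The following Python example, added here as an illustration and not code from Fuzzware or from this thesis, shows why blind mutation rarely gets past the network layer and what a structure-aware mutator does differently. It contains a constructed stand-in for a firmware's IPv4/UDP receive path (version, length, header checksum and port checks, following RFC 791 / RFC 768), a protocol-unaware mutator that overwrites random bytes anywhere in the packet, and a structure-aware mutator that only mutates the UDP payload and then rebuilds the headers. The destination port 161, the addresses, and the seed payload are example values.

```python
import random
import struct

# Constructed firmware-side IPv4/UDP receive path: the checks a minimal embedded IP
# stack performs before a payload reaches the application layer. Field layout follows
# RFC 791 / RFC 768; the destination port 161 (SNMP) and addresses are example values.
APP_PORT = 161


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over a header whose checksum field is zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(payload: bytes, dst_port: int = APP_PORT) -> bytes:
    """Wrap payload in a well-formed IPv4/UDP packet (UDP checksum 0 = disabled)."""
    udp = struct.pack("!HHHH", 40000, dst_port, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, 17,
                      0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + udp


def firmware_parse(pkt: bytes) -> str:
    """Return the deepest layer a packet reaches: 'ip', 'udp' or 'app'."""
    if len(pkt) < 28 or pkt[0] != 0x45 or pkt[9] != 17:        # IPv4, no options, UDP
        return "ip"
    total_len, stored = struct.unpack("!H", pkt[2:4])[0], struct.unpack("!H", pkt[10:12])[0]
    if total_len != len(pkt) or ipv4_checksum(pkt[:10] + b"\x00\x00" + pkt[12:20]) != stored:
        return "ip"
    dst_port, udp_len = struct.unpack("!HH", pkt[22:26])
    if udp_len != len(pkt) - 20 or dst_port != APP_PORT:
        return "udp"
    return "app"   # the application handler (e.g. an SNMP agent) would run on pkt[28:]


def mutate_blind(pkt: bytes, rng: random.Random, n: int = 4) -> bytes:
    """Protocol-unaware mutation: overwrite n random bytes anywhere in the packet."""
    buf = bytearray(pkt)
    for _ in range(n):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def mutate_structured(pkt: bytes, rng: random.Random, n: int = 4) -> bytes:
    """Structure-aware mutation: overwrite, insert or delete bytes in the UDP payload
    only, then rebuild the headers so lengths and the IPv4 checksum stay valid."""
    payload = bytearray(pkt[28:])
    for _ in range(n):
        op = rng.randrange(3)
        if op == 0 or len(payload) < 2:
            payload[rng.randrange(len(payload))] = rng.randrange(256)
        elif op == 1:
            payload.insert(rng.randrange(len(payload) + 1), rng.randrange(256))
        else:
            del payload[rng.randrange(len(payload))]
    return build_packet(bytes(payload))


SEED_PAYLOAD = b"constructed-request!"   # stands in for a real application-layer PDU


def app_reach_rate(mutator, trials: int = 1000, seed: int = 1) -> float:
    """Fraction of mutated packets that survive the IP and UDP checks."""
    rng = random.Random(seed)
    seed_pkt = build_packet(SEED_PAYLOAD)
    hits = sum(firmware_parse(mutator(seed_pkt, rng)) == "app" for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    print("blind mutation      reaches app layer:", app_reach_rate(mutate_blind))
    print("structured mutation reaches app layer:", app_reach_rate(mutate_structured))
```

With four mutated bytes per input, the blind mutator only reaches the application handler when every mutation happens to land in the payload (or in the unchecked UDP source port), so its reach rate stays in the low percent range, while every structured input passes the network checks. The thesis problem is the step this example skips: recognizing from the firmware binary which protocol layers (and therefore which length fields, checksums and dispatch ports) exist, so that `mutate_structured` and `build_packet` can be derived for an unknown target instead of being written by hand.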

Requirements

  • Ability to program in Java (for Ghidra plugin development) and Python or Rust (for trace analysis)
  • Familiarity with binary code / reverse engineering
  • Previous experience with or interest in working with embedded systems firmware
  • Previous experience with or interest in learning about emulation and program analysis techniques (symbolic execution or static analysis)

Master's Thesis: Refining Peripheral Modeling Approaches For Embedded Device Firmware

Firmware images that drive connected embedded devices such as smart light bulbs, programmable logic controllers (PLCs), and engine control units (ECUs) power much of our modern computing infrastructure. While these devices are highly connected and an attractive target for attackers, they are difficult to analyze: they run on systems that are hard to access physically, may include custom peripherals, and generally lack the computing power available on general-purpose systems.

To analyze these targets, an active research area is finding ways of running firmware in an emulator even when not all details about the hardware components are known. Current approaches use program analysis techniques to infer, from the firmware's own behavior, what the hardware's behavior is expected to look like (for example, which bits of a memory-mapped peripheral register the firmware actually inspects). This inferred behavior is then applied in an emulator to fuzz test the firmware in an emulated environment.

While existing approaches already provide a basic level of hardware behavior, they are unable to recover more subtle hardware behavior.

In this thesis, you will tackle some of the remaining challenges of hardware behavior modeling and look for new ways to analyze firmware behavior in order to model some of the previously unsupported behavior types. You will then test your new techniques within our research prototype, Fuzzware, and automatically fuzz test firmware targets that previously required manual configuration.
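As an added illustration of what "inferring hardware behavior from firmware behavior" means in practice (example code written for this page, not Fuzzware's implementation), the Python below contains a toy UART driver that polls a status register and then reads a data byte, a crude dynamic analysis that serves all-ones to every MMIO read and records which bit masks the firmware applies to the values, and a fuzzing-side MMIO backend that uses the inferred masks to consume only the input bytes that matter. The register addresses, the bit layout, and the bit-extract model are constructed for the example; the real approaches use symbolic execution, which explores both outcomes of every branch instead of a single concrete path, and support more model types than shown here.

```python
from collections import defaultdict

WORD_MASK = 0xFFFFFFFF

# Constructed MMIO layout of a toy UART: a 32-bit status register whose bit 21 means
# "receive data ready", and a data register holding one received byte in its low bits.
STATUS = 0x40004404
DATA = 0x40004408
RX_READY = 1 << 21


def firmware_uart_read(mmio):
    """Toy stand-in for a firmware driver routine: poll until RX_READY, then read a byte."""
    while not (mmio.read(STATUS) & RX_READY):
        pass
    return mmio.read(DATA) & 0xFF


class TracedValue(int):
    """An int that records every mask it is AND-ed with, keyed by the MMIO address it
    was read from, so one run reveals which bits of each register the firmware uses."""
    def __new__(cls, value, addr, log):
        obj = super().__new__(cls, value)
        obj.addr, obj.log = addr, log
        return obj

    def __and__(self, other):
        self.log[self.addr] |= int(other) & WORD_MASK
        return int(self) & int(other)

    __rand__ = __and__


class TracingMMIO:
    """Serves all-ones to every read (so 'wait until bit set' loops terminate) and logs
    the masks applied to the values. This is a crude dynamic stand-in for the symbolic
    execution real approaches use, which explores both outcomes of each branch."""
    def __init__(self):
        self.masks = defaultdict(int)

    def read(self, addr):
        self.masks.setdefault(addr, 0)      # register the address even if never masked
        return TracedValue(WORD_MASK, addr, self.masks)


def infer_models(firmware):
    """Run the firmware once under tracing; return {addr: mask of the bits it uses}.
    A register read but never masked falls back to a full-word (passthrough) model."""
    tracer = TracingMMIO()
    firmware(tracer)
    return {addr: (mask or WORD_MASK) for addr, mask in tracer.masks.items()}


class InputExhausted(Exception):
    pass


class FuzzMMIO:
    """Serves MMIO reads from fuzzer-provided bytes. Without a model each read consumes
    a full 32-bit word; with a bit-extract model only the bytes covering the used bits
    are consumed and placed at their position in the word."""
    def __init__(self, fuzz_input, models=None):
        self.data, self.pos, self.models = fuzz_input, 0, models or {}

    def read(self, addr):
        mask = self.models.get(addr, WORD_MASK)
        lo_byte = ((mask & -mask).bit_length() - 1) // 8   # byte holding the lowest used bit
        hi_byte = (mask.bit_length() - 1) // 8             # byte holding the highest used bit
        width = hi_byte - lo_byte + 1
        if self.pos + width > len(self.data):
            raise InputExhausted(f"need {width} byte(s) at offset {self.pos} for {addr:#x}")
        chunk = self.data[self.pos:self.pos + width]
        self.pos += width
        return int.from_bytes(chunk, "little") << (8 * lo_byte)


def fuzz_run(firmware, fuzz_input, models=None):
    """Return (firmware result, bytes consumed), or None if the input ran out."""
    mmio = FuzzMMIO(fuzz_input, models)
    try:
        return firmware(mmio), mmio.pos
    except InputExhausted:
        return None


if __name__ == "__main__":
    models = infer_models(firmware_uart_read)
    print({hex(a): hex(m) for a, m in models.items()})
    print("modeled    :", fuzz_run(firmware_uart_read, b"\x00\x20\x41", models))
    print("passthrough:", fuzz_run(firmware_uart_read, b"\x00\x20\x41"))
```

With the inferred models, the three-byte input `00 20 41` drives the driver through one failed poll, one successful poll and the data read (result `0x41`); without models the first status read alone needs four bytes, so the same input is exhausted before the loop can exit. The subtle behaviors this thesis targets are exactly the ones such a single-path, mask-only analysis cannot capture, for instance registers whose value must change between consecutive reads, or values that the firmware compares against several constants.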

Requirements

  • Ability to program in Python and some C
  • Familiarity with binary code / reverse engineering
  • Previous experience with or interest in learning about embedded systems firmware
  • Previous experience with or interest in learning about emulation and program analysis techniques such as symbolic execution

Master's Thesis: Extending Binary Analysis Tooling to Aid a Human in Exploring Fuzzing Results

Firmware images that drive connected embedded devices such as smart light bulbs, programmable logic controllers (PLCs), and engine control units (ECUs) power much of our modern computing infrastructure. While these devices are highly connected and an attractive target for attackers, they are difficult to analyze: they run on systems that are hard to access physically, may include custom peripherals, and generally lack the computing power available on general-purpose systems.

To analyze these targets, an active research area is finding ways of running firmware in an emulator even when not all details about the hardware components are known. Emulation tools exist that run and fuzz test firmware images without the hardware being available.

However, the results these tools produce are hard for a human to understand. Considerable expertise is required to measure how much of the firmware's functionality the emulator has actually explored. It is also laborious for a human to identify the roadblocks the fuzzer is running into (for instance, a branch that is executed often but whose other target is never reached) and to subsequently resolve them.

In this thesis, you will work on tooling that analyzes the dynamic coverage and trace information produced by such firmware fuzzing tools (Fuzzware, our generic firmware emulation/fuzzing platform) and makes the results available to a human, allowing them to interactively analyze fuzzing progress, identify coverage obstacles, and resolve them. This will allow a human to work with the fuzzer more efficiently and with less tool-specific experience required to make progress in a fuzzing effort.
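The Python below is an added example of the kind of analysis such tooling performs, written for this page and not taken from Fuzzware: given a control-flow graph of the firmware (which in practice would be exported from a disassembler such as Ghidra) and the basic-block traces recorded for a set of fuzzing inputs, it reports how coverage grew input by input and ranks "frontier" edges, i.e. branches from a covered block to a never-covered successor, by how often the fuzzer executed the predecessor. Both the graph and the traces are constructed for the example.

```python
from collections import Counter

# Constructed control-flow graph of a toy firmware: basic block address -> successors.
# In practice this comes from a disassembler (e.g. a Ghidra export of the image).
CFG = {
    0x08000100: [0x08000120],              # reset handler -> main loop
    0x08000120: [0x08000140, 0x08000160],  # main loop: packet pending? parse : idle
    0x08000140: [0x08000180, 0x080001A0],  # parse: version ok? checksum : drop
    0x08000160: [0x08000120],              # idle -> main loop
    0x08000180: [0x080001C0, 0x080001E0],  # checksum ok? dispatch : drop
    0x080001A0: [0x08000120],              # drop (bad version) -> main loop
    0x080001C0: [0x08000200],              # dispatch -> application handler
    0x080001E0: [0x08000120],              # drop (bad checksum) -> main loop
    0x08000200: [0x08000120],              # application handler -> main loop
}

# Constructed basic-block traces, one per fuzzing input, in execution order.
TRACES = [
    [0x08000100, 0x08000120, 0x08000160, 0x08000120],
    [0x08000100, 0x08000120, 0x08000140, 0x080001A0, 0x08000120],
    [0x08000100, 0x08000120, 0x08000140, 0x08000180, 0x080001E0, 0x08000120],
    [0x08000100, 0x08000120, 0x08000140, 0x08000180, 0x080001E0, 0x08000120,
     0x08000160, 0x08000120],
    [0x08000100, 0x08000120, 0x08000160, 0x08000120, 0x08000160, 0x08000120],
]


def coverage_progress(traces):
    """Cumulative number of distinct blocks covered after each input; a flat tail
    means the fuzzer has plateaued."""
    seen, progress = set(), []
    for trace in traces:
        seen.update(trace)
        progress.append(len(seen))
    return progress


def coverage_frontier(cfg, traces):
    """Edges (pred, target, pred_hits) from a covered block to a never-covered successor,
    ranked by how often the fuzzer executed the predecessor. A hot predecessor whose
    other branch target is never taken is the strongest candidate for a fuzzing obstacle
    (a checksum, a magic value, or an unmodeled hardware condition)."""
    covered = {block for trace in traces for block in trace}
    hits = Counter(block for trace in traces for block in trace)
    frontier = [(pred, succ, hits[pred])
                for pred, succs in cfg.items() if pred in covered
                for succ in succs if succ not in covered]
    return sorted(frontier, key=lambda edge: (-edge[2], edge[0], edge[1]))


def coverage_ratio(cfg, traces):
    """Fraction of the graph's blocks that any trace reached."""
    covered = {block for trace in traces for block in trace}
    return len(covered & set(cfg)) / len(cfg)


def describe(cfg, traces):
    """Human-readable summary: overall coverage, growth per input, obstacle candidates."""
    lines = [f"coverage: {coverage_ratio(cfg, traces):.0%} of {len(cfg)} blocks, "
             f"progress per input: {coverage_progress(traces)}"]
    for pred, succ, n in coverage_frontier(cfg, traces):
        lines.append(f"obstacle candidate: {pred:#010x} -> {succ:#010x} "
                     f"(predecessor hit {n} times, target never reached)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(CFG, TRACES))
```

On the constructed data the progress list `[3, 5, 7, 7, 7]` shows the fuzzer stalling after the third input, and the single frontier edge `0x08000180 -> 0x080001c0` points the human straight at the checksum check that every later input fails. In real traces the same computation is run over thousands of inputs and the frontier list is long, which is why ranking and interactive exploration matter.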

Requirements

  • Interest in development in Rust and possibly Python
  • Familiarity with or interest in learning about binary code / reverse engineering
  • Previous experience with or interest in working with embedded systems firmware

Bachelor's / Master's Thesis: Large-Scale Firmware Fuzzing

Firmware images that drive connected embedded devices such as smart light bulbs, programmable logic controllers (PLCs), and engine control units (ECUs) power much of our modern computing infrastructure. While these devices are highly connected and an attractive target for attackers, they are difficult to analyze: they run on systems that are hard to access physically, may include custom peripherals, and generally lack the computing power available on general-purpose systems.

To analyze these targets, an active research area is finding ways of running firmware in an emulator even when not all details about the hardware components are known. Current approaches use program analysis techniques to infer from the firmware's behavior what the hardware's behavior is expected to look like. This inferred behavior is then applied in an emulator to fuzz test the firmware in an emulated environment.

The systems described above have typically been evaluated on a rather limited set of firmware images, which represents only a small fraction of the challenges an embedded firmware image may pose for its emulation and fuzzing environment.

In this thesis, you will prepare a diverse set of firmware images to benchmark firmware fuzz testing systems. You will look for ways of automating this process, i.e., of building and/or obtaining the images. You will also look for ways of automatically configuring the new firmware targets for fuzzing in our fuzzing environment, and devise ways of automatically validating their configuration within the same environment. You will evaluate the target set by analyzing which obstacles different types of firmware functionality pose for current firmware fuzzing systems, and derive the future work required to overcome these obstacles.

Requirements

  • Familiarity with native build systems
  • Previous experience with or interest in learning about embedded systems firmware
  • Previous experience with or interest in learning about fuzz testing