Description
Smartphones are a fundamental building block of modern communication infrastructure. As such, their availability, integrity and confidentiality are essential to their users and are of interest to various malicious actors. These actors have in the past gone to great lengths to compromise smartphones, and because Google and Apple are constantly improving the security of their mobile operating systems, new attack angles become increasingly important to them. One of these attack angles is the baseband modem. This separate component acts as a peripheral towards the processor running the mobile operating system and connects the device to the cellular network. Baseband modems run very complex firmware, and vulnerabilities in this firmware enable an attacker to prevent the victim from connecting to a cellular network, exfiltrate unencrypted communication, or even pivot to the mobile operating system with elevated privileges.
We are interested in how the SoC manufacturers developing this firmware (e.g. MediaTek, Samsung LSI) handle vulnerabilities at scale.
Goal
This thesis aims to systematically analyze baseband modem firmware images at scale. In particular, we are interested in change propagation and product line management: Do two different SoCs from the same manufacturer that share a code base receive the same bug fixes? Do manufacturers forget specific images when providing updates, leaving these images vulnerable? Which libraries does a firmware image contain, and are these libraries updated frequently? As modem firmware images are only available from smartphone manufacturers (like Oppo, OnePlus, Samsung, and Xiaomi), who are the customers of the SoC manufacturers, you will not only have to perform binary analysis but also find a way to obtain these updates reliably.
Ultimately, we want to integrate your results into a web platform that we are building, which is intended to continuously update itself and provide an industry overview of bug-fixing practices for cellular modem firmware. Therefore, any analysis must be automatable, adding a separate challenge throughout your thesis.
Given sufficient quality of your results, publishing a joint paper on the topic is also possible.
Requirements
For this ambitious thesis, which is directly related to our research, we are looking for a highly motivated Master's student. While we can provide you with an introduction to the extraction of firmware image files, an ISA extension for Ghidra and some CVEs for which we have performed a root cause analysis as a reference, this thesis requires prior knowledge in the area of reverse engineering. We therefore require that you have taken a relevant course (e.g. "program analysis", a practical course on microcontroller programming in assembly, or our practical course on mobile security) or can demonstrate your abilities via participation in CTFs or other extra-curricular projects. Knowledge of cellular networking protocols (GSM, LTE, 5G) might be helpful but is optional.