Unveiling firmware weaknesses: An approach for large-scale security analysis

  • Osmany Barros de Freitas ITA
  • Lourenço Alves Pereira Júnior ITA

Abstract


The COVID-19 pandemic has driven widespread adoption of remote work, altering corporate network perimeters to include Small-Office and Home-Office (SOHO) routers and exposing infrastructures to IoT threats. We researched and developed a scalable vulnerability analysis method for embedded systems, focusing on vulnerability enumeration and automated source code analysis. In Brazil, we studied 159 router models, obtaining firmware samples from 131. Our analysis revealed more vulnerabilities in official firmware than in open-source versions, highlighting the security benefits of the latter. Using Binary Code Similarity Analysis (BCSA), we created BinclustRE, a tool that groups similar binaries to prioritize the analysis of impactful firmware samples.

Published
16/09/2024
FREITAS, Osmany Barros de; PEREIRA JÚNIOR, Lourenço Alves. Unveiling firmware weaknesses: An approach for large-scale security analysis. In: CONCURSO DE TESES E DISSERTAÇÕES - SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 24., 2024, São José dos Campos/SP. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2024. p. 73-80. DOI: https://doi.org/10.5753/sbseg_estendido.2024.241638.
