Embedded Firmware Rehosting System Through Automatic Peripheral Modeling

Abstract

Read online

Embedded devices are becoming increasingly common and, as a result, more susceptible to security threats. Consequently, analyzing the firmware of these devices is essential for detecting and mitigating vulnerabilities. Hardware dependencies pose a major challenge for firmware analysis, as they require either running the firmware on the original hardware or emulating various hardware behaviors in a virtualized environment. Firmware rehosting, which allows firmware to run in a virtualized environment (i.e., emulation), is a recent research approach to overcome the hardware dependency problem. However, this approach faces several challenges, such as: limited applicability, path elimination, and lack of support for dynamic direct memory access (DMA). To address these challenges, we propose VDEmu, a novel firmware rehosting system that integrates hybrid fuzzing-based memory-mapped I/O (MMIO) modeling and dynamic DMA support. VDEmu can handle MMIO accesses without requiring precise implementation of peripherals and can access overlooked DMA logic by creating and removing DMA streams through a virtual DMA controller. Therefore, VDEmu can mitigate limited applicability and path elimination through fuzzing and explore more firmware logic through DMA support. We evaluated our approach on real-world targets comprising a total of eight hardware platforms and 14 firmware images. Compared with state-of-the-art works, VDEmu was the only work that could model all interactions between firmware and hardware (i.e., MMIO, DMA, and interrupts), and VDEmu achieved a code coverage that was up to 9.15 times higher. VDEmu discovered two previously unknown bugs, including ones previously analyzed in other works.

Keywords

• Firmware
• MMIO
• DMA
• dynamic analysis
• emulation
• fuzzing