Research area: Analysis
Venue: 2023 IEEE Conference on Communications and Network Security (CNS)
Firmware rehosting techniques have enabled the analysis of firmware without a real device through peripheral access modeling. However, existing techniques use the number of basic blocks to evaluate success in firmware code coverage, without paying attention to whether the code locations that process data received from specific peripherals receive sufficient coverage. In this paper, we present a hybrid firmware analysis approach, FIRMSTAT, that combines symbolic-execution-based firmware rehosting with static code analysis to evaluate dynamic code coverage in terms of the API functions that propagate data register values into the upper layers of the firmware. Our static analysis supports both polling-based and interrupt-driven accesses and extracts API summaries. We apply FIRMSTAT to various ARM Cortex M3 benchmarks from the literature and show that, despite achieving decent basic block coverage compared to some state-of-the-art firmware rehosting approaches, rehosting may fail to cover some peripheral data-flows in complex firmware; these gaps are captured by the proposed MMIO access-based coverage metrics.
| Publication year | 2023 |
|---|---|
| Citations | 208 |
| Publishing country | |
| Site | IEEE |
| Likes | 0 |