FirmPorter: Porting RTOSes at the Binary Level for Firmware Re-hosting


Research area: Analysis



Conference: International Conference on Information and Communications Security


Abstract

The rapid growth of the Industrial Internet of Things (IIoT) has brought real-time operating systems (RTOSes) into focus as major targets for both security analysts and malicious adversaries. Due to the non-standard hardware and diverse software, embedded RTOS devices present unique challenges to security analysts for the accurate analysis of firmware binaries. The diversity in hardware components and tight coupling between firmware and hardware make it hard to perform dynamic analysis, which must have the ability to execute firmware code in virtualized environments. However, emulating the large expanse of hardware peripherals makes analysts have to frequently modify the emulator for executing various firmware code in different virtualized environments, which greatly limits the ability of analysis. In this work, we explore the problem of firmware re-hosting related to the RTOS. A device driver is developed by developers so that an RTOS can be run on their platform. By providing alternative implementations for device drivers, we can make minimal modifications to the firmware that is to be migrated from its original hardware environment into a virtualized one. We show that an approach is capable of offering the ability to emulate various RTOS firmware in an automated manner without modifying existing emulators. Our approach, called static binary-level driver porting, first locates device driver initialization functions and identifies driver types in the target firmware, then adapts pre-built drivers to the existing emulator hardware. Finally, it replaces the drivers in the firmware with ours by utilizing a binary rewriting technique. We demonstrate the practicality of the proposed method on multiple hardware platforms and firmware samples for security analysis. The results show that the approach is flexible enough to emulate firmware for vulnerability assessment and exploit development.


Author Profile
Limin Sun

Beijing Key Laboratory of IOT Information Security Technology, Institute of Information Engineering, CAS, Beijing, China

British Indian Ocean Territory
Author Profile
Mingfeng Xin

Beijing Key Laboratory of IOT Information Security Technology, Institute of Information Engineering, CAS, Beijing, China

British Indian Ocean Territory
Author Profile
Hui Wen

School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China

China

📄 Paper information

Publication year: 2024
Citations: 0
Publication country: British Indian Ocean Territory, China
Site: Springer