Ruhr-Uni-Bochum

HALucinator: Firmware Re-hosting Through Abstraction Layer Emulation

2020

Conference / Journal

Authors

Tobias Scharnowski Saurabh Bagchi Paul Grosen Mathias Payer Giovanni Vigna Eric Gustafson David Fritz Christopher Kruegel Abraham A. Clements

Research Hub

Research Hub B: Eingebettete Sicherheit
Research Hub C: Sichere Systeme

Research Challenges

RC 8: Security with Untrusted Components

Abstract

Given the increasing ubiquity of online embedded devices,analyzing their firmware is important to security, privacy, andsafety. The tight coupling between hardware and firmwareand the diversity found in embedded systems makes it hard toperform dynamic analysis on firmware. However, firmwaredevelopers regularly develop code using abstractions, such asHardware Abstraction Layers (HALs), to simplify their job.We leverage such abstractions as the basis for the re-hostingand analysis of firmware. By providing high-level replace-ments for HAL functions (a process termedHigh-Level Emu-lation – HLE), we decouple the hardware from the firmware.This approach works by first locating the library functions in afirmware sample, through binary analysis, and then providinggeneric implementations of these functions in a full-systememulator.We present these ideas in a prototype system, HALucinator,able to re-host firmware, and allow the virtual device to beused normally. First, we introduce extensions to existinglibrary matching techniques that are needed to identify libraryfunctions in binary firmware, to reduce collisions, and forinferring additional function names. Next, we demonstratethe re-hosting process, through the use of simplifiedhandlersandperipheral models, which make the process fast, flexible,and portable between firmware samples and chip vendors.Finally, we demonstrate the practicality of HLE for securityanalysis, by supplementing HALucinator with the AmericanFuzzy Lop fuzzer, to locate multiple previously-unknownvulnerabilities in firmware middleware libraries.

Tags

Software Reverse Engineering
Software Security
Program Analysis