HALucinator: Firmware Re-hosting Through Abstraction Layer Emulation

Abstract

Given the increasing ubiquity of online embedded devices,analyzing their firmware is important to security, privacy, andsafety. The tight coupling between hardware and firmwareand the diversity found in embedded systems makes it hard toperform dynamic analysis on firmware. However, firmwaredevelopers regularly develop code using abstractions, such asHardware Abstraction Layers (HALs), to simplify their job.We leverage such abstractions as the basis for the re-hostingand analysis of firmware. By providing high-level replace-ments for HAL functions (a process termedHigh-Level Emu-lation – HLE), we decouple the hardware from the firmware.This approach works by first locating the library functions in afirmware sample, through binary analysis, and then providinggeneric implementations of these functions in a full-systememulator.We present these ideas in a prototype system, HALucinator,able to re-host firmware, and allow the virtual device to beused normally. First, we introduce extensions to existinglibrary matching techniques that are needed to identify libraryfunctions in binary firmware, to reduce collisions, and forinferring additional function names. Next, we demonstratethe re-hosting process, through the use of simplifiedhandlersandperipheral models, which make the process fast, flexible,and portable between firmware samples and chip vendors.Finally, we demonstrate the practicality of HLE for securityanalysis, by supplementing HALucinator with the AmericanFuzzy Lop fuzzer, to locate multiple previously-unknownvulnerabilities in firmware middleware libraries.