Muhui Jiang,Lin Ma,Yajin Zhou,Qiang Liu,Cen Zhang,Zhi Wang,Xiapu Luo,Lei Wu,Kui Ren

DOI: https://doi.org/10.1145/3460120.3484753

2021-11-12

Abstract:Dynamic analysis based on the full-system emulator QEMU is widely used for various purposes.However, it is challenging to run firmware images of embedded devices in QEMU, especially the process to boot the Linux kernel (we call this process rehosting the Linux kernel in this paper). That's because embedded devices usually use different system-on-chips (SoCs) from multiple vendors and only a limited number of SoCs are currently supported in QEMU. In this work, we propose a technique called peripheral transplantation. The main idea is to transplant the device drivers of designated peripherals into the Linux kernel binary. By doing so, it can replace the peripherals in the kernel that are currently unsupported in QEMU with supported ones, thus making the Linux kernel rehostable. After that, various applications can be built. We implemented this technique inside a prototype system called ECMO and applied it to 815 firmware images, which consist of 20 kernel versions and 37 device models. The result shows that ECMO can successfully transplant peripherals for all the 815 Linux kernels. Among them, 710 kernels can be successfully rehosted, i.e., launching a user-space shell (87.1% success rate). The failed cases are mainly because the root file system format (ramfs) is not supported by the kernel. Meanwhile, we are able to inject rather complex drivers (i.e., NIC driver) for all the rehosted Linux kernels by installing kernel modules. We further build three applications, i.e., kernel crash analysis, rootkit forensic analysis, and kernel fuzzing, based on the rehosted kernels to demonstrate the usage scenarios of ECMO.

Muhui Jiang,Xiaoye Zheng,Rui Chang,Yajin Zhou,Xiapu Luo

DOI: https://doi.org/10.1109/tse.2024.3406900

IF: 7.4

2024-01-01

IEEE Transactions on Software Engineering

Abstract:Emulators are commonly employed to construct dynamic analysis frameworks due to their ability to perform fine-grained tracing, monitor full system functionality, and run on diverse operating systems and architectures. Nonetheless, the consistency of emulators with the real devices, remains uncertain. To address this issue, our objective is to automatically identify inconsistent instructions that exhibit different behavior between emulators and real devices across distinct privileges, including user-level and system-level privilege.We target the Arm architecture, which provides machine-readable specifications. Based on the specification, we propose a sufficient test case generator by designing and implementing the first symbolic execution engine for the Arm architecture specification language (ASL). We generated 2,774,649 representative instruction streams and developed a differential testing engine, EXAMINER PRO. With this engine, we compared the behavior of real Arm devices across different instruction sets (A32, A64, T16, and T32) with the popular QEMU emulator, both at the user-level and system-level. To demonstrate the generalizability of EXAMINER PRO, we also tested two other emulators, namely Unicorn and Angr. We find that undefined implementation in Arm manual and bugs of emulators are the major causes of inconsistencies. Furthermore, we discover 17 bugs, which influence commonly used instructions (e.g., BLX). With the inconsistent instructions, we build three security applications and demonstrate the capability of these instructions on detecting emulators, anti-emulation, and anti-fuzzing.

Sai Ritvik Tanksalkar,Paschal C. Amusuo,Aravind Machiry,Jayashree Srinivasan,James C. Davis

DOI: https://doi.org/10.1109/DSN-S58398.2023.00031

2023-06-01

Abstract:Dynamic analysis of embedded firmware is a necessary capability for many security tasks, e.g., vulnerability detection. Rehosting is a technique that enables dynamic analysis by facilitating the execution of firmware in a host environment decoupled from the actual hardware. Current rehosting techniques focus on high-fidelity execution of the entire firmware. Consequently, these techniques try to execute firmware in an emulated environment, with precise models of hardware (i.e., peripheral) interactions. However, these techniques are hard to scale and have various drawbacks.We propose a novel take on rehosting by focusing on the application components and their interactions with the firmware without the need to model hardware dependencies. We achieve this by rehosting the embedded application as a Linux application. In addition to avoiding precise peripheral modeling, our rehosting technique enables the use of existing dynamic analysis techniques on these embedded applications. We provide an overview of our approach and demonstrate its feasibility on three real-world embedded applications. Our testing of these rehosted applications found 2 previously unknown defects in driver components. We discuss challenges in automating our process and present possible future research directions.

Computer Science,Engineering

Mingfeng Xin,Hui Wen,Liting Deng,Hong Li,Qiang Li,Limin Sun

DOI: https://doi.org/10.48550/arxiv.2107.09856

2021-01-01

Abstract: The rapid growth of the Industrial Internet of Things (IIoT) has brought embedded systems into focus as major targets for both security analysts and malicious adversaries. Due to the non-standard hardware and diverse software, embedded devices present unique challenges to security analysts for the accurate analysis of firmware binaries. The diversity in hardware components and tight coupling between firmware and hardware makes it hard to perform dynamic analysis, which must have the ability to execute firmware code in virtualized environments. However, emulating the large expanse of hardware peripherals makes analysts have to frequently modify the emulator for executing various firmware code in different virtualized environments, greatly limiting the ability of security analysis. In this work, we explore the problem of firmware re-hosting related to the real-time operating system (RTOS). Specifically, developers create a Board Support Package (BSP) and develop device drivers to make that RTOS run on their platform. By providing high-level replacements for BSP routines and device drivers, we can make the minimal modification of the firmware that is to be migrated from its original hardware environment into a virtualized one. We show that an approach capable of offering the ability to execute firmware at scale through patching firmware in an automated manner without modifying the existing emulators. Our approach, called static binary-level porting, first identifies the BSP and device drivers in target firmware, then patches the firmware with pre-built BSP routines and drivers that can be adapted to the existing emulators. Finally, we demonstrate the practicality of the proposed method on multiple hardware platforms and firmware samples for security analysis. The result shows that the approach is flexible enough to emulate firmware for vulnerability assessment and exploits development.

Zitai Chen,Sam L. Thomas,Flavio D. Garcia

DOI: https://doi.org/10.48550/arXiv.2208.03528

2022-08-06

Abstract:In this paper we present MetaEmu, an architecture-agnostic emulator synthesizer geared towards rehosting and security analysis of automotive firmware. MetaEmu improves over existing rehosting environments in two ways: Firstly, it solves the hitherto open-problem of a lack of generic Virtual Execution Environments (VXEs) for rehosting by synthesizing processor simulators from Ghidra's language definitions. In doing so, MetaEmu can simulate any processor supported by a vast and growing library of open-source definitions. In MetaEmu, we use a specification-based approach to cover peripherals, execution models, and analyses, which allows our framework to be easily extended. Secondly, MetaEmu can rehost and analyze multiple targets, each of different architecture, simultaneously, and share analysis facts between each target's analysis environment, a technique we call inter-device analysis. We show that the flexibility afforded by our approach does not lead to a performance trade-off -- MetaEmu lifts rehosted firmware to an optimized intermediate representation, and provides performance comparable to existing emulation tools, such as Unicorn. Our evaluation spans five different architectures, bare-metal and RTOS-based firmware, and three kinds of automotive Electronic Control Unit (ECU) from four distinct vendors -- none of which can be rehosted or emulated by current tools, due to lack of processor support. Further, we show how MetaEmu enables a diverse set of analyses by implementing a fuzzer, a symbolic executor for solving peripheral access checks, a CAN ID reverse engineering tool, and an inter-device coverage tracker.

Cryptography and Security

Chen Qiao,Liehui Jiang,Wei Dong,Lixin Wang

2011-01-01

Abstract:This paper takes Alpha processor as the platform,and migrates the system simulation software of QEMU to Alpha platform,so that the virtual machine on system can perform Linux operating system based on x86 architecture to achieve Alpha processor compatible x86 applications.Performance test is performed on virtual machine.Through the statistics of code inflation rate,a restricted virtual machine performance instruction type,is found to provide reference for virtual machine performance optimization.

刘文峰,李程远,李善平

DOI: https://doi.org/10.3785/j.issn.1008-973x.2004.04.013

2004-01-01

Abstract:Taking advantages of the modular nature of Linux, a set of Linux modules were improved to make Linux run on various SoC. The module improvement was including: developing a target-specific bootloader, designing a memory management module for the MMU-less processor, real-time improvement in scheduling module and organizing a small footprint file system for the flash memory. These modules can be reassembled on demands, catering for different boards and applications. Moreover, methods for developing embedded Linux are concluded, including tool chains and debug techniques. Case studies on two hardware platforms, based on ARM720T and M68K respectively, shown that the work satisfies application requirements.

Wenqiang Li,Le Guan,Jingqiang Lin,Jiameng Shi,Fengjun Li

DOI: https://doi.org/10.14722/ndss.2021.24308

2021-07-05

Abstract:Finding bugs in microcontroller (MCU) firmware is challenging, even for device manufacturers who own the source code. The MCU runs different instruction sets than x86 and exposes a very different development environment. This invalidates many existing sophisticated software testing tools on x86. To maintain a unified developing and testing environment, a straightforward way is to re-compile the source code into the native executable for a commodity machine (called rehosting). However, ad-hoc re-hosting is a daunting and tedious task and subject to many issues (library-dependence, kernel-dependence and hardware-dependence). In this work, we systematically explore the portability problem of MCU software and propose pararehosting to ease the porting process. Specifically, we abstract and implement a portable MCU (PMCU) using the POSIX interface. It models common functions of the MCU cores. For peripheral specific logic, we propose HAL-based peripheral function replacement, in which high-level hardware functions are replaced with an equivalent backend driver on the host. These backend drivers are invoked by well-designed para-APIs and can be reused across many MCU OSs. We categorize common HAL functions into four types and implement templates for quick backend development. Using the proposed approach, we have successfully rehosted nine MCU OSs including the widely deployed Amazon FreeRTOS, ARM Mbed OS, Zephyr and LiteOS. To demonstrate the superiority of our approach in terms of security testing, we used off-the-shelf dynamic analysis tools (AFL and ASAN) against the rehosted programs and discovered 28 previously-unknown bugs, among which 5 were confirmed by CVE and the other 19 were confirmed by vendors at the time of writing.

Programming Languages,Cryptography and Security,Distributed, Parallel, and Cluster Computing,Software Engineering

Ke-sheng LI,Bo YANG,Tian-wei XU,Li LI,Shu-zhuan HE,Hong-bing PANG

DOI: https://doi.org/10.16208/j.issn1000-7024.2016.05.042

2016-01-01

Abstract:A QEMU-based emulator for reconfigurable application specific processor was proposed to deal with the severe time-consuming problem exists in the process of emulating the whole system of SystemC-based emulator encounters,including opera-ting system,device drivers,application interfaces and software applications.Compared with SystemC,QEMU outperformed obviously in emulation speed,which provided chances to solve the problem above.By taking advantage of QEMU and abstracting functionality and architecture from the processor,the emulator designed and implemented performed with high accuracy on behavior and storage.In test,it shows great improvement on the speed of the full system emulation.And it also provides a platform for the software developers to develop and test their programs before the hardware development board being in place.

Wei Zhou,Lan Zhang,Le Guan,Peng Liu,Yuqing Zhang

DOI: https://doi.org/10.48550/arXiv.2208.07833

2022-08-16

Cryptography and Security

Abstract:Emulating firmware of microcontrollers is challenging due to the lack of peripheral models. Existing work finds out how to respond to peripheral read operations by analyzing the target firmware. This is problematic because the firmware sometimes does not contain enough clues to support the emulation or even contains misleading information (e.g. buggy firmware). In this work, we propose a new approach that builds peripheral models from the peripheral specification. Using NLP, we translate peripheral behaviors in human language (documented in chip manuals) into a set of structured condition-action rules. By checking, executing, and chaining them at runtime, we can dynamically synthesize a peripheral model for each firmware execution. The extracted condition-action rules might not be complete or even be wrong. We, therefore, propose incorporating symbolic execution to quickly pinpoint the root cause. This assists us in the manual correction of the problematic rules. We have implemented our idea for five popular MCU boards spanning three different chip vendors. Using a new edit-distance-based algorithm to calculate trace differences, our evaluation against a large firmware corpus confirmed that our prototype achieves much higher fidelity compared with state-of-the-art solutions. Benefiting from the accurate emulation, our emulator effectively avoids false positives observed in existing fuzzing work. We also designed a new dynamic analysis method to perform driver code compliance checks against the specification. We found some non-compliance which we later confirmed to be bugs caused by race conditions.

Wei Zhou,Le Guan,Peng Liu,Yuqing Zhang

DOI: https://doi.org/10.48550/arXiv.2107.07759

2021-07-16

Cryptography and Security

Abstract:Emulating firmware for microcontrollers is challenging due to the tight coupling between the hardware and firmware. This has greatly impeded the application of dynamic analysis tools to firmware analysis. The state-of-the-art work automatically models unknown peripherals by observing their access patterns, and then leverages heuristics to calculate the appropriate responses when unknown peripheral registers are accessed. However, we empirically found that this approach and the corresponding heuristics are frequently insufficient to emulate firmware. In this work, we propose a new approach called uEmu to emulate firmware with unknown peripherals. Unlike existing work that attempts to build a general model for each peripheral, our approach learns how to correctly emulate firmware execution at individual peripheral access points. It takes the image as input and symbolically executes it by representing unknown peripheral registers as symbols. During symbolic execution, it infers the rules to respond to unknown peripheral accesses. These rules are stored in a knowledge base, which is referred to during the dynamic firmware analysis. uEmu achieved a passing rate of 95% in a set of unit tests for peripheral drivers without any manual assistance. We also evaluated uEmu with real-world firmware samples and new bugs were discovered.

lei xu,zonghui wang,wenzhi chen

DOI: https://doi.org/10.1155/2015/310308

2015-01-01

Abstract:AbstractIn common sense, virtualization technology is adopted to offer several isolated execution environments and make better use of computational resources in server environment. However, in embedded systems, the significance of virtualization does not come into the picture. The extensive utilization of mobile smart devices has led to a series of issues such as security, wasting of resources, and power consumption. In this paper, we discuss how mobile virtualization addresses these challenges and then present a detail analysis of four mainstream mobile virtualization solutions: containers, paravirtualization, hardware-assisted full virtualization, and microkernel. At last, we carry out a series of performance comparisons among these solutions and make some suggestions for further research.

Disheng Su,Wenzhi Chen,Wei Huang,Haitao Shan,Yunhong Jiang

DOI: https://doi.org/10.1145/1519130.1519137

2009-01-01

Abstract:ABSTRACTEmbedded systems are making rapid changes and becoming increasingly sophisticated. To make full use of all the hardware resources on the system, multi OS environments and virtualization are both feasible ways but either needs lots of porting efforts or suffers performance degradation without hardware support for virtualization. We propose a virtualization platform for embedded system named the SmartVisor to provide a PC-compatible layer for guest OS, and it gains native-like performance while keeping zero-modification to guest OS by leveraging KVM and Intel's Atom embedded processor. SmartVisor realizes device pass-through by identity mapping of the guest memory and implements a Direct-Shadow mechanism to get rid of majority part of VMExit overhead. Measurement result shows the benefits of SmartVisor and deeper study of host-swapping reveals the potential advantages of SmartVisor on embedded systems.

CHEN Wen-zhi,HUANG Wei,XIE Cheng,HE Qin-ming

DOI: https://doi.org/10.3785/j.issn.1008-973x.2009.02.016

2009-01-01

Abstract:Virtualization was introduced to increase the security of embedded devices while avoiding the shortcomings caused by the hardware-based approach such as poor flexibility,high complexity and high production cost of equipments.Virtualization platform SmartVP offers a secure system environment by the software-based approach.SmartVP partitions the computing resources on the ARM processor into two parallel sets,one for standard real-time operating system T-Kernel and the other for general-purpose operating system Linux.The trusted computing base of SmartVP is constructed by protecting the code and data of the software on T-Kernel,as well as by implementing the fundamental security services and interfaces.Both performance benchmark and applications show that SmartVP improves the security of embedded devices and reduces the implementing risk together with developing time and cost.

Alexis Engelke,Dominik Okwieka,Martin Schulz

DOI: https://doi.org/10.1145/3453933.3454022

2021-04-07

Abstract:Emulation of other or newer processor architectures is necessary for a wide variety of use cases, from ensuring compatibility to offering a vehicle for computer architecture research. This problem is usually approached using dynamic binary translation, where machine code is translated, on the fly, to the host architecture during program execution. Existing systems, like QEMU, usually focus on translation performance rather than the overall program execution, and extensions, like HQEMU, are limited by their underlying implementation. Conversely, performance-focused systems are typically used for binary instrumentation. E.g., DynamoRIO reuses original instructions where possible, while Instrew utilizes the LLVM compiler infrastructure, but only supports same-architecture code generation. In this short paper, we generalize Instrew to support different guest and host architectures by refactoring the lifter and by implementing target-independent optimizations to re-use host hardware features for emulated code. We demonstrate this flexibility by adding support for RISC-V as guest architecture and AArch64 as host architecture. Our performance results on SPEC CPU2017 show significant improvements compared to QEMU, HQEMU as well as the original Instrew.

Ioannis Angelakopoulos,G. Stringhini,Manuel Egele

Abstract:The Linux-based firmware running on Internet of Things (IoT) devices is complex and consists of user level programs as well as kernel level code. Both components have been shown to have serious security vulnerabilities, and the risk linked to kernel vulnerabilities is particularly high, as these can lead to full system compromise. However, previous work only focuses on the user space component of embedded firmware. In this paper, we present Firm ware Sol uti o n ( FirmSolo ), a system designed to incorporate the kernel space into firmware analysis. FirmSolo features the Kernel Configuration Reverse Engineering (K.C.R.E.) process that leverages information (i.e., exported and required symbols and version magic) from the kernel modules found in firmware images to build a kernel that can load the modules within an emulated environment. This capability allows downstream analysis to broaden their scope into code executing in privileged mode. We evaluated FirmSolo on 1,470 images containing 56,688 kernel modules where it loaded 64% of the kernel modules. To demonstrate how FirmSolo aids downstream analysis, we integrate it with two representative analysis systems; the TriforceAFL kernel fuzzer and Firmadyne, a dynamic firmware analysis tool originally devoid of kernel mode analysis capabilities. Our TriforceAFL experiments on a subset of 75 kernel modules discovered 19 previously-unknown bugs in 11 distinct proprietary modules. Through Firmadyne we confirmed the presence of these previously-unknown bugs in 84 firmware images. Furthermore, by using FirmSolo , Firmadyne confirmed a previously-known memory corruption vulnerability in five different versions of the closed-source Kcodes’ NetUSB module across 15 firmware images.

Engineering,Computer Science

Jiaqi Gu,Ruoyao Wang,Jian Wang,Jinmei Lai,Qinghua Duan

DOI: https://doi.org/10.1109/ASICON.2017.8252498

2017-01-01

Abstract:Projects involving both software design and hardware design are usually retarded by expensive equipments, complex simulation and challenging modification. In order to retrench the designers' time and economic costs in SW/HW (Software/Hardware) co-design simulation, this paper demonstrates a remote embedded simulation system to help multiple users manage and simulate their SW/HW co-design projects remotely while scheduling the access to on-chip FPGA resources. We built a small-scale, high-concurrent multiuser management service system on board. The system offers TCP/IP connection and transmission, flexible Wi-Fi network, secure multiuser information and files management, real-time task progress notification, compilation and execution of multiple programming languages, run-time FPGA configuration and simulation, which considerably augments the exploitability for embedded simulation service. Meanwhile, we offer users a supporting PC (Personal Computer) application to attain pertinent features, which has a multithreading GUI (Graphical User Interface). In order to verify this design, we deploy a prototype on a Xilinx Zynq (TM)-7000 AP (All Programmable) SoC (System on Chips) Z-7010 on a ZYBO Board. We apply an image processing SW/HW co-design project to our prototype. The experiment result demonstrates the system's portability and efficacy when dealing with remote access, and flexibility when simulating SW/HW co-design projects through PR (Partial Reconfiguration) technique within reasonable latency. The latency for the end-to-end reconfiguration of a 306.60KB partial bitfile is 8.819ms.

Wei Li,Xiaohui Luo,Yiran Zhang,Qingkai Meng,Fengyuan Ren

DOI: https://doi.org/10.1007/978-3-031-12597-3_1

2022-01-01

Abstract:Emulation of Instruction Set Architecture (ISA) is necessary for a wide variety of use cases, such as providing the compatibility to execute programs compiled for a different ISA. This issue is usually solved using Dynamic Binary Translation (DBT), where guest machine code is translated to host ISA on runtime and Just-in-time (JIT) compilation is performed to achieve high-performance emulation. QEMU, a famous emulator, is developed to solve this issue, where Tiny Code Generator (TCG) is constructed to translate guest binary code to TCG Intermediate Representation (IR), and then generate target ISA machine code from TCG IR. Due to the limitations of TCG, some extensions, such as HQEMU, use LLVM as the backend to optimize programs and generate high-performance machine code. However, HQEMU is limited by its underlying implementation. That is, HQEMU still translates guest binary code to TCG IR at first. In this paper, we develop a novel, LLVM-based emulator, where guest machine code is directly lifted to LLVM IR to reduce the extra overhead and produce high-quality machine code. We evaluate our DBT emulator using BYTEmark benchmark and demonstrating its ability to outperform the de facto standard QEMU DBT system. The evaluation results confirm that our emulator delivers an average speedup of 3.3x over QEMU across BYTEmark benchmark compiled for x86-64 running on an ARMv8 platform, meanwhile, demonstrate that our user-level DBT emulator can significantly reduce the overhead to run a program on a cross-ISA system.

lei xu,wenzhi chen,zonghui wang

DOI: https://doi.org/10.1007/978-3-642-54900-7_37

2014-01-01

Abstract:In common sense, virtualization technology is adopted to offer several isolated execution environments and makes better use of computational resources which has been an important enabler for cloud computing. However, in embedded systems, the significance of virtualization does not come into the picture. The extensive utilization of mobile smart devices has led to a series of issues such as security, power consumption and performance limitation. Mobile virtualization can offer an effective approach in addressing these challenges. In this paper, we discuss how mobile virtualization addresses these challenges and then present a detail analysis of mainstream mobile virtualization solutions: Para-virtualization, Hardware-Assisted Full virtualization and Microkernel Hypervisor. At last, we carry out a series of performance comparison between these solutions and make some suggestions for further research.

Yunfang Tai,Wanwei Cai,Qi Liu,Ge Zhange

DOI: https://doi.org/10.1109/TrustCom.2013.124

2013-01-01

Abstract:Virtualization is one of the hot topics in operating systems. However, virtualization on MIPS servers remains stagnant after the first attempt was done in late 1990s. The previous solutions seem not to meet the needs of modern servers and many aspects of them can still be improved. This paper introduces KVM-Loongson, an efficient virtualization solution for MIPS based on KVM. Paravirtualization is adopted to improve the performance of CPU virtualization and the clock accuracy. It can also reduce the memory virtualization overheads which are caused by three factors existing in virtualization on MIPS. Our experience also reveals that hardware virtualization support for MIPS is still needed on the aspect of efficiency. The whole work is done on boards with Loongson-3A CPUs which are quad core processors based on MIPS64 ISA. Performance evaluations show that programs of SPEC CINT2000 on the virtual machine can achieve averaging 94% their performance on the native machine when running single virtual machine.