Ying Zhang,Bo Yu

DOI: https://doi.org/10.1109/icpads60453.2023.00137

2023-01-01

Abstract:In recent years, numerous attacks on IoT device firmware caused by component vulnerabilities have occurred, they has attracted a great deal of attention from security researchers. Thus, identifying the component and version information in IoT device firmware is of great significance for conducting large-scale IoT device firmware vulnerability correlation analysis, security risk assessment and emergency response of the IoT. Existing methods may not dig deeper into the features of version information, resulting in missing recognition information, leading to insufficient recognition accuracy. Alternatively, existing methods rely on features such as CFG, which makes it difficult to accurately match components between different versions, leading to recognition errors. For these reasons, in this paper, we propose a taint analysis-based version identification method for IoT firmware components. Firstly, we use the feature information extracted from the binary file as the source point for taint analysis, then we perform reverse flow analysis based on the data flow of function calls, and then we find the memory address of the version information as the sink to identify the version information of the component. To evaluate our approach, we collected 312,330 firmware components from 10161 real firmware from 11 different vendors covering various architectures such as MIPS, ARM, X86, and PowerPC and various operating systems such as Linux and FreeBSD (32/64 bit). The experiments demonstrate that the FirmCVI does not require manually building a large-scale database, and achieves an average identification accuracy of up to 96.07% for IoT device firmware component versions, false positives within 5%. And the average time taken to identify component versions is about 0.19 seconds, which is 10 times more efficient than existing version identification tools. It provides powerful data and technical support for IOT device firmware vulnerability correlation analysis.

Binbin Zhao,Shouling Ji,Jiacheng Xu,Yuan Tian,Qiuyang Wei,Qinying Wang,Chenyang Lyu,Xuhong Zhang,Changting Lin,Jingzheng Wu,Raheem Beyah

DOI: https://doi.org/10.1145/3533767.3534366

2022-01-01

Abstract:As the core of IoT devices, firmware is undoubtedly vital. Currently, the development of IoT firmware heavily depends on third-party components (TPCs), which significantly improves the development efficiency and reduces the cost. Nevertheless, TPCs are not secure, and the vulnerabilities in TPCs will turn back influence the security of IoT firmware. Currently, existing works pay less attention to the vulnerabilities caused by TPCs, and we still lack a comprehensive understanding of the security impact of TPC vulnerability against firmware. To fill in the knowledge gap, we design and implement FirmSec, which leverages syntactical features and control-flow graph features to detect the TPCs at version-level in firmware, and then recognizes the corresponding vulnerabilities. Based on FirmSec, we present the first large-scale analysis of the usage of TPCs and the corresponding vulnerabilities in firmware. More specifically, we perform an analysis on 34,136 firmware images, including 11,086 publicly accessible firmware images, and 23,050 private firmware images from TSmart. We successfully detect 584 TPCs and identify 128,757 vulnerabilities caused by 429 CVEs. Our in-depth analysis reveals the diversity of security issues for different kinds of firmware from various vendors, and discovers some well-known vulnerabilities are still deeply rooted in many firmware images. We also find that the TPCs used in firmware have fallen behind by five years on average. Besides, we explore the geographical distribution of vulnerable devices, and confirm the security situation of devices in several regions, e.g., South Korea and China, is more severe than in other regions. Further analysis shows 2,478 commercial firmware images have potentially violated GPL/AGPL licensing terms.

Wei Xie,Yikun Jiang,Yong Tang,Yuanming Gao,Ning Ding

DOI: https://doi.org/10.1109/icpads.2017.00104

2017-01-01

Abstract:With the development of Internet of Things(IoT), more and more smart devices are connected into the Internet. The security and privacy issues of IoT devices have received increasingly academic and industrial attentions. Vulnerability detection is the key technology to protect IoT devices from zeroday attacks. However, traditional methods and tools of vulnerability detection cannot be directly used in analyzing IoT firmware. This paper firstly reviews related works on vulnerability detection in IoT firmware, previous researches are classified into four types i.e. static analysis, symbolic execution, fuzzing on emulators and comprehensive testing. Then, this paper points out that the specificity of vulnerability detection in IoT firmware is to detect logical flaws in embedded binaries which are built on the MIPS architecture. Finally, this paper proposes a method based on fuzzing and static analysis to detect authentication bypass flaws in IoT embedded binary servers. The proposed method is proved to be effective by verifying known CVEs as well as discovering unknown ones.

Bo Yu ,Yongyi Zhang,Runhao Liu,Zhoushi Sheng

DOI: https://doi.org/10.1145/3542637.3543705

2022-01-01

Abstract:Component vulnerability matching offers an approach for discovering vulnerabilities existing in IoT firmware. In this work, A component composition analysis and reliability assessment (C2ARA) is developed to improve the component vulnerability matching. The C2ARA method employs a knowledge graph for discovering the components and their relationships from the extracted file system of the firmware. The key to the proposed method is to discover vulnerabilities from the component composition extracted from IoT firmware file systems, rather than only the information provided by CVE databases and firmware vendor. The results of the experiment with a large-scale dataset demonstrate the effectiveness of the C2ARA method.

Yongyi Zhang,Bo Yu,Lei Zhou,Qiang Yang

DOI: https://doi.org/10.1145/3689236.3689262

2024-01-01

Abstract:With the development of Internet of Things (IoT) technology, the number and complexity of IoT devices have increased rapidly. As the basic enabling software of IoT devices, firmware provides rich functions such as communication, collection and management. Nevertheless, developers do not fully consider security when developing firmware, leaving the firmware vulnerable to exploitation by malware. IoT firmware security analysis has become the focus of research. However, existing works for the security of firmware pay less attention to nested third-party components (TPCs) including the TPCs directly and indirectly referenced. Meanwhile, these works lack a quantitatively analysis of the complexity brought by TPCs to firmware. In this paper, we propose a nested TPCs identification method and introduce firmware complexity metric at the firmware supply chain level. Then, we propose FirmRadar to automatically and comprehensively analyze IoT firmware characterization, including basic information, TPC characterization, CVE characterization and firmware complexity metric. Based on FirmRadar, we conduct a large-scale analysis of 11,988 firmware from 14 vendors. We successfully identify 5,365 TPCs and detect 516,280 potential vulnerabilities caused by 590 CVEs. We further find that although firmware may reference a large number of TPCs, most of the vulnerabilities are concentrated on a few TPCs. Moreover, by analyzing the nested TPCs in firmware, we discover that the number of TPCs directly referenced is less than the number of TPCs indirectly referenced. Finally, we quantitatively analyze firmware complexity metric of each vendor and find that the firmware referencing more TPCs and TPCs functions does not always contain more vulnerabilities.

Dingding Wang,Muhui Jiang,Rui Chang,Yajin Zhou,Hexiang Wang,Baolei Hou,Lei Wu,Xiapu Luo

DOI: https://doi.org/10.1109/tdsc.2023.3334017

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:IoT devices are becoming popular. Meanwhile, researchers are actively working on improving the security of IoT devices. However, previous works ignore the insecurity caused by a special category of devices, i.e., the End-of-Life (EoL) devices. Once a product becomes End-of-Life, vendors tend to no longer maintain its firmware or software, including fixing bugs and patching vulnerabilities. This makes EoL devices susceptible to attacks. For instance, a report showed that an EoL model with thousands of active devices was exploited to redirect web traffic for malicious purposes. In this paper, we conduct the first empirical study to shed light on the (in)security of EoL devices. To this end, our study performs two types of analysis, including the liveness analysis and the vulnerability analysis . The first one aims to detect the scale of EoL devices that are still alive in the wild. The second one is to evaluate the vulnerabilities existing in (active) EoL devices. We applied our approach to a large number of EoL models from three vendors (i.e., D-Link, Tp-Link, and Netgear) and detect the alive devices in a time period of more than two years . Our study reveals some worrisome facts that were unknown by the community. For instance, there exist a large number (more than 3 million) of active EoL devices. Some devices (more than 1 million) are still alive even after five years since EoL. Furthermore, more than half of the vulnerabilities (182 of 294) are discovered after the EoL date. Although vendors may release security patches after the EoL date, the process is ad hoc and incomplete, with only limited functionality. Furthermore, these patches can have side effects, such as providing valuable information to attackers. In summary, more than 2 million active EoL devices are vulnerable, and nearly half of them are threatened by high-risk vulnerabilities. Attackers can achieve a minimum of 8.67 Tbps DDoS attack by exploiting OS command injection vulnerabilities and compromising a large number of active EoL devices. We believe these facts pose a clear call for more attention to deal with the security issues of EoL devices.

YongLe Chen,Feng Ma,Ying Zhang,YongZhong He,Haining Wang,Qiang Li

2024-06-18

Abstract:The Internet of Things (IoT) has become indispensable to our daily lives and work. Unfortunately, developers often reuse software libraries in the IoT firmware, leading to a major security concern. If vulnerabilities or insecure versions of these libraries go unpatched, a massive number of IoT devices can be impacted. In this paper, we propose the AutoFirm, an automated tool for detecting reused libraries in IoT firmware at a large scale. Specifically, AutoFirm leverages the syntax information (library name and version) to determine whether IoT firmware reuses the libraries. We conduct a large-scale empirical study of reused libraries of IoT firmware, investigating more than 6,900+ firmware and 2,700+ distinct vulnerabilities affecting 11,300+ vulnerable versions from 349 open-source software libraries. Leveraging this diverse information set, we conduct a qualitative assessment of vulnerable library versions to understand security gaps and the misplaced trust of libraries in IoT firmware. Our research reveals that: manufacturers neglected to update outdated libraries for IoT firmware in 67.3\% of cases; on average, outdated libraries persisted for over 1.34 years prior to remediation; vulnerabilities of software libraries have posed server threats to widespread IoT devices.

Cryptography and Security,Software Engineering

Yikun Jiang,Wei Xie,Yong Tang

DOI: https://doi.org/10.1145/3290480.3290491

2018-01-01

Abstract:With the rapid development of network and communication technologies, everything is able to be connected to the Internet. IoT devices, which include home routers, IP cameras, wireless printers and so on, are crucial parts facilitating to build pervasive and ubiquitous networks. As the number of IoT devices around the world increases, the security issues become more and more serious. To handle with the security issues and protect the IoT devices from being compromised, the firmware of devices needs to be strengthened by discovering and repairing vulnerabilities. Current vulnerability detection tools can only help strengthening traditional software, nevertheless these tools are not practical enough for IoT device firmware, because of the peculiarity in firmware's structure and embedded device's architecture. Therefore, new vulnerability detection framework is required for analyzing IoT device firmware. This paper reviews related works on vulnerability detection in IoT firmware, proposes and implements a framework to automatically detect authentication-bypass flaws in a large scale of Linux-based firmware. The proposed framework is evaluated with a data set of 2351 firmware images from several target vendors, which is proved to be capable of performing large-scale and automated analysis on firmware, and 1 known and 10 unknown authentication-bypass flaws are found by the analysis.

Binbin Zhao,Shouling Ji,Jiacheng Xu,Yuan Tian,Qiuyang Wei,Qinying Wang,Chenyang Lyu,Xuhong Zhang,Changting Lin,Jingzheng Wu,Raheem Beyah

DOI: https://doi.org/10.1109/tdsc.2023.3279846

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Currently, the development of IoT firmware heavily depends on third-party components (TPCs) to improve development efficiency. Nevertheless, TPCs are not secure, and the vulnerabilities in TPCs will influence the security of IoT firmware. Existing works pay less attention to the vulnerabilities caused by TPCs, and we still lack a comprehensive understanding of the security impact of TPC vulnerability against firmware. To fill in the knowledge gap, we design and implement FirmSec, which leverages syntactical features and control-flow graph features to detect the TPCs in firmware, and then recognizes the corresponding vulnerabilities. Based on FirmSec, we present the first large-scale analysis of the security risks raised by TPCs on 34,136 firmware images. We successfully detect 584 TPCs and identify 128,757 vulnerabilities caused by 429 CVEs. Our in-depth analysis reveals the diversity of security risks in firmware and discovers some well-known vulnerabilities are still rooted in firmware. Besides, we explore the geographical distribution of vulnerable devices and confirm that the security situation of devices in different regions varies. Our analysis also indicates that vulnerabilities caused by TPCs in firmware keep growing with the boom of the IoT ecosystem. Further analysis shows 2,478 commercial firmware images have potentially violated GPL/AGPL licensing terms.

Yifei Xu,Ting Liu,Pengfei Liu,Hong Sun

DOI: https://doi.org/10.1109/CNS.2018.8433163

2018-01-01

Abstract:The firmware vulnerability is one of the most serious threats for Internet-of-Things (IoT) security. However, it is hard to investigate firmware, due to the lack of source code and the complicated structure. In this paper, a searchbased firmware code analysis method is proposed to associate the program functionalities with the assembly code. In the experiment, the firmware of Siemens PAC4200 power meter is selected to demonstrate how to search the assembly code of device information interface. Moreover, one vulnerability of this interface is shown, which would be exploited to manipulate the data of device.

Zicong Gao,Chao Zhang,Hangtian Liu,Wenhou Sun,Zhizhuo Tang,Liehui Jiang,Jianjun Chen,Yong Xie

DOI: https://doi.org/10.14722/ndss.2024.24346

2024-01-01

Abstract:IoT devices are often found vulnerable, i.e., untrusted inputs may trigger potential vulnerabilities and flow to sensitive operations in the firmware, which could cause severe damage.As such vulnerabilities are in general taint-style, a promising solution to find them is static taint analysis.However, existing solutions have limited efficiency and effectiveness.In this paper, we propose a new efficient and effective taint analysis solution, namely HermeScan, to discover such vulnerabilities, which utilizes reaching definition analysis (RDA) to conduct taint analysis and gets much fewer false negatives, false positives, and time costs.We have implemented a prototype of HermeScan and conducted a thorough evaluation on two datasets, i.e., one 0-day dataset with 30 latest firmware and one N-day dataset with 98 older firmware, and compared with two state-of-theart (SOTA) solutions, i.e., KARONTE and SaTC.In terms of effectiveness, HermeScan, SaTC, and KARONTE find 163, 32, and 0 vulnerabilities in the 0-day dataset respectively.In terms of accuracy, the true positive rates of HermeScan, SaTC, and KARONTE are 81%, 42%, and 0% in the 0-day dataset.In terms of efficiency, HermeScan is 7.5X and 3.8X faster than SaTC and KARONTE on average in finding 0-day vulnerabilities.

Yisen Wang,Jianjing Shen,Jian Lin,Rui Lou

DOI: https://doi.org/10.1109/access.2019.2893733

IF: 3.9

2019-01-01

IEEE Access

Abstract:The security situation of the Internet of Things (IoT) is more serious than ever, and there is an urgent need to detect and patch device vulnerability rapidly. With the astronomical numbers of IoT devices, it is very difficult to execute regular security inspections. Existing vulnerability detection technology based on simple feature matching cannot reach high accuracy to detect firmware vulnerabilities while using a control flow graph matching directly has proven to be too expensive. To address the problem of accurate and efficient, we present a method of staged firmware vulnerability detection based on code similarity. The first stage, function embedding based on neural network is used to analyze the similarities among functions, and large-scale firmware security inspection can be achieved efficiently. The second stage, the similarity among function local call flow graphs is calculated for fine-grained firmware security analysis, and this stage can improve the accuracy of vulnerability detection. We compared our method with state-of-the-art approaches, and the experimental results demonstrate that our method is more accurate. The average retraining time of our method is 1 h, and the real-world firmware vulnerability detection experiment of our method demonstrates that the true positive rate of the top 30 is as high as 86%.

Donglan Liu,Hao Zhang,Rui Wang,Fangzhe Zhang,Lili Sun,Xin Liu,Lei Ma

DOI: https://doi.org/10.3233/JHS-222027

2022-01-01

Journal of High Speed Networks

Abstract:In recent years, with the rapid development of IoT technology, hundreds of millions of IoT devices have been manufactured and applied, and the subsequent IoT attacks have become more and more severe. The complex and diverse architecture of IoT devices, coupled with the lack of security development specifications by IoT device manufacturers, and the widespread misuse and abuse of code, lead to the proliferation of IoT vulnerabilities. The conventional IoT vulnerability detection scheme is expensive to operate, and the implementation technology is complex, which is difficult to be fully promoted. This paper proposes a lightweight IoT firmware vulnerability detection scheme based on homology detection. The processing is converted into a feature vector, which effectively reduces the platform dependence. Combined with the database technology, the storage and retrieval efficiency is increased, and the same-origin vulnerability detection is realized by calculating the cosine similarity of the vector. The experimental results show that this scheme can effectively identify the vulnerabilities in firmware.

Daojing He,Hongjie Gu,Tinghui Li,Yongliang Du,Xiaolei Wang,Sencun Zhu,Nadra Guizani

DOI: https://doi.org/10.1109/mnet.011.2000450

IF: 10.294

2021-03-01

IEEE Network

Abstract:IoT devices are becoming increasingly ubiquitous because they have greatly simplified many aspects of our daily life and our work. However, most firmware in these embedded devices carry various security vulnerabilities, such as hard-cod-ed passwords, cryptographic keys, insecure configurations and backdoors. Recent large-scale attacks have demonstrated that the security vulnerabilities in IoT firmware have posed a severe threat to the Internet infrastructure. In this work, we design a hybrid platform to detect vulnerabilities in IoT firmware, which integrates both offline static detection and online dynamic detection. Our evaluation on real IoT devices shows that the proposed platform can effectively identify various security weaknesses and risks in firmware, such as dangerous processes, exploitable vulnerabilities, and other attack surfaces.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Peng Liu,Yasu Cao,Yujun Yan,Yong Wang

DOI: https://doi.org/10.1109/access.2024.3378533

IF: 3.9

2024-03-27

IEEE Access

Abstract:With the continuous improvement of Internet of Things technology, Internet of Things devices are gradually popularized in people's lives and work, bringing convenience to people, but also there are many security risks. There are more and more types of attacks on IoT devices, and the security of their firmware has become a focus of attention. Aiming at firmware vulnerabilities in devices, a firmware vulnerability detection algorithm based on pattern-specific features and structural features is proposed in this study. The algorithm uses the two-stage method to filter and match the functions precisely, so as to find the functions matching the vulnerability functions. By reducing the local call graph from five layers to three layers, the algorithm operation and detection efficiency are improved, and the accurate matching method of weighted three-layer local call graph is implemented. The experimental results showed that the Top1 index value of the five-layer local call graph ranges from 81.99 to 90.19. The indexes of control flow chart and attribute control flow chart fluctuated greatly, ranging from 61.57 to 91.08 and 54.62 to 87.55, respectively. The Top1 index value of the weighted three-layer local call graph increased by 3.73%, and the average increased by 1.47%, indicating a significant improvement in the whole. It can be concluded that the firmware vulnerability detection algorithm based on the matching of pattern-specific numerical features and structural features can effectively find the function that actually matches the vulnerability function, and improve the efficiency of firmware vulnerability detection.

computer science, information systems,telecommunications,engineering, electrical & electronic

Shen Quanjiang,Song Yan,Yu Xiaohu,Li Tinghui,He Daojing,Yang Guisong

DOI: https://doi.org/10.1109/ICCECE51280.2021.9342303

2021-01-01

Abstract:In recent years, Internet of things security incidents occur frequently, which has threatened the stability of the country, society and personal privacy. As the core of Internet of things equipment system, the security of firmware is very important. In order to design a more reasonable and effective firmware security detection method, the firmware needs to be analyzed in detail. This paper describes the security objectives of firmware from three aspects of confidentiality, integrity and availability, summarizes and analyzes the firmware attack surface, and carries out relevant verification experiments for each attack surface. In order to solve the tedious steps of firmware format identification, unpacking and key information extraction in the process of large-scale firmware security analysis, a firmware security analysis tool is designed and implemented, and large-scale experimental analysis of firmware is carried out from the perspectives of open-source components, weak passwords and hard coding.

Chi Zhang,Yu Wang,Linzhang Wang

DOI: https://doi.org/10.1145/3457913.3457934

2021-01-01

Abstract:Background: Firmware is the enable software of Internet of Things (IoT) devices, and its software vulnerabilities are one of the primary reason of IoT devices being exploited. Due to the limited resources of IoT devices, it is impractical to deploy sophisticated run-time protection techniques. Under an insecure network environment, when a firmware is exploited, it may lead to denial of service, information disclosure, elevation of privilege, or even life-threatening. Therefore, firmware vulnerability detection by fuzzing has become the key to ensure the security of IoT devices, and has also become a hot topic in academic and industrial research. With the rapid growth of the existing IoT devices, the size and complexity of firmware, the variety of firmware types, and the firmware defects, existing IoT firmware fuzzing methods face challenges. Objective: This paper summarizes the typical types of IoT firmware fuzzing methods, analyzes the contribution of these works, and summarizes the shortcomings of existing fuzzing methods. Method: We design several research questions, extract keywords from the research questions, then use the keywords to search for related literature. Result: We divide the existing firmware fuzzing work into real-device-based fuzzing and simulation-based fuzzing according to the firmware execution environment, and simulation-based fuzzing is the mainstream in the future; we found that the main types of vulnerabilities targeted by existing fuzzing methods are memory corruption vulnerabilities; firmware fuzzing faces more difficulties than ordinary software fuzzing. Conclusion: Through the analysis of the advantages and disadvantages of different methods, this review provides guidance for further improving the performance of fuzzing techniques, and proposes several recommendations from the findings of this review.

Maoyu Yang,Xu Zhou,Danjun Liu,Lei Zhou,Yong Tang

DOI: https://doi.org/10.1109/eiect60552.2023.10442540

2023-01-01

Abstract:Dynamic taint analysis is a common and efficient technique in program analysis. IoT devices are widespread and generally have weak protection, making them a hotspot for vulnerabilities. Although some dynamic taint analysis tools and frameworks have been proposed for IoT firmware, they all suffer from one or more issues: performance degradation, lack of generality, or being limited to user mode only. We propose a cross-platform, full-system simulation dynamic taint analysis framework for IoT firmware, Firmware Dynamic Taint Analysis Framework (FDTAF). FDTAF provides a novel Virtual Machine Introspection (VMI) combined with bit-level taint propagation at TCG layer of QEMU. Additionally, we provide analysis tools for the generated taint data flow to improve the usability of dynamic taint analysis when analyzing IoT devices. The implementation of FDTAF includes 1680 lines of C++ code, 9490 lines of C code, and 320 lines of Python code. We present a comparison of the applicability of FDTAF and DECAF in firmware analysis and validate the practicality of the analysis framework using real-world vulnerabilities.

Runhao Liu,Bo Yu,Baosheng Wang,Jianbin Ye

DOI: https://doi.org/10.1007/978-3-031-22390-7_23

2022-01-01

Abstract:With the widespread deployment of Internet of Things (IoT) devices, firmware vulnerabilities can result in considerable damage. However, existing firmware fuzzing methods, which rely on program exception signals, can only find memory corruption vulnerabilities that lead to program crashes. Fuzzing also misses vulnerabilities that exist in the execution path but are not triggered. To solve this problem, we propose Anatomist, the first enhanced firmware vulnerability discovery method based on program state abnormality determination with whole-system replay. The Anatomist first identifies the dangerous operation candidates during whole-system replay. Using single-path symbolic tracing, Anatomist determines whether the program states of dangerous operation candidates are abnormal. Also, Anatomist identifies vulnerabilities on the execution path based on program state abnormality determination. We implemented Anatomist and compared the results of Anatomist with those of FirmAFL, the most advanced firmware vulnerability discovery method, on the FirmAFL dataset. The experimental results showed that Anatomist increased the vulnerability discovery speed by 741.64% on average. Additionally, Anatomist successfully found 3 0-day vulnerabilities in 3 firmware, including 2 memory corruption vulnerabilities and 1 logic vulnerability. The experimental results demonstrated that Anatomist augments firmware vulnerability discovery in two aspects. Anatomist can detect untriggered vulnerabilities on the execution path that are missed by fuzzing. In addition, Anatomist can also identify logic vulnerabilities that cannot be detected by fuzzing.

Yao Yao,Wei Zhou,Yan Jia,Lipeng Zhu,Peng Liu,Yuqing Zhang

DOI: https://doi.org/10.1007/978-3-030-29959-0_31

2019-01-01

Abstract:With the rapid proliferation of IoT devices, we have witnessed increasing security breaches targeting IoT devices. To address this, considerable attention has been drawn to the vulnerability discovery of IoT firmware. However, in contrast to the traditional firmware bugs/vulnerabilities (e.g. memory corruption), the privilege separation model in IoT firmware has not yet been systematically investigated. In this paper, we conducted an in-depth security analysis of the privilege separation model of IoT firmware and identified a previously unknown vulnerability called privilege separation vulnerability. By combining loading information extraction, library function recognition and symbolic execution, we developed Gerbil, a firmware-analysis-specific extension of the Angr framework for analyzing binaries to effectively identify privilege separation vulnerabilities in IoT firmware. So far, we have evaluated Gerbil on 106 real-world IoT firmware images (100 of which are bare-metal and RTOS-based device firmware. Gerbil have successfully detected privilege separation vulnerabilities in 69 of them. We have also verified and exploited the privilege separation vulnerabilities in several popular smart devices including Xiaomi smart gateway, Changdi smart oven and TP-Link smart WiFi plug. Our research demonstrates that an attacker can leverage the privilege separation vulnerability to launch a border spectrum of attacks such as malicious firmware replacement and denial of service.