
    Automated Dynamic Firmware Analysis at Scale: A Case Study on Embedded Web Interfaces

    Embedded devices are becoming more widespread, interconnected, and web-enabled than ever. However, recent studies have shown that these devices are far from secure. Moreover, many embedded systems rely on web interfaces for user interaction or administration. Unfortunately, web security is known to be difficult, and the web interfaces of embedded systems therefore represent a considerable attack surface. In this paper, we present the first fully automated framework that applies dynamic firmware analysis techniques to achieve, in a scalable manner, automated vulnerability discovery within embedded firmware images. We apply our framework to study the security of embedded web interfaces running in Commercial Off-The-Shelf (COTS) embedded devices, such as routers, DSL/cable modems, VoIP phones, and IP/CCTV cameras. We introduce a methodology and implement a scalable framework for the discovery of vulnerabilities in embedded web interfaces regardless of the vendor, device, or architecture. To achieve this goal, our framework performs full system emulation to execute firmware images in a software-only environment, i.e., without involving any physical embedded devices. We then analyze the web interfaces within the firmware using both static and dynamic tools. We also present some interesting case studies, and discuss the main challenges associated with the dynamic analysis of firmware images and their web interfaces and network services. The observations we make in this paper shed light on an important aspect of embedded devices which was not previously studied at a large scale. We validate our framework by testing it on 1925 firmware images from 54 different vendors. We discover important vulnerabilities in 185 firmware images, affecting nearly a quarter of the vendors in our dataset. These experimental results demonstrate the effectiveness of our approach.
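
    The static half of the web-interface analysis the abstract describes, as an added example that is not the paper's framework: given an unpacked firmware root, walk the web root(s) and flag lines where a command-execution or eval sink and a request-controlled source appear together, which is the usual shape of the command-injection bugs in router CGI handlers. The sample web root is constructed inside the script; the web-root directory names, the sink/source lists and the file extensions are assumptions, and the check is line-local (no data-flow tracking), so a value copied through a variable on an earlier line is not followed.

```python
# Added illustration (not the paper's framework): line-local sink/source scan
# over the web root of an unpacked firmware image. Directory names, sink and
# source lists are assumptions; the sample files are constructed below.
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

SINK_RE = re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval)\b")
SOURCE_RE = re.compile(
    r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b|\bQUERY_STRING\b|\bHTTP_COOKIE\b|\bgetenv\("
)
WEB_DIRS = ("www", "htdocs", "web", "cgi-bin", "webroot")   # assumed typical web roots
SCAN_EXT = {".php", ".cgi", ".sh", ".lua", ".asp", ".htm", ".html", ".js"}


@dataclass(frozen=True)
class Finding:
    path: str    # relative to the firmware root
    line: int
    sink: str
    text: str


def find_web_roots(root: Path) -> list[Path]:
    """Directories under the unpacked filesystem whose name looks like a web root."""
    return sorted(p for p in root.rglob("*") if p.is_dir() and p.name in WEB_DIRS)


def scan_file(path: Path, root: Path) -> list[Finding]:
    """Flag every line that contains both an execution sink and a request source."""
    findings = []
    text = path.read_text(encoding="utf-8", errors="ignore")
    for no, line in enumerate(text.splitlines(), start=1):
        sink = SINK_RE.search(line)
        if sink and SOURCE_RE.search(line):
            findings.append(Finding(path.relative_to(root).as_posix(), no, sink.group(1), line.strip()))
    return findings


def scan_firmware_root(root: Path) -> list[Finding]:
    """Scan every script under every web root; nested roots are visited once."""
    findings, seen = [], set()
    for web in find_web_roots(root):
        for f in web.rglob("*"):
            if f.is_file() and f.suffix in SCAN_EXT and f not in seen:
                seen.add(f)
                findings.extend(scan_file(f, root))
    return findings


def build_sample_root(root: Path) -> None:
    """Constructed mini web root: two injectable handlers and one safe one."""
    cgi = root / "www" / "cgi-bin"
    cgi.mkdir(parents=True)
    (cgi / "ping.php").write_text('<?php system("ping -c 1 " . $_GET["host"]); ?>\n')
    (cgi / "diag.sh").write_text('#!/bin/sh\neval "$QUERY_STRING"\necho done\n')
    (cgi / "safe.php").write_text('<?php $h = escapeshellarg($_GET["host"]);\nsystem("ping -c 1 " . $h); ?>\n')
    (root / "www" / "index.html").write_text("<html><body>Router admin</body></html>\n")


def demo() -> list[Finding]:
    """Build the constructed sample root in a temporary directory and scan it."""
    root = Path(tempfile.mkdtemp())
    build_sample_root(root)
    return scan_firmware_root(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}:{f.line}: {f.sink} reached by request input: {f.text}")
```

    Point the scanner at the directory produced by your firmware unpacker instead of the constructed root. Expect false negatives whenever input flows through a variable or a helper (the `safe.php` case is only silent here because the quoting happens on a separate line), which is exactly the gap the dynamic side of the framework is meant to cover.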

    Defending embedded systems against control flow attacks

    This paper presents a control flow enforcement technique based on an Instruction Based Memory Access Control (IB-MAC) implemented in hardware. It is specifically designed to protect low-cost embedded systems against malicious manipulation of their control flow, as well as to prevent accidental stack overflows. This is achieved by using a simple hardware modification to divide the stack into a data stack and a control flow stack (or return stack). Moreover, access to the control flow stack is restricted to return and call instructions only, which prevents control flow manipulation. Previous solutions tackled the problem of control flow injection on general purpose computing devices and are rarely applicable to simpler low-cost embedded devices, which lack, for example, a Memory Management Unit (MMU) or execution rings. Our approach is binary compatible with legacy applications and only requires minimal changes to the tool-chain. Additionally, it does not increase memory usage, allows an optimal usage of stack memory, and prevents accidental stack corruption at run-time. We have implemented and tested IB-MAC on the AVR micro-controller using both a simulator and an implementation of the modified core on an FPGA. The implementation on reconfigurable hardware showed a small resulting overhead in terms of number of gates, and therefore a low overhead in expected production costs.
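
    The split-stack mechanism described above, as an added Python model that is not the paper's hardware or code: a tiny machine with a conventional single stack and with a separate return stack that only the CALL and RET operations touch, run through the same unchecked buffer copy. The memory size, addresses, 2-byte return-address width and the `0x0BAD` attacker target are assumptions chosen for the illustration.

```python
# Added illustration (not the paper's code): model of a conventional stack versus
# the IB-MAC split stack. Memory size, addresses and the 2-byte return address
# are assumptions; 0x0BAD is a constructed attacker-chosen target.

MEM_SIZE = 0x100
RET_STACK = range(0x40, 0x80)   # return (control-flow) stack region, split layout only
DATA_STACK_TOP = 0xF0           # data stack (or the single stack) grows down from here
MAIN_RET = 0x0020               # address the callee is supposed to return to
BUF_SIZE = 8                    # size of the callee's local buffer


class IBMACFault(Exception):
    """Raised when an ordinary data store touches the return stack (IB-MAC check)."""


class Machine:
    def __init__(self, split_stack: bool):
        self.split = split_stack
        self.mem = bytearray(MEM_SIZE)
        self.sp = DATA_STACK_TOP      # data stack pointer
        self.rsp = RET_STACK.stop     # return stack pointer (split layout only)

    def store(self, addr: int, value: int) -> None:
        """Data-path store: the only way ordinary instructions write memory.
        In the split layout the hardware refuses writes into the return stack."""
        if self.split and addr in RET_STACK:
            raise IBMACFault(f"data store into return stack at {addr:#06x}")
        self.mem[addr] = value

    def call(self, ret: int) -> None:
        """CALL: push the return address on the return stack (split) or the single stack."""
        if self.split:
            self.rsp -= 2
            self.mem[self.rsp:self.rsp + 2] = ret.to_bytes(2, "little")
        else:
            self.sp -= 2
            self.mem[self.sp:self.sp + 2] = ret.to_bytes(2, "little")

    def ret(self) -> int:
        """RET: pop the return address from wherever CALL pushed it."""
        if self.split:
            value = int.from_bytes(self.mem[self.rsp:self.rsp + 2], "little")
            self.rsp += 2
        else:
            value = int.from_bytes(self.mem[self.sp:self.sp + 2], "little")
            self.sp += 2
        return value


def run_handler(split_stack: bool, payload: bytes) -> int:
    """CALL a handler that copies `payload` into an 8-byte local buffer with no
    bounds check, then RET. Returns the address control actually transfers to."""
    m = Machine(split_stack)
    m.call(MAIN_RET)                     # caller: CALL handler
    m.sp -= BUF_SIZE                     # handler prologue: char buf[BUF_SIZE]
    for i, b in enumerate(payload):      # unchecked copy, like strcpy(buf, payload)
        m.store(m.sp + i, b)
    m.sp += BUF_SIZE                     # handler epilogue
    return m.ret()                       # RET


def pointer_write_faults(split_stack: bool) -> bool:
    """A corrupted pointer aimed straight at the saved return address: IB-MAC
    faults the store (it is not CALL/RET); the conventional layout lets it through."""
    m = Machine(split_stack)
    m.call(MAIN_RET)
    target = m.rsp if split_stack else m.sp   # where the saved return address lives
    try:
        m.store(target, 0xAD)
        m.store(target + 1, 0x0B)
    except IBMACFault:
        return True
    return False


# 8 bytes fill the buffer; the next 2 land on the saved return address in the
# conventional layout and redirect RET to 0x0BAD.
OVERFLOW = b"A" * BUF_SIZE + (0x0BAD).to_bytes(2, "little")

if __name__ == "__main__":
    print(f"conventional stack: RET goes to {run_handler(False, OVERFLOW):#06x}")
    print(f"split stack (IB-MAC): RET goes to {run_handler(True, OVERFLOW):#06x}")
    print("pointer write into return stack faults:", pointer_write_faults(True))
```

    In the split layout the overflow still clobbers whatever sits above the buffer on the data stack (other locals), so it remains a memory-safety bug; what the separate, CALL/RET-only return stack removes is the path from that bug to control-flow hijack, and the explicit store check is what turns a pointer-based attempt into a fault instead of a silent overwrite.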

    Short Paper: WifiLeaks: Underestimated Privacy Implications of the ACCESS_WIFI_STATE Android Permission

    On Android, installing an application implies accepting the permissions it requests, and these permissions are then enforced at runtime. In this work, we focus on the privacy implications of the ACCESS_WIFI_STATE permission. For this purpose, we analyzed the permissions of the 2700 most popular applications on Google Play and found that the ACCESS_WIFI_STATE permission is used by 41% of them. We then performed a static analysis of 998 applications requesting this permission and, based on the results, chose 88 applications for dynamic analysis. Our analyses reveal that this permission is already used by some companies to collect users' Personally Identifiable Information (PII). We also conducted an online survey to study users' perception of the privacy risks associated with this permission. This survey shows that users largely underestimate the privacy implications of this permission. As this permission is very common, most users are therefore potentially at risk.

    WifiLeaks: Underestimated Privacy Implications of the ACCESS_WIFI_STATE Android Permission

    A short version has been accepted for publication in: 7th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WISEC'14), Oxford, United Kingdom, July 23rd -- 25th 2014.
    On Android, users can choose to install an application, or not, based on the permissions it requests. These permissions are later enforced on the application by the system, e.g., when accessing sensitive user data. In this work, we focus on access to Wi-Fi related information, which is protected by the ACCESS_WIFI_STATE permission. We show that this apparently innocuous network-related permission can leak Personally Identifiable Information (PII). Such information is otherwise only accessible through clearly identifiable permissions (such as READ_PHONE_STATE, ACCESS_FINE_LOCATION or ACCESS_COARSE_LOCATION). We analyzed the permissions of 2700 applications from Google Play, and found that 41% of them use the ACCESS_WIFI_STATE permission. We then statically analyzed 998 such applications and, based on the results, selected 88 for dynamic analysis. Finally, we conducted an online survey to study user perception of the privacy risks associated with this permission. Our results demonstrate that users largely underestimate the privacy implications of this permission, in particular because they often cannot realize what private information can be inferred from it. Our analysis further reveals that some companies have already started to abuse this permission to collect personal user information, for example, to get a unique device identifier for tracking across applications or to geolocate the user without explicitly asking for the dedicated permissions. Because this permission is very common, most users are potentially at risk. There is therefore an urgent need to modify the privileges granted by this permission, as well as for a more accurate description of the implications of accepting a permission.
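
    The geolocation inference named in both WifiLeaks abstracts, as an added example that is not the authors' code: on the Android versions the paper studied, `WifiManager.getScanResults()` returned the BSSIDs and signal levels of nearby access points to any app holding ACCESS_WIFI_STATE, and matching those BSSIDs against a wardriving database of access-point positions gives a position estimate without ACCESS_FINE_LOCATION or ACCESS_COARSE_LOCATION (the MAC from `WifiInfo.getMacAddress()` is the stable identifier the abstract mentions and needs no computation). The scan results, the BSSID database and the path-loss constants below are constructed assumptions.

```python
# Added illustration (not the paper's code): weighted-centroid positioning from
# Wi-Fi scan results and a BSSID -> position database. All data is constructed.
import math

# Constructed BSSID -> (latitude, longitude) database, as a tracker might hold.
AP_DB = {
    "00:11:22:33:44:01": (48.85820, 2.29440),
    "00:11:22:33:44:02": (48.85900, 2.29600),
    "00:11:22:33:44:03": (48.85740, 2.29520),
}

# Constructed scan results in the shape of android.net.wifi.ScanResult fields.
SCAN = [
    {"BSSID": "00:11:22:33:44:01", "level": -48},   # strong: the user is close to it
    {"BSSID": "00:11:22:33:44:02", "level": -75},
    {"BSSID": "00:11:22:33:44:03", "level": -68},
    {"BSSID": "aa:bb:cc:dd:ee:ff", "level": -60},   # not in the database, ignored
]

TX_POWER_1M_DBM = -40.0   # assumed received power at 1 m from an access point
PATH_LOSS_EXP = 3.0       # assumed log-distance path-loss exponent (indoor/urban)


def rssi_to_metres(rssi_dbm: float) -> float:
    """Log-distance path-loss model: d = 10^((P0 - RSSI) / (10 n))."""
    return 10 ** ((TX_POWER_1M_DBM - rssi_dbm) / (10 * PATH_LOSS_EXP))


def estimate_position(scan, ap_db=AP_DB):
    """Weighted centroid of the known access points, each weighted by the inverse
    of its estimated distance. Returns (lat, lon), or None if nothing matched."""
    weighted_lat = weighted_lon = total = 0.0
    for r in scan:
        pos = ap_db.get(r["BSSID"].lower())
        if pos is None:
            continue                      # unknown AP: no position information
        w = 1.0 / rssi_to_metres(r["level"])
        weighted_lat += w * pos[0]
        weighted_lon += w * pos[1]
        total += w
    if total == 0.0:
        return None
    return weighted_lat / total, weighted_lon / total


def distance_metres(a, b) -> float:
    """Haversine distance between two (lat, lon) points, used to judge estimates."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6_371_000 * math.asin(math.sqrt(h))


if __name__ == "__main__":
    est = estimate_position(SCAN)
    print("estimated position:", est)
    print("distance to the strongest AP: %.0f m" % distance_metres(est, AP_DB[SCAN[0]["BSSID"]]))
```

    Since Android 6.0 `getScanResults()` returns results only to apps holding a location permission and `WifiInfo.getMacAddress()` returns the constant `02:00:00:00:00:00`, so the permission-free path shown here is the one that existed on the Android versions the paper analyzed; a connected BSSID from `WifiInfo.getBSSID()` still identifies a single access point and is worth treating as location data in your own threat model.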

    DolphinAttack: Inaudible Voice Commands

    Speech recognition (SR) systems such as Siri or Google Now have become an increasingly popular human-computer interaction method, and have turned various systems into voice controllable systems (VCS). Prior work on attacking VCS shows that hidden voice commands that are incomprehensible to people can control the systems. Hidden voice commands, though hidden, are nonetheless audible. In this work, we design a completely inaudible attack, DolphinAttack, that modulates voice commands on ultrasonic carriers (e.g., f > 20 kHz) to achieve inaudibility. By leveraging the nonlinearity of the microphone circuits, the modulated low frequency audio commands can be successfully demodulated, recovered, and, more importantly, interpreted by the speech recognition systems. We validate DolphinAttack on popular speech recognition systems, including Siri, Google Now, Samsung S Voice, Huawei HiVoice, Cortana and Alexa. By injecting a sequence of inaudible voice commands, we show a few proof-of-concept attacks, which include activating Siri to initiate a FaceTime call on an iPhone, activating Google Now to switch the phone to airplane mode, and even manipulating the navigation system in an Audi automobile. We propose hardware and software defense solutions. We validate that it is feasible to detect DolphinAttack by classifying the audio using a support vector machine (SVM), and suggest re-designing voice controllable systems to be resilient to inaudible voice command attacks.
    Comment: 15 pages, 17 figures
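
    The signal chain the abstract describes, as an added numeric model that is not the paper's code: a low-frequency "command" (a 1 kHz tone standing in for speech) is amplitude-modulated onto a 40 kHz carrier, so the emitted signal has no content in the voice band; an ideal linear microphone followed by voice-band filtering recovers nothing, while a microphone with a second-order nonlinearity produces the product term that puts the command back at baseband. The sample rate, carrier, tone, modulation depth and nonlinearity coefficient are assumptions chosen to keep the simulation clean.

```python
# Added illustration (not the paper's code): AM on an ultrasonic carrier,
# then a microphone front end with and without a square-law term, then a
# voice-band low-pass. All constants are assumptions for the simulation.
import math

FS = 192_000   # simulation sample rate, Hz (high enough to represent the carrier)
FC = 40_000    # ultrasonic carrier, Hz (> 20 kHz, inaudible)
FM = 1_000     # baseband "command" tone, Hz (inside the voice band)
N = 1_920      # 10 ms: whole numbers of FM and FC cycles, so tone bins are clean
DEPTH = 0.5    # AM modulation depth


def command(n: int) -> float:
    """The baseband command the attacker wants the assistant to hear."""
    return math.sin(2 * math.pi * FM * n / FS)


def am_signal() -> list[float]:
    """What the ultrasonic transducer emits: (1 + DEPTH*m(t)) * cos(2*pi*FC*t)."""
    return [(1 + DEPTH * command(n)) * math.cos(2 * math.pi * FC * n / FS) for n in range(N)]


def microphone(x: list[float], a2: float) -> list[float]:
    """Microphone/amplifier front end: out = in + a2*in^2.
    a2 = 0 is an ideal linear mic; a2 > 0 models the real nonlinearity."""
    return [v + a2 * v * v for v in x]


def voice_band_lowpass(x: list[float]) -> list[float]:
    """Stand-in for the anti-alias / voice-band filtering after the mic: a moving
    average whose nulls (multiples of FS/W = 8 kHz) fall on FC and 2*FC."""
    w = FS // 8_000
    out, acc = [], 0.0
    for n, v in enumerate(x):
        acc += v
        if n >= w:
            acc -= x[n - w]
        out.append(acc / min(n + 1, w))
    return out


def tone_amplitude(x: list[float], f: float) -> float:
    """Amplitude of a sinusoid at frequency f in x (one DFT bin)."""
    re = sum(v * math.cos(2 * math.pi * f * n / FS) for n, v in enumerate(x))
    im = sum(v * math.sin(2 * math.pi * f * n / FS) for n, v in enumerate(x))
    return 2 * math.hypot(re, im) / len(x)


def recovered_command_amplitude(a2: float) -> float:
    """Amplitude of the 1 kHz command after the mic and the voice-band filter."""
    return tone_amplitude(voice_band_lowpass(microphone(am_signal(), a2)), FM)


if __name__ == "__main__":
    print(f"1 kHz content in the emitted ultrasound: {tone_amplitude(am_signal(), FM):.4f}")
    print(f"recovered by a linear mic:               {recovered_command_amplitude(0.0):.4f}")
    print(f"recovered by a nonlinear mic (a2=0.5):   {recovered_command_amplitude(0.5):.4f}")
```

    The square term expands (1 + DEPTH*m)^2 * cos^2(2*pi*FC*t) into a DC offset, the command at FM (with amplitude a2*DEPTH), a weak harmonic at 2*FM, and components around 2*FC that the filter removes, which is why the recovered 1 kHz amplitude here is close to a2*DEPTH = 0.25 while the linear path gives essentially zero. The same expansion is what a software defense can look for: a demodulated command arrives with that DC shift and harmonic structure, and with nothing of the original speech above the filter's band.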

    Attacking and Protecting Constrained Embedded Systems from Control Flow Attacks

    The security of low-end embedded systems has become a very important topic as they are more connected and pervasive. This thesis explores software attacks in the context of embedded systems such as wireless sensor networks. These devices usually employ a micro-controller with very limited computing capabilities and memory availability, and a large variety of architectures. In the first part of this thesis we show the possibility of code injection attacks on Harvard architecture devices, which was largely believed to be infeasible. In the second part we describe attacks on existing software-based attestation techniques. These techniques are used to detect compromises of WSN nodes. We propose a new method for software-based attestation that is immune to the vulnerabilities in previous protocols. Finally, in the last part of this thesis we present a hardware-based technique that modifies the memory layout to prevent control flow attacks, and has a very low overhead.

    Finding vulnerabilities in Internet of Things devices
