Tue 09.06.22
9:30A EDT/6:30A PDT
1 Hour 30 Minute Event
ABSTRACT
Microcontrollers, or MCUs for short, are commonly used for building modern Internet of Things (IoT) and embedded devices. As MCUs control security-critical operations in automobiles, industrial control systems (ICS), smart homes, etc., MCU security is of pivotal importance. However, MCU firmware, which contains the whole software stack of the MCU, has vulnerabilities just as computer software does. Existing proven automated vulnerability discovery techniques, such as fuzzing and dynamic symbolic execution, cannot be applied to MCU firmware because there are no platforms on which firmware can execute while being tested. As a result, firmware vulnerabilities remain undiscovered and unfixed before the firmware is deployed to real-world devices. These vulnerabilities, once exploited by attackers, can cause severe security and safety consequences, such as data breaches, property loss, or even human injury. In this thesis, I propose three novel systems to conduct automated, scalable, and hardware-independent (i.e., not using any hardware) firmware testing in emulated environments. First, I present P2IM, an automated firmware testing framework that empowers fuzzers to test firmware in a generic emulator which does not emulate any of the diverse peripherals. To cope with the unemulated peripherals, P2IM adopts a novel technique that automatically models processor-peripheral interfaces, i.e., memory-mapped peripheral registers and interrupts, instead of emulating each peripheral. P2IM improved code coverage by 7 to 30 times and found 7 previously unknown, security-critical vulnerabilities when testing 10 real-world firmware using an off-the-shelf fuzzer. Second, I propose AIM, an Automatic Interrupt Modeling mechanism for dynamic firmware analysis, to better test firmware that heavily uses interrupts. AIM adopts a technique called Just-In-Time interrupt firing, which fires interrupts right before the point where the firmware execution could be influenced by the interrupt, to cover different code paths that depend on the interrupt. Last, as existing works fail to test stateful firmware that uses state machines, I propose FirmSym to solve this problem. FirmSym recovers state machines from the firmware by program analysis techniques and uses them to guide dynamic symbolic execution (DSE).
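An added illustration of the register-interface modeling idea the abstract attributes to P2IM. This is example code written for this page, not P2IM's implementation: the UART register addresses, the status bit, and the line-reading firmware routine are all assumptions. The point it shows is that the firmware's own MMIO accesses are trapped by a harness which, instead of emulating a UART, treats the status register as "always ready while input remains" and serves the data register from a fuzzer-supplied byte stream, so the firmware logic runs with no hardware behind it.

```c
/* Hardware-independent peripheral-interface model (illustrative, not P2IM).
 * The firmware below reads a line from a UART through two memory-mapped
 * registers. No UART is emulated: reads of the status register report
 * "data ready" while fuzz input remains, so the busy-wait loop makes
 * progress, and reads of the data register return the next fuzz byte.
 * Register addresses and the status bit layout are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define UART_BASE    0x40004400u           /* hypothetical MMIO base        */
#define UART_SR      (UART_BASE + 0x00u)   /* status register (assumed)     */
#define UART_DR      (UART_BASE + 0x04u)   /* data register (assumed)       */
#define UART_SR_RXNE (1u << 5)             /* "receive not empty" (assumed) */

/* ---- harness side: the peripheral model ------------------------------ */
static const uint8_t *fuzz_input;   /* bytes a fuzzer would supply */
static size_t fuzz_len, fuzz_pos;

/* Load a new test case into the model. */
void model_reset(const uint8_t *input, size_t len)
{
    fuzz_input = input;
    fuzz_len = len;
    fuzz_pos = 0;
}

/* Every firmware MMIO read is routed here; there is no device behind it. */
uint32_t mmio_read(uint32_t addr)
{
    switch (addr) {
    case UART_SR:
        /* Status-type register: claim RX data is available while the
         * fuzz stream has bytes left, so polling loops terminate. */
        return fuzz_pos < fuzz_len ? UART_SR_RXNE : 0u;
    case UART_DR:
        /* Data-type register: consume and return the next fuzz byte. */
        return fuzz_pos < fuzz_len ? fuzz_input[fuzz_pos++] : 0u;
    default:
        return 0u;  /* unmodeled register: conservative default */
    }
}

/* ---- firmware side: application logic under test --------------------- */
#define LINE_MAX 16

/* Reads characters until '\n' or the buffer is full (cap includes the
 * terminator). Returns the number of bytes stored, or -1 when the status
 * register reports no data before anything was read. */
int uart_read_line(char *buf, size_t cap)
{
    size_t n = 0;
    while (n + 1 < cap) {
        if ((mmio_read(UART_SR) & UART_SR_RXNE) == 0) {
            buf[n] = '\0';
            return n ? (int)n : -1;   /* model says: input exhausted */
        }
        char c = (char)mmio_read(UART_DR);
        if (c == '\n')
            break;
        buf[n++] = c;
    }
    buf[n] = '\0';
    return (int)n;
}

/* Stand-alone run over a constructed test case. */
int main(void)
{
    const uint8_t sample[] = "GET /\nrest";   /* constructed fuzz input */
    char line[LINE_MAX];
    int n;

    model_reset(sample, sizeof sample - 1);
    while ((n = uart_read_line(line, sizeof line)) >= 0)
        printf("firmware read %d bytes: \"%s\"\n", n, line);
    return 0;
}
```

The harness never needs the real UART's timing or wiring; it only has to know which register is status-like and which is data-like, which is exactly the classification the abstract says P2IM derives automatically. The same trap point is also where a coverage-guided fuzzer would hook in: each `mmio_read` of the data register consumes fuzzer bytes, so mutations of the input directly steer the firmware's control flow.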
ABOUT THE SPEAKER
Bo Feng is a PhD candidate in the Khoury College of Computer Sciences at Northeastern University. He is advised by Prof. Long Lu. His research focuses on securing IoT and embedded devices through automated firmware testing. He has been an intern at Samsung Research America and AT&T Labs Research. Prior to joining Northeastern, he received his bachelor’s degree in computer science from Wuhan University.
COMMITTEE
Long Lu, Associate Professor, Northeastern University
Engin Kirda, Professor, Northeastern University
Guevara Noubir, Professor, Northeastern University
Manuel Egele, Associate Professor, Boston University
Join the Zoom here: https://northeastern.zoom.us/j/97576244245?pwd=ZnJGTC81Zit4d3hjaU1BcTVCMWdyUT09
Password: 309157