FirmFuzz: Automated IoT Firmware Introspection and Analysis


Prashast Srivastava, Hui Peng, Jiahao Li, Hamed Okhravi, Howard Shrobe, Mathias Payer

While the number of IoT devices grows at an exhilarating pace their security remains stagnant. Imposing secure coding standards across all vendors is infeasible. Testing individual devices allows an analyst to evaluate their security post deployment. Any discovered vulnerabilities can then be disclosed to the vendors in order to assist them in securing their products. The search for vulnerabilities should ideally be automated for efficiency and furthermore be device-independent for scalability. We present FirmFuzz, an automated device-independent emulation and dynamic analysis framework for Linux-based firmware images. It employs a greybox-based generational fuzzing approach coupled with static analysis and system introspection to provide targeted and deterministic bug discovery within a firmware image. We evaluate FirmFuzz by emulating and dynamically analyzing 32 images (from 27 unique devices) with a network accessible from the host performing the emulation. During testing, FirmFuzz discovered seven previously undisclosed vulnerabilities across six different devices: two IP cameras and four routers. So far, 4 CVE’s have been assigned.

http://nebelwelt.net/publications/files/19IOTSP.pdf

If you know where the source code is, please leave a Comment on the blog.

MuSupport: A VS Code extension to support Project Mu

Matthew Carlson has written a Visual Studio Code plugin for Microsoft’s Project Mu.

https://github.com/matthewfcarlson/musupport

Matthew: if you’re reading this, please consider also supporting Tianocore/EDK2, not just Project Mu, as there is no Tianocore extension for VSCode, so your project would be useful to another community as well.

For other open source IDE support for UEFI, there’s an Eclipse plugin and Visual Studio-based VisualUEFI. For closed-source IDE support, there is Intel ISS and ARM DS-5. Maybe others, I’m not aware of, if you know of one, please leave a Comment.

https://firmwaresecurity.com/2015/08/15/new-tool-visual-uefi-for-windows/

https://firmwaresecurity.com/2015/10/12/eclipse-edk2-plugin/

checkm8: permanent unpatchable bootrom exploit for hundreds of millions of iOS devices

There is an interesting iOS bootloader exploit that is causing excitement in the iPhone security researcher community:

https://github.com/axi0mX/ipwndfu

DMTF releases SPDM (Security Protocol and Data Model) 0.95 spec

DMTF has a new version of the Security Protocol and Data Model (SPDM) spec.

“The SPDM Specification provides message exchange, sequence diagrams, message formats, and other relevant semantics for authentication, firmware measurement, and certificate retrieval.”

https://www.dmtf.org/content/dmtf-releases-new-wip-update-its-security-protocol-and-data-model-spdm-specification

https://www.dmtf.org/content/dmtf-shares-plans-session-keys-spdm-11
https://www.dmtf.org/sites/default/files/standards/documents/DSP0275_0.95a.zip

Intel: A New Memory Type against Speculative Side Channel Attacks

Intel has a new paper on side channel attacks:

A New Memory Type against Speculative Side Channel Attacks

https://github.com/intelstormteam/Papers/blob/master/2019-A_New_Memory_Type_Against_Speculative_Side_Channel_Attacks_v1.42.pdf

Linaro works with Riscure to secure the TEE ecosystem

Linaro Ltd, the open source collaborative engineering organization developing software for the Arm® ecosystem, today announced together with Riscure their collaboration enabling developers to deliver secure and robust TEE-based solutions. Under the terms of this partnership, Riscure, the globally recognized expert in embedded security research, will contribute to OP-TEE security with regular code review and fuzzing campaigns. OP-TEE is an open source project maintained by the Trusted Firmware project. Both projects are hosted by Linaro and work to provide security for Arm-based solutions. Riscure has created an open-source fuzzing tool specifically designed for OP-TEE.[…]

https://www.linaro.org/news/linaro-works-with-riscure-to-secure-the-tee-ecosystem/

https://www.riscure.com/news/linaro-works-with-riscure-to-secure-the-tee-ecosystem/

SVD-Loader for Ghidra: Simplifying bare-metal ARM reverse engineering

https://github.com/leveldown-security/SVD-Loader-Ghidra

https://leveldown.de/blog/svd-loader/

Nighthawk: Transparent System Introspection from Ring -3

[…]In this paper, we propose an introspection framework called Nighthawk that transparently checks system integrity at runtime. Nighthawk leverages the Intel Management Engine (IME), a co-processor that runs in isolation from the main CPU. By using the IME, our approach has a minimal TCB and incurs negligible overhead on the host system on a suite of indicative benchmarks. We use Nighthawk to check the integrity of the system software and firmware of a host system at runtime. The experimental results show that Nighthawk can detect real-world attacks against the OS, hypervisors, and System Management Mode while mitigating several classes of evasive attacks.[…]

https://link.springer.com/chapter/10.1007%2F978-3-030-29962-0_11

Multiboot-Toolkit: create a multiboot device which works in UEFI or BIOS.

This looks interesting: a boot disk that does a few things. But I’m not sure what this fully does. Little documentation, most of the binaries are provided without source and come pre-zipped. (Be careful with binary-only releases, they might contain malware…) Windows-centric. But it includes multiple bootloaders, dozens of scripts and executables…

The source code (Github site) appears to be new, but there are 2 blog posts >1year old on the topic:

https://github.com/niemtin007/Multiboot-Toolkit

https://niemtin007.blogspot.com/2018/01/how-to-build-multiboot-toolkit-2.html
https://translate.google.com/translate?u=https://niemtin007.blogspot.com/2018/01/how-to-build-multiboot-toolkit-2.html

https://niemtin007.blogspot.com/2017/08/how-to-build-multiboot-toolkit.html
https://translate.google.com/translate?u=https://niemtin007.blogspot.com/2017/08/how-to-build-multiboot-toolkit.html

UEFI-QEMU-Communicator: Talk with UEFI running in QEMU through named pipes

The script can run any arbitrary command and retrieve its exit code, wait for boot and skip the 5-second prompt (and optionally skip startup.nsh), or send reset/shutdown commands. Code written in (almost) pure BASH with no subprocesses spawned. Only print function calls ‘sed’ once.

https://github.com/artem-nefedov/uefi-qemu-communicator

PS: The author also wrote UEFI-GDB.
https://github.com/artem-nefedov/uefi-gdb

INTEL-SA-00290: Intel® Data Direct I/O Technology (Intel® DDIO) and Remote Direct Memory Access (RDMA): VUSec’s NetCAT

From the VUSec site:

NetCAT shows that network-based cache side-channel attacks are a realistic threat. Cache attacks have been traditionally used to leak sensitive data on a local setting (e.g., from an attacker-controlled virtual machine to a victim virtual machine that share the CPU cache on a cloud platform). With NetCAT, we show this threat extends to untrusted clients over the network, which can now leak sensitive data such as keystrokes in a SSH session from remote servers with no local access. The root cause of the vulnerability is a recent Intel feature called DDIO, which grants network devices and other peripherals access to the CPU cache. Originally, intended as a performance optimization in fast networks, we show DDIO has severe security implications, exposing servers in local untrusted networks to remote side-channel attacks.

Intel agrees this is a significant vulnerability, having awarded NetCAT a bounty and recommending users to “limit direct access from untrusted networks when DDIO & RDMA are enabled“. This essentially means that in untrusted network environments DDIO and/or RDMA should be disabled to provide security. To the best of our knowledge, this is the first time a major hardware vendor like Intel cautions against using a CPU feature in untrusted local networks.

https://software.intel.com/security-software-guidance/insights/more-information-netcat

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00290.html

VuSec info: