Computer Science 194 – Lecture 23: TPM, Attestation, UEFI; Security: Selinux, HiStar
A new firmware security tool called ‘angr’ was announced at Black Hat Briefings this week:
Angr is a platform-agnostic concolic binary analysis platform developed by the Seclab at the University of California Santa Barbara and their associated CTF team, Shellphish. angr is a multi-architecture binary analysis platform, with the capability to perform dynamic symbolic execution (like Mayhem, KLEE, etc) and various static analyses on binaries. Several challenges must be overcome to do this, and angr has components that meet all of these challenges:
* Loading a binary into the analysis program.
* Translating a binary into an intermediate representation (IR).
* Translating that IR into a semantic representation (i.e., what it does, not just what it is).
* Performing the actual analysis. This could be:
+ A full-program static analysis (i.e., type inference, program slicing).
+ A symbolic exploration of the program’s state space (i.e., “Can we execute it until we find an overflow?”).
+ Some combination of the above (i.e., “Let’s execute only program slices that lead to a memory write, to find an overflow.”)
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Chris Kruegel, Chief Scientist, Lastline
Over the last few years, as the world has moved closer to realizing the idea of the Internet of Things, an increasing number of the analog things with which we used to interact every day have been replaced with connected devices. The increasingly-complex systems that drive these devices have one thing in common – they must all communicate to carry out their intended functionality. Such communication is handled by firmware embedded in the device. And firmware, like any piece of software, is susceptible to a wide range of errors and vulnerabilities.