FirmAE

FirmAE is a fully-automated framework that performs emulation and vulnerability analysis. FirmAE significantly increases the emulation success rate (From Firmadyne's 16.28% to 79.36%) with five arbitration techniques. We tested FirmAE on 1,124 wireless-router and IP-camera firmware images from top eight vendors.

We also developed a dynamic analysis tool for 0-day discovery, which infers web service information based on the filesystem and kernel logs of target firmware. By running our tool on the succesfully emulation firmware images, we discovered 12 new 0-days which affect 23 devices.

Installation

Note that we tested FirmAE on Ubuntu 18.04.

Clone FirmAE

$ git clone --recursive https://github.com/pr0v3rbs/FirmAE

Run download.sh script.

$ ./download.sh

Run install.sh script.

$ ./install.sh

Usage

Run init.sh script.

$ ./init.sh

Prepare a firmware.

$ wget ftp://ftp.dlink.eu/Products/dir/dir-868l/driver_software/DIR-868L_fw_revB_2-05b02_eu_multi_20161117.zip

Check emulation

$ sudo ./run.sh -c <brand> <firmware>

Run analysis

$ sudo ./run.sh -a <brand> <firmware>

Debug

After a firmware image successfully emulated.

$ sudo ./run.sh -d <brand> <firmware>

Turn on/off arbitration

Check the five arbitrations environment variable in the firmae.config

$ head firmae.config
#!/bin/sh

FIRMAE_BOOT=true
FIRMAE_NETWORK=true
FIRMAE_NVRAM=true
FIRMAE_KERNEL=true
FIRMAE_ETC=true

if (${FIRMAE_ETC}); then
  TIMEOUT=240

Docker

First, prepare a docker image.

$ sudo ./docker-init.sh

Parallel mode

Then, run one of the below commands. -ec checks only the emulation, and -ea checks the emulation and analyzes vulnerabilities.

$ sudo ./docker-helper.py -ec <brand> <firmware>
$ sudo ./docker-helper.py -ea <brand> <firmware>

Debug mode

After a firmware image successfully emulated.

$ sudo ./docker-helper.py -ed <firmware>

Dataset

Google drive - download

CVEs

ASUS: CVE-2019-20082
Belkin: Belkin01
D-Link: CVE-2018-20114, CVE-2018-19986, CVE-2018-19987, CVE-2018-19988, CVE-2018-19989, CVE-2018-19990, CVE-2019-6258, CVE-2019-20084
TRENDNet: CVE-2019-11399, CVE-2019-11400

Authors

This research project has been conducted by SysSec Lab at KAIST.

Citation

We would appreciate if you consider citing our paper when using FirmAE.

@inproceedings{kim:2020:firmae,
  author = {Mingeun Kim and Dongkwan Kim and Eunsoo Kim and Suryeon Kim and Yeongjin Jang and Yongdae Kim},
  title = {{FirmAE}: Towards Large-Scale Emulation of IoT Firmware for Dynamic Analysis},
  booktitle = {Annual Computer Security Applications Conference (ACSAC)},
  year = 2020,
  month = dec,
  address = {Online}
}

About

Towards Large-Scale Emulation of IoT Firmware for Dynamic Analysis

MIT License

Languages

Language:Python 74.1%Language:Shell 14.1%Language:C 9.6%Language:C++ 1.6%Language:Dockerfile 0.5%Language:Makefile 0.2%