FIRMMOD: Generating API Taint Models for Firmware Analysis
摘要
Firmware is an important part of the attack surface for the Internet of Things. Attackers typically inject malicious data through the peripherals. Understanding the impact of attacker-controlled data requires an understanding of where such data flows within software, which is challenging due to the complex peripheral behavior. We present a symbolic execution-based firmware rehosting approach that utilizes MMIO access guided API modeling to avoid the complexity in handling low-level details of peripheral behaviors and to precisely track the flows of the peripheral data registers into the upper layers in the software stack. We have developed FIRMMOD on top of S2E for ARM Cortex M3 and applied it to Amazon FreeRTOS firmware samples. Our results indicate that API modeling is an effective approach for goal-based reachability analysis for firmware. It enables FIRMMOD to achieve up to 2X more code coverage compared to Fuzzware and to detect two known buffer overflow vulnerabilities at the ES WIFI layer.