FirmSolo: Enabling dynamic analysis of binary Linux-based IoT kernel modules
Speaker
Ioannis Angelakopoulos
Abstract
The Linux-based firmware running on Internet of Things (IoT) devices is complex and consists of user-level programs as well as kernel-level code. Both components have been shown to have serious security vulnerabilities, and the risk linked to kernel vulnerabilities is particularly high, as these can lead to full system compromise. However, previous work focuses only on the user-space component of embedded firmware. In this talk, I present FirmSolo, a system designed to incorporate the kernel space into firmware analysis. FirmSolo configures and builds custom kernels that can load IoT binary kernel modules within an emulated environment and expose these kernel modules to dynamic analysis. I evaluated FirmSolo on a dataset of 1,470 firmware images containing 56,688 kernel modules, where it loaded 64% of the kernel modules. To demonstrate FirmSolo's utility in downstream analysis, I integrated FirmSolo with two example dynamic analysis systems, the TriforceAFL kernel fuzzer and Firmadyne. The TriforceAFL experiments on a subset of 75 kernel modules revealed 19 previously unknown bugs in 11 proprietary kernel modules. With Firmadyne, I confirmed the presence of these bugs in 84 firmware images and also confirmed the previously known memory corruption vulnerability of the closed-source KCodes NetUSB kernel module across 15 firmware images.