Improving the security of Linux-based IoT firmware code via re-hosting and dynamic analysis techniques
Abstract
The Internet of Things (IoT) comprises billions of Internet-connected devices and gadgets that run dedicated software, called firmware. Even though these devices are at the forefront of innovation, their firmware is notorious for its numerous security weaknesses. For this reason, IoT firmware has become a prime target for malicious actors. Despite the contributions of prior research in identifying and remediating security bugs and vulnerabilities in IoT firmware through static, dynamic and hybrid analysis techniques, new security issues arise on a daily basis (Claroty, 2022). For Linux-based IoT firmware, dynamic vulnerability analysis techniques that rely on firmware re-hosting (emulation) are the most popular. In this thesis, I address challenges in both the firmware re-hosting and the dynamic vulnerability analysis domains and propose novel contributions to improve the security posture of IoT firmware. Specifically, I introduce new techniques for firmware re-hosting that allow downstream (dynamic) analysis systems to be applied to binary Linux-based kernel-level firmware code. I also present methods that broaden the scope of firmware dynamic analysis to detect diverse bugs and vulnerabilities (e.g., memory corruption and deadlock bugs) in binary privileged (kernel-level) Linux-based firmware code. To improve firmware re-hosting, I propose three approaches: FirmSolo, Pandawan, and FirmDiff. I first present FirmSolo, a framework designed to re-host, at scale, the Linux-based binary kernel modules found within firmware images and to expose these modules to existing downstream analyses. The evaluation of FirmSolo shows not only that it successfully re-hosts the majority of the binary kernel modules in firmware images, but also that it enables dynamic analysis systems to detect multiple previously unknown bugs in these modules.
Next, I detail Pandawan, a framework whose contribution is twofold: 1) the ability to objectively compare full-system re-hosting approaches based on their emulation capabilities, and 2) the ability to holistically (at both the user and the privileged level) re-host and analyze IoT firmware. Pandawan's evaluation demonstrates that it facilitates the objective comparison of state-of-the-art re-hosting systems based on user-defined, emulation-specific metrics (e.g., code coverage). Furthermore, owing to its holistic re-hosting and analysis capabilities, Pandawan discovers both previously known and previously unknown bugs in binary IoT kernel modules. Next, I discuss FirmDiff, an automated binary diffing framework that enables analysts to improve the fidelity of the IoT kernel module re-hosting process and thereby achieve a more effective analysis. These contributions to firmware re-hosting (specifically of privileged firmware code) motivate the development of novel firmware analysis techniques. Finally, therefore, I propose Lock 'n Load (LL) as my contribution to the firmware analysis landscape. LL is a dynamic analysis framework that builds on my re-hosting frameworks to enable the analysis of proprietary, binary-only IoT kernel modules for deadlock-related bugs. My analysis with LL reveals multiple previously unknown deadlock bugs across multiple binary-only targets. In summary, I improve the security of Linux-based IoT firmware code by introducing (holistic) re-hosting techniques that expose Linux-based privileged IoT firmware code to downstream analysis at scale. Furthermore, I apply novel dynamic analysis techniques to privileged Linux-based IoT firmware code to detect diverse bugs (e.g., deadlock bugs). These contributions are only possible because of the firmware re-hosting and analysis frameworks developed during my research.
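The abstract does not describe how LL detects deadlocks, and the following is not code from the thesis or from any of its frameworks. It is an added illustration of the kind of dynamic check that becomes possible once a kernel module runs under a re-hosting environment that can record its lock acquisitions: a lockdep-style lock-order graph built from an execution trace, which flags a lock-order inversion (a potential ABBA deadlock) even when the two threads involved never actually blocked each other in the observed run. The trace format, the lock and thread identifiers, and the function names are assumptions made for this example; the two traces are constructed inputs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_LOCKS   8
#define MAX_HELD    8
#define MAX_THREADS 4

/* One recorded event from a (constructed) lock trace: thread `tid`
 * performs op 'A' (acquire) or 'R' (release) on lock `lock`. */
typedef struct { int tid; char op; int lock; } lock_event;

/* Lock-order graph: order[a][b] is true once some thread has acquired
 * lock b while already holding lock a. */
static bool order[MAX_LOCKS][MAX_LOCKS];
static int  held[MAX_THREADS][MAX_HELD];
static int  nheld[MAX_THREADS];

static void reset_state(void) {
    memset(order, 0, sizeof order);
    memset(nheld, 0, sizeof nheld);
}

/* Depth-first search over the order graph: is `to` reachable from `from`? */
static bool reaches(int from, int to, bool *visited) {
    if (from == to) return true;
    visited[from] = true;
    for (int n = 0; n < MAX_LOCKS; n++)
        if (order[from][n] && !visited[n] && reaches(n, to, visited))
            return true;
    return false;
}

/* Replay a trace and return the index of the first acquire that would
 * close a cycle in the lock-order graph (a potential deadlock), or -1
 * if every acquisition is consistent with the order seen so far.
 * Re-acquiring a lock that is already held by the same thread is also
 * reported, since the example treats locks as non-recursive. */
int find_lock_order_inversion(const lock_event *ev, size_t n) {
    reset_state();
    for (size_t i = 0; i < n; i++) {
        int t = ev[i].tid, l = ev[i].lock;
        if (ev[i].op == 'R') {
            /* release: remove the lock from this thread's held set */
            for (int k = 0; k < nheld[t]; k++)
                if (held[t][k] == l) { held[t][k] = held[t][--nheld[t]]; break; }
            continue;
        }
        /* acquire: for every lock h already held, adding the edge h -> l
         * must not create a cycle; if l already reaches h, the new
         * acquisition inverts an order observed earlier in the trace. */
        for (int k = 0; k < nheld[t]; k++) {
            int h = held[t][k];
            bool visited[MAX_LOCKS] = {0};
            if (reaches(l, h, visited))
                return (int)i;
            order[h][l] = true;
        }
        if (nheld[t] < MAX_HELD) held[t][nheld[t]++] = l;
    }
    return -1;
}

/* Constructed trace 1: both threads take lock 0 then lock 1 (consistent). */
static const lock_event trace_consistent[] = {
    {0, 'A', 0}, {0, 'A', 1}, {0, 'R', 1}, {0, 'R', 0},
    {1, 'A', 0}, {1, 'A', 1}, {1, 'R', 1}, {1, 'R', 0},
};

/* Constructed trace 2: thread 0 takes 0 then 1, thread 1 takes 1 then 0.
 * No thread blocked in this run, but the order graph now has a cycle. */
static const lock_event trace_abba[] = {
    {0, 'A', 0}, {0, 'A', 1}, {0, 'R', 1}, {0, 'R', 0},
    {1, 'A', 1}, {1, 'A', 0}, {1, 'R', 0}, {1, 'R', 1},
};

int check_consistent_trace(void) {
    return find_lock_order_inversion(trace_consistent,
                                     sizeof trace_consistent / sizeof *trace_consistent);
}

int check_abba_trace(void) {
    return find_lock_order_inversion(trace_abba,
                                     sizeof trace_abba / sizeof *trace_abba);
}

int main(void) {
    printf("consistent trace: inversion at event %d\n", check_consistent_trace()); /* -1 */
    printf("ABBA trace:       inversion at event %d\n", check_abba_trace());       /* 5  */
    return 0;
}
```

The check is order-based rather than state-based: it reports the potential deadlock at the acquisition that completes the cycle (event 5, thread 1 taking lock 0 while holding lock 1), even though the two critical sections did not overlap in time. That is what makes a trace from a single re-hosted run useful for finding deadlocks that would only manifest under a different interleaving on the real device.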
Description
2026
License
Attribution 4.0 International