Yan Shoshitaishvili Firmalice - NDSS Symposium...Prompt Authentication Success Failure Backdoor e.g....
Firmalice
Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware
Yan Shoshitaishvili
Ruoyu "Fish" Wang
Christopher Kruegel
Giovanni Vigna
UC Santa Barbara
Christophe Hauser
The Rise of Firmware
Emergence of Backdoors
Santamarta, Ruben. "HERE BE BACKDOORS: A Journey Into The Secrets Of Industrial Firmware." Black Hat USA (2012).
Heffner, Craig. "Finding and Reversing Backdoors in Consumer Firmware." EELive! (2014).
Heffner, Craig. "Reverse Engineering a D-Link Backdoor" /dev/ttys0 (2013).
Vanderbeken, Eloi. "TCP/32764 backdoor, or how linksys saved Christmas!" GitHub (2013).
Prompt
Authentication
Success Failure
Backdoor e.g. strcmp()
Hard to find.
Missing!
Our Solution: Input Determinism
Prompt
Authentication
Success Failure
Backdoor e.g. strcmp()
Easier to find!
Hard to find.
Prompt
Authentication
Success Failure
Backdoor e.g. strcmp()
Required input?
➔ Indeterminable
Required input?
➔ Determinable!
Prompt
Authentication
Success Failure
Backdoor e.g. strcmp()
Prompt
Authentication
Success Failure
Backdoor e.g. strcmp()
Easier to find, but how?
Hard to find.
Security Policies
Se·cu·ri·ty Pol·i·cy
/səˈkyo ͝orədē ˈpäləsē/
noun
1. Identifies sensitive firmware functionality.
2. "By which point must a user be authenticated?"
3. Description of a logical property of the program.
4. Some heuristics for automatic identification.
Firmalice
Inputs:
➔ Firmware Sample
➔ Security Policy
Challenges:
➔ Large binary programs
➔ Unrelated user input
Analysis Steps:
➔ Static Analysis (backwards program slicing)
➔ Dynamic Symbolic Execution
➔ Authentication Bypass Check
Static Analysis
Program Dependency Graph
Control Flow Graph
Control Dependency Graph
Data Dependency Graph
The CFG: Prompt, Authentication, Backdoor strcmp(), Success, Failure, and elided blocks (...)
Final Slice: Prompt, Authentication, Backdoor strcmp(), Success
Dynamic Symbolic Execution
Animation over the final slice (Prompt, Authentication, Backdoor strcmp(), Success): Initial Stage, then Steps 1 to 18
ID Authenticated Paths
1 Path 1 (first listed at Step 7)
2 Path 2 (first listed at Step 14)
3 Path 3 (first listed at Step 18)
Authentication Bypass
Path 1: Prompt, Authentication, Success (intermediate blocks elided)
Path 2: Prompt, Authentication, Success (intermediate blocks elided)
Path 3: Prompt, Backdoor, Success (intermediate blocks elided)
Path 1, Path Constraints: input == ???
Path 2, Path Constraints: input == ???
Path 3, Path Constraints: input == "..."
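An added illustration (not Firmalice's code and not from the talk) of the input-determinism check on path constraints: a toy slice is explored exhaustively, and a path to Success is flagged only when its constraints pin the input to constants present in the image. The slice, field names and credential values are constructed, and the check is an equality-only simplification of what a constraint solver would do.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Const:
    """Operand whose value is embedded in the firmware image."""
    value: str

@dataclass(frozen=True)
class Unknown:
    """Operand read from state the analyst cannot see (e.g. a user-set password)."""
    name: str

# Constructed slice. Branch: (field, operand, next_if_equal, next_if_different).
SLICE = {
    "prompt":   ("user", Const("admin"), "auth_pw", "backdoor"),
    "auth_pw":  ("pass", Unknown("stored_password"), "success", "failure"),
    "backdoor": ("user", Const("svc-debug"), "bd_pw", "failure"),
    "bd_pw":    ("pass", Const("constructed-secret"), "success", "failure"),
}

def authenticated_paths(cfg, node="prompt", constraints=()):
    """Explore both sides of every branch; return constraints of paths reaching 'success'."""
    if node == "success":
        return [list(constraints)]
    if node not in cfg:                          # 'failure' or any other terminal block
        return []
    field, operand, if_eq, if_ne = cfg[node]
    return (authenticated_paths(cfg, if_eq, constraints + ((field, "==", operand),))
            + authenticated_paths(cfg, if_ne, constraints + ((field, "!=", operand),)))

def concretize(constraints):
    """Return the unique input a path forces, or None if infeasible or indeterminable."""
    fixed, excluded, fields = {}, {}, set()
    for field, op, operand in constraints:
        fields.add(field)
        if isinstance(operand, Unknown):
            if op == "==":
                return None                      # input == ??? : depends on unseen state
            continue                             # != unknown never pins a value
        if op == "==":
            if fixed.setdefault(field, operand.value) != operand.value:
                return None                      # two different constants: infeasible
        else:
            excluded.setdefault(field, set()).add(operand.value)
    for field in fields:
        if field not in fixed or fixed[field] in excluded.get(field, ()):
            return None                          # not pinned, or contradicted by a !=
    return fixed

def find_bypasses(cfg):
    """Authenticated paths whose required input is fully determined by the image."""
    return [c for c in map(concretize, authenticated_paths(cfg)) if c is not None]

if __name__ == "__main__":
    for required in find_bypasses(SLICE):
        print("determinable input on authenticated path:", required)
```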
Implementation Details
VEX (Valgrind IR)
PyVEX
angr
x86, AMD64
ARM, ARM64
MIPS, MIPS64
PPC, PPC64
Backdoor Example
3S Vision N5072
Linux embedded device.
HTTP server for management and video monitoring.
Security Policy
➔ Authentication required for footage access
➔ "Image-Type" header
Backdoor
➔ Hard-coded user credentials
➔ Username: 3sadmin
➔ Password: 27988303
Slicing
➔ 5m
➔ 212 bb
DSE
➔ 26m
Summary
➔ New backdoor model: input determinism
➔ Implemented analysis system
➔ Found backdoors in real firmware!
Slicing with CFG: Prompt, Authentication, Backdoor strcmp(), Success, Failure, and elided blocks (...)
Slicing with PDG: Prompt, Authentication, Backdoor strcmp(), Success, Failure, and elided blocks (...)
Dell 1130n
Modified VxWorks system.
Includes an SNMP daemon for monitoring and management.
Security Policy
➔ Manually identified sensitive memory regions
Backdoor
➔ Specific SNMPv1 community string would allow configuration without checking authentication
Slicing
➔ 14m
➔ 532 bb
DSE
➔ >11h