SoK: Enabling Security Analyses of Embedded Systems via Rehosting

Andrew Fasano; Tiemoko Ballo; Marius Muench; Tim Leek; Alexander Bulekov; Brendan Dolan-Gavitt; Manuel Egele; Aurélien Francillon; Long Lu; Nick Gregory; Davide Balzarotti; William Robertson

doi:10.1145/3433210.3453093

SoK: Enabling Security Analyses of Embedded Systems via Rehosting

Andrew Fasano, Tiemoko Ballo, Marius Muench, Tim Leek, Alexander Bulekov, Brendan Dolan-Gavitt, Manuel Egele, Aurélien Francillon, Long Lu, Nick Gregory, Davide Balzarotti, William Robertson

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

69 Downloads (Pure)

Abstract

Closely monitoring the behavior of a software system during its execution enables developers and analysts to observe, and ultimately understand, how it works. This kind of dynamic analysis can be instrumental to reverse engineering, vulnerability discovery, exploit development, and debugging. While these analyses are typically well-supported for homogeneous desktop platforms (e.g., x86 desktop PCs), they can rarely be applied in the heterogeneous world of embedded systems. One approach to enable dynamic analyses of embedded systems is to move software stacks from physical systems into virtual environments that sufficiently model hardware behavior. This process which we call "rehosting" poses a significant research challenge with major implications for security analyses. Although rehosting has traditionally been an unscientific and ad-hoc endeavor undertaken by domain experts with varying time and resources at their disposal, researchers are beginning to address rehosting challenges systematically and in earnest. In this paper, we establish that emulation is insufficient to conduct large-scale dynamic analysis of real-world hardware systems and present rehosting as a firmware-centric alternative. Furthermore, we taxonomize preliminary rehosting efforts, identify the fundamental components of the rehosting process, and propose directions for future research.

Original language	English
Title of host publication	ASIA CCS '21
Subtitle of host publication	Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security
Place of Publication	New York
Publisher	Association for Computing Machinery (ACM)
Pages	687–701
Number of pages	15
ISBN (Electronic)	9781450382878
DOIs	https://doi.org/10.1145/3433210.3453093
Publication status	Published - 4 Jun 2021
Event	ASIA CCS '21: ACM Asia Conference on Computer and Communications Security - Virtual Event, Hong Kong, China Duration: 7 Jun 2021 → 11 Jun 2021

Publication series

Name	ASIA CCS: ACM Symposium on Information, Computer and Communications Security

Conference

Conference	ASIA CCS '21
Abbreviated title	ASIA CCS '21
Country/Territory	China
City	Hong Kong
Period	7/06/21 → 11/06/21

Keywords

classbinary
dynamic program analysis
embedded systems
emulation
firmware security
internet of things
projintersect
projtropics
rehosting
typeconf
typepaper
typetop
virtualization

Access to Document

10.1145/3433210.3453093Licence: Creative Commons: Attribution (CC BY)

FasanoA2021SoKFinal published version, 1.47 MBLicence: Creative Commons: Attribution (CC BY)

https://dl.acm.org/doi/pdf/10.1145/3433210.3453093Licence: Creative Commons: Attribution (CC BY)

Cite this

Fasano, A., Ballo, T., Muench, M., Leek, T., Bulekov, A., Dolan-Gavitt, B., Egele, M., Francillon, A., Lu, L., Gregory, N., Balzarotti, D., & Robertson, W. (2021). SoK: Enabling Security Analyses of Embedded Systems via Rehosting. In ASIA CCS '21: Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security (pp. 687–701). (ASIA CCS: ACM Symposium on Information, Computer and Communications Security). Association for Computing Machinery (ACM). https://doi.org/10.1145/3433210.3453093

Fasano, Andrew ; Ballo, Tiemoko ; Muench, Marius et al. / SoK : Enabling Security Analyses of Embedded Systems via Rehosting. ASIA CCS '21: Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security. New York : Association for Computing Machinery (ACM), 2021. pp. 687–701 (ASIA CCS: ACM Symposium on Information, Computer and Communications Security).

@inproceedings{258baaf78ae04502b9bcb4291ed33099,

title = "SoK: Enabling Security Analyses of Embedded Systems via Rehosting",

abstract = "Closely monitoring the behavior of a software system during its execution enables developers and analysts to observe, and ultimately understand, how it works. This kind of dynamic analysis can be instrumental to reverse engineering, vulnerability discovery, exploit development, and debugging. While these analyses are typically well-supported for homogeneous desktop platforms (e.g., x86 desktop PCs), they can rarely be applied in the heterogeneous world of embedded systems. One approach to enable dynamic analyses of embedded systems is to move software stacks from physical systems into virtual environments that sufficiently model hardware behavior. This process which we call {"}rehosting{"} poses a significant research challenge with major implications for security analyses. Although rehosting has traditionally been an unscientific and ad-hoc endeavor undertaken by domain experts with varying time and resources at their disposal, researchers are beginning to address rehosting challenges systematically and in earnest. In this paper, we establish that emulation is insufficient to conduct large-scale dynamic analysis of real-world hardware systems and present rehosting as a firmware-centric alternative. Furthermore, we taxonomize preliminary rehosting efforts, identify the fundamental components of the rehosting process, and propose directions for future research.",

keywords = "classbinary, dynamic program analysis, embedded systems, emulation, firmware security, internet of things, projintersect, projtropics, rehosting, typeconf, typepaper, typetop, virtualization",

author = "Andrew Fasano and Tiemoko Ballo and Marius Muench and Tim Leek and Alexander Bulekov and Brendan Dolan-Gavitt and Manuel Egele and Aur{\'e}lien Francillon and Long Lu and Nick Gregory and Davide Balzarotti and William Robertson",

year = "2021",

month = jun,

day = "4",

doi = "10.1145/3433210.3453093",

language = "English",

series = "ASIA CCS: ACM Symposium on Information, Computer and Communications Security",

publisher = "Association for Computing Machinery (ACM)",

pages = "687–701",

booktitle = "ASIA CCS '21",

address = "United States",

note = "ASIA CCS '21 : ACM Asia Conference on Computer and Communications Security, ASIA CCS '21 ; Conference date: 07-06-2021 Through 11-06-2021",

}

Fasano, A, Ballo, T, Muench, M, Leek, T, Bulekov, A, Dolan-Gavitt, B, Egele, M, Francillon, A, Lu, L, Gregory, N, Balzarotti, D & Robertson, W 2021, SoK: Enabling Security Analyses of Embedded Systems via Rehosting. in ASIA CCS '21: Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security. ASIA CCS: ACM Symposium on Information, Computer and Communications Security, Association for Computing Machinery (ACM), New York, pp. 687–701, ASIA CCS '21, Hong Kong, China, 7/06/21. https://doi.org/10.1145/3433210.3453093

SoK: Enabling Security Analyses of Embedded Systems via Rehosting. / Fasano, Andrew; Ballo, Tiemoko; Muench, Marius et al.
ASIA CCS '21: Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security. New York: Association for Computing Machinery (ACM), 2021. p. 687–701 (ASIA CCS: ACM Symposium on Information, Computer and Communications Security).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - SoK

T2 - ASIA CCS '21

AU - Fasano, Andrew

AU - Ballo, Tiemoko

AU - Muench, Marius

AU - Leek, Tim

AU - Bulekov, Alexander

AU - Dolan-Gavitt, Brendan

AU - Egele, Manuel

AU - Francillon, Aurélien

AU - Lu, Long

AU - Gregory, Nick

AU - Balzarotti, Davide

AU - Robertson, William

PY - 2021/6/4

Y1 - 2021/6/4

N2 - Closely monitoring the behavior of a software system during its execution enables developers and analysts to observe, and ultimately understand, how it works. This kind of dynamic analysis can be instrumental to reverse engineering, vulnerability discovery, exploit development, and debugging. While these analyses are typically well-supported for homogeneous desktop platforms (e.g., x86 desktop PCs), they can rarely be applied in the heterogeneous world of embedded systems. One approach to enable dynamic analyses of embedded systems is to move software stacks from physical systems into virtual environments that sufficiently model hardware behavior. This process which we call "rehosting" poses a significant research challenge with major implications for security analyses. Although rehosting has traditionally been an unscientific and ad-hoc endeavor undertaken by domain experts with varying time and resources at their disposal, researchers are beginning to address rehosting challenges systematically and in earnest. In this paper, we establish that emulation is insufficient to conduct large-scale dynamic analysis of real-world hardware systems and present rehosting as a firmware-centric alternative. Furthermore, we taxonomize preliminary rehosting efforts, identify the fundamental components of the rehosting process, and propose directions for future research.

AB - Closely monitoring the behavior of a software system during its execution enables developers and analysts to observe, and ultimately understand, how it works. This kind of dynamic analysis can be instrumental to reverse engineering, vulnerability discovery, exploit development, and debugging. While these analyses are typically well-supported for homogeneous desktop platforms (e.g., x86 desktop PCs), they can rarely be applied in the heterogeneous world of embedded systems. One approach to enable dynamic analyses of embedded systems is to move software stacks from physical systems into virtual environments that sufficiently model hardware behavior. This process which we call "rehosting" poses a significant research challenge with major implications for security analyses. Although rehosting has traditionally been an unscientific and ad-hoc endeavor undertaken by domain experts with varying time and resources at their disposal, researchers are beginning to address rehosting challenges systematically and in earnest. In this paper, we establish that emulation is insufficient to conduct large-scale dynamic analysis of real-world hardware systems and present rehosting as a firmware-centric alternative. Furthermore, we taxonomize preliminary rehosting efforts, identify the fundamental components of the rehosting process, and propose directions for future research.

KW - classbinary

KW - dynamic program analysis

KW - embedded systems

KW - emulation

KW - firmware security

KW - internet of things

KW - projintersect

KW - projtropics

KW - rehosting

KW - typeconf

KW - typepaper

KW - typetop

KW - virtualization

U2 - 10.1145/3433210.3453093

DO - 10.1145/3433210.3453093

M3 - Conference contribution

T3 - ASIA CCS: ACM Symposium on Information, Computer and Communications Security

SP - 687

EP - 701

BT - ASIA CCS '21

PB - Association for Computing Machinery (ACM)

CY - New York

Y2 - 7 June 2021 through 11 June 2021

ER -

Fasano A, Ballo T, Muench M, Leek T, Bulekov A, Dolan-Gavitt B et al. SoK: Enabling Security Analyses of Embedded Systems via Rehosting. In ASIA CCS '21: Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security. New York: Association for Computing Machinery (ACM). 2021. p. 687–701. (ASIA CCS: ACM Symposium on Information, Computer and Communications Security). doi: 10.1145/3433210.3453093

SoK: Enabling Security Analyses of Embedded Systems via Rehosting

Abstract

Publication series

Conference

Keywords

Access to Document

Fingerprint

Cite this