Finding Vulnerabilities in Embedded Software - Christopher Kruegel

Distinguished Cyber Security Lecture Series

Abstract

Embedded devices have become ubiquitous, and they are used in a range of privacy-sensitive and security-critical applications. Most of these devices run proprietary software (firmware), and little documentation is available about the software's inner workings. Firmware, like any piece of software, is susceptible to a wide range of errors. These include memory corruption bugs, command injection vulnerabilities, and application logic flaws. Embedded device vendors typically do not provide source code for their proprietary firmware. Hence, all analysis has to be performed directly on binary code. This is challenging because binary code lacks the high-level, semantically rich information about data structures and control constructs that is present in a program's source code.

In this talk, we will discuss some of the static and dynamic analysis techniques that we have developed to address the aforementioned challenges. A common limitation of many contemporary techniques to detect vulnerabilities in binary code is that they only find shallow bugs and struggle to exercise deeper code paths. To drive the analysis deeper into a program, we introduce novel techniques to improve the scalability of our system. These techniques frequently rely on interesting compositions of different analysis approaches, in a way that leverages the advantages of each individual approach while compensating for their respective limitations. Another common challenge, specifically for dynamic analysis (fuzzing) techniques, is re-hosting. Re-hosting is the process of migrating firmware from its original hardware environment into a virtualized one where the analysis becomes easier. We discuss our attempts to automate this important but tedious task. Finally, we will briefly cover angr, which is an open-source binary analysis platform that implements many of our analysis techniques. Angr was an integral component in the automated vulnerability finding, exploitation, and patching engine that participated in DARPA's Cyber Grand Challenge (CGC).

About Christopher Kruegel

Christopher Kruegel is a Professor of Computer Science at UC Santa Barbara. He was also a co-founder of Lastline, a company that developed AI-powered network security solutions. After Lastline's acquisition by VMware in 2020, Christopher joined the company as VP Security Service.

Christopher's research interests focus on computer and communications security, with an emphasis on malware analysis and detection, web security, and intrusion detection. He has published more than 100 peer-reviewed papers in top computer security conferences and has been the recipient of the NSF CAREER Award, the MIT Technology Review TR35 Award for young innovators, an IBM Faculty Award, and several best paper awards. He regularly serves on program committees of leading computer security conferences and speaks at industry venues such as Black Hat and RSAC.