Microcontroller-based embedded devices are at the core of Internet-of-Things and Cyber-Physical Systems. The security of these devices is of paramount importance. Among the approaches to securing embedded devices, dynamic firmware analysis has gained great attention lately, thanks to its offline nature and low false-positive rates. However, regardless of the analysis and emulation techniques used, existing dynamic firmware analyzers share a major limitation, namely the inability to handle firmware that uses DMA. This severely limits the types of devices supported and the firmware code coverage. We present DICE, a drop-in solution for firmware analyzers to emulate DMA input channels and generate or manipulate DMA inputs. DICE is designed to be hardware-independent and compatible with common MCU firmware and embedded architectures. DICE identifies DMA input channels as the firmware writes the source and destination DMA transfer pointers into the DMA controller. Then DICE manipulates the input transferred through DMA on behalf of the firmware analyzer. We integrated DICE into the firmware analyzer P2IM (Cortex-M architecture) and a PIC32 emulator (MIPS M4K/M-Class architecture). We evaluated it on 83 benchmarks and sample firmware, representing 9 different DMA controllers from 5 different vendors. DICE detected 33 out of 37 DMA input channels, with 0 false positives. It correctly supplied DMA inputs to 21 out of 22 DMA buffers, which previous firmware analyzers cannot achieve due to the lack of DMA emulation. DICE's overhead is fairly low: it adds 3.4% on average to P2IM execution time. We also fuzz-tested 7 real-world firmware images using DICE and compared the results with the original P2IM. DICE uncovered tremendously more execution paths (as much as 79X) and found 5 unique previously-unknown bugs that are unreachable without DMA emulation. All our source code and dataset are publicly available.
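The abstract describes the two steps DICE performs: recognising a DMA input channel when the firmware stores a source pointer (a peripheral data register) and a destination pointer (a RAM buffer) into the DMA controller, and then supplying analyzer-controlled input to that buffer in place of the transfer the absent hardware would have done. The following toy model, added here as an illustration and not DICE's or P2IM's own code, shows one way an emulator hook can do both. The memory map, the register layout of the hypothetical DMA controller, the UART data-register address, the pairing heuristic (pointer registers within 16 bytes, written within 64 MMIO stores of each other) and the peripheral-to-RAM direction are all assumptions made for this example.

```python
"""Toy model of DMA-input-channel identification plus input injection for a
firmware emulator. Added example; not DICE's own code. Memory map, register
layout and pairing heuristic below are assumptions, not a real MCU."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed memory map for a hypothetical Cortex-M-style MCU (assumption).
RAM_BASE, RAM_SIZE = 0x2000_0000, 0x0002_0000        # 128 KiB SRAM
PERIPH_BASE, PERIPH_SIZE = 0x4000_0000, 0x1000_0000  # MMIO window of all peripherals
DMA_BASE, DMA_SIZE = 0x4002_0000, 0x400              # the DMA controller's own registers
PAIR_DISTANCE = 0x10   # src/dst pointer registers of one channel lie within 16 bytes (assumption)
PAIR_WINDOW = 64       # ...and are written within 64 MMIO stores of each other (assumption)


def in_ram(a: int) -> bool:
    return RAM_BASE <= a < RAM_BASE + RAM_SIZE


def in_dma_ctrl(a: int) -> bool:
    return DMA_BASE <= a < DMA_BASE + DMA_SIZE


def in_periph(a: int) -> bool:
    # A register of some peripheral other than the DMA controller itself.
    return PERIPH_BASE <= a < PERIPH_BASE + PERIPH_SIZE and not in_dma_ctrl(a)


@dataclass(frozen=True)
class DmaInputChannel:
    src_reg: int   # peripheral data register the transfer reads from
    dst_buf: int   # RAM buffer the transfer writes to (what the analyzer controls)


@dataclass
class PointerWrite:
    reg: int       # DMA controller register the pointer was stored to
    value: int     # the pointer itself
    seq: int       # global MMIO store counter at the time of the write


class DmaEmulator:
    """Hooks the emulator's MMIO store path: identifies channels, injects input."""

    def __init__(self, ram: bytearray, fuzz_input: bytes):
        assert len(ram) == RAM_SIZE
        self.ram = ram
        self.fuzz = fuzz_input
        self.fuzz_pos = 0
        self.seq = 0
        self.recent: List[PointerWrite] = []
        self.channels: List[DmaInputChannel] = []

    def on_mmio_write(self, addr: int, value: int) -> Optional[DmaInputChannel]:
        """Call on every 32-bit store to MMIO. Returns a channel if one was just identified."""
        self.seq += 1
        if not in_dma_ctrl(addr) or not (in_ram(value) or in_periph(value)):
            return None          # not a pointer written into the DMA controller
        write = PointerWrite(addr, value, self.seq)
        # Forget pointer writes that fell out of the pairing window.
        self.recent = [w for w in self.recent if self.seq - w.seq <= PAIR_WINDOW]
        for other in self.recent:
            if abs(other.reg - addr) > PAIR_DISTANCE:
                continue
            # Order of the two stores does not matter; the peripheral pointer is the source.
            src, dst = (other.value, value) if in_periph(other.value) else (value, other.value)
            if in_periph(src) and in_ram(dst):   # peripheral -> RAM: an input channel
                ch = DmaInputChannel(src, dst)
                if ch not in self.channels:
                    self.channels.append(ch)
                self.recent.remove(other)
                return ch
        self.recent.append(write)
        return None

    def deliver(self, ch: DmaInputChannel, nbytes: int) -> int:
        """Emulate a completed transfer: copy analyzer-supplied bytes into the channel's
        RAM buffer instead of reading the absent peripheral. Returns bytes written."""
        off = ch.dst_buf - RAM_BASE
        avail = self.fuzz[self.fuzz_pos:self.fuzz_pos + nbytes]
        n = min(len(avail), RAM_SIZE - off)   # never write past the end of emulated RAM
        self.ram[off:off + n] = avail[:n]
        self.fuzz_pos += n
        return n


def demo() -> dict:
    """Constructed firmware trace: configure UART RX -> RAM DMA, then receive 4 bytes."""
    ram = bytearray(RAM_SIZE)
    emu = DmaEmulator(ram, b"\xde\xad\xbe\xef" + b"\x00" * 4)   # constructed fuzz input
    UART_DR = 0x4001_3804          # hypothetical UART data register (assumption)
    BUF = RAM_BASE + 0x100         # hypothetical receive buffer in SRAM
    emu.on_mmio_write(DMA_BASE + 0x20, 4)          # transfer count: not a pointer, ignored
    emu.on_mmio_write(DMA_BASE + 0x24, UART_DR)    # channel source pointer
    ch = emu.on_mmio_write(DMA_BASE + 0x28, BUF)   # channel destination pointer: identified
    written = emu.deliver(ch, 4)
    return {"channel": ch, "written": written, "buf": bytes(ram[0x100:0x104])}


if __name__ == "__main__":
    print(demo())
```

The model deliberately pairs pointers by register proximity and write order rather than by a vendor's register map, which is what makes the approach controller-independent; the price is that a RAM pointer and a peripheral pointer stored for unrelated reasons could be mis-paired, which is why a real implementation also needs the false-positive evaluation the abstract reports.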