Your Firmware Has Arrived: A Study of Firmware Update Vulnerabilities
A Systematic Study to Identify Real-World Vulnerabilities in Heterogeneous Embedded Firmware Update Mechanisms
Abstract
Embedded devices are increasingly ubiquitous in our society. Firmware updates are one of the primary mechanisms to mitigate vulnerabilities in embedded systems. However, the firmware update procedure also introduces new attack surfaces, particularly through vulnerable firmware verification procedures. Unlike memory corruption bugs, numerous vulnerabilities in firmware updates stem from incomplete or incorrect verification steps, to which existing firmware analysis methods are not applicable. To bridge this gap, we propose ChkUp, an approach to Check for firmware Update vulnerabilities. ChkUp can resolve the program execution paths during firmware updates using cross-language inter-process control flow analysis and program slicing. With these paths, ChkUp locates firmware verification procedures, examining and validating their vulnerabilities. We implemented ChkUp and conducted a comprehensive analysis on 12,000 firmware images. Then, we validated the alerts in 150 firmware images from 33 device families, leading to the discovery of both zero-day and n-day vulnerabilities. Our findings were disclosed responsibly, resulting in the assignment of 25 CVE IDs and one PSV ID at the time of writing.
Overview of ChkUp
The high-level idea of ChkUp is to statically extract firmware update program execution paths from the firmware codebase and pinpoint potential vulnerabilities along these paths based on summarized vulnerability patterns. Dynamic vulnerability validation is then performed to reduce false alerts. However, three primary challenges remain to be addressed to implement this idea: C1, the diverse programs in update paths encountered while extracting firmware update execution paths; C2, verification procedure recognition for vulnerability pattern matching; and C3, vulnerability validation to reduce false alerts. To address these challenges, we propose ChkUp (illustrated in the figure below), which comprises four modules:
Execution Path Recovery. To address challenge C1, ChkUp first creates a UFG that captures control flow information across programs written in different programming languages. Next, it performs backward program slicing to determine the firmware update execution paths.
Verification Procedure Recognition. ChkUp identifies the essential verification procedures (authenticity, integrity, freshness, and compatibility) in firmware update mechanisms. To tackle challenge C2, it combines syntactic and structural features with more sophisticated semantic features based on DFG isomorphism to recognize the verification chains in the firmware update execution paths.
Vulnerability Discovery. ChkUp is capable of detecting both missing and improper verification vulnerabilities in firmware update procedures. With the resolved execution paths and identified verification procedures, the system examines whether secure verification steps are properly utilized in these paths to uncover these vulnerabilities.
Vulnerability Validation. ChkUp verifies vulnerabilities by emulating the firmware image and producing PoC exploits. To overcome challenge C3, it adopts a patching-based method in which the vulnerable procedure is tested with the generated PoCs after its execution dependencies have been bypassed by applying patches.
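As an added illustration of the four verification procedures and the missing/improper verification bug class described above (constructed example code, not ChkUp's code or any vendor's update routine): a reference verification chain that checks authenticity, integrity, freshness and compatibility in order, beside a routine that shows the improper-verification pattern of an unauthenticated hash check. The update container format, the HMAC tag standing in for a vendor signature, and all keys, versions and model strings are assumptions.

```python
import hashlib
import hmac
import json

# Constructed device state and key; a real device holds the vendor's public key and
# checks an asymmetric signature, HMAC stands in here to keep the example self-contained.
DEVICE_MODEL = "EX-1000"
INSTALLED_VERSION = 3
VENDOR_KEY = b"constructed-demo-key"
TAG_LEN = 32


def build_update(payload: bytes, version: int, model: str, key: bytes = VENDOR_KEY) -> bytes:
    """Package an image as tag || header-json || '\\n' || payload (constructed format)."""
    header = json.dumps({"version": version, "model": model,
                         "sha256": hashlib.sha256(payload).hexdigest()}).encode()
    tag = hmac.new(key, header, hashlib.sha256).digest()
    return tag + header + b"\n" + payload


def verify_update(blob: bytes, key: bytes = VENDOR_KEY,
                  model: str = DEVICE_MODEL, installed: int = INSTALLED_VERSION):
    """Full chain: authenticity -> integrity -> freshness -> compatibility.
    Returns (accepted, reason); dropping any link is the pattern ChkUp flags."""
    tag, rest = blob[:TAG_LEN], blob[TAG_LEN:]
    header, sep, payload = rest.partition(b"\n")
    if not sep:
        return False, "malformed"
    # Authenticity: constant-time compare of the tag computed over the header.
    if not hmac.compare_digest(hmac.new(key, header, hashlib.sha256).digest(), tag):
        return False, "authenticity"
    meta = json.loads(header)
    # Integrity: the authenticated header binds the payload hash, so the payload is covered.
    if hashlib.sha256(payload).hexdigest() != meta["sha256"]:
        return False, "integrity"
    # Freshness: strictly newer version, so a re-delivered older image is refused.
    if meta["version"] <= installed:
        return False, "freshness"
    # Compatibility: the image must target this hardware model.
    if meta["model"] != model:
        return False, "compatibility"
    return True, "ok"


def weak_verify_update(blob: bytes) -> bool:
    """Improper verification: recomputes the payload hash but never checks the tag,
    so the hash is unauthenticated and any self-consistent header is accepted."""
    header, _, payload = blob[TAG_LEN:].partition(b"\n")
    return hashlib.sha256(payload).hexdigest() == json.loads(header)["sha256"]
```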
CVE Details
Firmware Dataset and Source Code
We have released crawled firmware lists to facilitate future research in this field: https://github.com/WUSTL-CSPL/Firmware-Dataset
We are cleaning up our code and will release it soon on this official repository: https://github.com/WUSTL-CSPL/ChkUp
If you find our work helpful, please consider citing our paper:
@inproceedings{wu2024firmware,
title={Your Firmware Has Arrived: A Study of Firmware Update Vulnerabilities},
author={Wu, Yuhao and Wang, Jinwen and Wang, Yujie and Zhai, Shixuan and Li, Zihan and He, Yi and Sun, Kun and Li, Qi and Zhang, Ning},
booktitle={USENIX Security Symposium},
year={2024}
}