SoK: Enabling Security Analyses of Embedded Systems via Rehosting

A. Fasano; T. Ballo; M. Muench; T. Leek; A. Bulekov; B. Dolan-Gavitt; M. Egele; A. Francillon; L. Lu; N. Gregory; D. Balzarotti; W. Robertson

doi:10.1145/3433210.3453093

SoK: Enabling Security Analyses of Embedded Systems via Rehosting

A. Fasano, T. Ballo, M. Muench, T. Leek, A. Bulekov, B. Dolan-Gavitt, M. Egele, A. Francillon, L. Lu, N. Gregory, D. Balzarotti, W. Robertson

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

Abstract

Closely monitoring the behavior of a software system during its execution enables developers and analysts to observe, and ultimately understand, how it works. This kind of dynamic analysis can be instrumental to reverse engineering, vulnerability discovery, exploit development, and debugging. While these analyses are typically well-supported for homogeneous desktop platforms (e.g., x86 desktop PCs), they can rarely be applied in the heterogeneous world of embedded systems. One approach to enable dynamic analyses of embedded systems is to move software stacks from physical systems into virtual environments that sufficiently model hardware behavior. This process which we call "rehosting"poses a significant research challenge with major implications for security analyses. Although rehosting has traditionally been an unscientific and ad-hoc endeavor undertaken by domain experts with varying time and resources at their disposal, researchers are beginning to address rehosting challenges systematically and in earnest. In this paper, we establish that emulation is insufficient to conduct large-scale dynamic analysis of real-world hardware systems and present rehosting as a firmware-centric alternative. Furthermore, we taxonomize preliminary rehosting efforts, identify the fundamental components of the rehosting process, and propose directions for future research.

Original language	English
Title of host publication	ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security
Publisher	Association for Computing Machinery, Inc
Pages	687-701
Number of pages	15
ISBN (Electronic)	9781450382878
DOIs	https://doi.org/10.1145/3433210.3453093
Publication status	Published - May 2021
Event	16th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2021 - Virtual, Online, Hong Kong Duration: 7 Jun 2021 → 11 Jun 2021

Publication series

Name	ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security

Conference

Conference	16th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2021
Country/Territory	Hong Kong
City	Virtual, Online
Period	7/06/21 → 11/06/21

Funding

The authors wish to thank the following individuals for their contributions and support: Lindsey Wang, John Wilkinson, Douglas E. Stetson, William Hedberg, and Greta Lepore. This work was in part funded by ONR Awards N00014-15-1-2180 and N00014-19-1-2364; the National Science Foundation under Grants No. CNS-1916398 and CNS-1942793; NWO 628.001.030 \u201CTropics\u201D and NWO NWA-ORC InterSect; and a research contract with Siemens AG. DISTRIBUTION STATEMENT A. Approved for public release. Distribution is unlimited. This material is based upon work supported by the Under Secretary of Defense for Research and Engineering under Air Force Contract No. FA8702-15-D-0001. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Under Secretary of Defense for Research and Engineering, Office of Naval Research, or the National Science Foundation.

Funders	Funder number
Under Secretary of Defense for Research and Engineering
Office of Naval Research	N00014-19-1-2364, N00014-15-1-2180
National Science Foundation	CNS-1916398, 1916398, CNS-1942793
Air Force	FA8702-15-D-0001
NWO	628.001.030

Access to Document

10.1145/3433210.3453093

Persistent URL (handle)

Persistent link

Cite this

Fasano, A., Ballo, T., Muench, M., Leek, T., Bulekov, A., Dolan-Gavitt, B., Egele, M., Francillon, A., Lu, L., Gregory, N., Balzarotti, D., & Robertson, W. (2021). SoK: Enabling Security Analyses of Embedded Systems via Rehosting. In ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security (pp. 687-701). (ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security). Association for Computing Machinery, Inc. https://doi.org/10.1145/3433210.3453093

Fasano, A. ; Ballo, T. ; Muench, M. et al. / SoK: Enabling Security Analyses of Embedded Systems via Rehosting. ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security. Association for Computing Machinery, Inc, 2021. pp. 687-701 (ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security).

@inproceedings{de72e89c884c476582e6bfdd1e114e07,

title = "SoK: Enabling Security Analyses of Embedded Systems via Rehosting",

abstract = "Closely monitoring the behavior of a software system during its execution enables developers and analysts to observe, and ultimately understand, how it works. This kind of dynamic analysis can be instrumental to reverse engineering, vulnerability discovery, exploit development, and debugging. While these analyses are typically well-supported for homogeneous desktop platforms (e.g., x86 desktop PCs), they can rarely be applied in the heterogeneous world of embedded systems. One approach to enable dynamic analyses of embedded systems is to move software stacks from physical systems into virtual environments that sufficiently model hardware behavior. This process which we call {"}rehosting{"}poses a significant research challenge with major implications for security analyses. Although rehosting has traditionally been an unscientific and ad-hoc endeavor undertaken by domain experts with varying time and resources at their disposal, researchers are beginning to address rehosting challenges systematically and in earnest. In this paper, we establish that emulation is insufficient to conduct large-scale dynamic analysis of real-world hardware systems and present rehosting as a firmware-centric alternative. Furthermore, we taxonomize preliminary rehosting efforts, identify the fundamental components of the rehosting process, and propose directions for future research.",

author = "A. Fasano and T. Ballo and M. Muench and T. Leek and A. Bulekov and B. Dolan-Gavitt and M. Egele and A. Francillon and L. Lu and N. Gregory and D. Balzarotti and W. Robertson",

year = "2021",

month = may,

doi = "10.1145/3433210.3453093",

language = "English",

series = "ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security",

publisher = "Association for Computing Machinery, Inc",

pages = "687--701",

booktitle = "ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security",

note = "16th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2021 ; Conference date: 07-06-2021 Through 11-06-2021",

}

Fasano, A, Ballo, T, Muench, M, Leek, T, Bulekov, A, Dolan-Gavitt, B, Egele, M, Francillon, A, Lu, L, Gregory, N, Balzarotti, D & Robertson, W 2021, SoK: Enabling Security Analyses of Embedded Systems via Rehosting. in ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security. ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security, Association for Computing Machinery, Inc, pp. 687-701, 16th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2021, Virtual, Online, Hong Kong, 7/06/21. https://doi.org/10.1145/3433210.3453093

SoK: Enabling Security Analyses of Embedded Systems via Rehosting. / Fasano, A.; Ballo, T.; Muench, M. et al.
ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security. Association for Computing Machinery, Inc, 2021. p. 687-701 (ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security).

Research output: Chapter in Book / Report / Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - SoK: Enabling Security Analyses of Embedded Systems via Rehosting

AU - Fasano, A.

AU - Ballo, T.

AU - Muench, M.

AU - Leek, T.

AU - Bulekov, A.

AU - Dolan-Gavitt, B.

AU - Egele, M.

AU - Francillon, A.

AU - Lu, L.

AU - Gregory, N.

AU - Balzarotti, D.

AU - Robertson, W.

PY - 2021/5

Y1 - 2021/5

N2 - Closely monitoring the behavior of a software system during its execution enables developers and analysts to observe, and ultimately understand, how it works. This kind of dynamic analysis can be instrumental to reverse engineering, vulnerability discovery, exploit development, and debugging. While these analyses are typically well-supported for homogeneous desktop platforms (e.g., x86 desktop PCs), they can rarely be applied in the heterogeneous world of embedded systems. One approach to enable dynamic analyses of embedded systems is to move software stacks from physical systems into virtual environments that sufficiently model hardware behavior. This process which we call "rehosting"poses a significant research challenge with major implications for security analyses. Although rehosting has traditionally been an unscientific and ad-hoc endeavor undertaken by domain experts with varying time and resources at their disposal, researchers are beginning to address rehosting challenges systematically and in earnest. In this paper, we establish that emulation is insufficient to conduct large-scale dynamic analysis of real-world hardware systems and present rehosting as a firmware-centric alternative. Furthermore, we taxonomize preliminary rehosting efforts, identify the fundamental components of the rehosting process, and propose directions for future research.

AB - Closely monitoring the behavior of a software system during its execution enables developers and analysts to observe, and ultimately understand, how it works. This kind of dynamic analysis can be instrumental to reverse engineering, vulnerability discovery, exploit development, and debugging. While these analyses are typically well-supported for homogeneous desktop platforms (e.g., x86 desktop PCs), they can rarely be applied in the heterogeneous world of embedded systems. One approach to enable dynamic analyses of embedded systems is to move software stacks from physical systems into virtual environments that sufficiently model hardware behavior. This process which we call "rehosting"poses a significant research challenge with major implications for security analyses. Although rehosting has traditionally been an unscientific and ad-hoc endeavor undertaken by domain experts with varying time and resources at their disposal, researchers are beginning to address rehosting challenges systematically and in earnest. In this paper, we establish that emulation is insufficient to conduct large-scale dynamic analysis of real-world hardware systems and present rehosting as a firmware-centric alternative. Furthermore, we taxonomize preliminary rehosting efforts, identify the fundamental components of the rehosting process, and propose directions for future research.

U2 - 10.1145/3433210.3453093

DO - 10.1145/3433210.3453093

M3 - Conference contribution

T3 - ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security

SP - 687

EP - 701

BT - ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security

PB - Association for Computing Machinery, Inc

T2 - 16th ACM Asia Conference on Computer and Communications Security, ASIA CCS 2021

Y2 - 7 June 2021 through 11 June 2021

ER -

Fasano A, Ballo T, Muench M, Leek T, Bulekov A, Dolan-Gavitt B et al. SoK: Enabling Security Analyses of Embedded Systems via Rehosting. In ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security. Association for Computing Machinery, Inc. 2021. p. 687-701. (ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security). doi: 10.1145/3433210.3453093

SoK: Enabling Security Analyses of Embedded Systems via Rehosting

Abstract

Publication series

Conference

Funding

Access to Document

Persistent URL (handle)

Fingerprint

Cite this