
Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS)


Dynamic analysis of IoT systems based on full-system emulation in QEMU

https://doi.org/10.15514/ISPRAS-2021-33(5)-9

Abstract

The rapid evolution of the Internet of Things (IoT) requires the development of methods and tools for analyzing such devices. A significant share of these devices run operating systems (OS) of the Linux family. Direct application of existing software (SW) analysis tools to this class of devices is not always possible. In the course of researching embedded Linux OS, the ELF (embedded linux fuzz) tool was created, and it is presented in this work. The article deals with the analysis of systems built exclusively on the basis of Linux kernels. The ELF environment is designed for dynamic analysis of devices based on full-system emulation in QEMU. ELF was designed around the following principles: performing software testing and analysis of real devices in an environment as close as possible to their "native" execution environment; integration with existing fuzzing tools; and the ability to conduct distributed analysis.

About the Authors

Roman Dmitrievich KOVALENKO
Ivannikov Institute for System Programming of the RAS
Russian Federation

Researcher, Compiler Technologies Department



Alexey Nikolaevich MAKAROV
Ivannikov Institute for System Programming of the RAS
Russian Federation

Researcher, Compiler Technologies Department






For citation:

KOVALENKO R.D., MAKAROV A.N. Dynamic analysis of IoT systems based on full-system emulation in QEMU. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2021;33(5):155-166. (In Russ.) https://doi.org/10.15514/ISPRAS-2021-33(5)-9



This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2079-8156 (Print)
ISSN 2220-6426 (Online)