ECE PhD Thesis Defense: Ioannis Angelakopoulos

  • Starts: 3:00 pm on Tuesday, August 12, 2025
  • Ends: 5:00 pm on Tuesday, August 12, 2025

Title: Improving the Security of Linux-based IoT Firmware Code via Re-hosting and Dynamic Analysis Techniques

Presenter: Ioannis Angelakopoulos

Advisor: Professor Manuel Egele

Chair: TBA

Committee: Professor Manuel Egele, Professor Gianluca Stringhini, Professor David Starobinski, Professor Alan Liu

Google Scholar Link: https://scholar.google.com/citations?user=VL6oIQkAAAAJ&hl=en&authuser=1

Abstract: The popularity of the Internet of Things (IoT) has increased tremendously in the past few decades. Billions of embedded devices and gadgets such as WiFi routers, IP cameras, and smart wearables fill up tech store shelves and find their way into customers' homes and businesses. However, regardless of its growth, the IoT is infamous for its weak security. For this reason, IoT and especially the firmware (software) that runs on these devices has become a prime target for malicious actors. Unfortunately, despite the efforts of the research community to identify and remediate the security issues in IoT firmware, new bugs and vulnerabilities arise on a daily basis.

When it comes to Linux-based IoT firmware vulnerability analysis, firmware re-hosting (emulation) and dynamic analysis techniques are the most popular. In this thesis, I focus on addressing challenges in both the firmware re-hosting and dynamic analysis domains and propose novel contributions to improve the security posture of IoT firmware. Specifically, I introduce new techniques for (holistic) firmware re-hosting which enable the application of downstream (dynamic) analysis systems on binary Linux-based kernel-level firmware code. I also present methods to enhance the scope of firmware dynamic analysis techniques to detect diverse bugs and vulnerabilities (e.g., memory corruption and deadlock bugs) in binary privileged (kernel-level) Linux-based firmware code. When it comes to improving firmware re-hosting, I propose three approaches: FirmSolo, Pandawan, and FirmDiff. First, I introduce FirmSolo, a firmware re-hosting framework which exposes Linux-based binary IoT kernel modules contained within firmware images to existing downstream analysis. Next, I present Pandawan, a framework whose contribution is twofold: 1) the ability to objectively compare full-system re-hosting approaches based on their emulation capabilities, and 2) the ability to holistically (at both the user and privileged level) re-host and analyze IoT firmware. I also discuss FirmDiff, an automated binary diffing framework that enables analysts to improve the fidelity of the IoT kernel module re-hosting process and achieve a more effective analysis. These contributions to firmware re-hosting (specifically of privileged firmware code) instigate the development of novel dynamic firmware analysis techniques. Finally, I propose Lock 'n Load (LL) as my contribution to the firmware analysis landscape. LL is a dynamic analysis approach that relies on my firmware re-hosting frameworks to enable the analysis of proprietary binary-only IoT kernel modules for deadlock-related bugs.

In summary, I improve the security of Linux-based IoT firmware by introducing (holistic) re-hosting techniques which expose Linux-based privileged IoT firmware code to downstream analysis, at scale. Furthermore, I apply novel dynamic analysis techniques to privileged IoT firmware code to identify diverse bugs (e.g., deadlock bugs). These contributions are only possible due to the firmware re-hosting and analysis frameworks developed as part of this thesis.

Location: PHO 339