Tell Me More Than Just Assembly! Reversing Cyber-Physical Execution Semantics of Embedded IoT Controller Software Binaries

Title: Tell Me More Than Just Assembly! Reversing Cyber-Physical Execution Semantics of Embedded IoT Controller Software Binaries
Publication Type: Conference Paper
Year of Publication: 2019
Authors: Sun, Pengfei; Garcia, Luis; Zonouz, Saman
Conference Name: 2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)
Date Published: June
Keywords: algorithm-level semantics, algorithmic level, Binary codes, binary patching, composability, control algorithm, control algorithm parameters, control engineering computing, critical cyber-physical IoT devices hinges, Cyber physical system, cyber-physical execution semantic information, cyber-physical execution semantics, cyber-physical IoT control application domains, cyber-physical security flaws, data mining, domain-specific reverse engineering framework, domain-specific semantic information, drones, dynamic selective memory protection, embedded binary code, embedded controller software binaries, embedded IoT controller software binaries, Embedded systems, executables, Execution Semantic, firmware, firmware binaries, firmware vulnerability assessment, Heuristic algorithms, high-level algorithmic expressions, Internet of Things, IoT, Linux, Linux kernel controllers versions, Linux Operating System Security, low-level binary symbolic values, memory forensics analysis, Metrics, MISMO, operating system kernels, Predictive Metrics, program verification, pubcrawl, public domain software, Resiliency, reverse engineering, reverse engineering outcomes, Robotics, security, security analysis, security of data, semantic-matching, Semantics, Software, Software algorithms, state estimation algorithms, Symbolic Comparison, Symbolic Expression, targeted memory data attacks
Abstract: The safety of critical cyber-physical IoT devices hinges on the security of their embedded software that implements control algorithms for monitoring and control of the associated physical processes, e.g., robotics and drones. Reverse engineering of the corresponding embedded controller software binaries enables their security analysis by extracting high-level, domain-specific, and cyber-physical execution semantic information from executables. We present MISMO, a domain-specific reverse engineering framework for embedded binary code in emerging cyber-physical IoT control application domains. The reverse engineering outcomes can be used for firmware vulnerability assessment, memory forensics analysis, targeted memory data attacks, or binary patching for dynamic selective memory protection (e.g., important control algorithm parameters). MISMO performs semantic-matching at an algorithmic level that can help with the understanding of any possible cyber-physical security flaws. MISMO compares low-level binary symbolic values and high-level algorithmic expressions to extract domain-specific semantic information for the binary's code and data. MISMO enables a finer-grained understanding of the controller by identifying the specific control and state estimation algorithms used. We evaluated MISMO on 2,263 popular firmware binaries by 30 commercial vendors from 6 application domains including drones, self-driving cars, smart homes, robotics, 3D printers, and the Linux kernel controllers. The results show that MISMO can accurately extract the algorithm-level semantics of the embedded binary code and data regions. We discovered a zero-day vulnerability in the Linux kernel controllers versions 3.13 and above.
DOI: 10.1109/DSN.2019.00045
Citation Key: sun_tell_2019