Abstract

The security of embedded firmware has become a critical issue with the rapid growth of the Internet of Things. Current security analysis approaches, such as dynamic analysis, still face bottlenecks because of the wide variety of devices and systems. Recent dynamic analysis approaches for embedded firmware have attempted to provide a general solution but rely heavily on detailed device manuals. Approaches that do not rely on manuals, on the other hand, trigger interrupts randomly, which weakens emulation fidelity and dynamic analysis efficiency. In this paper, we propose a redundant-check-based interrupt modeling and security analysis method for embedded firmware that does not rely on commercial manuals. The method reverse engineers the control flow of the firmware binary and accurately extracts the correct interrupt triggering rules, which are then used to emulate the firmware. We have implemented a functional prototype on QEMU, called IEmu, and evaluated it on 26 firmware images running on different MCUs. Our results show significant advantages over the recent state-of-the-art approach: on average, IEmu improves interrupt path exploration efficiency by 2.4 times and fuzz testing coverage by 19%. IEmu recovers the interrupt triggering logic documented in the manuals, and it emulated three firmware images on which the state-of-the-art emulator has limitations and found vulnerabilities in them.
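The fidelity and efficiency argument above, as an added illustration that is not IEmu's code and does not reproduce its rule-extraction algorithm (the abstract does not describe that algorithm, so the trigger rule here is simply assumed to be known): a toy firmware UART receive path is driven by an emulator under two policies, random interrupt triggering and rule-based triggering that raises the interrupt only when the modeled status bit says data is pending. The ISR's status-register check is the kind of guard a firmware binary carries even though a correctly delivered interrupt makes it redundant. All names (UART_SR_RXNE, uart_regs, run_policy and the constructed input bytes) are hypothetical.

```c
/* Added illustration, not IEmu's code: how the emulator's interrupt
 * triggering policy affects what the firmware's ISR actually does.
 * All register names and bit positions below are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define UART_SR_RXNE  (1u << 5)   /* hypothetical "receive not empty" bit */

/* Memory-mapped peripheral model as the emulator sees it. */
struct uart_regs {
    uint32_t sr;      /* status register */
    uint32_t dr;      /* data register */
};

/* Firmware-side state touched by the interrupt handler. */
struct fw_state {
    uint8_t  rxbuf[64];
    unsigned rxlen;
    unsigned isr_entries;   /* how often the ISR was entered */
    unsigned isr_useful;    /* how often it found pending data */
};

/* The firmware's ISR.  From the firmware's point of view the status check
 * is redundant (the interrupt should only arrive when RXNE is set), but it
 * is exactly the guard that tells an analyst which condition must hold
 * for this interrupt to be meaningful. */
static void uart_rx_isr(struct uart_regs *u, struct fw_state *fw)
{
    fw->isr_entries++;
    if (!(u->sr & UART_SR_RXNE))
        return;                         /* spurious entry: nothing pending */
    fw->isr_useful++;
    if (fw->rxlen < sizeof fw->rxbuf)
        fw->rxbuf[fw->rxlen++] = (uint8_t)u->dr;
    u->sr &= ~UART_SR_RXNE;             /* consuming the byte clears the flag */
}

/* Emulator side: place one input byte into the peripheral model. */
static void uart_deliver(struct uart_regs *u, uint8_t b)
{
    u->dr = b;
    u->sr |= UART_SR_RXNE;
}

/* Small deterministic PRNG so the "random" policy is reproducible. */
static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

struct run_result { unsigned entries, useful, received; };

/* Feed `input` through the model for a fixed number of ticks under one
 * triggering policy and report ISR entries, useful entries and bytes
 * received by the firmware. */
struct run_result run_policy(const uint8_t *input, size_t n, int rule_based)
{
    struct uart_regs u = {0, 0};
    struct fw_state fw;
    memset(&fw, 0, sizeof fw);
    uint32_t seed = 0x12345678u;
    size_t delivered = 0;

    for (int tick = 0; tick < 200; tick++) {
        /* A byte arrives on even ticks, but only once the previous one
         * has been consumed (no overwrite of unread data). */
        if (delivered < n && (tick % 2) == 0 && !(u.sr & UART_SR_RXNE))
            uart_deliver(&u, input[delivered++]);

        if (rule_based) {
            /* Trigger rule matching the firmware's own guard condition. */
            if (u.sr & UART_SR_RXNE)
                uart_rx_isr(&u, &fw);
        } else {
            /* Random policy: fire with probability 1/2 regardless of state. */
            if (xorshift32(&seed) & 1u)
                uart_rx_isr(&u, &fw);
        }
    }
    struct run_result r = { fw.isr_entries, fw.isr_useful, fw.rxlen };
    return r;
}

int main(void)
{
    /* Constructed sample input. */
    const uint8_t in[] = "0123456789abcdef";
    struct run_result a = run_policy(in, 16, 1);
    struct run_result b = run_policy(in, 16, 0);
    printf("rule-based: %u entries, %u useful, %u bytes received\n",
           a.entries, a.useful, a.received);
    printf("random:     %u entries, %u useful, %u bytes received\n",
           b.entries, b.useful, b.received);
    return 0;
}
```

Under the rule-based policy every ISR entry does real work and the input is consumed in order, so the explored interrupt paths reflect states the real device would produce. Under random triggering most entries hit the early-return guard, which wastes analysis budget and exercises only the spurious-interrupt path; that is the fidelity and efficiency gap the abstract attributes to manual-free emulators.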
