Digging Deep: Finding 0days in Embedded Systems with Code Coverage Guided Fuzzing

Coverage-guided fuzzing has become a leading technique for discovering vulnerabilities on powerful systems such as PCs, and has been a main contributor to countless 0days over the last few years.

Unfortunately, this breakthrough methodology has not yet been applied to finding bugs in embedded devices (network routers, IP cameras, etc.). We identified the following reasons:

  • As closed ecosystems, embedded devices usually come without built-in shell access or development facilities such as a compiler and debugger. This makes it impossible to introduce a fuzzer that runs directly on the device and finds bugs inside it.
  • In the rare cases where the firmware is available for download, it is usually not open source, which limits the use of existing guided fuzzers such as AFL and libFuzzer, as these tools require source code to inject branch instrumentation at compile time.
  • Most existing work focuses on the Intel architecture, while all embedded devices run on other CPUs such as ARM, MIPS or PowerPC. Our study reveals that fuzzing tools for these architectures are seriously lacking.

This research aims to overcome these issues and build a new guided fuzzer for embedded systems.

We emulate the firmware so that we can bring our fuzzing and debugging tools to it. We first explain how we extract firmware directly from physical devices, then how we emulate it in a virtual machine using a number of tricks: duplicating static binary dependencies, and patching the firmware to simulate NVRAM so that programs receive real responses to their configuration queries.

We introduce a new, powerful dynamic binary instrumentation (DBI) framework that supports all platforms and embedded architectures in use today, including ARM, ARM64, MIPS, PowerPC and SPARC (we also support Intel x86). The design and implementation of this framework are presented in detail, so the audience can also see many other applications of our DBI beyond this project.

We also discuss how we built an advanced guided fuzzer that runs inside the emulated firmware. With our own DBI at its heart, it requires no firmware source code and can find vulnerabilities in binary-only applications on all kinds of embedded CPUs available today.
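To make the guided-fuzzing loop concrete, here is a small self-contained example written for this page; it is not code from the talk or its authors. It runs a coverage-guided fuzzer in Python over a constructed toy record parser with a planted off-by-one read. Python's sys.settrace hook plays the role the talk's DBI framework plays on emulated firmware: it observes control-flow edges without any source instrumentation. The parser, its record layout (magic, version, tag, length byte), the crash condition and all function names are assumptions made for the demonstration.

```python
import random
import sys
from typing import Callable, List, NamedTuple, Optional, Set, Tuple

Edge = Tuple[int, int]  # (previous line, current line), the AFL-style coverage signal


def parse_record(data: bytes) -> str:
    """Constructed toy target standing in for a firmware binary's record parser.

    Assumed layout: 'F' 'W' <version=3> 'C' 'F' 'G' <len> <payload...>.
    Planted defect: the bounds check validates the payload, but the handler then
    reads one byte past it as a "checksum", an off-by-one read.
    """
    if len(data) < 7:
        return "short"
    if data[0] != ord("F"):
        return "bad-magic-0"
    if data[1] != ord("W"):
        return "bad-magic-1"
    if data[2] != 3:
        return "bad-version"
    if data[3] != ord("C"):
        return "unknown-tag-0"
    if data[4] != ord("F"):
        return "unknown-tag-1"
    if data[5] != ord("G"):
        return "unknown-tag-2"
    length = data[6]
    if length > len(data) - 7:
        return "truncated"
    checksum = data[7 + length]  # planted off-by-one: IndexError when length == len(data) - 7
    return "ok"


def run_with_coverage(target: Callable[[bytes], str], data: bytes) -> Tuple[Set[Edge], bool]:
    """Run target(data) under a line tracer; return (edges hit, crashed).

    The tracer stands in for the DBI: it records (prev_line, line) edges of the
    target's own frame only, and treats any uncaught exception as a crash.
    """
    edges: Set[Edge] = set()
    prev = [0]
    code = target.__code__

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None  # do not trace helpers, only the target
        if event == "line":
            edges.add((prev[0], frame.f_lineno))
            prev[0] = frame.f_lineno
        return tracer

    sys.settrace(tracer)
    try:
        target(data)
        crashed = False
    except Exception:
        crashed = True
    finally:
        sys.settrace(None)
    return edges, crashed


def mutate(rng: random.Random, data: bytes) -> bytes:
    """Byte-level mutator: overwrite a byte, insert a byte, or delete a byte."""
    buf = bytearray(data)
    roll = rng.random()
    if roll < 0.6 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif roll < 0.8:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf[:64])  # keep inputs small for the demonstration


class FuzzResult(NamedTuple):
    crash: Optional[bytes]
    iterations: int
    corpus_size: int


def fuzz(target: Callable[[bytes], str], seeds: List[bytes], budget: int,
         rng_seed: int = 1) -> FuzzResult:
    """Coverage-guided loop: keep inputs that reach new edges, favor the deepest one."""
    rng = random.Random(rng_seed)
    seen: Set[Edge] = set()
    corpus: List[Tuple[bytes, Set[Edge]]] = []
    for s in seeds:
        edges, _ = run_with_coverage(target, s)
        seen |= edges
        corpus.append((s, edges))
    for i in range(1, budget + 1):
        if rng.random() < 0.75:  # mostly mutate the input with the most edges
            parent = max(corpus, key=lambda entry: len(entry[1]))[0]
        else:  # sometimes explore any corpus member
            parent = rng.choice(corpus)[0]
        child = mutate(rng, parent)
        edges, crashed = run_with_coverage(target, child)
        if crashed:
            return FuzzResult(child, i, len(corpus))
        if not edges <= seen:  # new edge discovered: keep this input
            seen |= edges
            corpus.append((child, edges))
    return FuzzResult(None, budget, len(corpus))


if __name__ == "__main__":
    print(fuzz(parse_record, [bytes(8)], budget=400_000))
```

Starting from an all-zero seed, the loop climbs the parser one comparison at a time because each passed check exposes a new edge, which is exactly the feedback blind random mutation lacks. The target deliberately compares magic and tag bytes one at a time; a single multi-byte comparison would give the tracer no intermediate signal, which is why production fuzzers add comparison splitting or token dictionaries on top of edge coverage.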

In a limited time of just a few months, our fuzzer has already discovered many 0days in some very popular embedded network devices. Among them, several vulnerabilities allow pre-authentication remote code execution affecting millions of users, and could potentially be turned into a new botnet worm with massive-scale infection. These bugs will be released publicly in our talk if the vendors fix them in time.

The audience can expect a deeply technical, yet entertaining, presentation with many exciting demos.

Date: November 2, 2018
Time: 10:30 am - 11:30 am
Speakers: Nguyen Anh Quynh, Kai Jern Lau