Our recent collaborative effort yielded a set of critical vulnerabilities in the popular NicheStack TCP/IP stack, used by several major vendors of embedded systems – including many in operational technology and critical infrastructure – for more than 20 years. The vulnerabilities affect most levels of the stack (from Network to Application layer) and allow for unauthenticated remote code execution in default configurations.
Although this resembles other recent research into TCP/IP stack security – such as Ripple20 and AMNESIA:33 – the main difference is that these vulnerabilities were found using a myriad of techniques, not limited to classic manual/static analysis and fuzzing, but including state-of-the-art binary-only data-flow analysis and symbolic execution. Most importantly, these techniques can be, and have been, useful in other scenarios as well. In recent years, publicly available infrastructure such as Ghidra, AFL and angr has put within our grasp the “holy grail” of vulnerability research: real-world automated 0-day identification, without reliance on source code and with zero or minimal pre-configuration. We believe that these automated techniques will soon become more common, which should encourage vulnerability researchers to write automated scanners themselves and find very large-scale vulnerabilities faster.
In this talk, we will use the new NicheStack vulnerabilities (which include buffer overflows, integer overflows, infinite loops, and entropy issues) to showcase contemporary techniques for vulnerability detection and mitigation via firmware image analysis and live network traffic analysis. We will discuss not only the vulnerabilities we found and how they can be exploited, but also the vulnerability discovery trajectory, such as the vulnerabilities we expected to find based on previous research. NicheStack displays most of the TCP/IP anti-patterns that we have observed in different previous research, including RFC mis-implementation and lack of basic bounds checks. We will show how we used data-flow analysis to identify a DNS-based heap overflow. We will introduce data-flow analysis in the context of Ghidra’s P-Code intermediate representation, show the identification of libc functions and the use of function divination (test sets on top of emulation).
We will also discuss how to mitigate these vulnerabilities on networked devices. We will show how it is possible to determine a device's exposure to already-known vulnerabilities automatically via analysis of binary firmware and function-based diffing. We also discuss the identification of vulnerable devices on the network (which is not easy, given the well-known lack of transparency into embedded software components) and the detection of exploit attempts.
To conclude, we will discuss the implications of this type of research – finding and mitigating large-scale vulnerabilities – for ongoing high-level initiatives regarding supply chain vulnerabilities and Software Bill of Materials (SBOM). We hope this research motivates the use of automated techniques to find and squash more bugs at large scale, thus securing millions or billions of embedded devices at a time.