ProXray: Protocol Model Learning and Guided Firmware Analysis

Published in: IEEE Transactions on Software Engineering 2021-09, Vol. 47 (9), p. 1907-1928
Main Authors: Fowze, Farhaan, Tian, Dave, Hernandez, Grant, Butler, Kevin, Yavuz, Tuba
Format: Article
Language: eng
Summary: The number of Internet of Things (IoT) devices reached 7 billion globally in early 2018, and they are nearly ubiquitous in daily life. Knowing whether or not these devices are safe and secure to use is becoming critical. IoT devices usually implement communication protocols such as USB and Bluetooth within firmware to allow a wide range of functionality. Thus, analyzing firmware using domain knowledge from these protocols is vital to understand device behavior, detect implementation bugs, and identify malicious components. Unfortunately, due to the complexity of these protocols, there is usually no formal specification available that can help automate the firmware analysis; as a result, significant manual effort is currently required to study these protocols and to reverse engineer the device firmware. In this paper, we propose a new firmware analysis methodology using symbolic execution called ProXray, which can learn a protocol model from known firmware and apply the model to recognize the protocol-relevant fields and detect functionality within unknown firmware automatically. After the training phase, ProXray can fully automate the firmware analysis process while supporting users' queries in the form of protocol-relevant constraints. We have applied ProXray to the USB and Bluetooth protocols by learning protocol constraint models from firmware that implements these protocols. We are then able to map protocol fields and identify USB functionality automatically within all 6 unknown USB firmware images while achieving more than an order of magnitude speedup in reaching protocol-relevant targets in unknown Bluetooth firmware. Our model achieved high coverage of the USB and Bluetooth specifications for several important protocol fields. ProXray provides a new method to apply domain knowledge to firmware analysis automatically.
ISSN: 0098-5589, 1939-3520