Presentation Material
Abstract
Low-power, single-purpose embedded devices (e.g., routers and IoT devices) have become ubiquitous. While they automate and simplify many aspects of our lives, recent large-scale attacks have shown that their sheer number poses a severe threat to the Internet infrastructure, and has led to the emergence of an IoT-specific cybercrime underground. Unfortunately, the software on these systems is hardware-dependent, and typically executes in unique, minimal environments with non-standard configurations, making security analysis particularly challenging. Moreover, most existing devices implement their functionality through multiple cooperating binaries. This multi-binary service implementation renders current static and dynamic analysis techniques either ineffective or inefficient, as they are unable to identify and adequately model the communication between the various executables.
In this talk, we will unveil the inner peculiarities of embedded firmware, we will show why existing firmware analysis techniques are ineffective, and we will present Karonte, a novel static analysis tool capable of analyzing embedded-device firmware by modeling and tracking multi-binary interactions. Our tool propagates taint information between binaries to detect insecure, attacker-controlled interactions, and effectively identify vulnerabilities.
We will then present the results and insights of our experiments. We tested Karonte on 53 firmware samples from various vendors, showing that our prototype tool can successfully track and constrain multi-binary interactions. In doing so, we discovered 46 zero-day bugs, which we disclosed to the responsible entities. We performed a large-scale experiment on 899 different samples, showing that Karonte scales well with firmware samples of different size and complexity, and can effectively and efficiently analyze real-world firmware in a generic and fully automated fashion.
Finally, we will demo our tool, showing how it led to the detection of a previously unknown vulnerability.
AI Generated Summary
This research addresses the challenge of automated security analysis for IoT firmware, which is typically composed of numerous interacting binaries within a minimal, hardware-dependent environment. Traditional static analysis applied to each binary individually generates excessive false positives, while dynamic analysis remains unreliable due to the difficulty of emulating peripherals and system interactions.
The presented solution, Karonte, introduces static multi-binary taint analysis. It first identifies “border binaries” that receive external input, using a parsing score based on features such as comparisons against network-related keywords. It then constructs a Binary Dependency Graph (BDG) by modeling inter-process communication (IPC) through specialized Communication Paradigm Finders (CPFs). These CPFs detect data sharing via environment variables, files, sockets, or semantic patterns, and establish the data keys (e.g., an environment variable name or a file path) and the direction of data flow between binaries.
Karonte propagates taint and constraints along the BDG, prioritizing paths that carry tainted data and using taint dependencies to mitigate over-tainting. Its detection module flags vulnerabilities where under-constrained, attacker-controlled data reaches sensitive sinks such as memory copies or loop conditions.
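The pipeline described above (border-binary scoring, CPF-based BDG construction, and taint propagation only along edges that actually carry attacker data) can be modeled end to end on a toy firmware summary. The following is an added example and is not Karonte's code: the binary names, the call-site summaries, the `NETWORK_KEYWORDS` set and the scoring weights are all constructed for illustration, and only the environment-variable and file CPFs are modeled.

```python
"""Toy multi-binary taint propagation over a Binary Dependency Graph (BDG).

Added example, not Karonte's implementation. Each binary is summarized as an
ordered list of recovered call sites; the CPFs below pair producers and
consumers of a data key on a channel (environment variable or file), and
taint is followed across the BDG only where the producer actually taints
that key.
"""
from collections import defaultdict, deque

# Hypothetical keyword list used by the parsing score (constructed).
NETWORK_KEYWORDS = {"GET", "POST", "Content-Length", "QUERY_STRING", "HTTP/1.1"}

# Constructed firmware summary: hypothetical binaries and call sites.
FIRMWARE = {
    "httpd": [
        {"op": "source", "chan": "socket", "var": "req"},       # recv() from the network
        {"op": "strcmp", "var": "req", "lit": "GET"},           # parses HTTP keywords
        {"op": "setenv", "key": "QUERY_STRING", "var": "req"},  # hands request to CGI
        {"op": "fwrite", "key": "/tmp/cfg", "var": "req"},      # persists it for cfgd
    ],
    "cgi": [
        {"op": "getenv", "key": "QUERY_STRING", "var": "q"},
        {"op": "sink", "fn": "strcpy", "var": "q", "bounded": False},   # unconstrained copy
    ],
    "cfgd": [
        {"op": "fread", "key": "/tmp/cfg", "var": "cfg"},
        {"op": "sink", "fn": "memcpy", "var": "cfg", "bounded": True},  # length is checked
    ],
    "led": [
        {"op": "getenv", "key": "LED_MODE", "var": "m"},   # key no border binary taints
        {"op": "sink", "fn": "strcpy", "var": "m", "bounded": False},
    ],
}

# CPFs: which call produces a data key on a channel, and which consumes it.
PRODUCERS = {"setenv": "env", "fwrite": "file"}
CONSUMERS = {"getenv": "env", "fread": "file"}


def parsing_score(ops):
    """Crude stand-in for a parsing score: network sources weigh 2,
    comparisons against network keywords weigh 1 (weights are arbitrary)."""
    score = 0
    for op in ops:
        if op["op"] == "source" and op["chan"] == "socket":
            score += 2
        if op["op"] == "strcmp" and op.get("lit") in NETWORK_KEYWORDS:
            score += 1
    return score


def border_binaries(fw, threshold=1):
    """Binaries whose parsing score meets the threshold receive external input."""
    return {name for name, ops in fw.items() if parsing_score(ops) >= threshold}


def build_bdg(fw):
    """BDG edges producer -> {(consumer, (channel, key))}, paired by data key."""
    producers, consumers = defaultdict(set), defaultdict(set)
    for name, ops in fw.items():
        for op in ops:
            if op["op"] in PRODUCERS:
                producers[(PRODUCERS[op["op"]], op["key"])].add(name)
            if op["op"] in CONSUMERS:
                consumers[(CONSUMERS[op["op"]], op["key"])].add(name)
    edges = defaultdict(set)
    for dk, prods in producers.items():
        for p in prods:
            for c in consumers.get(dk, ()):
                if c != p:
                    edges[p].add((c, dk))
    return edges


def taint_binary(ops, tainted_keys, external):
    """Intra-binary taint walk. Returns (alerts, data keys this binary taints)."""
    tainted, produced, alerts = set(), set(), []
    for op in ops:
        kind = op["op"]
        if kind == "source" and external:
            tainted.add(op["var"])
        elif kind in CONSUMERS and (CONSUMERS[kind], op["key"]) in tainted_keys:
            tainted.add(op["var"])
        elif kind in PRODUCERS and op["var"] in tainted:
            produced.add((PRODUCERS[kind], op["key"]))
        elif kind == "sink" and op["var"] in tainted and not op["bounded"]:
            alerts.append((op["fn"], op["var"]))  # under-constrained data at a sink
    return alerts, produced


def analyze(fw):
    """Start at border binaries and follow only BDG edges whose key is tainted."""
    edges, alerts, seen = build_bdg(fw), [], set()
    work = deque((b, frozenset(), True) for b in sorted(border_binaries(fw)))
    while work:
        name, keys, external = work.popleft()
        if (name, keys) in seen:
            continue
        seen.add((name, keys))
        found, produced = taint_binary(fw[name], keys, external)
        alerts += [(name, fn, var) for fn, var in found]
        for consumer, dk in edges.get(name, ()):
            if dk in produced:  # prune edges that carry no attacker data
                work.append((consumer, frozenset({dk}), False))
    return sorted(alerts)


if __name__ == "__main__":
    print("border:", border_binaries(FIRMWARE))
    print("alerts:", analyze(FIRMWARE))
```

On this constructed input only `httpd` scores as a border binary; the env CPF links it to `cgi` via `QUERY_STRING` and the file CPF links it to `cfgd` via `/tmp/cfg`, while `led` is never reached because nothing taints `LED_MODE`. The single alert is the unbounded `strcpy` in `cgi`; the bounded `memcpy` in `cfgd` is suppressed even though its input is tainted, which is the per-binary false positive the BDG-aware walk avoids.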
Evaluation on 53 real-world devices found 46 new zero-day vulnerabilities, reducing alerts from an average of over 100 per firmware (using per-binary analysis) to just five, a reduction of more than an order of magnitude. A larger-scale assessment of 899 firmware samples confirmed the approach’s scalability, with Karonte efficiently analyzing complex dependency graphs and identifying multi-binary vulnerabilities missed by other methods. The tool is publicly released, and the discovered vulnerabilities were responsibly disclosed, resulting in CVEs and vendor patches. The work demonstrates that modeling binary interactions is essential for effective and scalable firmware security analysis.