Abstract
Internet-of-Things (IoT) devices play a central role in the modern digital landscape by providing uninterrupted convenience, but their history has been marked by the opportunities they offer attackers seeking to exploit them. Vulnerable firmware remains a major factor in the exploitation of IoT devices, and persistent storage interfaces, which retain data even after power loss, can exacerbate this problem. This work examines and reports on the security impact of persistent storage through the lens of three facets of firmware code that influence its susceptibility to exploitation: security-critical sanitization bypass flaws, computed attack surface spread, and the presence of command injection vulnerabilities. The assessment is built upon manually annotated call sequences that allow reasoning about path sanitization in order to formulate well-founded observations. We assemble a dataset of 100 IoT firmware images from four well-known vendors and initially find 68 devices whose persistent storage receives attacker-controllable input over more than 4800 unique unsanitized paths. Furthermore, we discover 77 instances of sanitization bypass flaws in 32 devices. In addition, we introduce the taint spread metric to assess the impact of tainted persistent storage on a firmware's attack surface; in one alarming instance we find tainted data to affect over 1500 firmware code locations. Finally, we leverage the modeled call sequences to detect and exploit seven 0-day command injection vulnerabilities in five acquired devices, with five PSVs assigned.
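To make the three measurements named in the abstract concrete, the following is an added illustrative model, not the paper's tool, dataset or annotations: a constructed call sequence with a persistent-storage read as taint source, one sanitizer and two command sinks, over which it reports unsanitized source-to-sink paths, a sanitization bypass (a sink reachable both through and around the sanitizer) and the taint spread count. The function names nvram_get, validate_ip, build_cmd and the rest are assumed placeholders.

```python
# Constructed call-sequence model (assumption: illustrative only, not the paper's data).
# Nodes are code locations; an edge means a value read from persistent storage can
# flow from one location to the next on its way towards a command sink.
SOURCES = {"nvram_get"}          # persistent-storage getter (hypothetical name)
SANITIZERS = {"validate_ip"}     # hypothetical sanitizer, e.g. an IPv4 parser check
SINKS = {"system", "popen"}      # OS command sinks (CWE-78 targets)

CALL_SEQ = {
    "nvram_get":   ["handle_cfg", "apply_cfg"],
    "handle_cfg":  ["validate_ip", "build_cmd"],  # second branch skips the sanitizer
    "validate_ip": ["build_cmd"],
    "build_cmd":   ["system"],
    "apply_cfg":   ["format_str"],
    "format_str":  ["popen"],
    "system": [], "popen": [],
}

def all_paths(graph, start, sinks):
    """Enumerate simple paths from start to any sink (iterative DFS)."""
    paths, stack = [], [(start, [start])]
    while stack:
        node, path = stack.pop()
        if node in sinks:
            paths.append(path)
            continue
        for nxt in graph.get(node, []):
            if nxt not in path:              # avoid cycles
                stack.append((nxt, path + [nxt]))
    return paths

def unsanitized_paths(graph):
    """Source-to-sink paths on which no sanitizer is ever called."""
    return [p for s in SOURCES for p in all_paths(graph, s, SINKS)
            if not any(n in SANITIZERS for n in p)]

def sanitization_bypass(graph):
    """Sinks that are guarded by a sanitizer on one path but reached unguarded on another."""
    guarded, unguarded = set(), set()
    for s in SOURCES:
        for p in all_paths(graph, s, SINKS):
            (guarded if any(n in SANITIZERS for n in p) else unguarded).add(p[-1])
    return sorted(guarded & unguarded)

def taint_spread(graph):
    """Number of distinct code locations reachable from a tainted source (BFS)."""
    seen, queue = set(), list(SOURCES)
    while queue:
        for nxt in graph.get(queue.pop(0), []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return len(seen - SOURCES)
```

On the constructed graph, two unsanitized paths reach the sinks, `system` is flagged as bypassed because `handle_cfg` can skip `validate_ip`, and seven locations are tainted.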
A. Lounis and A. Andreoli—The first two authors contributed equally to this work.
The authors gratefully acknowledge the support and collaboration of the Communication Security Establishment (CSE).
Notes
1. Dataset available through email correspondence with the first two listed authors.
2.
3. Converts a human-readable IPv4 string into an address structure.
4. PSV-2023-0150, PSV-2023-0151, PSV-2023-0152, PSV-2023-0153, PSV-2023-0154.
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Lounis, A., Andreoli, A., Debbabi, M., Hanna, A. (2024). Seum Spread: Discerning Security Flaws in IoT Firmware via Call Sequence Semantics. In: Maggi, F., Egele, M., Payer, M., Carminati, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2024. Lecture Notes in Computer Science, vol 14828. Springer, Cham. https://doi.org/10.1007/978-3-031-64171-8_21
DOI: https://doi.org/10.1007/978-3-031-64171-8_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-64170-1
Online ISBN: 978-3-031-64171-8