Periodic Reporting for period 4 - BASTION (Leveraging Binary Analysis to Secure the Internet of Things)
Reporting period: 2019-09-01 to 2020-02-29
Our analysis methods concentrate on binary executables, i.e. the code that is actually executed by the processor, and especially firmware (i.e. purpose-built software that is tightly coupled to its hardware). This design choice is based on the fact that we typically do not have access to source code, given that we often deal with closed-source systems that we want to analyze (e.g. some kind of embedded system that is not fully documented by the vendor). Little to nothing is typically known about the security aspects of such systems, and hence we want to analyze them for potential vulnerabilities and obtain insights into their operation. In the first part of the project, we designed an intermediate language that abstracts away from the concrete assembly level; this enables an analysis of many different platforms within a unified analysis framework. For example, we used the techniques developed within BASTION to analyze the firmware image used in engine control units (ECUs) within cars to study how the Volkswagen defeat devices ("Dieselgate") work, and we also used the same underlying methods to study the microcode within Intel x86 CPUs. Our analysis techniques are based on the whole body of work on program analysis developed in the past three decades: we transferred and extended control- and data-flow analysis techniques as well as symbolic execution to our intermediate language, and the resulting analysis techniques enable a fine-grained and fast analysis of a given binary executable. During this project, we developed several advanced binary analysis techniques that help us either to uncover security vulnerabilities in a given system or to implement generic defense techniques that can protect (embedded) systems against different kinds of attacks.
We used the lifting framework to analyze the lifted binary code and focused on different types of control- and data-flow analysis techniques, symbolic execution, type recovery, taint analysis and related methods to enrich the IL with the meta-information that is necessary to perform a precise analysis. In the first part of BASTION, we started to develop and implement the necessary analysis techniques and refined the methods based on different use cases (as outlined above). More specifically, we developed different analysis methods that enable us either to detect potential vulnerabilities in a given binary executable or to retrofit security mechanisms to binary code. As a result of this project, we published more than 20 scientific papers to document the results - ten of these papers were published at the top academic venues in computer security. We focused on uncovering undocumented functionality (e.g. the defeat devices used by Volkswagen and other car manufacturers), on the detection and prevention of memory corruption vulnerabilities in many different binary contexts (ranging from desktop computers to PLCs), and on control-flow integrity (CFI, a general approach to mitigate runtime attacks). Furthermore, we worked on other analysis techniques such as the detection of logical vulnerabilities or automated complexity reduction methods that enable us to tame the complexity of modern systems. The source code and data sets used for the evaluation of the research prototypes are published at https://github.com/RUB-SysSec