Skip to main content

Leveraging Binary Analysis to Secure the Internet of Things

Periodic Reporting for period 3 - BASTION (Leveraging Binary Analysis to Secure the Internet of Things)

Reporting period: 2018-03-01 to 2019-08-31

"Despite many years of intensive research and development on secure computer systems, the number of successful attacks, and their degree of severity, continues to increase every year. Within the BASTION project, we tackle this challenge and develop methods that leverage binary analysis techniques to improve the security within the Internet of Things (IoT) and other kinds of embedded devices. More specifically, we address the challenge of securing legacy systems given that widely-deployed systems that are critical for our society were developed in an ad-hoc, security-ignorant fashion. This legacy code is heterogeneous and often highly complex and thus represents a constant flow of newly uncovered security issues that adversaries can exploit. Such systems may even use hard- or software components that contain hidden vulnerabilities or backdoors. We concentrate on the software level since this enables us to both analyze a given device for potential security vulnerabilities and add security features to harden the device against future attacks. We focus on issues that pose fundamental research problems and that are crucial for significantly improving computer security; they are, therefore, also of great social and economic value.

Our analysis methods concentrate on binary executables, i.e. the code that is actually executed by the processor. This design choice is based on the fact that we typically do not have access to source code given that we often deal with proprietary systems that we want to analyze. Little to nothing is typically know about the security aspects of such systems and hence we want to analyze them for potential vulnerabilities and obtain insights into their operations. In the first part of the project, we designed an intermediate language to abstract away from the concrete assembly level and this enables an analysis of many different platforms within a unified analysis framework. For example, we used the techniques developed within BASTION to analyze the firmware image used in engine control units (ECUs) within cars to study how the Volkswagen defeat devices (""Dieselgate"") works and also used the same underlying methods to study the microcode within Intel x86 CPUs. Our analysis techniques are based on the whole body of work on program analysis techniques developed in the past three decades: we transferred and extended control- and data-flow analysis techniques and also symbolic execution to our intermediate language and the resulting analysis techniques enable a fine grained and fast analysis of a given binary executable."
"Within WP1 (""Lifting to an Intermediate Language""), we focussed on the design and implementation of an intermediate language (IL) that fits our needs. It turned out that the IL needs to be slightly customized for each analysis target within the lifting process such that the required precision and flexibility can be maintained. Precision is needed such that our subsequent analysis avoids both false positives or false negatives, while flexibility is needed to support different kinds of instruction set architectures (ISAs). We focussed on a wide variety of ISAs such as Intel x86, ARM, MIPS and Infineon Tricore to demonstrate the flexibility of the proposed approac. For each platform, we analyzed different types of binary executables and firmware images. For example, we analyzed complex applications such as web browsers on Intel x86 CPUs, firmware images of programmable logic controllers (PLC, an industrial computer used in factories to control the manufacturing processes), and ECU images of diesel engines powered by a Tricore processor. The main result of WP1 is a lifting framework that enables a lifting of a given binary executable to a representation suitable for subsequent analysis.

In the context of WP 2 (""Adapting Program Analysis Techniques""), WP3 (""Detecting Security Vulnerabilities"") and WP4 (""Retrofitting Security Mechanisms""), the lifting framework is used to analyze the lifted binary code. We focussed on different types of control- and data-flow analysis techniques, symbolic execution, type recovery, taint analysis and related methods to enrich the IL with meta-information that are necessary to perform a precise analysis. In the first part of BASTION, we started to develop and implement the necessary analysis techniques and refined the methods based on different use cases (as outlined above). More specifically, we developed different analysis methods that enable us to either detect potential vulnerabilities in a given binary executable or to retrofit security mechanisms to binary code. Milestone 2 (""First prototype of analysis algorithms"") was achieved successfully and we published several papers to document the results. For now, we focussed on uncovering of undocumented functionality (e.g. defeat device used by Volkswagen and other car manufacturers), detection and prevention of memory corruption vulnerabilities in many different binary contexts (ranging from desktop computer to PLCs) and control-flow integrity (CFI, a general approach to mitigate runtime attacks). The remaining analysis techniques such as the detection of logical vulnerabilities or automated complexity reduction will be covered in the second part of BASTION."
BASTION has significantly improved our understanding of binary analysis techniques and we have published many papers at the leading academic venues in computer security. We were the first to propose advanced runtime protection systems and uncovered several novel vulnerabilities to demonstrate potential attacks. We expect to continue this line of work and continue to advance binary analysis technique to lay foundations for the securing legacy systems.