ASIACCS 2016, ACM Symposium on InformAtion, Computer and Communications Security, May 30-June 3, 2016, Xi'An, China
      
  Embedded devices are becoming more widespread, interconnected, and web-enabled than ever. However, recent studies showed  that  embedded  devices  are  far  from  being  secure. Moreover,  many  embedded  systems  rely  on  web  interfaces for user interaction or administration. Web security is still dicult and therefore the web interfaces of embedded systems represent a considerable attack surface. In this paper, we present the first fully automated framework that applies dynamic rmware analysis techniques to achieve, in a scalable manner, automated vulnerability discovery  within  embedded  rmware  images.  We  apply  our framework to study the security of embedded web interfaces running in Commercial O-The-Shelf (COTS) embedded devices,  such  as  routers,  DSL/cable  modems,  VoIP  phones, IP/CCTV  cameras.  We  introduce  a  methodology  and  implement a scalable framework for discovery of vulnerabilities in embedded web interfaces regardless of the devices' vendor, type, or architecture. To reach this goal, we perform full system emulation to achieve the execution of rmware images in a software-only environment, i.e., without involving any physical embedded devices. Then, we automatically analyze the web interfaces within the rmware using both static and dynamic analysis tools. We also present some interesting case-studies and discuss the main challenges associated with the dynamic analysis of firmware images and their web interfaces and network services. The observations we make in this paper shed light on an important aspect of embedded devices which was not previously studied at a large scale.
Type:
        Conférence
      City:
        Xi'an
      Date:
        2016-05-30
      Department:
        Sécurité numérique
      Eurecom Ref:
        4851
      Copyright:
        © ACM, 2016. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in ASIACCS 2016, ACM Symposium on InformAtion, Computer and Communications Security, May 30-June 3, 2016, Xi'An, China http://dx.doi.org/10.1145/2897845.2897900
      See also:
        
       
 
 
     
                       
                      