HALucinator: Firmware Re-Hosting through Abstraction Layer Emulation

Abstract

Given the increasing ubiquity of online embedded devices, analyzing their firmware is important to security, privacy, and safety. The tight coupling between hardware and firmware and the diversity found in embedded systems makes it hard to perform dynamic analysis on firmware. However, firmware developers regularly develop code using abstractions, such as Hardware Abstraction Layers (HALs), to simplify their job. We leverage such abstractions as the basis for the re-hosting and analysis of firmware. By providing high-level replacements for HAL functions (a process termed High-Level Emulation -- HLE), we decouple the hardware from the firmware. This approach works by first locating the library functions in a firmware sample, through binary analysis, and then providing generic implementations of these functions in a full-system emulator. We present these ideas in a prototype system, HALucinator, able to re-host firmware, and allow the virtual device to be used normally. First, we introduce extensions to existing library matching techniques that are needed to identify library functions in binary firmware, to reduce collisions, and for inferring additional function names. Next, we demonstrate the re-hosting process, through the use of simplified Handlers and Peripheral Models, which make the process fast, flexible, and portable between firmware samples and chip vendors. Finally, we demonstrate the practicality of HLE for security analysis, by supplementing HALucinator with AFL, to locate multiple previously-unknown vulnerabilities in firmware middleware libraries.

Publication
In Proceedings of the 29th USENIX Security Symposium (USENIX ‘20)
Date

Cite it:

@article{ClementsGustafson2020halucinator,
  title={HALucinator: Firmware Re-hosting through Abstraction Layer Emulation},
  author={Clements, Abraham and Gustafson, Eric and Scharnowski, Tobias and Grosen, Paul and Fritz, David and Kruegel, Christopher and Vigna, Giovanni and Bagchi, Saurabh and Payer, Mathias},
  booktitle={Proceedings of the 29th USENIX Security Symposium (USENIX '20)},
  year={2020},
  organization={USENIX Association}
}