Shimware: Toward Practical Security Retrofitting for Monolithic Firmware Images


In today’s era of the Internet of Things, we are surrounded by security- and safety-critical, network-connected devices. In parallel with the rise in attacks on such devices, we have also seen an increase in devices that are abandoned, reached the end of their support periods, or will not otherwise receive future security updates. While this issue exists for a wide array of devices, those that use monolithic !rmware, where the code and data are opaquely intermixed, have traditionally been di#cult to examine and protect. In this paper, we explore the challenges of retro!tting monolithic !rmware images with new security measures. First, we outline the steps any analyst must take to retro!t !rmware, and show that previous work is missing crucial aspects of the process, which are required for a practical solution. We then automate three of these aspects—locating attacker-controlled input, a safe retro!t injection location, and self-checks preventing modi!cations—through the use of novel automated program analysis techniques. We assemble these analyses into a system, Shimware, that can simplify and facilitate the process of creating a retro!tted !rmware image, once the vulnerability is identi!ed. To evaluate Shimware, we employ both a synthetic evaluation and actual retro!tting of three case study devices: a networked bench power supply, a Bluetooth-enabled cardiac implant monitor, and a high-end programmable logic controller (PLC). Not only could our system identify the correct sources of input, injection locations, and self-checks, but it injected payloads to correct serious safety and security-critical vulnerabilities in these devices.

In 2019 International Symposium on Resarch in Attacks, Intrusions, and Defenses (RAID ‘19)

Cite it:

  title={Shimware: Toward Practical Security Retrofitting for Monolithic Firmware Images},
  author={Gustafson, Eric and Grosen, Paul and Redini, Nilo and Jha, Saagar and Continella, Andrea and Wang, Ruoyu and Fu, Kevin and Rampazzi, Sara and Kruegel, Christopher and Vigna, Giovanni},
  booktitle={Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses},