Towards Firmware Analysis of Industrial Internet of Things (IIoT) - Applying Symbolic Analysis to IIoT Firmware Vetting

Geancarlo Palavicini Jr, Josiah Bryan, Eaven Sheets, Megan Kline, John San Miguel

2017

Abstract

Embedded systems and Industrial Internet of Things (IIoT) devices are rapidly increasing in number and complexity. The subset IIoT refers to Internet of Things (IoT) devices used in manufacturing and industrial control systems that are actively being connected to larger networks and the public internet. As a result, cyber-physical attacks are becoming an increasingly common tactic employed to cause economic and physical damage. This work aims to perform near-automated firmware analysis on embedded systems, Industrial Control Systems (focusing on Programmable Logic Controllers), Industrial Internet of Things devices, and other cyber-physical systems in search of malicious functionality. This paper explores the use of binary analysis tools such as angr, the cyber reasoning system (CRS) 'Mechanical Phish', and American Fuzzy Lop (AFL), as well as virtualization tools such as OpenPLC, Firmadyne, and QEMU, to uncover hidden vulnerabilities, find ways to mitigate those vulnerabilities, and enhance the security posture of the Industrial Internet of Things.

Paper Citation


in Harvard Style

Palavicini Jr G., Bryan J., Sheets E., Kline M. and San Miguel J. (2017). Towards Firmware Analysis of Industrial Internet of Things (IIoT) - Applying Symbolic Analysis to IIoT Firmware Vetting. In Proceedings of the 2nd International Conference on Internet of Things, Big Data and Security - Volume 1: WICSPIT, ISBN 978-989-758-245-5, pages 470-477. DOI: 10.5220/0006393704700477


in Bibtex Style

@conference{wicspit17,
author={Geancarlo Palavicini Jr and Josiah Bryan and Eaven Sheets and Megan Kline and John San Miguel},
title={Towards Firmware Analysis of Industrial Internet of Things (IIoT) - Applying Symbolic Analysis to IIoT Firmware Vetting},
booktitle={Proceedings of the 2nd International Conference on Internet of Things, Big Data and Security - Volume 1: WICSPIT},
year={2017},
pages={470-477},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006393704700477},
isbn={978-989-758-245-5},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 2nd International Conference on Internet of Things, Big Data and Security - Volume 1: WICSPIT
TI - Towards Firmware Analysis of Industrial Internet of Things (IIoT) - Applying Symbolic Analysis to IIoT Firmware Vetting
SN - 978-989-758-245-5
AU - Palavicini Jr G.
AU - Bryan J.
AU - Sheets E.
AU - Kline M.
AU - San Miguel J.
PY - 2017
SP - 470
EP - 477
DO - 10.5220/0006393704700477