Hybrid Firmware Analysis for Known Mobile and IoT Security Vulnerabilities

Pengfei Sun, Luis Garcia, Gabriel Salles-Loustau, Saman Zonouz

Research output: Chapter in Book/Report/Conference proceedingConference contribution

1 Scopus citations

Abstract

Mobile and IoT operating systems-and their ensuing software updates-are usually distributed as binary files. Given that these binary files are commonly closed source, users or businesses who want to assess the security of the software need to rely on reverse engineering. Further, verifying the correct application of the latest software patches in a given binary is an open problem. The regular application of software patches is a central pillar for improving mobile and IoT device security. This requires developers, integrators, and vendors to propagate patches to all affected devices in a timely and coordinated fashion. In practice, vendors follow different and sometimes improper security update agendas for both mobile and IoT products. Moreover, previous studies revealed the existence of a hidden patch gap: several vendors falsely reported that they patched vulnerabilities. Therefore, techniques to verify whether vulnerabilities have been patched or not in a given binary are essential. Deep learning approaches have shown to be promising for static binary analyses with respect to inferring binary similarity as well as vulnerability detection. However, these approaches fail to capture the dynamic behavior of these systems, and, as a result, they may inundate the analysis with false positives when performing vulnerability discovery in the wild. In particular, they cannot capture the fine-grained characteristics necessary to distinguish whether a vulnerability has been patched or not. In this paper, we present PATCHECKO, a vulnerability and patch presence detection framework for executable binaries. PATCHECKO relies on a hybrid, cross-platform binary code similarity analysis that combines deep learning-based static binary analysis with dynamic binary analysis. PATCHECKO does not require access to the source code of the target binary nor that of vulnerable functions. We evaluate PATCHECKO on the most recent Google Pixel 2 smartphone and the Android Things IoT firmware images, within which 25 known CVE vulnerabilities have been previously reported and patched. Our deep learning model shows a vulnerability detection accuracy of over 93%. We further prune the candidates found by the deep learning stage-which includes false positives-via dynamic binary analysis. Consequently, PATCHECKO successfully identifies the correct matches among the candidate functions in the top 3 ranked outcomes 100% of the time. Furthermore, PATCHECKO's differential engine distinguishes between functions that are still vulnerable and those that are patched with an accuracy of 96%.

Original languageEnglish (US)
Title of host publicationProceedings - 50th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2020
PublisherInstitute of Electrical and Electronics Engineers Inc.
Pages373-384
Number of pages12
ISBN (Electronic)9781728158099
DOIs
StatePublished - Jun 2020
Event50th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2020 - Valencia, Spain
Duration: Jun 29 2020Jul 2 2020

Publication series

NameProceedings - 50th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2020

Conference

Conference50th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2020
Country/TerritorySpain
CityValencia
Period6/29/207/2/20

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Hardware and Architecture
  • Information Systems
  • Information Systems and Management
  • Safety, Risk, Reliability and Quality

Keywords

  • Deep Learning
  • Dynamic Analysis
  • Firmware Vulnerabilities
  • IoT
  • Mobile
  • Patch

Fingerprint

Dive into the research topics of 'Hybrid Firmware Analysis for Known Mobile and IoT Security Vulnerabilities'. Together they form a unique fingerprint.

Cite this