Toward the Analysis of Embedded Firmware through Automated Re-hosting


Eric Gustafson, UC Santa Barbara; Marius Muench, EURECOM; Chad Spensky, Nilo Redini, and Aravind Machiry, UC Santa Barbara; Yanick Fratantonio, Davide Balzarotti, and Aurelien Francillon, EURECOM; Yung Ryn Choe, Sandia National Laboratories; Christopher Kruegel and Giovanni Vigna, UC Santa Barbara


The recent paradigm shift introduced by the Internet of Things (IoT) has brought embedded systems into focus as a target for both security analysts and malicious adversaries. Typified by their lack of standardized hardware, diverse software, and opaque functionality, IoT devices present unique challenges to security analysts due to the tight coupling between their firmware and the hardware for which it was designed. In order to take advantage of modern program analysis techniques, such as fuzzing or symbolic execution, with any kind of scale or depth, analysts must have the ability to execute firmware code in emulated (or virtualized) environments. However, these emulation environments are rarely available and cumbersome to create through manual reverse engineering, greatly limiting the analysis of binary firmware.

In this work, we explore the problem of firmware re-hosting, the process by which firmware is migrated from its original hardware environment into a virtualized one. We show that an approach capable of creating virtual, interactive environments in an automated manner is a necessity to enable firmware analysis at scale. We present the first proof-of-concept system aiming to achieve this goal, called PRETENDER, which uses observations of the interactions between the original hardware and the firmware to automatically create models of peripherals, and allows for the execution of the firmware in a fully-emulated environment. Unlike previous approaches, these models are interactive, stateful, and transferable, meaning they are designed to allow the program to receive and process new input, a requirement of many analyses. We demonstrate our approach on multiple hardware platforms and firmware samples, and show that the models are flexible enough to allow for virtualized code execution, the exploration of new code paths, and the identification of security vulnerabilities.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {242028,
author = {Eric Gustafson and Marius Muench and Chad Spensky and Nilo Redini and Aravind Machiry and Yanick Fratantonio and Davide Balzarotti and Aur{\'e}lien Francillon and Yung Ryn Choe and Christophe Kruegel and Giovanni Vigna},
title = {Toward the Analysis of Embedded Firmware through Automated Re-hosting},
booktitle = {22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2019)},
year = {2019},
isbn = {978-1-939133-07-6},
address = {Chaoyang District, Beijing},
pages = {135--150},
url = {},
publisher = {USENIX Association},
month = sep