Operation Mango: Scalable Discovery of Taint-Style Vulnerabilities in Binary Firmware Services

Authors: 

Wil Gibbs, Arvind S Raj, Jayakrishna Menon Vadayath, Hui Jun Tay, Justin Miller, Akshay Ajayan, Zion Leonahenahe Basque, Audrey Dutcher, and Fangzhou Dong, Arizona State University; Xavier Maso, unaffiliated; Giovanni Vigna and Christopher Kruegel, UC Santa Barbara; Adam Doupé, Yan Shoshitaishvili, and Ruoyu Wang, Arizona State University

Abstract: 

The rise of IoT (Internet of Things) devices has created a system of convenience, which allows users to control and automate almost everything in their homes. But this increase in convenience comes with increased security risks to the users of IoT devices, partially because IoT firmware is frequently complex, feature-rich, and very vulnerable. Existing solutions for automatically finding taint-style vulnerabilities significantly reduce the number of binaries analyzed to achieve scalability. However, we show that this trade-off results in missing significant numbers of vulnerabilities. In this paper, we propose a new direction: scaling static analysis of firmware binaries so that all binaries can be analyzed for command injection or buffer overflows. To achieve this, we developed MANGODFA, a novel binary data-flow analysis leveraging value analysis and data dependency analysis on binary code. Through key algorithmic optimizations in MANGODFA, our prototype Mango achieves fast analysis without sacrificing precision. On the same dataset used in prior work, Mango analyzed 27× more binaries in a comparable amount of time to the state-of-the-art in Linux-based user-space firmware taint-analysis SaTC. Mango achieved an average per-binary analysis time of 8 minutes compared to 6.56 hours for SaTC. In addition, Mango finds 56 real vulnerabilities that SaTC does not find in a set of seven firmware. We also performed an ablation study demonstrating the performance gains in Mango come from key algorithmic improvements.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {298258,
author = {Wil Gibbs and Arvind S Raj and Jayakrishna Menon Vadayath and Hui Jun Tay and Justin Miller and Akshay Ajayan and Zion Leonahenahe Basque and Audrey Dutcher and Fangzhou Dong and Xavier Maso and Giovanni Vigna and Christopher Kruegel and Adam Doup{\'e} and Yan Shoshitaishvili and Ruoyu Wang},
title = {Operation Mango: Scalable Discovery of {Taint-Style} Vulnerabilities in Binary Firmware Services},
booktitle = {33rd USENIX Security Symposium (USENIX Security 24)},
year = {2024},
isbn = {978-1-939133-44-1},
address = {Philadelphia, PA},
pages = {7123--7139},
url = {https://www.usenix.org/conference/usenixsecurity24/presentation/gibbs},
publisher = {USENIX Association},
month = aug
}