Security teams for both asset owners and devices manufacturers know this scenario well: a new CVE is released and your team is responsible for verifying whether or not that vulnerability affects the connected devices (IoT, OT, and ICS) in your asset inventory or product portfolio. The trouble is that this process can be disruptive and cumbersome, often requiring devices to be taken offline in order to test them.
High profile vulnerabilities such as Urgent/11 and Ripple20 have reemphasized the need for automated vulnerability detection and verification solutions that are accurate, reliable, scalable, and fast. Such tools and methods must also be able to analyze binaries without source code which is usually unavailable when evaluating embedded firmware. Even when source code is available, static code analyzers such as lint do not provide sufficient information to determine the impact of a potential vulnerability. Simply put, while they can reveal weaknesses in source code, they cannot reveal the whole picture.
Static binary analysis has several limitations where it is manually intensive, time consuming, hard to scale, and can lead to false positives. Techniques like signature-based detection (e.g., YARA), instruction matching, or function hashing may result in false negatives because firmware composition can drastically vary between different platforms, architectures, and tool chains.
To overcome these major obstacles, Finite State’s research team used their extensive years of collective expertise in reversing, emulation, and vulnerability research to develop a novel capability, which we call Focused Emulation. Focused Emulation is a comprehensive automated solution capable of detecting and verifying vulnerabilities in target firmware with the highest degree of accuracy without having to test the physical device. The technique requires no manual intervention and provides information useful for vulnerability remediation. Instead of relying on feature extraction or signature matching, the core technique involves directly emulating the target firmware, and actively triggering the potential vulnerability and observing the effect. To ensure successful emulation, the firmware must first undergo automated preprocessing which includes symbol enrichment, function identification, service identification, and initialization.
In short Focused Emulation allows you to detect and observe specific vulnerabilities in your devices while also also avoiding the disruptive nature of testing on a deployed device and the potential for inaccuracy in passive network traffic detection. The output from Focused Emulation details the exact conditions which led to the vulnerability. This information is essential to vulnerability remediation, and is leveraged by the Finite State platform to inform our in-depth remediation guidance.
Focused Emulation Explained
There are several different emulation strategies available depending upon the desired fidelity to performance tradeoff and available target information. Firmware emulation can be a time intensive endeavor with varying requirements and complexities; therefore, it’s important to employ the right approach for the job. For example, one may emulate a section of code, complete binary, or full system all with the assistance of open source projects. Emulating sections of code from a known execution state is straightforward using Unicorn but syscalls, devices, and Operating System (OS) interactions will not be available; thus, execution will occur at a reduced fidelity but faster with less overhead. Binary emulation, such as qemu-user, emulates foreign Linux executables, like ARM, as a user process forwarding syscalls, file accesses, and OS interactions to your Linux host, usually Intel. Full system emulation, such as qemu-system, emulates an entire OS and foreign machine providing extremely high fidelity with the restriction to a limited set of preconfigured machines.
Focused Emulation (FE) offers a multi-faceted approach to emulation using one framework to selectively emulate portions of code or an entire binary depending on the available information and desired fidelity. Using FE, machine and OS behaviors such as devices and syscalls can be bypassed for performance or simulated for fidelity. Emulated code that interacts with potentially missing or uninitialized external memory is executed with the assistance of built-in constraint solving. External library or OS functions are also simulated without the assistance of a shared object file or OS installation.
At Finite State, we use FE as a robust emulation and analysis tool to execute firmware for arbitrary OSes, like VxWorks/Linux/Bare Metal, to enable capabilities such as CVE verification at scale and without the need for specialized hardware. We’re continuously expanding our supported firmware and leveraging emulation for future capabilities like software identification and fuzzing.
Automated vulnerability verification with the Finite State Platform
Focused Emulation is a capability available to all users of the Finite State Platform. It offers the highest degree of confidence, next to testing on the actual device, with the convenience of just submitting the firmware to our cloud platform for analysis. Once an exploitable vulnerability has been observed, tested and verified, information about the security issue is immediately reported to assist the customer with hardening their device. This capability is only possible thanks to the significant advancements in device emulation provided by the open source community and the expertise of our researchers. To see this methodology in action, check out our whitepaper on Ripple20 detection or request a demonstration.