Jetset: Targeted firmware rehosting for embedded systems

Evan Johnson; Maxwell Bland; Yi Fei Zhu; Joshua Mason; Stephen Checkoway; Stefan Savage; Kirill Levchenko

Jetset: Targeted firmware rehosting for embedded systems

Evan Johnson, Maxwell Bland, Yi Fei Zhu, Joshua Mason, Stephen Checkoway, Stefan Savage, Kirill Levchenko

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

The ability to execute code in an emulator is a fundamental part of modern vulnerability testing. Unfortunately, this poses a challenge for many embedded systems, where firmware expects to interact with hardware devices specific to the target. Getting embedded system firmware to run outside its native environment, termed rehosting, requires emulating these hardware devices with enough accuracy to convince the firmware that it is executing on the target hardware. However, full fidelity emulation of target devices (which requires considerable engineering effort) may not be necessary to boot the firmware to a point of interest for an analyst (for example, a point where fuzzer input can be injected). We hypothesized that, for the firmware to boot successfully, it is sufficient to emulate only the behavior expected by the firmware, and that this behavior could be inferred automatically. To test this hypothesis, we developed and implemented Jetset, a system that uses symbolic execution to infer what behavior firmware expects from a target device. Jetset can generate devices models for hardware peripherals in C, allowing an analyst to boot the firmware in an emulator (e.g., QEMU). We successfully applied Jetset to thirteen distinct pieces of firmware together representing three architectures, three application domains (power grid, avionics, and consumer electronics), and five different operating systems. We also demonstrate how Jetset-assisted rehosting facilitates fuzz-testing, a common security analysis technique, on an avionics embedded system, in which we found a previously unknown privilege escalation vulnerability.

Original language	English (US)
Title of host publication	Proceedings of the 30th USENIX Security Symposium
Publisher	USENIX Association
Pages	321-338
Number of pages	18
ISBN (Electronic)	9781939133243
State	Published - 2021
Event	30th USENIX Security Symposium, USENIX Security 2021 - Virtual, Online Duration: Aug 11 2021 → Aug 13 2021

Publication series

Name	Proceedings of the 30th USENIX Security Symposium

Conference

Conference	30th USENIX Security Symposium, USENIX Security 2021
City	Virtual, Online
Period	8/11/21 → 8/13/21

ASJC Scopus subject areas

Computer Networks and Communications
Information Systems
Safety, Risk, Reliability and Quality

Library availability

Discover UIUC Full Text

Cite this

@inproceedings{c14ec5024aeb41bcb16af7df21304a1d,

title = "Jetset: Targeted firmware rehosting for embedded systems",

abstract = "The ability to execute code in an emulator is a fundamental part of modern vulnerability testing. Unfortunately, this poses a challenge for many embedded systems, where firmware expects to interact with hardware devices specific to the target. Getting embedded system firmware to run outside its native environment, termed rehosting, requires emulating these hardware devices with enough accuracy to convince the firmware that it is executing on the target hardware. However, full fidelity emulation of target devices (which requires considerable engineering effort) may not be necessary to boot the firmware to a point of interest for an analyst (for example, a point where fuzzer input can be injected). We hypothesized that, for the firmware to boot successfully, it is sufficient to emulate only the behavior expected by the firmware, and that this behavior could be inferred automatically. To test this hypothesis, we developed and implemented Jetset, a system that uses symbolic execution to infer what behavior firmware expects from a target device. Jetset can generate devices models for hardware peripherals in C, allowing an analyst to boot the firmware in an emulator (e.g., QEMU). We successfully applied Jetset to thirteen distinct pieces of firmware together representing three architectures, three application domains (power grid, avionics, and consumer electronics), and five different operating systems. We also demonstrate how Jetset-assisted rehosting facilitates fuzz-testing, a common security analysis technique, on an avionics embedded system, in which we found a previously unknown privilege escalation vulnerability.",

author = "Evan Johnson and Maxwell Bland and Zhu, {Yi Fei} and Joshua Mason and Stephen Checkoway and Stefan Savage and Kirill Levchenko",

note = "Funding Information: This material is based upon work supported by National Science Foundation awards CNS-1646493 and CNS-1901728, and DARPA award FA8750-16-C-0181. Publisher Copyright: {\textcopyright} 2021 by The USENIX Association. All rights reserved.; 30th USENIX Security Symposium, USENIX Security 2021 ; Conference date: 11-08-2021 Through 13-08-2021",

year = "2021",

language = "English (US)",

series = "Proceedings of the 30th USENIX Security Symposium",

publisher = "USENIX Association",

pages = "321--338",

booktitle = "Proceedings of the 30th USENIX Security Symposium",

}

TY - GEN

T1 - Jetset

T2 - 30th USENIX Security Symposium, USENIX Security 2021

AU - Johnson, Evan

AU - Bland, Maxwell

AU - Zhu, Yi Fei

AU - Mason, Joshua

AU - Checkoway, Stephen

AU - Savage, Stefan

AU - Levchenko, Kirill

N1 - Funding Information: This material is based upon work supported by National Science Foundation awards CNS-1646493 and CNS-1901728, and DARPA award FA8750-16-C-0181. Publisher Copyright: © 2021 by The USENIX Association. All rights reserved.

PY - 2021

Y1 - 2021

N2 - The ability to execute code in an emulator is a fundamental part of modern vulnerability testing. Unfortunately, this poses a challenge for many embedded systems, where firmware expects to interact with hardware devices specific to the target. Getting embedded system firmware to run outside its native environment, termed rehosting, requires emulating these hardware devices with enough accuracy to convince the firmware that it is executing on the target hardware. However, full fidelity emulation of target devices (which requires considerable engineering effort) may not be necessary to boot the firmware to a point of interest for an analyst (for example, a point where fuzzer input can be injected). We hypothesized that, for the firmware to boot successfully, it is sufficient to emulate only the behavior expected by the firmware, and that this behavior could be inferred automatically. To test this hypothesis, we developed and implemented Jetset, a system that uses symbolic execution to infer what behavior firmware expects from a target device. Jetset can generate devices models for hardware peripherals in C, allowing an analyst to boot the firmware in an emulator (e.g., QEMU). We successfully applied Jetset to thirteen distinct pieces of firmware together representing three architectures, three application domains (power grid, avionics, and consumer electronics), and five different operating systems. We also demonstrate how Jetset-assisted rehosting facilitates fuzz-testing, a common security analysis technique, on an avionics embedded system, in which we found a previously unknown privilege escalation vulnerability.

AB - The ability to execute code in an emulator is a fundamental part of modern vulnerability testing. Unfortunately, this poses a challenge for many embedded systems, where firmware expects to interact with hardware devices specific to the target. Getting embedded system firmware to run outside its native environment, termed rehosting, requires emulating these hardware devices with enough accuracy to convince the firmware that it is executing on the target hardware. However, full fidelity emulation of target devices (which requires considerable engineering effort) may not be necessary to boot the firmware to a point of interest for an analyst (for example, a point where fuzzer input can be injected). We hypothesized that, for the firmware to boot successfully, it is sufficient to emulate only the behavior expected by the firmware, and that this behavior could be inferred automatically. To test this hypothesis, we developed and implemented Jetset, a system that uses symbolic execution to infer what behavior firmware expects from a target device. Jetset can generate devices models for hardware peripherals in C, allowing an analyst to boot the firmware in an emulator (e.g., QEMU). We successfully applied Jetset to thirteen distinct pieces of firmware together representing three architectures, three application domains (power grid, avionics, and consumer electronics), and five different operating systems. We also demonstrate how Jetset-assisted rehosting facilitates fuzz-testing, a common security analysis technique, on an avionics embedded system, in which we found a previously unknown privilege escalation vulnerability.

UR - http://www.scopus.com/inward/record.url?scp=85108506467&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85108506467&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:85108506467

T3 - Proceedings of the 30th USENIX Security Symposium

SP - 321

EP - 338

BT - Proceedings of the 30th USENIX Security Symposium

PB - USENIX Association

Y2 - 11 August 2021 through 13 August 2021

ER -

Jetset: Targeted firmware rehosting for embedded systems

Abstract

Publication series

Conference

ASJC Scopus subject areas

Library availability

Related links

Fingerprint

Cite this