Inception: System-Wide Security Testing of Real- World Embedded Systems Software Nassim Corteggiani (Maxim Integrated / EURECOM) Giovanni Camurati

Similar documents
Inception: System-Wide Security Testing of Real-World Embedded Systems Software

FiE on Firmware Finding Vulnerabilities in Embedded Systems using Symbolic Execution. Drew Davidson Ben Moench Somesh Jha Thomas Ristenpart

Lecture Notes: FIE on Firmware: Finding Vulnerabilities in Embedded Systems using Symbolic Execution

What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices

FiE on Firmware Finding Vulnerabilities in Embedded Systems using Symbolic Execution. Drew Davidson Ben Moench Somesh Jha Thomas Ristenpart

ECE254 Lab3 Tutorial. Introduction to Keil LPC1768 Hardware and Programmers Model. Irene Huang

Overview AEG Conclusion CS 6V Automatic Exploit Generation (AEG) Matthew Stephen. Department of Computer Science University of Texas at Dallas

Baggy bounds with LLVM

Buffer overflow background

Secure Software Development: Theory and Practice

Lecture 4 September Required reading materials for this class

CprE 288 Introduction to Embedded Systems Course Review for Exam 3. Instructors: Dr. Phillip Jones

ARM TrustZone for ARMv8-M for software engineers

Introduction to software exploitation ISSISP 2017

1.1 For Fun and Profit. 1.2 Common Techniques. My Preferred Techniques

Arm TrustZone Armv8-M Primer

15-411: LLVM. Jan Hoffmann. Substantial portions courtesy of Deby Katz

ECE 471 Embedded Systems Lecture 22

Security Testing of Software on Embedded Devices Using x86 Platform

ECE254 Lab3 Tutorial. Introduction to MCB1700 Hardware Programming. Irene Huang

EURECOM 6/2/2012 SYSTEM SECURITY Σ

Charm: Facilitating Dynamic Analysis of Device Drivers of Mobile Systems

ARM Architecture and Assembly Programming Intro

Pointer Analysis for C/C++ with cclyzer. George Balatsouras University of Athens

A program execution is memory safe so long as memory access errors never occur:

Program SoC using C Language

Buffer overflow prevention, and other attacks

Honours/Master/PhD Thesis Projects Supervised by Dr. Yulei Sui

UniSan: Proactive Kernel Memory Initialization to Eliminate Data Leakages

Protection and Mitigation of Software Bug Exploitation

Code: analysis, bugs, and security

Black Box Debugging of Embedded Systems

The Low-Level Bounded Model Checker LLBMC

COSC345 Software Engineering. Basic Computer Architecture and The Stack

Dynamic Dispatch and Duck Typing. L25: Modern Compiler Design

SoK: Eternal War in Memory

VA Smalltalk 9: Exploring the next-gen LLVM-based virtual machine

Coverage-guided Fuzzing of Individual Functions Without Source Code

PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG

IoT and Security: ARM v8-m Architecture. Robert Boys Product Marketing DSG, ARM. Spring 2017: V 3.1

How Software Executes

McSema: Static Translation of X86 Instructions to LLVM

esi-risc Development Suite Getting Started Guide

in memory: an evolution of attacks Mathias Payer Purdue University

CSE 565 Computer Security Fall 2018

Symbolic Execution for Bug Detection and Automated Exploit Generation

Embedded/Connected Device Secure Coding. 4-Day Course Syllabus

logistics: ROP assignment

Compiler Construction: LLVMlite

Targeting LLVM IR. LLVM IR, code emission, assignment 4

Towards Automatic Generation of Vulnerability- Based Signatures

ARM Cortex-M and RTOSs Are Meant for Each Other

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Memory corruption countermeasures

CS-527 Software Security

0x1A Great Papers in Computer Security

ARM Cortex-M4 Programming Model

Inject malicious code Call any library functions Modify the original code

Black Hat Webcast Series. C/C++ AppSec in 2014

CODE TIME TECHNOLOGIES. Abassi RTOS. Porting Document. ARM Cortex-M3 CCS

Resilient IoT Security: The end of flat security models

Automated Software Analysis Techniques For High Reliability: A Concolic Testing Approach. Moonzoo Kim

Practical Malware Analysis

Runtime Defenses against Memory Corruption

Bug Finding with Under-approximating Static Analyses. Daniel Kroening, Matt Lewis, Georg Weissenbacher

Lecture Notes: Unleashing MAYHEM on Binary Code

Applications. Cloud. See voting example (DC Internet voting pilot) Select * from userinfo WHERE id = %%% (variable)

Introduction to Micro-controller Software. Gary J. Minden September 3, 2013

Putting it All Together

Smartphone (in) Security

Multitasking. Embedded Systems

Malware

Exploits and gdb. Tutorial 5

Undefined Behaviour in C

Basic Buffer Overflows

Automatic program generation for detecting vulnerabilities and errors in compilers and interpreters

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

Is Exploitation Over? Bypassing Memory Protections in Windows 7

CSE 504: Compiler Design. Code Generation

Verification & Validation of Open Source

Lecture 3: Instruction Set Architecture

Implementing Secure Software Systems on ARMv8-M Microcontrollers

18-349: Embedded Real-Time Systems Lecture 2: ARM Architecture

Important From Last Time

Analysis of MS Multiple Excel Vulnerabilities

Computer Organization & Assembly Language Programming (CSE 2312)

Design and Implementation Interrupt Mechanism

Securing Real-Time Microcontroller Systems through Customized Memory View Switching

18-600: Recitation #3

Connecting the EDG front-end to LLVM. Renato Golin, Evzen Muller, Jim MacArthur, Al Grant ARM Ltd.

Memory Safety (cont d) Software Security

Computer Architecture and System Software Lecture 07: Assembly Language Programming

How Can You Trust Formally Verified Software?

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Control Flow Hijacking Attacks. Prof. Dr. Michael Backes

Computer Components. Software{ User Programs. Operating System. Hardware

Software Quality is Directly Proportional to Simulation Speed

C and C++ Secure Coding 4-day course. Syllabus

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

20: Exploits and Containment

Transcription:

Inception: System-Wide Security Testing of Real- World Embedded Systems Software Nassim Corteggiani (Maxim Integrated / EURECOM) Giovanni Camurati (EURECOM) Aurélien Francillon (EURECOM) 08/15/18

Embedded Systems Are Everywhere [1] https://community.arm.com/processors/b/bl og/posts/arm-cortex-m3-processor-the-coreof-the-iot 2 Maxim Integrated EURECOM

Embedded Systems Are Everywhere [1] https://community.arm.com/processors/b/bl og/posts/arm-cortex-m3-processor-the-coreof-the-iot Low Power Micro-controllers 3 Maxim Integrated EURECOM

Embedded Systems Are Everywhere Over 32 billions of ARM Cortex M3 shipped in 2018 [1] [1] https://community.arm.com/processors/b/bl og/posts/arm-cortex-m3-processor-the-coreof-the-iot 4 Maxim Integrated EURECOM Low Power Micro-controllers Cover a wide range of fields

Why the Security of Such Systems Matters? 5 Maxim Integrated EURECOM

Why the Security of Such Systems Matters? Highly connected -> large scale attacks 6 Maxim Integrated EURECOM

Why the Security of Such Systems Matters? Highly connected -> large scale attacks Difficulty to patch the code > Mask ROM mask applied on the chip during the fabrication > Off-line devices 7 Maxim Integrated EURECOM

Why the Security of Such Systems Matters? Highly connected -> large scale attacks Difficulty to patch the code > Mask ROM mask applied on the chip during the fabrication > Off-line devices Store sensitive data > Bitcoin wallet > Payment terminal 8 Maxim Integrated EURECOM

Why the Security of Such Systems Matters? Highly connected -> large scale attacks Difficulty to patch the code > Mask ROM mask applied on the chip during the fabrication > Off-line devices Store sensitive data > Bitcoin wallet > Payment terminal Drive sensitive hardware system > Physical damage > Production line outage > Signaling systems (red light) 9 Maxim Integrated EURECOM

Exemple of Recent Security Issues Recent attacks 10 Maxim Integrated EURECOM

Exemple of Recent Security Issues Recent attacks Nintendo Switch Tegra X1 bootrom exploit 2018 > buffer overflow in the USB stack embedded in the mask ROM > Cannot be patched > Give access to the entire software stack 11 Maxim Integrated EURECOM

How Can We Test Such Firmware Programs? Symbolic Execution > High path coverage > Return test case for bugs 12 Maxim Integrated EURECOM

Symbolic Execution Example i = symb_i Int buffer[2] i = <input> int buffer[2] = {0, 1}; 13 Maxim Integrated EURECOM

Symbolic Execution Example i = symb_i Int buffer[2] i = <input> TRUE buffer[i] FALSE int buffer[2] = {0, 1}; if( buffer[i] == 0 ) { 0 i < 2 (0 i < 2) Out of bounds access 14 Maxim Integrated EURECOM

Symbolic Execution Example i = symb_i Int buffer[2] i = <input> TRUE buffer[i] FALSE int buffer[2] = {0, 1}; if( buffer[i] == 0 ) { buffer[i] = 0xDEADBEEF; } TRUE 0 i < 2 buffer[i] == 0 FALSE (0 i < 2) i = 0 buffer[i] == 0xDEADBEAF (i = 0) Out of bounds access 15 Maxim Integrated EURECOM

Building A Symbolic Executor For Firmware Programs Klee as a basis Inception is based on Klee a symbolic virtual machine: 16 Maxim Integrated EURECOM

Building A Symbolic Executor For Firmware Programs Klee as a basis Inception is based on Klee a symbolic virtual machine: > Widely deployed, efficient and based on the LLVM framework. 17 Maxim Integrated EURECOM

Building A Symbolic Executor For Firmware Programs Klee as a basis Inception is based on Klee a symbolic virtual machine: > Widely deployed, efficient and based on the LLVM framework. > Find memory safety violations 18 Maxim Integrated EURECOM

Building A Symbolic Executor For Firmware Programs Klee as a basis Inception is based on Klee a symbolic virtual machine: > Widely deployed, efficient and based on the LLVM framework. > Find memory safety violations > High code coverage 19 Maxim Integrated EURECOM

Building A Symbolic Executor For Firmware Programs Klee as a basis Inception is based on Klee a symbolic virtual machine: > Widely deployed, efficient and based on the LLVM framework. > Find memory safety violations > High code coverage C/C++ source code 20 Maxim Integrated EURECOM

Building A Symbolic Executor For Firmware Programs Klee as a basis Inception is based on Klee a symbolic virtual machine: > Widely deployed, efficient and based on the LLVM framework. > Find memory safety violations > High code coverage C/C++ source code Clang 21 Maxim Integrated EURECOM

Building A Symbolic Executor For Firmware Programs Klee as a basis Inception is based on Klee a symbolic virtual machine: > Widely deployed, efficient and based on the LLVM framework. > Find memory safety violations > High code coverage C/C++ source code Clang LLVM bit-code 22 Maxim Integrated EURECOM

Building A Symbolic Executor For Firmware Programs Klee as a basis Inception is based on Klee a symbolic virtual machine: > Widely deployed, efficient and based on the LLVM framework. > Find memory safety violations > High code coverage C/C++ source code Clang LLVM bit-code Klee 23 Maxim Integrated EURECOM

Why testing source code instead of binary code? Source VS Binary 24 Maxim Integrated EURECOM

Why testing source code instead of binary code? Source VS Binary char b1[2]; char b2[2]; char getelement(int index) { return b1[index]; } b1:.space 2 b2:.space 2 getelement(int): ldr r2,.l3 add r3, r2, r0 ldrb r0, [r3] bx lr.l3:.word b1 25 Maxim Integrated EURECOM

Why testing source code instead of binary code? Source VS Binary char b1[2]; char b2[2]; char getelement(int index) { return b1[index]; } b1:.space 2 b2:.space 2 getelement(int): ldr r2,.l3 add r3, r2, r0 ldrb r0, [r3] bx lr.l3:.word b1 26 Maxim Integrated EURECOM

Why testing source code instead of binary code? Source ( Klee/Clang ) VS Binary (SE2, angr, BAP) char b1[2]; char b2[2]; char getelement(int index) { return b1[index]; } define i8 @getelement(i32 %index){ entry: %0 = load i32* %index.addr %1 = getelementptr inbounds [2 x i8]* @b1, i32 0, i32 %0 %2 = load i8* %1 ret i8 %2 } 27 Maxim Integrated EURECOM b1:.space 2 b2:.space 2 getelement(int): ldr r2,.l3 add r3, r2, r0 ldrb r0, [r3] bx lr.l3:.word b1 define i8 @getelement(i32 index) { entry: store i32 %index, i32* @R0 store i32 268436792, i32* @R2 %R2_1 = load i32* @R2 %R0_1 = load i32* @R0 %R2_2 = add i32 %R2_1, %R0_1 %R3_0 = inttoptr i32 %R2_2 to i32* %R3_1 = bitcast i32* %R3_0 to i8* %R3_2 = load i8* %R3_1

Why testing source code instead of binary code? Source ( Klee/Clang ) VS Binary (SE2, angr, BAP) char b1[2]; char b2[2]; char getelement(int index) { return b1[index]; } define i8 @getelement(i32 %index){ entry: %0 = load i32* %index.addr %1 = getelementptr inbounds [2 x i8]* @b1, i32 0, i32 %0 %2 = load i8* %1 ret i8 %2 } 28 Maxim Integrated EURECOM b1:.space 2 b2:.space 2 getelement(int): ldr r2,.l3 add r3, r2, r0 ldrb r0, [r3] bx lr.l3:.word b1 define i8 @getelement(i32 index) { entry: store i32 %index, i32* @R0 store i32 268436792, i32* @R2 %R2_1 = load i32* @R2 %R0_1 = load i32* @R0 %R2_2 = add i32 %R2_1, %R0_1 %R3_0 = inttoptr i32 %R2_2 to i32* %R3_1 = bitcast i32* %R3_0 to i8* %R3_2 = load i8* %R3_1

Source vs Binary When source available testing binary is possible however: > Types are lost > Corruption will be detected later if at all > Worse on embedded systems See: Muench et. al. What you corrupt is not what you crash, NDSS 2018 Goal of Inception: improve testing for firmware during development > Limit requirements on code 29 Maxim Integrated EURECOM

Major Challenges For Symbolic Execution of Firmware Programs Is C/C++ Support Enough To Test Real World Firmware? 1000 100 10 98 108 80 22 1 STM32(demos) FreeRTOS(STM32) Mbed OS ChibiOS Functions2 Number of functions including assembly instructions in real world embedded software 30 Maxim Integrated EURECOM

Major Challenges For Symbolic Execution of Firmware Programs Is C/C++ Support Enough To Test Real World Firmware? 1000 100 10 22 98 108 80 Assembly code : > Multithreading > Optimizations > Side channel counter-measures > Hardware features e.g. ultra low power mode 1 STM32(demos) FreeRTOS(STM32) Mbed OS ChibiOS Functions2 Number of functions including assembly instructions in real world embedded software 31 Maxim Integrated EURECOM

Major Challenges For Symbolic Execution of Firmware Programs Is C/C++ Support Enough To Test Real World Firmware? 3000 2500 2000 1500 1000 500 0 Challenge 1 : STM32(demos) FreeRTOS(STM32) Mbed OS ChibiOS Assembly code : > Multithreading > Optimizations > Side channel counter-measures > Hardware features e.g. ultra low power mode Firmware source code contains a mix of C/C++, assembly and binary Functions with inline asm Functions2 Presence of assembly instructions in real world embedded software 32 Maxim Integrated EURECOM

Major Challenges For Symbolic Execution of Firmware Programs Hardware environment 33 Maxim Integrated EURECOM

Major Challenges For Symbolic Execution of Firmware Programs Hardware environment Hardware interactions > Memory Mapped I/O 34 Maxim Integrated EURECOM

Major Challenges For Symbolic Execution of Firmware Programs Hardware environment Hardware interactions > Memory Mapped I/O Memory Peripherals #define UART_STATUS 0x40000000 #define UART_DATA 0x40000004 char* RX_BUFFER = 0x20000000; while(!*uart_status) { char* data = (char*)uart_data; strncpy(rx_buffer++, data, 4); } 35 Maxim Integrated EURECOM Internal/external memory Internal/external peripherals

Major Challenges For Symbolic Execution of Firmware Programs Hardware environment Hardware interactions > Memory Mapped I/O Memory Peripherals > Interrupt driven programs Interrupt Controller #define UART_STATUS 0x40000000 #define UART_DATA 0x40000004 char* RX_BUFFER = 0x20000000; while(!*uart_status) { char* data = (char*)uart_data; strncpy(rx_buffer++, data, 4); } 36 Maxim Integrated EURECOM void interrupt_handler() { } Internal/external memory Internal/external peripherals

Major Challenges For Symbolic Execution of Firmware Programs Hardware environment Hardware interactions > Memory Mapped I/O Memory Peripherals > Interrupt driven programs #define UART_STATUS 0x40000000 #define UART_DATA 0x40000004 char* RX_BUFFER = 0x20000000; while(!*uart_status) { char* data = (char*)uart_data; strncpy(rx_buffer++, data, 4); } Challenge 2 : Interrupt Controller Firmware programs highly interact with their hardware environment 37 Maxim Integrated EURECOM void interrupt_handler() { } Internal/external memory Internal/external peripherals

Building A Symbolic Executor For Firmware Programs 38 Maxim Integrated EURECOM

Building A Symbolic Executor For Firmware Programs Firmware (C/C++, asm, binary) Clang LLVM bit-code 39 Maxim Integrated EURECOM

Building A Symbolic Executor For Firmware Programs Firmware (C/C++, asm, binary) Clang LLVM bit-code ARM Backend ELF 40 Maxim Integrated EURECOM

Building A Symbolic Executor For Firmware Programs Firmware (C/C++, asm, binary) Clang LLVM bit-code ARM Backend ELF Inception translator: > Lift assembly directives and binary code in LLVM bit-code > Merge lifted bit-code with other High-IR : obtained from C/C++ Glue-IR : glue code Low-IR : lifted assembly/binary Inception Translator LLVM bit-code Mixed IR 41 Maxim Integrated EURECOM

Building A Symbolic Executor For Firmware Programs Firmware (C/C++, asm, binary) Clang LLVM bit-code ARM Backend ELF Inception translator: > Lift assembly directives and binary code in LLVM bit-code > Merge lifted bit-code with other High-IR : obtained from C/C++ Glue-IR : glue code Low-IR : lifted assembly/binary > Support Cortex M3 ISA Inception Translator LLVM bit-code Mixed IR Modified Klee 42 Maxim Integrated EURECOM

Challenge 1 : Supporting C/C++/Asm/Binary code Inception-translator 52 Maxim Integrated EURECOM

Inception Translator : Merging High-IR and Low-IR int a = 4; boo(a); <boo>: 1000045C: 80 B4 push {r7} 1000045E: 83 B0 sub sp, #0xc 53 Maxim Integrated EURECOM

Inception Translator : Merging High-IR and Low-IR int a = 4; boo(a); <boo>: 1000045C: 80 B4 push {r7} 1000045E: 83 B0 sub sp, #0xc %a = alloca i32 store i32 4, i32* %a %0 = load i32* %a %call = call i32 @boo(i32 %0) ret void } High IR 54 Maxim Integrated EURECOM

Inception Translator : Merging High-IR and Low-IR int a = 4; boo(a); <boo>: 1000045C: 80 B4 push {r7} 1000045E: 83 B0 sub sp, #0xc %a = alloca i32 store i32 4, i32* %a %0 = load i32* %a %call = call i32 @boo(i32 %0) ret void } High IR "boo+0": ; preds = %entry %R7_1 = load i32* @R7 %SP1 = load i32* @SP %SP2 = sub i32 %SP1, 4 %SP3 = inttoptr i32 %SP2 to i32* store i32 %R7_1, i32* %SP3 store i32 %SP2, i32* @SP %SP4 = load i32* @SP %SP5 = add i32 %SP4, -13 %SP6 = add i32 %SP5, 1 Low IR 55 Maxim Integrated EURECOM

Inception Translator : Merging High-IR and Low-IR int a = 4; boo(a); <boo>: 1000045C: 80 B4 push {r7} 1000045E: 83 B0 sub sp, #0xc %a = alloca i32 store i32 4, i32* %a %0 = load i32* %a %call = call i32 @boo(i32 %0) ret void } High IR define i32 @boo(i32 %a){ entry: store i32 %a, i32* @R0 br label %"boo+0" Glue IR "boo+0": ; preds = %entry %R7_1 = load i32* @R7 %SP1 = load i32* @SP %SP2 = sub i32 %SP1, 4 %SP3 = inttoptr i32 %SP2 to i32* store i32 %R7_1, i32* %SP3 store i32 %SP2, i32* @SP %SP4 = load i32* @SP %SP5 = add i32 %SP4, -13 %SP6 = add i32 %SP5, 1 Low IR 56 Maxim Integrated EURECOM

Unified Memory Layout 57 Maxim Integrated EURECOM

Unified Memory Layout High IR Glue IR : lower the level of semantic Low IR Glue IR : higher the level of semantic High IR 58 Maxim Integrated EURECOM Execution path

Unified Memory Layout Allocate Low IR memory : stack, virtual CPU registers, heap High IR Glue IR : lower the level of semantic Low IR Glue IR : higher the level of semantic High IR 59 Maxim Integrated EURECOM Execution path

Unified Memory Layout Allocate Low IR memory : stack, virtual CPU registers, heap Fill gaps in global data sections When no C/C++ symbols point to this area High IR Glue IR : lower the level of semantic Low IR Glue IR : higher the level of semantic High IR 60 Maxim Integrated EURECOM Execution path

Unified Memory Layout Allocate Low IR memory : stack, virtual CPU registers, heap Fill gaps in global data sections When no C/C++ symbols point to this area Allocate High-IR objects at location defined in the ELF symbols table High IR Glue IR : lower the level of semantic Low IR Glue IR : higher the level of semantic High IR 61 Maxim Integrated EURECOM Execution path

Low IR Hardware Mechanisms Emulation Challenge we solved: > Indirect calls (Indirect Call Promotion) > Seamless hardware mechanisms (Context switching) > Supervisor call > Update specific registers values (LR, MSP, PSP, BASEPRI, ITSTATE, ) Emulation High IR Glue IR : lower the level of semantic Low IR Glue IR : higher the level of semantic High IR 62 Maxim Integrated EURECOM Execution path

Challenge 2 : Hardware interactions Inception-analyzer 63 Maxim Integrated EURECOM

The Inception System Overview Mixed Bytecode Klee-based Symbolic Virtual Machine config.json ELF 64 Maxim Integrated EURECOM

The Inception System Overview Mixed Bytecode Klee-based Symbolic Virtual Machine Globals Memory Mapped stack Data are allocated according to the information present in the symbol table User configuration (config.json): - Local memory - Redirected memory - Symbolic memory config.json heap ELF 65 Maxim Integrated EURECOM

The Inception System Overview: Inception debugger Mixed Bytecode Klee-based Symbolic Virtual Machine Globals Memory Mapped stack USB 3.0 link Custom Inception Debugger config.json heap Jtag ELF Real Device 66 Maxim Integrated EURECOM

The Inception System Overview: Inception debugger Globals Inspired by Surrogates and Avatar Memory Mapped USB 3.0 link Custom Inception Debugger Zaddach et. al. AVATAR: A Framework to Support Dynamic Security Analysis of Embedded Systems' Firmwares, NDSS 2014 Koscher et. al. SURROGATES: Enabling Near-Real-Time Dynamic Analyses of Embedded Systems, WOOT 2015 stack heap Jtag Real Device 67 Maxim Integrated EURECOM

The Inception System Overview: Inception debugger Mixed Bytecode Klee-based Symbolic Virtual Machine Globals Memory Mapped stack USB 3.0 link Custom Inception Debugger config.json Interrupt Controller heap Jtag ELF Real Device 68 Maxim Integrated EURECOM

Evaluation 69 Maxim Integrated EURECOM

Performance Average IO per second 80000 70000 60000 50000 40000 30000 20000 10000 0 Reads Writes Buffered Reads Inception Surrogates Average time to complete 1 10 6 read or write requests for SURROGATES and Inception. Average runtime [ms] 10000 1000 100 10 1 0,1 Wget Ping UART Inception Native Performance comparison between native execution and Inception. * Current bottleneck is bit-code execution 70 Maxim Integrated EURECOM

Bug Detection Average number of detected vuln. 4 3 2 % of detected bugs 100% 80% 60% 40% 1 20% 0 0 1 2 3 4 5 0% Division by Zero Null Pointer Dereference Use After Free Free Memory Not on Heap Heap-Based Buffer Overflow Integer Overflow Detected Undetected Evolution of corruption detection vs. number of assembly functions in the EXPACT XML parser (4 vulnerabilities [1], symbolic inputs, and a timeout of 90s). Detected Undetected Corruption detection of real-world security flaws based on FreeRTOS and the Juliet 1.3 test suites. [1] MUENCH et. al. What you corrupt is not what you crash: Challenges in fuzzing embedded devices. In NDSS 2018. 71 Maxim Integrated EURECOM

Verification Intensive verification of the lifter and the modified Klee > 53K tests comparison between Inception and native > 1562 tests based on NIST Juliet 1.3 tests suite > 40 tests based on the Klockwork tests suite > Several demos for the STM32 L152RE and the LPC1850 DB1 boards > 1 Mbed TLS test suite > Several embedded operating systems (FreeRTOS, mini-arm-os) 72 Maxim Integrated EURECOM

Conlusion Extends analysis to mixed languages: assembly, C/C++, binary Fit well in chip life-cycle : > test without hardware > FPGA-based design > silicium Already used on proprietary real world Mask ROM code at Maxim > Bugs found before mask manufacturing Inception is open-sourced: > Getting started at https://inception-framework.github.io/inception/ > Github and docker 73 Maxim Integrated EURECOM

Questions? Free icons license : https://icons8.com 74 Maxim Integrated EURECOM

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback