Description
Today, more and more devices contain complex digital systems with advanced networking capabilities, from simple embedded protocols to complete WiFi stacks. Consequently, these devices expose an attack surface, making their analysis for security flaws and unintended behavior critical. To analyze the security of embedded devices, dynamic analysis tools like Avatar2 are used to lift the firmware of an embedded system into a virtual environment (rehosting), where more powerful analyses can be applied.
This thesis aims to answer how the security of interconnected embedded devices can be analyzed without removing or mocking the environment they are embedded into, using a hardware-in-the-loop (HIL) rehosting analysis. Removing or mocking the environment of an embedded device, such as its network interactions, can hinder the analysis because the real-world data of these interactions is lost, limiting the device's functionality. Devices utilizing network controllers, such as CAN or WiFi chip sets, rely particularly heavily on their environment. At the same time, these devices pose a particular challenge for rehosting because of the asynchronous interactions between the components of the system and the tight timing constraints, both in reaction time and in the communication between the main processor and its peripherals. This thesis presents two extensions to the Avatar2 framework to facilitate the rehosting of these devices: a new INTForwarder plugin expanding on Pretender, and a novel HWRunner plugin that enables functions requiring real-time performance to be executed on the hardware target.
These plugins were evaluated on synthetic firmware samples using the Raspberry Pi Pico development board, based on the RP2040 microcontroller, with CAN and WiFi extensions. The testing applications range from simple examples exercising specific types of asynchronous behavior to firmware samples using CAN, USB, and WiFi controllers, which have strict timing requirements and therefore make heavy use of several asynchronous programming patterns. The newly added capability to rehost firmware that uses complex external peripherals such as CAN and USB controllers was demonstrated on 6 synthetic firmware samples that could not previously be rehosted, 5 of which were rehosted successfully using a HIL setup with the proposed extensions.
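The following script illustrates the baseline HIL rehosting arrangement the thesis builds on: flash and SRAM are emulated in QEMU while the peripheral address space is forwarded to the physical board, so controllers such as CAN, USB and WiFi keep their real environment. It is an added example written against the public avatar2 API, not code from the thesis or its plugins. The RP2040 memory map addresses come from the chip's documentation; the flash and SRAM sizes, the OpenOCD script name `rp2040.cfg`, the firmware path, the gdb port, the breakpoint address and the use of `ARM_CORTEX_M3` as the closest available avatar2 architecture constant for a Cortex-M0+ are all assumptions.

```python
"""HIL rehosting skeleton for an RP2040 board with avatar2 (added example).

Emulated ranges (flash, SRAM) are served by QEMU; forwarded ranges
(peripherals, SIO) are routed to the real board over OpenOCD.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Region:
    name: str
    base: int
    size: int
    forwarded: bool            # True: every access goes to the hardware target
    file: Optional[str] = None  # backing image for emulated ranges

    @property
    def end(self) -> int:
        return self.base + self.size


FIRMWARE = "firmware.bin"  # placeholder: the synthetic firmware image

# RP2040 memory map. Assumed sizes: 2 MB flash (as on the Pico), 264 KB SRAM.
RP2040_MAP: Tuple[Region, ...] = (
    Region("flash",  0x1000_0000, 0x20_0000,   forwarded=False, file=FIRMWARE),
    Region("sram",   0x2000_0000, 0x4_2000,    forwarded=False),
    # APB and AHB-lite peripherals (UART, SPI, USB, PIO, ...): served by the board.
    Region("periph", 0x4000_0000, 0x2000_0000, forwarded=True),
    # SIO block (GPIO, spinlocks, dividers) also lives on the real chip.
    Region("sio",    0xD000_0000, 0x1_0000,    forwarded=True),
)


def check_map(regions: Tuple[Region, ...] = RP2040_MAP) -> None:
    """Reject overlapping ranges: avatar2 routes by address, so overlap is ambiguous."""
    ordered = sorted(regions, key=lambda r: r.base)
    for a, b in zip(ordered, ordered[1:]):
        if a.end > b.base:
            raise ValueError(f"{a.name} overlaps {b.name}")


def route(addr: int, regions: Tuple[Region, ...] = RP2040_MAP) -> str:
    """Which target serves an access: 'qemu' for emulated, 'hw' for forwarded ranges."""
    for r in regions:
        if r.base <= addr < r.end:
            return "hw" if r.forwarded else "qemu"
    raise ValueError(f"unmapped address {addr:#x}")


def build_avatar(openocd_cfg: str = "rp2040.cfg", gdb_port: int = 1234,
                 out: str = "/tmp/avatar"):
    """Wire up avatar2 (import deferred so the routing helpers work without it)."""
    from avatar2 import Avatar, ARM_CORTEX_M3, OpenOCDTarget, QemuTarget
    check_map()
    # Assumption: the RP2040 core is a Cortex-M0+; ARM_CORTEX_M3 is used here
    # as the closest avatar2 architecture constant (Thumb, NVIC-based).
    avatar = Avatar(arch=ARM_CORTEX_M3, output_directory=out)
    hw = avatar.add_target(OpenOCDTarget, openocd_script=openocd_cfg, name="hw")
    qemu = avatar.add_target(QemuTarget, gdb_port=gdb_port, name="qemu")
    ranges = {}
    for r in RP2040_MAP:
        kwargs = {"name": r.name}
        if r.file:
            kwargs["file"] = r.file
        if r.forwarded:
            kwargs.update(forwarded=True, forwarded_to=hw)
        ranges[r.name] = avatar.add_memory_range(r.base, r.size, **kwargs)
    avatar.init_targets()
    return avatar, hw, qemu, ranges


def main() -> None:
    avatar, hw, qemu, ranges = build_avatar()
    # Let the real board run the boot ROM and early init, then stop at main().
    # Placeholder address: take it from the firmware's symbol table.
    main_addr = 0x1000_0200
    hw.set_breakpoint(main_addr)
    hw.cont()
    hw.wait()
    # Lift CPU state and RAM into QEMU; peripheral accesses stay on the hardware.
    avatar.transfer_state(hw, qemu, sync_regs=True, synced_ranges=[ranges["sram"]])
    qemu.cont()
    qemu.wait()
    avatar.shutdown()


if __name__ == "__main__":
    main()
```

`route()` mirrors the decision avatar2 makes for every memory access in this configuration; it is what makes the firmware's register reads and writes hit the real CAN, USB and WiFi controllers. What this baseline does not cover is the direction the thesis addresses: interrupts raised by the board while QEMU holds the CPU state, and handlers whose timing the forwarding round trip cannot meet.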