Description
While vulnerabilities in the firmware of IoT devices have been found through static analysis, dynamic analysis promises additional insights. Performing dynamic analysis on such devices requires purchasing them and reading their internal memory. The former is costly for large-scale analysis, and the latter is impractical for many devices. We propose emulating the Linux kernel included in firmware images downloaded from vendors' websites. We extract the kernel and use QEMU, an open source emulator, to run it in a virtual hardware environment. Our scope is limited to ARM and ARM64 based devices, with a data set consisting mostly of home router firmware, as well as one home automation device. For three devices, the emulated kernel completed the boot process. This approach allows analysis of memory snapshots of the kernel at runtime, may be extended to other architectures in the future, and reduces the cost of dynamic analysis.
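The two steps the description names, carving the kernel out of a downloaded firmware image and handing it to QEMU, can be illustrated with a small parser. The following Python is an added example written for this page, not the authors' tooling: it scans a raw firmware blob for U-Boot legacy (uImage) headers, verifies the header and data CRCs so that a stray magic value in random data is not mistaken for a kernel, also recognises the arm64 Linux `Image` header (magic `ARM\x64` at offset 0x38), and assembles the QEMU command line for the generic `virt` machine. The sample blob, the `make_uimage` and `make_arm64_image` helpers, and the chosen QEMU options are all constructed assumptions for the example.

```python
"""Carve Linux kernels (uImage / arm64 Image) out of a firmware blob and
build a QEMU command line for them. Added example, not the paper's code."""
import struct
import zlib

# U-Boot legacy ("uImage") header: 64 bytes, big-endian.
UIMAGE_MAGIC = b"\x27\x05\x19\x56"
UIMAGE_HDR = struct.Struct(">IIIIIIIBBBB32s")
IH_OS_LINUX, IH_TYPE_KERNEL = 5, 2
IH_ARCH = {2: "arm", 22: "arm64"}
IH_COMP = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma", 4: "lzo"}

# arm64 Linux "Image" header: 64 bytes, little-endian, magic at offset 0x38.
ARM64_MAGIC = b"ARM\x64"
ARM64_MAGIC_OFF = 0x38


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def make_uimage(payload, arch, name, load=0x8000, entry=0x8000, comp=0):
    """Wrap `payload` in a uImage header (used to construct sample input)."""
    hdr = UIMAGE_HDR.pack(0x27051956, 0, 0, len(payload), load, entry,
                          crc32(payload), IH_OS_LINUX, arch, IH_TYPE_KERNEL,
                          comp, name.ljust(32, b"\0"))
    # The header CRC is computed with the hcrc field itself set to zero.
    return hdr[:4] + struct.pack(">I", crc32(hdr)) + hdr[8:] + payload


def make_arm64_image(payload, text_offset=0x80000):
    """Wrap `payload` in an arm64 Image header (constructed sample input)."""
    hdr = struct.pack("<IIQQQQQQ4sI", 0x14000000, 0, text_offset,
                      64 + len(payload), 0, 0, 0, 0, ARM64_MAGIC, 0)
    return hdr + payload


def find_uimage_kernels(blob):
    """Return every uImage kernel whose header and data CRCs verify."""
    found, pos = [], blob.find(UIMAGE_MAGIC)
    while pos >= 0 and pos + UIMAGE_HDR.size <= len(blob):
        hdr = blob[pos:pos + UIMAGE_HDR.size]
        (_magic, hcrc, _time, size, load, entry, dcrc,
         _os, arch, typ, comp, name) = UIMAGE_HDR.unpack(hdr)
        start = pos + UIMAGE_HDR.size
        data = blob[start:start + size]
        # Both CRCs must verify; a chance magic in random data will not pass.
        if (crc32(hdr[:4] + b"\0" * 4 + hdr[8:]) == hcrc
                and len(data) == size and crc32(data) == dcrc
                and typ == IH_TYPE_KERNEL):
            found.append({"offset": pos, "arch": IH_ARCH.get(arch, str(arch)),
                          "comp": IH_COMP.get(comp, str(comp)),
                          "load": load, "entry": entry,
                          "name": name.rstrip(b"\0").decode("ascii", "replace"),
                          "data": data})
        pos = blob.find(UIMAGE_MAGIC, pos + 1)
    return found


def find_arm64_images(blob):
    """Return header fields of each arm64 Image found in the blob.
    image_size includes BSS, so it may exceed the bytes present on disk."""
    found, pos = [], blob.find(ARM64_MAGIC)
    while pos >= 0:
        start = pos - ARM64_MAGIC_OFF
        if start >= 0:
            text_offset, image_size = struct.unpack_from("<QQ", blob, start + 8)
            if image_size > 0:
                found.append({"offset": start, "text_offset": text_offset,
                              "size": image_size})
        pos = blob.find(ARM64_MAGIC, pos + 1)
    return found


def qemu_command(arch, kernel_path):
    """Assemble a QEMU command line booting the carved kernel on the generic
    'virt' machine with the console on its PL011 UART (ttyAMA0)."""
    if arch == "arm":
        binary, cpu = "qemu-system-arm", "cortex-a15"
    elif arch == "arm64":
        binary, cpu = "qemu-system-aarch64", "cortex-a57"
    else:
        raise ValueError("unsupported arch: %r" % arch)
    return [binary, "-M", "virt", "-cpu", cpu, "-m", "256M", "-nographic",
            "-kernel", kernel_path, "-append", "console=ttyAMA0"]


if __name__ == "__main__":
    # Constructed sample firmware: junk, a uImage kernel, then an arm64 Image.
    firmware = (b"\xff" * 32 + make_uimage(bytes(range(256)), 2, b"Linux-4.4.0")
                + b"\0" * 16 + make_arm64_image(b"\0" * 1024))
    for k in find_uimage_kernels(firmware):
        print("uImage %-12s arch=%s comp=%s load=%#x at offset %d"
              % (k["name"], k["arch"], k["comp"], k["load"], k["offset"]))
        print(" ".join(qemu_command(k["arch"], "carved.uimage")))
    for k in find_arm64_images(firmware):
        print("arm64 Image at offset %d, image_size %d" % (k["offset"], k["size"]))
```

The `virt` machine only boots a vendor kernel that carries drivers for its devices (PL011 UART, GIC, virtio), which is typically the first hurdle when an image fails to boot under this approach.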