Embedded devices are extremely widespread throughout a large number of applications: from consumer devices such as televisions and routers, to industrial control systems, up to safety-critical systems such as implanted medical devices. Modern embedded devices are interconnected and connected with the Internet. Hence, an important concern is the security of the software running on them. Unfortunately, embedded devices are heterogeneous in the software and hardware they run, and most of the time their firmware is a piece of proprietary software. With no source code available, analysts need to resort to binary reverse engineering to provide a third-party security audit. In order to analyze an unknown firmware, static analysis tools such as disassemblers and decompilers need some information about the layout of the binary file. Particularly, they need to know what is the ISA of the binary and what are the boundaries of the code and data sections. Usually, a firmware extracted from an embedded device does not contain this information, making it difficult to analyze the firmware. In this Thesis, we want to enable the execution of static binary analysis on executables without any metadata about the architecture and section boundaries. We extend ELISA, a state of the art tool, with an approach to classify the architecture of packed binaries. To do this we use a method, based on entropy analysis, to isolate uncompressed parts of the binary. Then we implement an LSTM-based model with heuristics to recognize section boundaries inside a binary. We evaluate our tool on a dataset of binaries extracted from real embedded firmware obtained through web scraping techniques, showing that it outperforms the state of the art.
I dispositivi embedded sono estremamente diffusi in un ampio numero di applicazioni: dai dispotivi consumer come televisioni e router, ai controlli industriali, fino ai sistemi critici come i dispositivi medici. I dispositivi embedded sono interconnessi e connessi con internet. Per questo, un'importante preoccupazione riguarda la sicurezza del loro software. Purtroppo, i dispositivi embedded sono eterogenei a livello di software e di hardware, e il più delle volte il loro firmware è un software proprietario. In assenza di codice sorgente, gli analisti devono affidarsi al reverse engineering del binario per poter eseguire un'analisi di sicurezza di terze parti. Per analizzare un firmware sconosciuto, gli strumenti di analisi statica come disassemblatori e decompilatori hanno bisogno di alcune informazioni riguardo la struttura del binario. In particolare, questi strumenti hanno bisogno di informazioni riguardanti l'ISA del binario e i limiti delle sezioni di codice e dati. Solitamente, un firmware estratto da un sistema embedded non contiene queste informazioni, rendendo difficile l'analisi del firmware. In questa tesi, vogliamo permettere l'esecuzione dell'analisi statica dei binari su eseguibili di cui non si hanno informazioni riguardo l'architettura e i limiti delle sezioni. Abbiamo esteso Elisa, uno strumento dello stato dell'arte, con un approccio per classificare l'architettura dei binari packed. Per fare questo abbiamo utilizzato un metodo, basato sull'analisi dell'entropia, per isolare le parti non compresse del binario. Successivamente abbiamo implementato un modello, basato sulle LSTM, con delle euristiche per riconoscere i limiti delle sezioni all'interno di un binario. Abbiamo valutato il nostro tool su un dataset composto da binari estratti da firmware di sistemi embedded ottenuti tramite tecniche di web scraping, mostrando che il nostro modello migliora lo stato dell'arte.
A methodology to reconstruct information and enable static analysis in raw binaries
REMIGIO, RICCARDO
2018/2019
Abstract
Embedded devices are extremely widespread throughout a large number of applications: from consumer devices such as televisions and routers, to industrial control systems, up to safety-critical systems such as implanted medical devices. Modern embedded devices are interconnected and connected with the Internet. Hence, an important concern is the security of the software running on them. Unfortunately, embedded devices are heterogeneous in the software and hardware they run, and most of the time their firmware is a piece of proprietary software. With no source code available, analysts need to resort to binary reverse engineering to provide a third-party security audit. In order to analyze an unknown firmware, static analysis tools such as disassemblers and decompilers need some information about the layout of the binary file. Particularly, they need to know what is the ISA of the binary and what are the boundaries of the code and data sections. Usually, a firmware extracted from an embedded device does not contain this information, making it difficult to analyze the firmware. In this Thesis, we want to enable the execution of static binary analysis on executables without any metadata about the architecture and section boundaries. We extend ELISA, a state of the art tool, with an approach to classify the architecture of packed binaries. To do this we use a method, based on entropy analysis, to isolate uncompressed parts of the binary. Then we implement an LSTM-based model with heuristics to recognize section boundaries inside a binary. We evaluate our tool on a dataset of binaries extracted from real embedded firmware obtained through web scraping techniques, showing that it outperforms the state of the art.| File | Dimensione | Formato | |
|---|---|---|---|
|
2020_04_Remigio.pdf
Open Access dal 08/04/2021
Descrizione: Testo della tesi
Dimensione
1.84 MB
Formato
Adobe PDF
|
1.84 MB | Adobe PDF | Visualizza/Apri |
I documenti in POLITesi sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
https://hdl.handle.net/10589/153991