TY - GEN
T1 - Greenhouse
T2 - 32nd USENIX Security Symposium, USENIX Security 2023
AU - Tay, Hui Jun
AU - Zeng, Kyle
AU - Vadayath, Jayakrishna Menon
AU - Raj, Arvind S.
AU - Dutcher, Audrey
AU - Reddy, Tejesh
AU - Gibbs, Wil
AU - Basque, Zion Leonahenahe
AU - Dong, Fangzhou
AU - Smith, Zack
AU - Doupé, Adam
AU - Bao, Tiffany
AU - Shoshitaishvili, Yan
AU - Wang, Ruoyu
N1 - Publisher Copyright:
© (2023) by Usenix Association All rights reserved.
PY - 2023
Y1 - 2023
N2 - As IoT devices grow more widespread, scaling current analysis techniques to match becomes an increasingly critical task. Part of this challenge involves not only rehosting the firmware of these embedded devices in an emulated environment, but to do so and discover real vulnerabilities. Current state-of-the-art approaches for rehosting must account for the discrepancies between emulated and physical devices, and thus generally focus on improving the emulation fidelity. However, this pursuit of fidelity ignores other potential solutions. In this paper, we propose a novel rehosting technique, user-space single-service rehosting, which emulates a single firmware service in user space. We study the rehosting process involved in hundreds of firmware samples to generalize a set of roadblocks that prevent emulation and create interventions to resolve them. Our prototype Greenhouse automatically rehosts 2,841 (39.7%) of our collected 7,140 firmware images from nine different vendors. Our approach sidesteps many of the challenges encountered by previous rehosting techniques and enables us to apply common vulnerability discovery techniques to our rehosted images such as user-space coverage-guided fuzzing. Using these techniques, we find 717 N-day vulnerabilities and 26 zero-day vulnerabilities on a subset of our rehosted firmware services.
AB - As IoT devices grow more widespread, scaling current analysis techniques to match becomes an increasingly critical task. Part of this challenge involves not only rehosting the firmware of these embedded devices in an emulated environment, but to do so and discover real vulnerabilities. Current state-of-the-art approaches for rehosting must account for the discrepancies between emulated and physical devices, and thus generally focus on improving the emulation fidelity. However, this pursuit of fidelity ignores other potential solutions. In this paper, we propose a novel rehosting technique, user-space single-service rehosting, which emulates a single firmware service in user space. We study the rehosting process involved in hundreds of firmware samples to generalize a set of roadblocks that prevent emulation and create interventions to resolve them. Our prototype Greenhouse automatically rehosts 2,841 (39.7%) of our collected 7,140 firmware images from nine different vendors. Our approach sidesteps many of the challenges encountered by previous rehosting techniques and enables us to apply common vulnerability discovery techniques to our rehosted images such as user-space coverage-guided fuzzing. Using these techniques, we find 717 N-day vulnerabilities and 26 zero-day vulnerabilities on a subset of our rehosted firmware services.
UR - http://www.scopus.com/inward/record.url?scp=85176507239&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85176507239&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:85176507239
T3 - 32nd USENIX Security Symposium, USENIX Security 2023
SP - 5791
EP - 5808
BT - 32nd USENIX Security Symposium, USENIX Security 2023
PB - USENIX Association
Y2 - 9 August 2023 through 11 August 2023
ER -