Abstract
In this paper, we present MetaEmu, an architecture-agnostic framework geared towards rehosting and security analysis of automotive firmware. MetaEmu improves over existing rehosting environments in two ways: Firstly, it solves the hitherto open-problem of a lack of generic Virtual Execution Environments (VXEs) by synthesizing processor simulators from Ghidra’s language definitions. Secondly, MetaEmu can rehost and analyze multiple targets, each of different architecture, simultaneously, and share analysis facts between each target’s analysis environment, a technique we call inter-device analysis.
We show that the flexibility afforded by our approach does not lead to a performance trade-off—MetaEmu lifts rehosted firmware to an optimized intermediate representation, and provides performance comparable to existing emulation tools, such as Unicorn. Our evaluation spans five different architectures, bare-metal and RTOS-based firmware, and three kinds of automotive Electronic Control Unit (ECU) from four distinct vendors—none of which can be rehosted or emulated by current tools, due to lack of processor support. Further, we show how MetaEmu enables a diverse set of analyses by implementing a fuzzer, a symbolic executor for solving peripheral access checks, a CAN ID reverse engineering tool, and an inter-device coverage tracker.
We show that the flexibility afforded by our approach does not lead to a performance trade-off—MetaEmu lifts rehosted firmware to an optimized intermediate representation, and provides performance comparable to existing emulation tools, such as Unicorn. Our evaluation spans five different architectures, bare-metal and RTOS-based firmware, and three kinds of automotive Electronic Control Unit (ECU) from four distinct vendors—none of which can be rehosted or emulated by current tools, due to lack of processor support. Further, we show how MetaEmu enables a diverse set of analyses by implementing a fuzzer, a symbolic executor for solving peripheral access checks, a CAN ID reverse engineering tool, and an inter-device coverage tracker.
Original language | English |
---|---|
Title of host publication | CCS '22 |
Subtitle of host publication | Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security |
Publisher | Association for Computing Machinery (ACM) |
Pages | 515–529 |
ISBN (Print) | 9781450394505 |
DOIs | |
Publication status | Published - 7 Nov 2022 |
Event | CCS '22: 2022 ACM SIGSAC Conference on Computer and Communications Security - Los Angeles, United States Duration: 7 Nov 2022 → 11 Nov 2022 |
Publication series
Name | Proceedings of the ACM Conference on Computer and Communications Security |
---|---|
Publisher | ACM |
ISSN (Print) | 1543-7221 |
Conference
Conference | CCS '22: 2022 ACM SIGSAC Conference on Computer and Communications Security |
---|---|
Abbreviated title | CCS'22 |
Country/Territory | United States |
City | Los Angeles |
Period | 7/11/22 → 11/11/22 |
Keywords
- automotive
- dynamic program analysis
- firmware
- emulation