Your Firmware Has Arrived: A Study of Firmware Update Vulnerabilities

Yuhao Wu; Jinwen Wang; Yujie Wang; Shixuan Zhai; Zihan Li; Yi He; Kun Sun; Qi Li; Ning Zhang

Your Firmware Has Arrived: A Study of Firmware Update Vulnerabilities

Yuhao Wu
, Jinwen Wang
, Yujie Wang
, Shixuan Zhai
, Zihan Li
, Yi He
, Kun Sun
, Qi Li
, Ning Zhang

Department of Computer Science & Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

28 Scopus citations

Abstract

Embedded devices are increasingly ubiquitous in our society. Firmware updates are one of the primary mechanisms to mitigate vulnerabilities in embedded systems. However, the firmware update procedure also introduces new attack surfaces, particularly through vulnerable firmware verification procedures. Unlike memory corruption bugs, numerous vulnerabilities in firmware updates stem from incomplete or incorrect verification steps, to which existing firmware analysis methods are not applicable. To bridge this gap, we propose ChkUp, an approach to Check for firmware Update vulnerabilities. ChkUp can resolve the program execution paths during firmware updates using cross-language inter-process control flow analysis and program slicing. With these paths, ChkUp locates firmware verification procedures, examining and validating their vulnerabilities. We implemented ChkUp and conducted a comprehensive analysis on 12, 000 firmware images. Then, we validated the alerts in 150 firmware images from 33 device families, leading to the discovery of both zero-day and n-day vulnerabilities. Our findings were disclosed responsibly, resulting in the assignment of 25 CVE IDs and one PSV ID at the time of writing.

Original language	English
Title of host publication	Proceedings of the 33rd USENIX Security Symposium
Publisher	USENIX Association
Pages	5627-5644
Number of pages	18
ISBN (Electronic)	9781939133441
State	Published - 2024
Event	33rd USENIX Security Symposium, USENIX Security 2024 - Philadelphia, United States Duration: Aug 14 2024 → Aug 16 2024

Publication series

Name	Proceedings of the 33rd USENIX Security Symposium

Conference

Conference	33rd USENIX Security Symposium, USENIX Security 2024
Country/Territory	United States
City	Philadelphia
Period	08/14/24 → 08/16/24

Cite this

@inproceedings{f1fc7ecde6224aa4a4bccfee4cd9fcd6,

title = "Your Firmware Has Arrived: A Study of Firmware Update Vulnerabilities",

abstract = "Embedded devices are increasingly ubiquitous in our society. Firmware updates are one of the primary mechanisms to mitigate vulnerabilities in embedded systems. However, the firmware update procedure also introduces new attack surfaces, particularly through vulnerable firmware verification procedures. Unlike memory corruption bugs, numerous vulnerabilities in firmware updates stem from incomplete or incorrect verification steps, to which existing firmware analysis methods are not applicable. To bridge this gap, we propose ChkUp, an approach to Check for firmware Update vulnerabilities. ChkUp can resolve the program execution paths during firmware updates using cross-language inter-process control flow analysis and program slicing. With these paths, ChkUp locates firmware verification procedures, examining and validating their vulnerabilities. We implemented ChkUp and conducted a comprehensive analysis on 12, 000 firmware images. Then, we validated the alerts in 150 firmware images from 33 device families, leading to the discovery of both zero-day and n-day vulnerabilities. Our findings were disclosed responsibly, resulting in the assignment of 25 CVE IDs and one PSV ID at the time of writing.",

author = "Yuhao Wu and Jinwen Wang and Yujie Wang and Shixuan Zhai and Zihan Li and Yi He and Kun Sun and Qi Li and Ning Zhang",

note = "Publisher Copyright: {\textcopyright} USENIX Security Symposium 2024.All rights reserved.; 33rd USENIX Security Symposium, USENIX Security 2024 ; Conference date: 14-08-2024 Through 16-08-2024",

year = "2024",

language = "English",

series = "Proceedings of the 33rd USENIX Security Symposium",

publisher = "USENIX Association",

pages = "5627--5644",

booktitle = "Proceedings of the 33rd USENIX Security Symposium",

}

Wu, Y, Wang, J, Wang, Y, Zhai, S, Li, Z, He, Y, Sun, K, Li, Q & Zhang, N 2024, Your Firmware Has Arrived: A Study of Firmware Update Vulnerabilities. in Proceedings of the 33rd USENIX Security Symposium. Proceedings of the 33rd USENIX Security Symposium, USENIX Association, pp. 5627-5644, 33rd USENIX Security Symposium, USENIX Security 2024, Philadelphia, United States, 08/14/24.

TY - GEN

T1 - Your Firmware Has Arrived

T2 - 33rd USENIX Security Symposium, USENIX Security 2024

AU - Wu, Yuhao

AU - Wang, Jinwen

AU - Wang, Yujie

AU - Zhai, Shixuan

AU - Li, Zihan

AU - He, Yi

AU - Sun, Kun

AU - Li, Qi

AU - Zhang, Ning

PY - 2024

Y1 - 2024

N2 - Embedded devices are increasingly ubiquitous in our society. Firmware updates are one of the primary mechanisms to mitigate vulnerabilities in embedded systems. However, the firmware update procedure also introduces new attack surfaces, particularly through vulnerable firmware verification procedures. Unlike memory corruption bugs, numerous vulnerabilities in firmware updates stem from incomplete or incorrect verification steps, to which existing firmware analysis methods are not applicable. To bridge this gap, we propose ChkUp, an approach to Check for firmware Update vulnerabilities. ChkUp can resolve the program execution paths during firmware updates using cross-language inter-process control flow analysis and program slicing. With these paths, ChkUp locates firmware verification procedures, examining and validating their vulnerabilities. We implemented ChkUp and conducted a comprehensive analysis on 12, 000 firmware images. Then, we validated the alerts in 150 firmware images from 33 device families, leading to the discovery of both zero-day and n-day vulnerabilities. Our findings were disclosed responsibly, resulting in the assignment of 25 CVE IDs and one PSV ID at the time of writing.

AB - Embedded devices are increasingly ubiquitous in our society. Firmware updates are one of the primary mechanisms to mitigate vulnerabilities in embedded systems. However, the firmware update procedure also introduces new attack surfaces, particularly through vulnerable firmware verification procedures. Unlike memory corruption bugs, numerous vulnerabilities in firmware updates stem from incomplete or incorrect verification steps, to which existing firmware analysis methods are not applicable. To bridge this gap, we propose ChkUp, an approach to Check for firmware Update vulnerabilities. ChkUp can resolve the program execution paths during firmware updates using cross-language inter-process control flow analysis and program slicing. With these paths, ChkUp locates firmware verification procedures, examining and validating their vulnerabilities. We implemented ChkUp and conducted a comprehensive analysis on 12, 000 firmware images. Then, we validated the alerts in 150 firmware images from 33 device families, leading to the discovery of both zero-day and n-day vulnerabilities. Our findings were disclosed responsibly, resulting in the assignment of 25 CVE IDs and one PSV ID at the time of writing.

UR - https://www.scopus.com/pages/publications/85203469821

M3 - Conference contribution

AN - SCOPUS:85203469821

T3 - Proceedings of the 33rd USENIX Security Symposium

SP - 5627

EP - 5644

BT - Proceedings of the 33rd USENIX Security Symposium

PB - USENIX Association

Y2 - 14 August 2024 through 16 August 2024

ER -

Your Firmware Has Arrived: A Study of Firmware Update Vulnerabilities

Abstract

Publication series

Conference

Other files and links

Fingerprint

Cite this