Andrew Fasano, Zachary Estrada, Luke Craig, Ben Levy, Jordan McLeod, Jacques Becker, Elysia Witham, Cole DiLorenzo, Caden Kline, Ali Bobi (MIT Lincoln Laboratory), Dinko Dermendzhiev (Georgia Institute of Technology), Tim Leek (MIT Lincoln Laboratory), William Robertson (Northeastern University)
Firmware rehosting enables firmware execution and dynamic analysis. Prior rehosting work has taken a “one-size-fitsall” approach, where expert knowledge is baked into a tool and then applied to all input firmware. Penguin takes a new, targetcentric approach, building a whole-system rehosting environment tailored to the specific firmware being analyzed. A rehosting environment is specified by a configuration file that represents a series of transformations applied to the emulation environment. The initial rehosting configuration is derived automatically from analyzing the filesystem of an extracted firmware image, providing target-specific values such as directories, pseudofiles, and NVRAM keys. This approach allows Penguin to rehost systems from a wide variety of vendors. In tests on 13,649 embedded Linux firmware images from 69 different vendors and 8 architectures, Penguin was able to build rehosting environments that work for 75% more firmware than the prior state of the art. We implement a configuration minimizer that finds required transformations and show that most firmware require only a small number of transformations, with variation across vendors.