David Malaschonok (Fraunhofer SIT — ATHENE)

With the advance of IoT technology, embedded systems have become omnipresent in everyday life, taking on ever more security-sensitive tasks. Because of this, the security analysis of embedded firmware has reached unprecedented importance.

At the same time, the need to keep production and operation costs low imposes strong resource constraints and optimization pressure on the design of embedded IoT devices. Trade-offs include smaller firmware images that lack debug symbols, and lighter housing that is harder to disassemble. Notably, the cheapest products tend to receive the least amount of vendor support, thus making them more vulnerable, while simultaneously being the least amenable to analysis, thus making it harder for third parties to assess and address the resulting risks.

Knowing which precise microcontroller unit (MCU) is built into a particular device allows insight into its memory map, which is valuable for both static and dynamic analysis of its firmware. However, while it is usually easy to determine the manufacturer and model of an IoT appliance through visual inspection, identifying the MCU at the core of the device is often only possible after destructive disassembly.

To address this problem, we propose an automatic approach to derive the MCU of an embedded device from its firmware image. The approach is based on identifying which addresses the firmware expects to be accessible and finding the most similar MCU memory map in a pre-calculated knowledge base. Our approach does not depend on debug symbols or physical access to any part of the embedded device.

In our evaluation, this approach correctly identifies the precise MCU series 57% of the time and finds the most precise available memory map 44% of the time.
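To make the matching idea concrete, here is an added toy example of mine, not the paper's implementation: it pulls candidate absolute addresses out of a constructed firmware fragment and ranks constructed, hypothetical MCU memory maps by how many of those addresses each map can explain, preferring the smaller map on ties. The address-extraction heuristic (aligned 32-bit words) and the coverage score are assumptions of this example, not the method evaluated in the paper.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class Region:
    start: int   # first address of a flash / SRAM / peripheral range
    size: int    # length of the range in bytes

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.start + self.size

# Constructed knowledge base: names and layouts are hypothetical, not vendor data.
MEMORY_MAPS = {
    "MCU-A (hypothetical)": [Region(0x08000000, 0x20000), Region(0x20000000, 0x5000),
                             Region(0x40000000, 0x10000)],
    "MCU-B (hypothetical)": [Region(0x08000000, 0x80000), Region(0x20000000, 0x20000),
                             Region(0x40000000, 0x20000), Region(0x50000000, 0x10000)],
    # Same as MCU-B with a larger flash: explains the same addresses less
    # precisely, so it should rank below MCU-B.
    "MCU-D (hypothetical)": [Region(0x08000000, 0x100000), Region(0x20000000, 0x20000),
                             Region(0x40000000, 0x20000), Region(0x50000000, 0x10000)],
    "MCU-C (hypothetical)": [Region(0x00000000, 0x40000), Region(0x10000000, 0x8000),
                             Region(0x40000000, 0x20000)],
}

def candidate_addresses(image: bytes) -> list[int]:
    """Assumed heuristic: every 4-byte aligned little-endian word is a constant the
    firmware might use as an absolute address (e.g. an ARM literal-pool entry)."""
    n = len(image) // 4
    return list(struct.unpack(f"<{n}I", image[: n * 4]))

def coverage(addrs: list[int], regions: list[Region]) -> float:
    """Fraction of candidate addresses that fall inside some region of the map."""
    hits = sum(1 for a in addrs if any(r.contains(a) for r in regions))
    return hits / len(addrs)

def rank_mcus(image: bytes, maps: dict[str, list[Region]]) -> list[tuple[str, float, int]]:
    """Rank maps by how many expected addresses they explain; among maps with
    equal coverage prefer the smaller (more precise) one."""
    addrs = candidate_addresses(image)
    ranked = [(name, coverage(addrs, regs), sum(r.size for r in regs))
              for name, regs in maps.items()]
    ranked.sort(key=lambda t: (-t[1], t[2]))
    return ranked

# Constructed firmware fragment: six plausible absolute addresses (flash, SRAM,
# peripherals) followed by two data words that are not addresses.
FIRMWARE = struct.pack("<8I", 0x08000400, 0x08001000, 0x20000100, 0x20001FFC,
                       0x40004400, 0x40013800, 0x00000001, 0xDEADBEEF)
```

Calling `rank_mcus(FIRMWARE, MEMORY_MAPS)` places MCU-B first (6 of 8 words explained), then the looser MCU-D with equal coverage but a larger map, then MCU-A and MCU-C; the stray data word 0x00000001 landing in MCU-C's flash-at-zero range shows why real tooling needs stronger address filtering.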
