Chuan Qin (Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academy of Sciences; Nanyang Technological University), Cen Zhang (Nanyang Technological University), Yaowen Zheng (Institute of Information Engineering, Chinese Academy of Sciences), Puzhuo Liu (Ant Group; Tsinghua University), Jian Zhang (Nanyang Technological University), Yeting Li (Institute of Information Engineering, Chinese Academy of Sciences; University of Chinese Academy of Sciences), Weidong Zhang (Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China), Yang Liu (Nanyang Technological University), Limin Sun (Institute of Information Engineering of CAS)

Firmware rehosting is a fundamental emulation technique that enables dynamic analysis of firmware binaries at scale.
Successfully rehosting Linux-based firmware services requires proper emulation of both system-level functionality, such as device interfaces, and user-space dependencies, such as configuration files and inter-process communication.
However, existing solutions make inadequate use of user-space knowledge.
The init routine, the first user-space process, which sets up the operating environment, is often only partially executed, leaving initialization incomplete.
Moreover, all emulation failures are treated uniformly, without distinguishing direct system-level emulation issues from their indirect effects on user-space dependencies.

To fill this gap, we developed FIRMWELL, a framework that models firmware rehosting as the coordinated emulation of both the target binary and its user-space dependencies.
It first rehosts the init routine to construct the environment and then launches the target, a procedure that typically involves more than one hundred processes.
When an emulation failure occurs, FIRMWELL identifies the blocking process, analyzes the incorrectly emulated resources, and applies targeted fixes.
The key strategy is to address user-space dependency failures by correcting the underlying system-level emulation errors, while employing program analysis to infer resource values precisely.
In an evaluation on 14,049 firmware images, FIRMWELL successfully rehosted 6,490 services, outperforming the state of the art by 1.6-8x (3,581 for FirmAE, 3,962 for Greenhouse, and 810 for Pandawan), while reducing the average rehosting time by 1.8-8.4x (12 minutes vs. 22, 74, and 101 minutes).
Applied to fuzz 1,043 firmware images, FIRMWELL uncovered 67 zero-day vulnerabilities, ten of which have been assigned CVE identifiers.
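To make the abstract's key strategy concrete, the following toy model (an added example, not FIRMWELL's code or any artifact of the paper) simulates a boot in which an init-spawned helper derives a user-space resource from a system-level one, and the target service later blocks on that user-space resource. Instead of patching the symptom (the missing config file), the diagnosis walks the producer chain back to the system-level resource the emulator never provided, applies that fix, and re-runs. The process names, resource paths and the producer/consumer relations are all constructed for illustration; the `/dev`, `/proc`, `/sys` prefix rule for "system-level" is a simplifying assumption.

```python
"""Toy root-cause attribution for rehosting failures (constructed example)."""
from dataclasses import dataclass

# Assumption: anything under these prefixes is provided by the emulated
# kernel/device layer, everything else is created by user-space processes.
SYSTEM_PREFIXES = ("/dev/", "/proc/", "/sys/")


def is_system_resource(path):
    return path.startswith(SYSTEM_PREFIXES)


@dataclass(frozen=True)
class Process:
    name: str
    needs: tuple          # resources that must exist before the process can run
    produces: tuple = ()  # resources it creates once it has run successfully


def simulate_boot(processes, provided):
    """Run processes in boot order; a blocked process is skipped, as a
    failed init child would be, and the boot continues.
    Returns (environment after boot, {process name: missing resources})."""
    env = set(provided)
    failed = {}
    for p in processes:
        missing = [r for r in p.needs if r not in env]
        if missing:
            failed[p.name] = missing
        else:
            env.update(p.produces)
    return env, failed


def root_cause(processes, env, resource, chain=()):
    """Follow a missing resource back through its producers until a
    system-level resource is reached. Returns the chain of resources,
    or None if some link has no known producer."""
    chain = chain + (resource,)
    if is_system_resource(resource):
        return chain
    producers = {r: p for p in processes for r in p.produces}
    producer = producers.get(resource)
    if producer is None:
        return None
    for need in producer.needs:
        if need not in env and need not in chain:
            found = root_cause(processes, env, need, chain)
            if found:
                return found
    return None


def diagnose(processes, provided, target):
    """Identify why `target` blocks and which system-level fix unblocks it."""
    env, failed = simulate_boot(processes, provided)
    if target not in failed:
        return {"status": "ok"}
    for res in failed[target]:
        chain = root_cause(processes, env, res)
        if chain:
            return {"status": "blocked", "blocking": target, "missing": res,
                    "fix": chain[-1], "chain": chain}
    return {"status": "blocked", "blocking": target,
            "missing": failed[target][0], "fix": None, "chain": None}


def rehost(processes, provided, target, max_rounds=10):
    """Iteratively diagnose and apply system-level fixes.
    Returns (fixes applied in order, whether the target finally runs)."""
    provided = set(provided)
    fixes = []
    for _ in range(max_rounds):
        d = diagnose(processes, provided, target)
        if d["status"] == "ok":
            return fixes, True
        if d["fix"] is None:
            return fixes, False
        provided.add(d["fix"])
        fixes.append(d["fix"])
    return fixes, False


# Constructed boot sequence: the NVRAM helper needs a flash partition,
# the config generator needs the NVRAM dump, and the web server needs
# the generated config plus a device node of its own.
BOOT = (
    Process("rcS", needs=(), produces=("/var/run",)),
    Process("nvram_init", needs=("/dev/mtdblock3",), produces=("/tmp/nvram.db",)),
    Process("gen_config", needs=("/tmp/nvram.db", "/var/run"), produces=("/etc/httpd.conf",)),
    Process("httpd", needs=("/etc/httpd.conf", "/var/run", "/dev/urandom")),
)

if __name__ == "__main__":
    print(diagnose(BOOT, set(), "httpd"))
    print(rehost(BOOT, set(), "httpd"))
```

With an empty emulator, `httpd` blocks on `/etc/httpd.conf`; the chain `/etc/httpd.conf -> /tmp/nvram.db -> /dev/mtdblock3` attributes that user-space failure to the missing flash partition, and only after that fix does the direct failure on `/dev/urandom` surface. Fixing the config file in place would have left `nvram_init` broken for every other consumer of the NVRAM dump.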
