
BINARM: Scalable and Efficient Detection of Vulnerabilities in Firmware Images of Intelligent Electronic Devices

  • Conference paper
  • Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2018)

Abstract

There is a widespread adoption of intelligent electronic devices (IEDs) in modern-day smart grid deployments. Consequently, any vulnerabilities in IED firmware might greatly affect the security and functionality of the smart grid. Although general-purpose techniques exist for vulnerability detection in firmware, they usually cannot meet the specific needs, e.g., they lack the domain knowledge specific to IED vulnerabilities, and they are often not efficient enough for handling larger firmware of IEDs. In this paper, we present BinArm, a scalable approach to detecting vulnerable functions in smart grid IED firmware mainly based on the ARM architecture. To this end, we build comprehensive databases of vulnerabilities and firmware that are both specific to smart grid IEDs. Then, we propose a multi-stage detection engine to minimize the computational cost of function matching and to address the scalability issue in handling large IED firmware. Specifically, the proposed engine takes a coarse-to-fine grained multi-stage function matching approach by (i) first filtering out dissimilar functions based on a group of heterogeneous features; (ii) further filtering out dissimilar functions based on their execution paths; and (iii) finally identifying candidate functions based on fuzzy graph matching. Our experiments show that BinArm accurately identifies vulnerable functions with an average accuracy of 0.92. The experimental results also show that our detection engine can speed up the existing fuzzy matching approach by three orders of magnitude. Finally, as a practical framework, BinArm successfully detects 93 real-world CVE vulnerability entries, the majority of which have been confirmed, and the detection takes as little as 0.09 s per function on average.
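The coarse-to-fine pipeline the abstract sketches, as an added illustration written for this page (not BinArm's code and not its actual feature set): candidate functions from a firmware image are pruned first on cheap heterogeneous features, then on execution-path overlap, and only the survivors reach the expensive graph comparison. The four features, the thresholds, the toy degree-signature graph similarity standing in for fuzzy graph matching, and the sample functions are all constructed assumptions; the point demonstrated is how the early stages cut the number of costly stage-3 comparisons.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Edge = Tuple[str, str]


@dataclass(frozen=True)
class Function:
    """A disassembled function, reduced to what each matching stage needs.
    (Hypothetical representation; the feature set is an assumption.)"""
    name: str
    features: Tuple[float, ...]          # stage 1: e.g. blocks, edges, calls, instructions
    paths: FrozenSet[Tuple[str, ...]]    # stage 2: execution paths through the CFG
    edges: FrozenSet[Edge]               # stage 3: CFG edges for graph matching


def feature_distance(a: Tuple[float, ...], b: Tuple[float, ...]) -> float:
    """Stage 1: per-feature relative L1 distance, averaged; 0 means identical."""
    return sum(abs(x - y) / max(x, y, 1) for x, y in zip(a, b)) / len(a)


def jaccard(a: FrozenSet, b: FrozenSet) -> float:
    """Set overlap in [0, 1]; two empty sets count as identical."""
    return 1.0 if not a and not b else len(a & b) / len(a | b)


def node_signatures(edges: FrozenSet[Edge]) -> Counter:
    """Multiset of (in-degree, out-degree) per CFG node: a cheap, label-free
    fingerprint of graph shape (toy stand-in for fuzzy graph matching)."""
    indeg, outdeg, nodes = Counter(), Counter(), set()
    for u, v in edges:
        outdeg[u] += 1
        indeg[v] += 1
        nodes.update((u, v))
    return Counter((indeg[n], outdeg[n]) for n in nodes)


def multiset_jaccard(a: Counter, b: Counter) -> float:
    union = sum((a | b).values())
    return 1.0 if union == 0 else sum((a & b).values()) / union


def graph_similarity(f: Function, g: Function) -> float:
    """Stage 3: half shape similarity, half exact edge overlap, in [0, 1]."""
    shape = multiset_jaccard(node_signatures(f.edges), node_signatures(g.edges))
    return 0.5 * shape + 0.5 * jaccard(f.edges, g.edges)


def match_function(target: Function, candidates: List[Function],
                   t_feat: float = 0.3, t_path: float = 0.3, t_graph: float = 0.7):
    """Coarse-to-fine search for `target` (a known-vulnerable function) among
    `candidates`. Returns (matches, stage-3 scores, per-stage pruning counts)."""
    stats = {"stage1_pruned": 0, "stage2_pruned": 0, "stage3_compared": 0}
    scores: Dict[str, float] = {}
    for cand in candidates:
        if feature_distance(target.features, cand.features) > t_feat:
            stats["stage1_pruned"] += 1          # dissimilar features: drop cheaply
            continue
        if jaccard(target.paths, cand.paths) < t_path:
            stats["stage2_pruned"] += 1          # different execution paths: drop
            continue
        stats["stage3_compared"] += 1            # only survivors pay for graph matching
        scores[cand.name] = graph_similarity(target, cand)
    matches = sorted(((n, s) for n, s in scores.items() if s >= t_graph),
                     key=lambda ns: -ns[1])
    return matches, scores, stats


# Constructed sample: a diamond-shaped vulnerable function and four candidates.
TARGET = Function("vuln_parse", (4, 4, 2, 30),
                  frozenset({("A", "B", "D"), ("A", "C", "D")}),
                  frozenset({("A", "B"), ("A", "C"), ("B", "D"), ("C", "D")}))
CANDIDATES = [
    Function("vuln_copy", TARGET.features, TARGET.paths, TARGET.edges),   # exact reuse
    Function("vuln_patched", (5, 5, 2, 36),                               # one extra check block
             frozenset({("A", "B", "D"), ("A", "C", "E", "D")}),
             frozenset({("A", "B"), ("A", "C"), ("B", "D"), ("C", "E"), ("E", "D")})),
    Function("tiny_helper", (1, 0, 0, 5), frozenset({("A",)}), frozenset()),
    Function("same_shape_other_paths", (4, 4, 2, 30),                     # passes stage 1 only
             frozenset({("A", "C", "B"), ("A", "D", "B")}),
             frozenset({("A", "C"), ("A", "D"), ("C", "B"), ("D", "B")})),
]

if __name__ == "__main__":
    matches, scores, stats = match_function(TARGET, CANDIDATES)
    print("matches:", matches)      # [('vuln_copy', 1.0)]
    print("stage-3 scores:", scores)
    print("pruning:", stats)        # two of four candidates never reach stage 3
```

Lowering `t_path` lets the patched variant through to stage 3, where its score of 0.65 falls short of `t_graph`; in practice that borderline region is where a reviewer would want to look at the candidate by hand rather than trust either threshold.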


Notes

  1. The Linksys WRT32X firmware (39 kb) contains 47,025 functions, whereas the NI PMU1_0_11 firmware comprises 226,496 functions and is 256 kb large.


Acknowledgement

We would like to thank our shepherd, Dr. Yan Shoshitaishvili, and the anonymous reviewers for the invaluable comments. This research is the result of a fruitful collaboration between members of the Security Research Centre (SRC) of Concordia University, Hydro-Québec, and Thales Canada under the NSERC/Hydro-Québec/Thales Senior Industrial Research Chair in Smart Grid Security: Detection, Prevention, Mitigation and Recovery from Cyber-Physical Attacks.

Corresponding author

Correspondence to Paria Shirani.

Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature


Cite this paper

Shirani, P. et al. (2018). BINARM: Scalable and Efficient Detection of Vulnerabilities in Firmware Images of Intelligent Electronic Devices. In: Giuffrida, C., Bardin, S., Blanc, G. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2018. Lecture Notes in Computer Science(), vol 10885. Springer, Cham. https://doi.org/10.1007/978-3-319-93411-2_6

  • DOI: https://doi.org/10.1007/978-3-319-93411-2_6
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-93410-5
  • Online ISBN: 978-3-319-93411-2
  • eBook Packages: Computer Science (R0)
