Pandawan: Quantifying Progress in Linux-based Firmware Rehosting

Authors: 

Ioannis Angelakopoulos, Gianluca Stringhini, and Manuel Egele, Boston University

Abstract: 

The Internet of Things (IoT) is frequently the epicenter of cyberattacks due to its weak security. Prior works introduce various techniques for analyzing the firmware of IoT devices for bugs and vulnerabilities, especially through firmware re-hosting. However, comparing the emulation outcomes of the different re-hosting approaches can be very challenging. In this paper, we present Firmware Initialization Completion Detection (FICD), a technique that enables the comparison of full-system re-hosting approaches across their re-hosting capabilities. In addition, prior works lack an important capability: they do not treat the user level and the privileged (kernel) level of IoT firmware as a single unit. Since prior work cannot holistically analyze IoT firmware (both the user and privileged level), we develop Pandawan, a framework that enables the holistic re-hosting and analysis of IoT firmware at scale. We use FICD to illustrate Pandawan's re-hosting improvements over the state-of-the-art, namely Firmadyne, FirmAE, and FirmSolo, on a dataset of 1,520 firmware images. Our experiments show that Pandawan outperforms these systems, executing up to 6% more user level programs and 21% more user code basic blocks on average. Furthermore, Pandawan loads 9% more IoT kernel modules and executes 26% more kernel module basic blocks on average than FirmSolo. We also use Pandawan to holistically analyze the firmware images by inspecting the interactions (through system calls) of user level code with kernel module code. Pandawan transforms the system call information into seeds for the TriforceAFL kernel fuzzer to analyze the kernel modules within the firmware images. The TriforceAFL experiment on the 479 firmware images for which seeds were generated discovered 16 bugs in 12 binary kernel modules, 6 of which are previously unknown bugs. The bugs affect 8 closed source and 4 open source kernel modules.

BibTeX
@inproceedings {299623,
author = {Ioannis Angelakopoulos and Gianluca Stringhini and Manuel Egele},
title = {Pandawan: Quantifying Progress in Linux-based Firmware Rehosting},
booktitle = {33rd USENIX Security Symposium (USENIX Security 24)},
year = {2024},
isbn = {978-1-939133-44-1},
address = {Philadelphia, PA},
pages = {5859--5876},
url = {https://www.usenix.org/conference/usenixsecurity24/presentation/angelakopoulos},
publisher = {USENIX Association},
month = aug
}