A Friend's Eye is A Good Mirror: Synthesizing MCU Peripheral Models from Peripheral Drivers

Authors: 

Chongqing Lei and Zhen Ling, Southeast University; Yue Zhang, Drexel University; Yan Yang and Junzhou Luo, Southeast University; Xinwen Fu, University of Massachusetts Lowell

Abstract: 

The extensive integration of embedded devices within the Internet of Things (IoT) has given rise to significant security concerns. Various initiatives have been undertaken to bolster the security of these devices at the software level, involving the analysis of MCU firmware and the implementation of automatic MCU rehosting methods. However, existing hardware-oriented rehosting techniques often face scalability challenges, while firmware-oriented approaches may have limited universality and fidelity. To address these limitations, we propose Perry, a system that synthesizes faithful and extendable peripheral models for MCUs. By extracting peripheral models from hardware drivers, Perry ensures compatibility and accurate emulation of targeted MCUs. The process involves gathering hardware metadata, analyzing driver code, capturing traces of peripheral accesses, and converting software beliefs into hardware behaviors. Perry is implemented with approximately 19,000 lines of code. A comprehensive evaluation of 75 firmware samples has showcased its effectiveness, consistency, universality, and scalability in generating hardware models for MCUs. Perry can efficiently synthesize hardware models consistent with the actual hardware and achieve a 74.24% unit test passing rate, outperforming the state-of-the-art techniques. The hardware models produced by Perry can faithfully emulate diverse firmware and can be readily expanded with minimal manual intervention. Through case studies, we show that Perry can help reproduce firmware vulnerabilities, discover specification-violation bugs in drivers, and fuzz RTOS for vulnerabilities. These case studies have led to the identification of two specification-violating bugs and the discovery of seven new vulnerabilities, underscoring Perry's potential to enhance various security-focused tasks.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

BibTeX
@inproceedings {298060,
author = {Chongqing Lei and Zhen Ling and Yue Zhang and Yan Yang and Junzhou Luo and Xinwen Fu},
title = {A Friend{\textquoteright}s Eye is A Good Mirror: Synthesizing {MCU} Peripheral Models from Peripheral Drivers},
booktitle = {33rd USENIX Security Symposium (USENIX Security 24)},
year = {2024},
isbn = {978-1-939133-44-1},
address = {Philadelphia, PA},
pages = {7085--7102},
url = {https://www.usenix.org/conference/usenixsecurity24/presentation/lei},
publisher = {USENIX Association},
month = aug
}

Presentation Video