SURROGATES: Enabling Near-Real-Time Dynamic Analyses of Embedded Systems

Embedded systems are becoming increasingly sophisticated, inter-connected, and pervasive. Unfortunately, securing these systems remains challenging. While powerful dynamic analysis tools have been developed for traditional software, the unique characteristics of embedded systems make it difficult to apply these well-known techniques; prior work has been limited either to small systems or short segments of code. In this paper, we demonstrate a system that is capable of emulating and instrumenting embedded systems in near-real-time, enabling a variety of dynamic analysis techniques. Our approach uses a custom, low-latency FPGA bridge between the host’s PCI Express bus and the system under test, allowing the emulator full access to the system’s peripherals. This provides the emulator with a faithful representation of the environment the firmware normally executes in, enabling additional dynamic analysis techniques such as concolic execution. We discuss the design decisions and engineering tradeoffs made and evaluate our system against prior work.