
Firmware Slap: Automating Discovery of Exploitable Vulnerabilities in Firmware

Conference: DEF CON 27

2019-08-01

Summary

Firmware Slap is a tool that combines concolic analysis with semi-supervised firmware function learning to automate the discovery of exploitable vulnerabilities in firmware.
  • Firmware is the weakest link in our devices and demands new methods of finding exploitable vulnerabilities
  • Firmware Slap combines concolic analysis and semi-supervised firmware function learning to find exploitable vulnerabilities
  • The tool uses under-constrained concolic analysis: rather than exploring from the program entry point, it starts at the bottom (individual functions, with their arguments left unconstrained) and works its way up, splitting each action into a separate analysis task
  • Ghidra, the reverse-engineering tool released by the NSA, is used to understand and model the actions at the bottom level of the firmware

The speaker showed a video of Firmware Slap finding exploitable bugs in the Almond 3 smart home device with its concolic analysis component. The tool represents each program state as a set of equations over symbolic inputs and asks specific questions of those states: can a network read or file read corrupt the program counter, or taint the argument of a system command?

On larger code bases, however, whole-program analysis failed by running out of RAM. Under-constrained concolic analysis was introduced to solve this: instead of exploring from the program's entry point, analysis starts at the bottom, with individual functions and unconstrained arguments, and works its way up, so each action becomes a separate, bounded analysis task. The price of leaving arguments unconstrained is that a finding in a leaf function may be unreachable once the caller's checks are taken into account, so findings need to be re-checked against the constraints the callers impose.

The speaker also noted the lack of exploit mitigations on the top five best-selling routers on Amazon, highlighting the need for tools like Firmware Slap to find and fix vulnerabilities in firmware.

Abstract

DARPA’s Cyber Grand Challenge foretold an ominous future stricken with machines exploiting our code and automatically compromising our systems. Today, we have the chance to steel ourselves by creating new hope through stronger tools and techniques to find our bugs before our big-brother nation-states can take advantage. The firmware holding our phones, our routers, and our cars is our weakest link and it demands new methods of finding exploitable vulnerabilities. This talk will present Firmware Slap, the culmination of concolic analysis and semi-supervised firmware function learning. Each binary or library in a given firmware provides slices of information to accelerate and enable fault-resistant concolic analysis. These techniques provide a method of knowing where our vulnerabilities are and how we can trigger them.
