From Library Portability to Para-rehosting: Natively Executing Microcontroller Software on Commodity Hardware

  title={From Library Portability to Para-rehosting: Natively Executing Microcontroller Software on Commodity Hardware},
  author={Wenqiang Li and Le Guan and Jingqiang Lin and Jiameng Shi and Fengjun Li},
Finding bugs in microcontroller (MCU) firmware is challenging, even for device manufacturers who own the source code. The MCU runs different instruction sets than x86 and exposes a very different development environment. This invalidates many existing sophisticated software testing tools on x86. To maintain a unified developing and testing environment, a straightforward way is to re-compile the source code into the native executable for a commodity machine (called rehosting). However, ad-hoc re… Expand

Figures and Tables from this paper


FIE on Firmware: Finding Vulnerabilities in Embedded Systems Using Symbolic Execution
A new tool is designed and implemented that builds off the KLEE symbolic execution engine in order to provide an extensible platform for detecting bugs in firmware programs for the popular MSP430 family of microcontrollers and incorporates new techniques for symbolic execution that enable it to verify security properties of the simple firmwares often found in practice. Expand
HALucinator: Firmware Re-hosting Through Abstraction Layer Emulation
This work introduces extensions to existing library matching techniques that are needed to identify library functions in binary firmware, to reduce collisions, and for inferring additional function names, and demonstrates the practicality of HLE for security analysis. Expand
Device-agnostic Firmware Execution is Possible: A Concolic Execution Approach for Peripheral Emulation
This work presents Laelaps, a device emulator specifically designed to run diverse software of microcontroller devices, which infers the expected behavior of firmware via symbolic-execution-assisted peripheral emulation and generates proper inputs to steer concrete execution on the fly. Expand
FirmUSB: Vetting USB Device Firmware using Domain Informed Symbolic Execution
FirmUSB is introduced, a USB-specific firmware analysis framework that uses domain knowledge of the USB protocol to examine firmware images and determine the activity that they can produce, and insights are provided into the challenges of symbolic analysis on embedded architectures and guidance on improving tools to better handle this important class of devices. Expand
Prospect: peripheral proxying supported embedded code testing
By transparently forwarding peripheral hardware accesses from the original host system into a virtual machine, PROSPECT allows security analysts to run the embedded software implementation without the need to know which and how embedded peripheral hardware components are accessed. Expand
Inception: System-Wide Security Testing of Real-World Embedded Systems Software
Inception is introduced, a framework to perform security testing of complete real-world embedded firmware testing, and Inception Translator generates and merges LLVM bitcode from high-level source code, hand-written assembly, binary libraries, and part of the processor hardware behavior. Expand
Unikernels: library operating systems for the cloud
The Mirage prototype compiles OCaml code into unikernels that run on commodity clouds and offer an order of magnitude reduction in code size without significant performance penalty, and demonstrates that the hypervisor is a platform that overcomes the hardware compatibility issues that have made past library operating systems impractical to deploy in the real-world. Expand
AddressSanitizer: A Fast Address Sanity Checker
The paper presents AddressSanitizer, a new memory error detector that achieves efficiency without sacrificing comprehensiveness, and has found over 300 previously unknown bugs in the Chromium browser and many bugs in other software. Expand
The exokernel operating system architecture
This thesis proposes a new approach, the exokernel architecture, which makes resource management unprivileged but safe by separating management from protection: an exok Kernel protects resources, while untrusted application-level software manages them. Expand
Pin: building customized program analysis tools with dynamic instrumentation
The goals are to provide easy-to-use, portable, transparent, and efficient instrumentation, and to illustrate Pin's versatility, two Pintools in daily use to analyze production software are described. Expand