Fig 6 - uploaded by Dominik Maier
Large scale testing of discovered Shannon baseband crashes over time, per phone model and firmware image. Each black dot is an image tested, with state interpolated between. "Crash" indicates that the image crashed when receiving the input. "No crash" means the image did not crash when receiving the input. "Timeouts" occur when the emulator could not retrieve and process the input in time. "Emulation Error" means FIRMWIRE was not able to boot the firmware. "Unknown" indicates other types of errors.


Context in source publication

Context 1
... showcase the results of our longitudinal study in Figure 6. We omit the results for LTE RRC #4, as this vulnerability only affects MediaTek chipsets, and all tested versions prior to August 2021 turned out to be vulnerable. ...

Citations

... However, it is also constrained by human assumptions, making it unsuitable for complex devices like Ethernet and USB DMA. FirmWire [29] offers human-crafted peripheral models for baseband firmware. ...
Article
As IoT devices with microcontroller (MCU)-based firmware become more common in our lives, memory corruption vulnerabilities in their firmware are increasingly targeted by adversaries. Fuzzing is a powerful method for detecting these vulnerabilities, but it poses unique challenges when applied to IoT devices. Direct fuzzing on these devices is inefficient, and recent efforts have shifted towards creating emulation environments for dynamic firmware testing. However, unlike traditional software, firmware interactions with peripherals that are significantly more diverse present new challenges for achieving scalable full-system emulation and effective fuzzing. This paper reviews 27 state-of-the-art works in MCU-based firmware emulation and its applications in fuzzing. Instead of classifying existing techniques based on their capabilities and features, we first identify the fundamental challenges faced by firmware emulation and fuzzing. We then revisit recent studies, organizing them according to the specific challenges they address, and discussing how each specific challenge is addressed. We compare the emulation fidelity and bug detection capabilities of various techniques to clearly demonstrate their strengths and weaknesses, aiding users in selecting or combining tools to meet their needs. Finally, we highlight the remaining technical gaps and point out important future research directions in firmware emulation and fuzzing.
... While prior work suspected that some chipset vulnerabilities tend to propagate across many generations [4], [5], along with speculation that vulnerabilities in chipset firmware are more severe than driver vulnerabilities [6], there is a significant lack of empirical evidence to support these claims on a large scale. Existing studies have primarily relied on limited case studies or anecdotal evidence, leaving a considerable gap in our understanding of the true prevalence and impact of these vulnerabilities. ...
... As a result, developers of such software typically only support and enhance the latest (few) version(s) of this branch. In contrast, chipset firmware and drivers are often specific to each chipset model [4]. This means that CMs might develop entirely new firmware and drivers for chipsets at different price points, and for each new chipset generation. ...
... Potential technical measures that could reduce the severity gap between drivers and firmware include defense techniques such as process isolation and memory-tagging for address sanitization. These are already deployed in Android itself [53] and thus promote driver security, but are often missing in chipset firmware [4]. Ensure completeness of AOSP security bulletins. ...
Preprint
Vulnerabilities in Android smartphone chipsets have severe consequences, as recent real-world attacks have demonstrated that adversaries can leverage vulnerabilities to execute arbitrary code or exfiltrate confidential information. Despite the far-reaching impact of such attacks, the lifecycle of chipset vulnerabilities has yet to be investigated, with existing papers primarily investigating vulnerabilities in the Android operating system. This paper provides a comprehensive and empirical study of the current state of smartphone chipset vulnerability management within the Android ecosystem. For the first time, we create a unified knowledge base of 3,676 chipset vulnerabilities affecting 437 chipset models from all four major chipset manufacturers, combined with 6,866 smartphone models. Our analysis revealed that the same vulnerabilities are often included in multiple generations of chipsets, providing novel empirical evidence that vulnerabilities are inherited through multiple chipset generations. Furthermore, we demonstrate that the commonly accepted 90-day responsible vulnerability disclosure period is seldom adhered to. We find that a single vulnerability often affects hundreds to thousands of different smartphone models, for which update availability is, as we show, often unclear or heavily delayed. Leveraging the new insights gained from our empirical analysis, we recommend several changes that chipset manufacturers can implement to improve the security posture of their products. At the same time, our knowledge base enables academic researchers to conduct more representative evaluations of smartphone chipsets, accurately assess the impact of vulnerabilities they discover, and identify avenues for future research.
... Existing research efforts that specialize in black-box testing of wireless communication protocol implementations can be categorized into the following high-level categories: (A) Manual analysis or fixed test case-based approaches [10,47,60,61]; (B) Reverse engineering-based approaches [24,26,38,43,54,66]; (C) State machine learning-based approaches [17,23,32,36,48]. Approaches in categories (A) and (B) are either unscalable due to manual effort or ineffective in identifying intricate bugs in complex and stateful protocols that require long execution packet traces to be exercised. ...
... Existing research efforts that specialize in black-box testing of wireless communication protocol implementations can be categorized into the following high-level categories: (A) Manual analysis or fixed test case-based approaches [10,45,57,58]; (B) Reverse engineering-based approaches [23,25,37,41,51,62]; (C) State machine learning-based approaches [16,22,31,35,46]. Approaches in categories (A) and (B) are either unscalable due to manual effort or ineffective in identifying intricate bugs in complex and stateful protocols that require long execution packet traces to be exercised. ...
Preprint
This paper proposes Proteus, a protocol state machine, property-guided, and budget-aware automated testing approach for discovering logical vulnerabilities in wireless protocol implementations. Proteus maintains its budget awareness by generating test cases (i.e., each being a sequence of protocol messages) that are not only meaningful (i.e., the test case mostly follows the desirable protocol flow except for some controlled deviations) but also have a high probability of violating the desirable properties. To demonstrate its effectiveness, we evaluated Proteus in two different protocol implementations, namely 4G LTE and BLE, across 23 consumer devices (11 for 4G LTE and 12 for BLE). Proteus discovered 26 unique vulnerabilities, including 113 instances. Affected vendors have positively acknowledged 12 vulnerabilities through 5 CVEs.
... Even more concerning, recent demonstrations have revealed that mobile basebands are susceptible to exploitation, allowing the triggering of vulnerabilities like remote code execution (RCE) over the air [20], even extending to the latest 5G mobile devices [19]. Over the years, it has become evident that the baseband often suffers from inadequate security engineering, showcasing memory corruption vulnerabilities [18,23,39,66] and non-compliance with cellular specifications [26,31]. Simultaneously, high-privileged malware on a device can inject malicious requests into the baseband, activating security-sensitive functions. ...
... Current approaches involve scrutinizing baseband firmware implementations through reverse engineering (RE) to identify and address undesired behaviors and vulnerabilities in basebands. As of now, only a few tools have been developed for baseband RE, encompassing both static analysis [31,37] and dynamic analysis [26], with some utilizing emulation methods [23,39]. However, these tools come with several limitations, often relying on manual analysis and heuristics, and thus do not generalize well [31,39]. ...
... Regarding CP to AP exploitation (depicted in Figure 10b), it requires an adversary with high privilege, e.g., a compromised baseband, kernel, or the OS, that injects malicious RIL commands to the AP through RIL. This could be achieved through existing RCE exploits [18,23,39,66] or supply chain adversaries. ...
Preprint
In modern mobile devices, baseband is an integral component running on top of cellular processors to handle crucial radio communications. However, recent research reveals significant vulnerabilities in these basebands, posing serious security risks like remote code execution. Yet, effectively scrutinizing basebands remains a daunting task, as they run closed-source and proprietary software on vendor-specific chipsets. Existing analysis methods are limited by their dependence on manual processes and heuristic approaches, reducing their scalability. This paper introduces a novel approach to unveil security issues in basebands from a unique perspective: to uncover vendor-specific baseband commands from the Radio Interface Layer (RIL), a hardware abstraction layer interfacing with basebands. To demonstrate this concept, we have designed and developed BaseMirror, a static binary analysis tool to automatically reverse engineer baseband commands from vendor-specific RIL binaries. It utilizes a bidirectional taint analysis algorithm to adeptly identify baseband commands from an enhanced control flow graph enriched with reconstructed virtual function calls. Our methodology has been applied to 28 vendor RIL libraries, encompassing a wide range of Samsung Exynos smartphone models on the market. Remarkably, BaseMirror has uncovered 873 unique baseband commands undisclosed to the public. Based on these results, we develop an automated attack discovery framework to successfully derive and validate 8 zero-day vulnerabilities that trigger denial of cellular service and arbitrary file access on a Samsung Galaxy A53 device. These findings have been reported and confirmed by Samsung and a bug bounty was awarded to us.
... By performing a comparative analysis of baseband implementations and specifications for cellular devices, Kim et al. found hundreds of mismatches utilizing the proposed BASESPEC approach [23]. Hernandez and Muench et al. [24] proposed and implemented a scalable emulation platform FIRMWIRE for baseband security testing and found new pre-authentication memory corruptions. Yu et al. [25] inspected the security implementation of 5G commercial mobile devices using SecChecker. ...
Article
Authentication and data protection (both integrity and confidentiality) between the network and cellular devices are two fundamental security features in LTE and IMS networks. The first is implemented via authentication and key agreement mechanisms and can be compromised by relaying authentication parameters. The second security feature builds on the first one and is activated through corresponding security setup procedures. This work intends to investigate whether these basic security procedures are securely implemented and deployed in commercial networks. We analyzed the de facto situation of these security features in three major operators in China and found several new and previously disclosed configuration and implementation flaws that do not conform to specifications. These vulnerabilities allow attackers to disable LTE and IMS data protection mechanisms. We further propose novel proof-of-concept attacks to exploit the identified vulnerabilities, including IMEI and Phone Number Catching, SMS and Call Impersonation and Interception attacks. To show the urgency of addressing these security issues and thus secure the real-world telecom networks, we successfully demonstrated these attacks in practice using open-source SDR tools as they have serious implications. For instance, the interception attacks undermine the widely-used SMS verification code security mechanism. We also discuss countermeasures to resist the proposed attacks.
... Tools like DoLTEst [25] improve the detection of implementation flaws by concentrating on negative testing with a deterministic oracle derived from specification analysis. BaseSAFE [24] and FIRMWIRE [15] use fuzzing against LTE firmware to discover vulnerabilities, such as buffer overflows, which can then be verified through over-the-air testing. ...
Preprint
Security flaws and vulnerabilities in cellular networks lead to severe security threats given the data-plane services that are involved, from calls to messaging and Internet access. While the 5G Standalone (SA) system is currently being deployed worldwide, practical security testing of User Equipment (UE) has only been conducted and reported publicly for 4G/LTE and earlier network generations. In this paper, we develop and present the first open-source based security testing framework for 5G SA User Equipment. To that end, we modify the functionality of open-source suites (Open5GS and srsRAN) and develop a broad set of test cases for the 5G NAS and RRC layers. We apply our testing framework in a proof-of-concept manner to 5G SA mobile phones and provide detailed insights from our experiments. While being a framework in development, the results of our experiments presented in this paper can assist other researchers in the field and have the potential to improve 5G SA security.
... Modifying/patching such system calls will result in achieving more EFFs, and finally, expand the coverage. In a previous study, external elements that are not necessarily required for testing were disabled or simply access-patterned to implement appropriate responses [49]. In system call emulation, there are limitations due to unnecessary parts, but by leveraging techniques that can be improved together, potential candidates (e.g. ...
Article
Fuzzing is a practical approach for finding bugs in various software. So far, a number of fuzzers have been introduced based on new ideas towards enhancing the efficiency in terms of increasing code coverage or execution speed. The majority of such work predicates under the assumption that they have a sound executable binary or source code to transform the target program as a whole. However, in legacy systems, source code is often unavailable and, even worse, some binaries do not provide a sound executable environment (e.g., partially recovered firmware). In this paper, we provide FT-Framework: a fuzzability testing framework based on forced execution for binaries such as firmware chunks recovered in an abnormal way so that they are hard to execute/analyze from the intended booting phase. The essence of our work is to automatically classify functions inside a binary to which we can apply coverage-guided fuzzing via forced execution. We evaluate FT-Framework using PX4 and ArduPilot firmware, which are based on the 32-bit ARM architecture, and demonstrate the efficacy and limitations of this approach.
... Cao et al. [6], Johnson et al. [29], and Zhou [62], all leverage symbolic execution to learn satisfying values to bypass peripheral checks. Hernandez et al. [27] achieve full-system emulation of closed-source Shannon baseband firmware by adding missing architectural and peripheral support in QEMU, they later demonstrate that such an approach can be extended to other basebands [26]. In contrast to the aforementioned approaches, Milburn et al. [38] build a custom emulator and peripheral models to rehost an automotive instrument cluster; they use their emulator to aid in reverse-engineering the firmware's UDS commands. ...
... Mera et al. [37] highlight this difficulty in their evaluation: to test their approach on both ARM and MIPS32-based devices, they need to build separate prototypes of their tool for two different forks of QEMU, as neither variant supports both architectures. Hernandez et al. [26] note the current impossibility of porting their baseband rehosting framework to work with Qualcomm basebands, due to lack of architecture support in the PANDA [14] QEMU fork. ...
Preprint
In this paper we present MetaEmu, an architecture-agnostic emulator synthesizer geared towards rehosting and security analysis of automotive firmware. MetaEmu improves over existing rehosting environments in two ways: Firstly, it solves the hitherto open-problem of a lack of generic Virtual Execution Environments (VXEs) for rehosting by synthesizing processor simulators from Ghidra's language definitions. In doing so, MetaEmu can simulate any processor supported by a vast and growing library of open-source definitions. In MetaEmu, we use a specification-based approach to cover peripherals, execution models, and analyses, which allows our framework to be easily extended. Secondly, MetaEmu can rehost and analyze multiple targets, each of different architecture, simultaneously, and share analysis facts between each target's analysis environment, a technique we call inter-device analysis. We show that the flexibility afforded by our approach does not lead to a performance trade-off -- MetaEmu lifts rehosted firmware to an optimized intermediate representation, and provides performance comparable to existing emulation tools, such as Unicorn. Our evaluation spans five different architectures, bare-metal and RTOS-based firmware, and three kinds of automotive Electronic Control Unit (ECU) from four distinct vendors -- none of which can be rehosted or emulated by current tools, due to lack of processor support. Further, we show how MetaEmu enables a diverse set of analyses by implementing a fuzzer, a symbolic executor for solving peripheral access checks, a CAN ID reverse engineering tool, and an inter-device coverage tracker.
Article
This paper proposes LATTE, the first static binary taint analysis that is powered by a large language model (LLM). LATTE is superior to the state of the art (e.g., Emtaint, Arbiter, Karonte) in three aspects. First, LATTE is fully automated, while prior static binary taint analyzers need to rely on human expertise to manually customize taint propagation rules and vulnerability inspection rules. Second, LATTE is significantly effective in vulnerability detection, demonstrated by our comprehensive evaluations. For example, LATTE has found 37 new bugs in real-world firmware, which the baselines failed to find. Moreover, 10 of them have been assigned CVE numbers. Lastly, LATTE incurs remarkably low engineering cost, making it a cost-efficient and scalable solution for security researchers and practitioners. We strongly believe that LATTE opens up a new direction to harness the recent advance in LLMs to improve vulnerability analysis for binary programs.