Automated Security Analysis of Firmware

Bolandi, Farrokh

January 2022

Internet of Things (IoT) devices are omnipresent in both industries and our homes. These devices are controlled by a software called firmware. Firmware like any other software may contain security vulnerabilities and the sole entity responsible to provide secure firmware is the vendor of the device. There are many analysis reports for individual devices that have found vulnerabilities however this is a manual process and unscalable. Several tools exist today for security analysis but usually with focus on a single aspect of firmware analysis. In this thesis, to better understand challenges with respect to automation of securityfocused analysis of firmware images in largescale, a framework is implemented by combining a number of existing tools using both static and dynamic analysis. A dataset of 241 firmware images from 7 vendors was collected. After evaluation of the framework on the dataset, it was shown that 85 images contained several known vulnerabilities which for some images a high percentage of these already were known before the firmware release date. / Internet of Things (IoT) enheter är allestädes närvarande i både industrier och våra hem. Dessa enheter styrs av en programvara som kallas firmware. Firmware som alla andra programvara kan innehålla säkerhetsbrister och den enda entiet som är ansvarig för att tillhandahålla säker firmware är leverantören av enheten. Det finns många analysrapporter för enskilda enheter som har hittat sårbarheter men detta är en manuell process och oskalbar. Flera verktyg finns idag för säkerhetsanalys men oftast med fokus på en enda aspekt av firmwareanalys. I denna avhandling, för att bättre förstå utmaningar med avseende på automatisering av säkerhet fokuserad analys av firmwarebilder i stor skala, implementeras ett ramverk genom att kombinera ett antal befintliga verktyg med både statisk och dynamisk analys. A datauppsättning av 241 firmwarebilder från 7 leverantörer samlades in. Efter utvärdering av ramverket på datamängden visades det att 85 bilder innehöll flera kända sårbarheter som för vissa bilder en hög andel av dessa redan var kända före releasedatumet för den fasta programvaran.

Firmware Security

Automation

Static Analysis

Dynamic Analysis

Security Vulnerability

Firmwaresäkerhet

automation

statisk analys

dynamisk analys

säkerhet

Elektroteknik och elektronik

GEOGRAPHY OF URBAN WATER SECURITY AND VULNERABILITY: CASE STUDIES OF THREE LOCALITIES IN THE ACCRA-TEMA CITY-REGION, GHANA

Asante-Wusu, Isaac

20 June 2017

No description available.

Geography

Sécurisation d'un lien radio UWB-IR / Security of an UWB-IR Link

Benfarah, Ahmed

10 July 2013

Du fait de la nature ouverte et partagée du canal radio, les communications sans fil souffrent de vulnérabilités sérieuses en terme de sécurité. Dans ces travaux de thèse, je me suis intéressé particulièrement à deux classes d’attaques à savoir l’attaque par relais et l’attaque par déni de service (brouillage). La technologie de couche physique UWB-IR a connu un grand essor au cours de cette dernière décennie et elle est une candidate intéressante pour les réseaux sans fil à courte portée. Mon objectif principal était d’exploiter les caractéristiques de la couche physique UWB-IR afin de renforcer la sécurité des communications sans fil. L’attaque par relais peut mettre à défaut les protocoles cryptographiques d’authentification. Pour remédier à cette menace, les protocoles de distance bounding ont été proposés. Dans ce cadre, je propose deux nouveaux protocoles (STHCP : Secret Time-Hopping Code Protocol et SMCP : Secret Mapping Code Protocol) qui améliorent considérablement la sécurité des protocoles de distance bounding au moyen des paramètres de la radio UWB-IR. Le brouillage consiste en l’émission intentionnelle d’un signal sur le canal lors du déroulement d’une communication. Mes contributions concernant le problème de brouillage sont triples. D’abord, j’ai déterminé les paramètres d’un brouilleur gaussien pire cas contre un récepteur UWB-IR non-cohérent. En second lieu, je propose un nouveau modèle de brouillage par analogie avec les attaques contre le système de chiffrement. Troisièmement, je propose une modification rendant la radio UWB-IR plus robuste au brouillage. Enfin, dans une dernière partie de mes travaux, je me suis intéressé au problème d’intégrer la sécurité à un réseau UWB-IR en suivant l’approche d’embedding. Le principe de cette approche consiste à superposer et à transmettre les informations de sécurité simultanément avec les données et avec une contrainte de compatibilité. Ainsi, je propose deux nouvelles techniques d’embedding pour la couche physique UWB-IR afin d’intégrer un service d’authentification. / Due to the shared nature of wireless medium, wireless communications are more vulnerable to security threats. In my PhD work, I focused on two types of threats: relay attacks and jamming. UWB-IR physical layer technology has seen a great development during the last decade which makes it a promising candidate for short range wireless communications. My main goal was to exploit UWB-IR physical layer characteristics in order to reinforce security of wireless communications. By the simple way of signal relaying, the adversary can defeat wireless authentication protocols. The first countermeasure proposed to thwart these relay attacks was distance bounding protocol. The concept of distance bounding relies on the combination of two sides: an authentication cryptographic side and a distance checking side. In this context, I propose two new distance bounding protocols that significantly improve the security of existing distance bounding protocols by means of UWB-IR physical layer parameters. The first protocol called STHCP is based on using secret time-hopping codes. Whereas, the second called SMCP is based on secret mapping codes. Security analysis and comparison to the state of the art highlight various figures of merit of my proposition. Jamming consists in the emission of noise over the channel while communication is taking place and constitutes a major problem to the security of wireless communications. In a first contribution, I have determined worst case Gaussian noise parameters (central frequency and bandwidth) against UWB-IR communication employing PPM modulation and a non-coherent receiver. The metric considered for jammer optimization is the signal-to-jamming ratio at the output of the receiver. In a second contribution, I propose a new jamming model by analogy to attacks against ciphering algorithms. The new model leads to distinguish various jamming scenarios ranging from the best case to the worst case. Moreover, I propose a modification of the UWB-IR physical layer which allows to restrict any jamming problem to the most favorable scenario. The modification is based on using a cryptographic modulation depending on a stream cipher. The new radio has the advantage to combine the resistance to jamming and the protection from eavesdropping. Finally, I focused on the problem of security embedding on an existing UWB-IR network. Security embedding consists in adding security features directly at the physical layer and sending them concurrently with data. The embedding mechanism should satisfy a compatibility concern to existing receivers in the network. I propose two new embedding techniques which rely on the superposition of a pulse orthogonal to the original pulse by the form or by the position. Performances analysis reveal that both embedding techniques satisfy all system design constraints.

Télécommunications

Communication sans fil

Vulnérabilité de sécurité

Couche physique UWB-IR

Attaque par relais

Protocole délimiteur de distance

Brouillage

Telecommunications

Wireless communication

Security vulnerability

Ultra WideBand Impulse Radio - UWB-IR

Relay attacks

Distance bounding protocol

Jamming

Embedding

621.384 107 2