Automatic Binary Analysis and Instrumentation of Embedded Firmware for a Control-Flow Integrity Solution

The growing number of connected embedded systems has enabled the so-called IoT (Internet of Things), nowadays present in numerous scenarios of our daily life: from mobile phones, televisions, wearable devices to surveillance systems, medical devices, transport and industrial control systems. Since they often exercise control of critical infrastructures, such devices naturally become the target of cyber-attacks, which undermine to take possession not only of the data exchanged by them, but also of their control functionalities, breaking into possible software vulnerabilities present within the executed code. The goal could be gaining complete access to the device, but also altering its behavior by injecting malicious code or making it unusable. Applications executed on embedded systems are generally written in C and C++ languages, which provide high performance, but could also introduce bugs that can be exploited to corrupt memory, whose management is entirely entrusted to the programmer. Secure programming rules should be followed when writing code, to avoid common problems such as pointer ambiguity, memory leakage and buffer overflow. By exploiting these coding errors, an attacker can override the contents of a memory location, whether they are local variables, data structures or return addresses of a function, to change the instructions execution flow. This is one of the basic principles of an advanced exploit paradigm, called Code-Reuse Attack (CRA). CRA are implemented through attack techniques like Return-Oriented Programming (ROP) or Jump-Oriented Programming (JOP), that harness the execution of malicious actions by reorganizing snippets of few machine instructions (called gadgets) already present in memory. In the common threat model, the attacker, through memory corruption, is able to force the execution of the code to be hijacked towards a chain of these gadgets, which in its entirety produces a malware execution. Control-flow Integrity (CFI) solutions proof that it is possible to mitigate the effects of these attacks by adopting protection mechanisms that safeguard the integrity of the execution flow. Through the computation of the Control-Flow Graph (CFG), it is possible to determine the set of valid destinations for all machine code instructions involving a control-flow transfer (such as branches, calls and returns). The aim of this thesis is to provide an automatic tool capable of extracting the CFG and instrumenting the binary code of the program in such a way that it is resilient to memory corruption problem. The tool is responsible of the offline part of a hybrid CFI technique for protecting embedded systems, which involves the presence of a reconfigurable hardware in the chip. The technique also provides a careful edge classification, that helps to narrow control-flow transfers needing protection. In this way, the instrumentation overhead in terms of code memory occupation and execution time is minimized. A Python script is developed to accomplish this expectation, with the support of r2pipe module that handle the interaction with the reverse-engineering framework Radare2.