Search for: All records

Creators/Authors contains: "Gustafson, E"

  1. The recent paradigm shift introduced by the Internet of Things (IoT) has brought embedded systems into focus as a target for both security analysts and malicious adversaries. Typified by their lack of standardized hardware, diverse software, and opaque functionality, IoT devices present unique challenges to security analysts due to the tight coupling between their firmware and the hardware for which it was designed. In order to take advantage of modern program analysis techniques, such as fuzzing or symbolic execution, with any kind of scale or depth, analysts must have the ability to execute firmware code in emulated (or virtualized) environments. However, these emulation environments are rarely available and cumbersome to create through manual reverse engineering, greatly limiting the analysis of binary firmware. In this work, we explore the problem of firmware re-hosting, the process by which firmware is migrated from its original hardware environment into a virtualized one. We show that an approach capable of creating virtual, interactive environments in an automated manner is a necessity to enable firmware analysis at scale. We present the first proof-of-concept system aiming to achieve this goal, called PRETENDER, which uses observations of the interactions between the original hardware and the firmware to automatically create models of peripherals, and allows for the execution of the firmware in a fully-emulated environment. Unlike previous approaches, these models are interactive, stateful, and transferable, meaning they are designed to allow the program to receive and process new input, a requirement of many analyses. We demonstrate our approach on multiple hardware platforms and firmware samples, and show that the models are flexible enough to allow for virtualized code execution, the exploration of new code paths, and the identification of security vulnerabilities. 
  2. Given the increasing ubiquity of online embedded devices, analyzing their firmware is important to security, privacy, and safety. The tight coupling between hardware and firmware and the diversity found in embedded systems makes it hard to perform dynamic analysis on firmware. However, firmware developers regularly develop code using abstractions, such as Hardware Abstraction Layers (HALs), to simplify their job. We leverage such abstractions as the basis for the re-hosting and analysis of firmware. By providing high-level replacements for HAL functions (a process termed High-Level Emulation, HLE), we decouple the hardware from the firmware. This approach works by first locating the library functions in a firmware sample, through binary analysis, and then providing generic implementations of these functions in a full-system emulator. We present these ideas in a prototype system, HALucinator, able to re-host firmware, and allow the virtual device to be used normally. First, we introduce extensions to existing library matching techniques that are needed to identify library functions in binary firmware, to reduce collisions, and for inferring additional function names. Next, we demonstrate the re-hosting process, through the use of simplified handlers and peripheral models, which make the process fast, flexible, and portable between firmware samples and chip vendors. Finally, we demonstrate the practicality of HLE for security analysis, by supplementing HALucinator with the American Fuzzy Lop fuzzer, to locate multiple previously-unknown vulnerabilities in firmware middleware libraries.
  3. We report on the development and extensive characterization of co-sputtered tantala–zirconia (Ta₂O₅–ZrO₂) thin films, with the goal to decrease coating Brownian noise in present and future gravitational-wave detectors. We tested a variety of sputtering processes of different energies and deposition rates, and we considered the effect of different values of cation ratio η = Zr/(Zr + Ta) and of post-deposition heat treatment temperature T_a on the optical and mechanical properties of the films. Co-sputtered zirconia proved to be an efficient way to frustrate crystallization in tantala thin films, allowing for a substantial increase of the maximum annealing temperature and hence for a decrease of coating mechanical loss φ_c. The lowest average coating loss was observed for an ion-beam sputtered sample with η = 0.485 ± 0.004 annealed at 800 °C, yielding φ̄_c = 1.8 × 10⁻⁴ rad. All coating samples showed cracks after annealing. Although in principle our measurements are sensitive to such defects, we found no evidence that our results were affected. The issue could be solved, at least for ion-beam sputtered coatings, by decreasing heating and cooling rates down to 7 °C h⁻¹. While we observed as little optical absorption as in the coatings of current gravitational-wave interferometers (0.5 parts per million), further development will be needed to decrease light scattering and avoid the formation of defects upon annealing.
  7. We search for gravitational-wave (GW) transients associated with fast radio bursts (FRBs) detected by the Canadian Hydrogen Intensity Mapping Experiment Fast Radio Burst Project, during the first part of the third observing run of Advanced LIGO and Advanced Virgo (2019 April 1 15:00 UTC to 2019 October 1 15:00 UTC). Triggers from 22 FRBs were analyzed with a search that targets both binary neutron star (BNS) and neutron star–black hole (NSBH) mergers. A targeted search for generic GW transients was conducted on 40 FRBs. We find no significant evidence for a GW association in either search. Given the large uncertainties in the distances of our FRB sample, we are unable to exclude the possibility of a GW association. Assessing the volumetric event rates of both FRB and binary mergers, an association is limited to 15% of the FRB population for BNS mergers or 1% for NSBH mergers. We report 90% confidence lower bounds on the distance to each FRB for a range of GW progenitor models and set upper limits on the energy emitted through GWs for a range of emission scenarios. We find values of order 10⁵¹–10⁵⁷ erg for models with central GW frequencies in the range 70–3560 Hz. At the sensitivity of this search, we find these limits to be above the predicted GW emissions for the models considered. We also find no significant coincident detection of GWs with the repeater, FRB 20200120E, which is the closest known extragalactic FRB.