My coauthors and I will be presenting the paper "Recovering Peripheral Maps and Protocols to Expedite Firmware Reverse Engineering" at the Annual Computer Security Applications Conference (ACSAC) in December. Below is a preview of the abstract:
Reverse engineering firmware binaries is vital to security due to the risks involved with manipulating the physical world. Automating the analysis of firmware relies on effective modeling of the interactions between software and hardware, especially when there is no intermediary operating system. Unfortunately, analysts still struggle with handling off-the-shelf firmware because information about the target hardware is limited. Driven by the need for better reverse engineering, we developed a method to expedite tasks, such as rehosting, by automatically recovering which peripheral registers and protocols the firmware uses. Our key technical contribution is the definition and use of "access chains" within the firmware to accurately identify the implemented protocol for each set of in-use peripheral registers. We implemented a prototype, ProtoReveal, and extensively evaluated it on 412 firmware samples from 6 manufacturer websites, covering 35 microcontrollers, and 82 protocols (SPI, UART, etc.) for ARM and MIPS. ProtoReveal surpasses previous binary analysis techniques at identifying protocols, achieving 92% accuracy. Furthermore, we demonstrate that by integrating ProtoReveal with an existing security framework, we can precisely skip over modeling the peripherals and protocols that are never used, even if they are available in the hardware, reducing the time to automatically rehost the firmware for fuzz testing by 99% without sacrificing any effectiveness.
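To make the idea in the abstract concrete, here is a small added example (my own illustration, not ProtoReveal or the paper's method): a toy pass over a constructed bare-metal ARM listing that tracks literal-pool base addresses through registers, resolves each memory-mapped I/O load or store to a peripheral register, and records the ordered register accesses per peripheral. Peripherals that receive no accesses are the ones an analyst could skip modeling when rehosting. The peripheral map, the listing, and the `=imm` literal syntax are all constructed for this example; the real tool works on binaries and on far richer data flow than this single-register constant tracking.

```python
import re
from collections import defaultdict

# Constructed peripheral map for a hypothetical Cortex-M part: name -> (base, size).
PERIPHERAL_MAP = {
    "USART1": (0x40013800, 0x400),
    "SPI1":   (0x40013000, 0x400),
    "GPIOA":  (0x40010800, 0x400),
    "I2C1":   (0x40005400, 0x400),
}

# Constructed disassembly listing. "ldr rX, =imm" stands for a literal-pool load.
LISTING = """
08000100: ldr r0, =0x40013800    ; base of USART1
08000104: ldr r1, [r0, #0x0c]    ; read control register
08000108: orr r1, r1, #0x2000    ; set an enable bit
0800010c: str r1, [r0, #0x0c]    ; write control register
08000110: ldr r2, =0x40010800    ; base of GPIOA
08000114: str r3, [r2, #0x04]    ; configure pins
08000118: ldr r1, [r0, #0x00]    ; poll status register
0800011c: str r4, [r0, #0x04]    ; write data register
"""

LINE_RE = re.compile(r"^\s*([0-9a-f]+):\s+(\w+)\s+([^;]*?)\s*(?:;.*)?$", re.I)
LIT_RE = re.compile(r"^(r\d+),\s*=(0x[0-9a-f]+|\d+)$", re.I)
MEM_RE = re.compile(r"^(r\d+),\s*\[(r\d+)(?:,\s*#(0x[0-9a-f]+|\d+))?\]$", re.I)


def parse_listing(text):
    """Yield (pc, mnemonic, operand string) for each instruction line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((int(m.group(1), 16), m.group(2).lower(), m.group(3)))
    return out


def recover_accesses(text):
    """Track known register constants and resolve each load/store to an absolute address.

    Returns a list of (pc, op, address) for every access whose base register held
    a known constant at that point; anything else is conservatively dropped.
    """
    regs = {}          # register name -> known constant value
    accesses = []
    for pc, mnem, ops in parse_listing(text):
        lit = LIT_RE.match(ops)
        mem = MEM_RE.match(ops)
        if mnem == "ldr" and lit:
            regs[lit.group(1).lower()] = int(lit.group(2), 0)
        elif mnem in ("ldr", "str") and mem:
            dst, base, off = mem.group(1).lower(), mem.group(2).lower(), mem.group(3)
            offset = int(off, 0) if off else 0
            if base in regs:
                accesses.append((pc, mnem, regs[base] + offset))
            if mnem == "ldr":
                regs.pop(dst, None)   # value loaded from memory is unknown
        else:
            # Any other instruction clobbers its first operand (destination).
            regs.pop(ops.split(",")[0].strip().lower(), None)
    return accesses


def group_by_peripheral(accesses, pmap):
    """Map each resolved access into a peripheral's ordered (op, register offset) chain."""
    chains = defaultdict(list)
    for _pc, op, addr in accesses:
        for name, (base, size) in pmap.items():
            if base <= addr < base + size:
                chains[name].append((op, addr - base))
                break
    return dict(chains)


def unused_peripherals(chains, pmap):
    """Peripherals present in the map that the firmware never touches."""
    return sorted(name for name in pmap if name not in chains)


if __name__ == "__main__":
    chains = group_by_peripheral(recover_accesses(LISTING), PERIPHERAL_MAP)
    for name, chain in chains.items():
        print(name, [(op, hex(off)) for op, off in chain])
    print("unused:", unused_peripherals(chains, PERIPHERAL_MAP))
```

The per-peripheral chains are what a protocol classifier would consume: the USART1 sequence of control-register read/modify/write, status poll, then data write is the kind of pattern that distinguishes one peripheral protocol from another, whereas SPI1 and I2C1 never appear and need no model at all.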