FirmUSB: Vetting USB Device Firmware using Domain Informed Symbolic Execution
Grant Hernandez, Farhaan Fowze, Dave Tian, Tuba Yavuz, Kevin R. B. Butler

TL;DR
FirmUSB is a framework that uses domain-specific knowledge and symbolic execution to analyze USB device firmware, enabling detection of malicious activity in embedded devices without needing source code.
Contribution
It introduces a USB-specific firmware analysis framework that leverages domain knowledge and symbolic execution to identify malicious behaviors in embedded firmware.
Findings
Achieved a 7x speedup in analysis using domain knowledge.
Successfully detected malicious activity in 8051 firmware.
Provided insights into challenges of symbolic analysis on embedded architectures.
Abstract
The USB protocol has become ubiquitous, supporting devices from high-powered computing devices to small embedded devices and control systems. USB's greatest feature, its openness and expandability, is also its weakness, and attacks such as BadUSB exploit the unconstrained functionality afforded to these devices as a vector for compromise. Fundamentally, it is virtually impossible to know whether a USB device is benign or malicious. This work introduces FirmUSB, a USB-specific firmware analysis framework that uses domain knowledge of the USB protocol to examine firmware images and determine the activity that they can produce. Embedded USB devices use microcontrollers that have not been well studied by the binary analysis community, and our work demonstrates how lifters into popular intermediate representations for analysis can be built, as well as the challenges of doing so. We develop…
