Harzer Roller: Linker-Based Instrumentation for Enhanced Embedded Security Testing
Katharina Bogad, Manuel Huber

TL;DR
Harzer Roller is a hooking-based instrumentation method that enhances security testing of embedded firmware on resource-constrained devices by enabling execution tracing and buffer overflow detection, even without source code access.
Contribution
It introduces a generally architecture-independent hooking technique for embedded firmware, demonstrated on ESP8266, to improve security testing capabilities such as fuzzing and overflow detection.
Findings
Enables execution flow tracing without source code
Detects stack-based buffer overflows effectively
Supports debugging and analysis for security testing
Abstract
Due to the rise of the Internet of Things, there are many new chips and platforms available for hobbyists and industry alike to build smart devices. The SDKs for these new platforms usually include closed-source binaries containing wireless protocol implementations, cryptographic implementations, or other library functions, which are shared among all user code across the platform. Leveraging such a library vulnerability has a high impact on a given platform. However, as these platforms are often shipped ready-to-use, classic debug infrastructure like JTAG is often not available. In this paper, we present a method, called Harzer Roller, to enhance embedded firmware security testing on resource-constrained devices. With the Harzer Roller, we hook instrumentation code into function call and return. The hooking not only applies to the user application code but to the SDK used to…
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Security and Verification in Computing
