Automatic Firmware Emulation through Invalidity-guided Knowledge Inference (Extended Version)
Wei Zhou, Le Guan, Peng Liu, Yuqing Zhang

TL;DR
This paper introduces uEmu, a symbolic-execution-based method for emulating microcontroller firmware whose peripherals are unknown. Instead of applying fixed heuristics to every peripheral register, it infers the response that each individual access point needs, which improves emulation accuracy and bug detection without manual intervention.
Contribution
uEmu learns how to emulate firmware at individual peripheral access points by inferring response rules during symbolic execution and discarding responses that lead to invalid execution states, surpassing heuristic-based methods that try to build one general model per peripheral.
Findings
Achieved a 95% pass rate in unit tests for peripheral drivers
Discovered new bugs in real-world firmware samples
Outperformed existing heuristic approaches in emulation accuracy
Abstract
Emulating firmware for microcontrollers is challenging due to the tight coupling between the hardware and firmware. This has greatly impeded the application of dynamic analysis tools to firmware analysis. The state-of-the-art work automatically models unknown peripherals by observing their access patterns, and then leverages heuristics to calculate the appropriate responses when unknown peripheral registers are accessed. However, we empirically found that this approach and the corresponding heuristics are frequently insufficient to emulate firmware. In this work, we propose a new approach called uEmu to emulate firmware with unknown peripherals. Unlike existing work that attempts to build a general model for each peripheral, our approach learns how to correctly emulate firmware execution at individual peripheral access points. It takes the image as input and symbolically executes it by…
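The abstract contrasts two strategies for answering a read of an unknown peripheral register: a general, heuristic model per peripheral, and a response inferred for each individual access point while invalid execution states (crashes, fault handlers, polling loops that never exit) are pruned. The following toy, added here as an illustration and not code from uEmu or the paper, makes that difference concrete. A hand-written eleven-instruction "firmware" for a tiny single-accumulator CPU polls a made-up status register at three different sites; a single constant answer for the register cannot satisfy all three sites, while a depth-first search over per-site responses, backtracking whenever a path ends in the fault handler or a step bound, finds a rule set under which the firmware halts. The symbolic unknown that a real symbolic executor would introduce for each read is replaced by a small finite candidate set, and the register addresses, bit layout and step bound are assumptions of the example.

```python
"""Toy model of per-access-point response inference for an unknown peripheral.

Constructed illustration only: not uEmu's code and not the paper's algorithm.
The "firmware" is a hand-written instruction list for a tiny single-accumulator
CPU, the peripheral addresses are made up, and the symbolic unknown a symbolic
executor would introduce for a peripheral read is replaced by a finite
candidate set. A run is "invalid" if it reaches the fault handler or exceeds a
step bound (a polling loop that never exits).
"""
from typing import Callable, Dict, List, Optional, Tuple

STATUS = 0x40000000   # hypothetical memory-mapped status register
CMD = 0x40000004      # hypothetical command register (writes are ignored)
MAX_STEPS = 200       # a path this long without halting is treated as stuck
CANDIDATES = (0x0, 0x1, 0x2, 0x80, 0xFFFFFFFF)  # values tried at a read site

Site = Tuple[int, int]                 # (pc, address) identifies an access point
Responder = Callable[[int, int], int]  # respond(pc, address) -> value read

# Constructed firmware: poll READY (bit 0) set, issue a command, poll READY
# cleared, then take the fault handler if ERROR (bit 7) is set.
FIRMWARE: List[tuple] = [
    ("LDR", STATUS),    # 0  site A: read status
    ("AND", 0x1),       # 1  isolate READY
    ("BEQ", 0),         # 2  spin until READY is set
    ("STR", CMD, 0x1),  # 3  kick off a transfer
    ("LDR", STATUS),    # 4  site B: read status again
    ("AND", 0x1),       # 5  isolate READY
    ("BNE", 4),         # 6  spin while READY is still set
    ("LDR", STATUS),    # 7  site C: read status
    ("AND", 0x80),      # 8  isolate ERROR
    ("BNE", 11),        # 9  error -> fault handler
    ("HALT",),          # 10 success
    ("FAULT",),         # 11 fault handler: treated as an invalid state
]


def run(firmware: List[tuple], respond: Responder) -> str:
    """Execute firmware, answering each peripheral read via respond().

    Returns "halt", "fault", or "stuck" (MAX_STEPS exceeded, i.e. a polling
    loop never exited).
    """
    pc, acc = 0, 0
    for _ in range(MAX_STEPS):
        ins = firmware[pc]
        op = ins[0]
        if op == "LDR":
            acc = respond(pc, ins[1])
            pc += 1
        elif op == "STR":
            pc += 1                      # peripheral writes need no response
        elif op == "AND":
            acc &= ins[1]
            pc += 1
        elif op == "BEQ":
            pc = ins[1] if acc == 0 else pc + 1
        elif op == "BNE":
            pc = ins[1] if acc != 0 else pc + 1
        elif op == "HALT":
            return "halt"
        elif op == "FAULT":
            return "fault"
        else:
            raise ValueError(f"unknown op {op!r}")
    return "stuck"


def fixed_value(value: int) -> Responder:
    """Heuristic baseline: answer every read of every register with one constant."""
    return lambda pc, addr: value


class Undecided(Exception):
    """Raised when a read hits an access point that has no inferred rule yet."""
    def __init__(self, site: Site):
        self.site = site


def infer_rules(firmware: List[tuple],
                rules: Optional[Dict[Site, int]] = None) -> Optional[Dict[Site, int]]:
    """Depth-first search for per-access-point responses under which firmware halts.

    Runs with the rules known so far; the first undecided read site forks the
    search over CANDIDATES. A candidate whose continuation ends in "fault" or
    "stuck" is discarded (invalidity-guided pruning). Returns the first rule
    set that reaches "halt", or None if every assignment is invalid.
    """
    rules = dict(rules or {})

    def respond(pc: int, addr: int) -> int:
        site = (pc, addr)
        if site not in rules:
            raise Undecided(site)
        return rules[site]

    try:
        verdict = run(firmware, respond)
    except Undecided as u:
        for cand in CANDIDATES:
            found = infer_rules(firmware, {**rules, u.site: cand})
            if found is not None:
                return found
        return None
    return rules if verdict == "halt" else None


if __name__ == "__main__":
    for v in (0x0, 0x1, 0xFFFFFFFF):
        print(f"fixed 0x{v:x} for every read: {run(FIRMWARE, fixed_value(v))}")
    learned = infer_rules(FIRMWARE)
    print("inferred rules:", {f"pc={pc} @0x{a:x}": hex(val) for (pc, a), val in learned.items()})
    print("replay with inferred rules:", run(FIRMWARE, lambda pc, a: learned[(pc, a)]))
```

Every constant answer leaves the toy firmware stuck: 0 never satisfies site A, while 1 (or all-ones) satisfies site A but never lets site B observe READY cleared. Keying the response on (pc, address) rather than on the register alone lets the search answer 1 at site A and 0 at sites B and C, after which a plain replay of the same firmware reaches HALT. The real system works on a binary image with constraint solving and a richer notion of invalidity, but the shape of the idea, per-site rules plus pruning of paths that reach invalid states, is what this toy is meant to show.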
Taxonomy
Topics: Advanced Malware Detection Techniques · Software Testing and Debugging Techniques · Security and Verification in Computing
