From Library Portability to Para-rehosting: Natively Executing Microcontroller Software on Commodity Hardware

TL;DR

This paper introduces pararehosting, a systematic approach to rehost microcontroller firmware on commodity hardware by abstracting MCU functionalities and replacing hardware-specific logic, enabling easier bug detection and testing.

Contribution

It proposes a portable MCU abstraction (PMCU) and HAL-based peripheral replacement, facilitating seamless rehosting of MCU OSs on x86 hardware with high reusability and efficiency.

Findings

Successfully rehosted nine MCU OSs including FreeRTOS, Mbed OS, Zephyr, LiteOS.

Discovered 28 previously unknown bugs using dynamic analysis tools.

Confirmed 5 bugs with CVE, others verified by vendors.

Abstract

Finding bugs in microcontroller (MCU) firmware is challenging, even for device manufacturers who own the source code. The MCU runs different instruction sets than x86 and exposes a very different development environment. This invalidates many existing sophisticated software testing tools on x86. To maintain a unified developing and testing environment, a straightforward way is to re-compile the source code into the native executable for a commodity machine (called rehosting). However, ad-hoc re-hosting is a daunting and tedious task and subject to many issues (library-dependence, kernel-dependence and hardware-dependence). In this work, we systematically explore the portability problem of MCU software and propose pararehosting to ease the porting process. Specifically, we abstract and implement a portable MCU (PMCU) using the POSIX interface. It models common functions of the MCU cores. For peripheral specific logic, we propose HAL-based peripheral function replacement, in which high-level hardware functions are replaced with an equivalent backend driver on the host. These backend drivers are invoked by well-designed para-APIs and can be reused across many MCU OSs. We categorize common HAL functions into four types and implement templates for quick backend development. Using the proposed approach, we have successfully rehosted nine MCU OSs including the widely deployed Amazon FreeRTOS, ARM Mbed OS, Zephyr and LiteOS. To demonstrate the superiority of our approach in terms of security testing, we used off-the-shelf dynamic analysis tools (AFL and ASAN) against the rehosted programs and discovered 28 previously-unknown bugs, among which 5 were confirmed by CVE and the other 19 were confirmed by vendors at the time of writing.