MetaEmu: An Architecture Agnostic Rehosting Framework for Automotive Firmware

TL;DR

MetaEmu is a versatile, architecture-agnostic emulator synthesizer that enables rehosting and security analysis of automotive firmware across multiple architectures, overcoming limitations of existing tools.

Contribution

It introduces a generic VXE synthesis approach from Ghidra definitions and supports multi-architecture rehosting with inter-device analysis, enhancing flexibility and extensibility.

Findings

Successfully emulated five different architectures.

Enabled diverse analyses including fuzzing and symbolic execution.

Achieved performance comparable to existing emulators.

Abstract

In this paper we present MetaEmu, an architecture-agnostic emulator synthesizer geared towards rehosting and security analysis of automotive firmware. MetaEmu improves over existing rehosting environments in two ways: Firstly, it solves the hitherto open-problem of a lack of generic Virtual Execution Environments (VXEs) for rehosting by synthesizing processor simulators from Ghidra's language definitions. In doing so, MetaEmu can simulate any processor supported by a vast and growing library of open-source definitions. In MetaEmu, we use a specification-based approach to cover peripherals, execution models, and analyses, which allows our framework to be easily extended. Secondly, MetaEmu can rehost and analyze multiple targets, each of different architecture, simultaneously, and share analysis facts between each target's analysis environment, a technique we call inter-device analysis. We show that the flexibility afforded by our approach does not lead to a performance trade-off -- MetaEmu lifts rehosted firmware to an optimized intermediate representation, and provides performance comparable to existing emulation tools, such as Unicorn. Our evaluation spans five different architectures, bare-metal and RTOS-based firmware, and three kinds of automotive Electronic Control Unit (ECU) from four distinct vendors -- none of which can be rehosted or emulated by current tools, due to lack of processor support. Further, we show how MetaEmu enables a diverse set of analyses by implementing a fuzzer, a symbolic executor for solving peripheral access checks, a CAN ID reverse engineering tool, and an inter-device coverage tracker.