Security Analysis of Vendor Customized Code in Firmware of Embedded Device

Despite the increased concerning about embedded system security, the security assessment of commodity embedded devices is far from being adequate. The lack of assessment is mainly due to the tedious, time-consuming, and the very ad hoc reverse engineering procedure of the embedded device firmware. To simplify this procedure, we argue that only a particular part of the entire embedded device’s firmware, as we called vendor customized code, should be thoroughly analyzed. Vendor customized code is usually developed to deal with external inputs and is especially sensitive to attacks compared to other parts of the system. Moreover, vendor customized code is often highly specific and proprietary, which lacks security implementation guidelines. Therefore, the security demands of analyzing this kind of code is urgent. In this paper, we present empirical security analysis of vendor customized code on commodity embedded devices. We first survey the feasibility and limitations of state-of-the-art analysis tools. We focus on investigating typical program analysis tools used for classical security assessment and check their usability on conducting practical embedded devices’ firmware reverse engineering. Then, we propose a methodology of vendor customized code analysis corresponding to both the feature of embedded devices and the usability of current analysis tools. It first locates the vendor customized code part of the firmware through black-box testing and firmware unpacking, and focuses on assessing typical aspects of common weakness of embedded devices in the particularly featured code part. Based on our analysis methodology, we assess five popular embedded devices and find critical vulnerabilities. Our results show that: a) the workload of assessing embedded devices could be significantly reduced according to our analysis methodology and only a small portion of programs on the device are needed to be assessed; b) the vendor customized code is often more error-prone and thus vulnerable to attacks; c) using existing tools to conduct automated analysis for many embedded devices is still infeasible, and manual intervention is essential to fulfil an effective assessment.