Embedded devices have become ubiquitous, and they are used in a range of privacy-sensitive and security-critical applications. Most of these devices run proprietary software (firmware), and little documentation is available about the software’s inner workings. Firmware, like any piece of software, is susceptible to a wide range of errors. These include memory corruption bugs, command injection vulnerabilities, and application logic flaws. Embedded device vendors typically do not provide source code for their proprietary firmware. Hence, all analysis has to be performed directly on binary code. This is challenging because binary code lacks the high-level, semantically rich information about data structures and control constructs that is present in a program’s source code. To address these analysis challenges, we have developed angr. angr is an open-source binary analysis platform that implements many static analysis techniques and supports symbolic execution of binaries.
In this talk, we will discuss some of the inner workings and design choices in angr. A common limitation of many contemporary techniques for detecting vulnerabilities in binary code is that they only find shallow bugs and struggle to exercise deeper code paths. To drive the analysis deeper into a program, we introduce novel techniques to improve the scalability of our system. These techniques frequently rely on interesting compositions of different analysis approaches, in a way that leverages the advantages of each individual approach while compensating for their respective limitations. We will also cover a novel detection model that allows us to identify authentication bypass vulnerabilities (or, less formally, backdoors), an important class of logic flaws. To automatically find backdoors, we introduce the concept of input determinism, which captures an attacker’s ability to determine the input necessary to execute privileged operations of the device. Finally, we will shed some light on angr as an integral component of the automated vulnerability finding, exploitation, and patching engine that participates in DARPA’s Cyber Grand Challenge (CGC), the first capture-the-flag competition in which the players are fully autonomous programs.
Christopher Kruegel is a Professor of Computer Science at UC Santa Barbara. He is also a co-founder of Lastline, a company that develops innovative solutions to detect and mitigate advanced malware (APTs) and targeted threats. Christopher’s research interests focus on computer and communications security, with an emphasis on malware analysis and detection, web security, and intrusion detection. He has published more than 100 peer-reviewed papers in top computer security conferences and has received the NSF CAREER Award, the MIT Technology Review TR35 Award for young innovators, an IBM Faculty Award, and several best paper awards. He regularly serves on the program committees of leading computer security conferences and speaks at industry venues such as BlackHat and RSAC.