Retrofitting Code into Binary Executables and Firmware to Add New Functionality for Embedded Systems
Navy SBIR 2016.1 - Topic N161-070
ONR - Ms. Lore-Anne Ponirakis - [email protected]
Opens: January 11, 2016 - Closes: February 17, 2016

N161-070 TITLE: Retrofitting Code into Binary Executables and Firmware to Add New Functionality for Embedded Systems

TECHNOLOGY AREA(S): Information Systems

ACQUISITION PROGRAM: FNT-FY17-04 Resilient Hull/Infrastructure Mechanical & Electrical Security

OBJECTIVE: Investigate, design, and develop an automated or semi-automated tool for inserting new instructions and functionality into existing (compiled) binary executables and firmware for embedded systems.

DESCRIPTION: Effectively securing the growing array of embedded devices in use on military platforms is a critical challenge. Aside from their ubiquity, embedded devices increasingly handle larger amounts of privacy-sensitive information as the movement towards the "Internet of Things" (IoT) continues. Furthermore, embedded devices play a central role in critical infrastructure and control key mechanical systems in the industrial, energy, and transportation sectors. In such applications, errors and vulnerabilities in the software running on these devices can have devastating impacts due to their ability to cause failures in the physical world.

A key challenge toward securing embedded devices is that it is difficult to modify their behavior for defensive security purposes: the devices commonly execute proprietary firmware where source code and documentation are unavailable. Given the long lifespans of these components, it is often the case that the original vendor is unavailable or unmotivated (due to lack of cost-effectiveness) to provide updates with new and improved security functionality. An automated or semi-automated tool to allow users to retrofit their own set of instructions into the operation of the firmware would enable security improvements for such legacy devices.

Retrofitting new functionality onto legacy binary code is a challenging task, but not insurmountable [1-3]. With embedded firmware, the lack of OS and library abstractions in conjunction with a variety of poorly documented firmware image formats, some of which must be unpacked [4], renders existing static or dynamic binary analyses extremely challenging to apply. Such methods typically require basic facts about the system under analysis, including how to interact with hardware, how to load the image into memory, where to begin execution, and where untrusted input can be received and processed by the firmware [5].

This SBIR topic encourages the development of a methodology and tool or toolset for reducing the workload in retrofitting binary executables, with the ultimate goal of enhancing the security defenses of an embedded system. The resultant tool or toolset should operate statically on a binary image rather than dynamically (i.e., it must not depend on modifying the loader or the runtime interface). The tool should accept a binary image as input, integrate the new functionality, and output an enhanced binary image that has been retrofitted with the new code.

The methodology should encompass all technical aspects of the effort, including but not limited to analysis of binary code formats, binary reverse engineering, binary rewriting, and insertion of new functionality/code into an existing binary. When retrofitting new code, care must be taken to apply the modifications safely and in a manner that impacts the overall system in a predictable fashion. Also, very few, if any, assumptions should be made about the information supplied by the original vendor (e.g., debug symbols).
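As an added illustration of the static "binary image in, enhanced binary image out" operation the topic asks for (this is example code written for this page, not a tool from the topic, its references, or any Navy program), the script below performs the smallest useful retrofit: it redirects an existing call in a flat ARM (A32) firmware image into a code cave appended to the image, where user-supplied hook code runs before control continues to the original callee. Everything about the target is an assumption for the example: the image is a raw little-endian flash dump loaded at 0x08000000 with no relocation, the call site and callee have already been located (e.g., by function recognition as in [5]), the code is ARM state rather than Thumb, and the hook is hand-assembled with r1 assumed to hold a buffer length. The sample image and hook bytes are constructed inline.

```python
"""Static detour retrofit for a flat little-endian ARM (A32) firmware image.

Constructed example, not a tool from the SBIR topic. Assumptions:
- the image is a raw flash dump loaded at IMAGE_BASE, no relocation;
- the call site and the callee are A32 (ARM state), not Thumb;
- the call site and callee addresses were found by prior analysis;
- hook code preserves whatever state the original callee expects.
"""
import struct

IMAGE_BASE = 0x08000000   # assumed load address of the flash image
FLASH_SIZE = 0x200        # assumed usable flash size, in bytes

NOP = 0xE320F000          # A32 NOP
BX_LR = 0xE12FFF1E        # BX LR: a callee that simply returns
OP_BL, OP_B = 0xEB000000, 0xEA000000   # unconditional BL / B opcodes


def u32(image, off):
    return struct.unpack_from("<I", image, off)[0]


def branch_target(word, pc):
    """Decode an unconditional A32 B/BL at pc; None if word is not one."""
    if (word >> 24) not in (0xEA, 0xEB):
        return None
    imm24 = word & 0x00FFFFFF
    if imm24 & 0x00800000:           # sign-extend the 24-bit field
        imm24 -= 0x01000000
    return pc + 8 + (imm24 << 2)     # A32 reads PC as current + 8


def encode_branch(opcode, pc, target):
    """Encode an A32 B/BL from pc to target, refusing unreachable targets."""
    if (pc | target) & 3:
        raise ValueError("A32 branch endpoints must be 4-byte aligned")
    disp = (target - (pc + 8)) >> 2
    if not -(1 << 23) <= disp < (1 << 23):
        raise ValueError("target outside the +/-32 MiB branch range")
    return opcode | (disp & 0x00FFFFFF)


def retrofit(image, call_site, hook_code):
    """Redirect the BL at call_site into a code cave appended to the image.

    The cave holds hook_code followed by a B to the original callee, so the
    original function still runs after the hook. Returns (image, cave_addr).
    """
    image = bytearray(image)
    word = u32(image, call_site)
    orig_target = branch_target(word, IMAGE_BASE + call_site)
    if (word >> 24) != 0xEB or orig_target is None:
        raise ValueError("call site does not hold an unconditional BL")
    if len(hook_code) % 4:
        raise ValueError("hook code must be whole A32 instructions")
    for off in range(0, len(hook_code), 4):    # cave is relocated: refuse
        if branch_target(u32(hook_code, off), 0) is not None:  # PC-relative B/BL
            raise ValueError("hook code contains position-dependent branches")
    cave_off = (len(image) + 3) & ~3           # cave starts 4-byte aligned
    image.extend(b"\xff" * (cave_off - len(image)))  # erased-flash padding
    cave_addr = IMAGE_BASE + cave_off
    tail_pc = cave_addr + len(hook_code)
    image.extend(hook_code)
    image.extend(struct.pack("<I", encode_branch(OP_B, tail_pc, orig_target)))
    if len(image) > FLASH_SIZE:
        raise ValueError("retrofitted image exceeds flash size")
    struct.pack_into("<I", image, call_site,
                     encode_branch(OP_BL, IMAGE_BASE + call_site, cave_addr))
    return bytes(image), cave_addr


def build_sample_image():
    """Constructed 'firmware': a caller at 0x10 that BLs a callee at 0x40."""
    words = [NOP] * 0x14                 # 0x50 bytes of NOPs
    words[0x40 // 4] = BX_LR             # callee: just returns
    words[0x10 // 4] = encode_branch(OP_BL, IMAGE_BASE + 0x10, IMAGE_BASE + 0x40)
    return struct.pack("<%dI" % len(words), *words)


# Hand-assembled hook (assumed convention: r1 carries a buffer length):
#   CMP   r1, #0x100      ; E3510C01
#   MOVCS r1, #0x100      ; 23A01C01  clamp the length when r1 >= 0x100
HOOK = struct.pack("<II", 0xE3510C01, 0x23A01C01)

if __name__ == "__main__":
    patched, cave = retrofit(build_sample_image(), 0x10, HOOK)
    new_target = branch_target(u32(patched, 0x10), IMAGE_BASE + 0x10)
    print("cave at %#x; call site now branches to %#x" % (cave, new_target))
```

The checks before any byte is written (the call site really is an unconditional BL, the hook contains no PC-relative branches that would break when placed in the cave, the new branches are in range and aligned, the image still fits the flash) are the part that matters for the "safe and predictable" requirement above; a real toolset would add Thumb/Thumb-2 encodings, conditional branches, interrupt-vector and checksum or signature fix-ups for the specific image format, and a disassembler pass over the result.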

PHASE I: Develop a methodology and toolset for retrofitting new functionality into legacy binary code. Identify, design, implement, and integrate the tools required for the methodology. Develop a limited proof-of-concept for the methodology to prove the feasibility of your approach.

PHASE II: Based on the Phase I effort, further develop and enhance the toolset into a fully functioning prototype for retrofitting legacy code with new functionality. Demonstrate and evaluate the efficacy of the methodology and toolset on legacy embedded binary firmware.

PHASE III DUAL USE APPLICATIONS: Upon successful completion of Phase II, the performer will support the Navy in transitioning the toolset for Navy use. The performer will develop a plan for integrating the toolset and related process into the Navy's embedded control system security framework. Given the trend toward connecting existing industrial control systems (ICS) to the Internet for ease of management, many ICS that were never designed for outside exposure must now deal with external cyber threats. In such cases, the ICS components are extremely vulnerable. The solicited methodology and toolset can also be used for custom-hardening IoT devices beyond what security the original manufacturer cares to provide. For the above reasons, there exists a sizable market in both the private and public sectors for the solicited methodology and toolset.

REFERENCES:

1. P. O'Sullivan, K. Anand, A. Kothan, M. Smithson, R. Barua, and A. D. Keromytis. Retrofitting Security in COTS Software with Binary Rewriting. In Proceedings of the 26th IFIP International Information Security Conference (SEC), Lucerne, Switzerland, 201

2. V. Chipounov and G. Candea. Reverse Engineering of Binary Device Drivers with RevNIC. In Proceedings of the 5th European Conference on Computer Systems (EuroSys), Paris, France, 2010.

3. A. Cui, M. Costello, and S. J. Stolfo. When Firmware Modifications Attack: A Case Study of Embedded Exploitation. In Proceedings of the 20th Annual Network & Distributed System Security Symposium (NDSS), San Diego, CA, 2013.

4. J. Zaddach and A. Costin. Embedded Devices Security and Firmware Reverse Engineering. Black-Hat USA, 2013.

5. T. Bao, J. Burket, M. Woo, R. Turner, and D. Brumley. BYTEWEIGHT: Learning to Recognize Functions in Binary Code. In Proceedings of the 23rd USENIX Security Symposium, San Diego, CA, 2014.

KEYWORDS: reverse engineering; binary modification; machine code; embedded security; firmware; function recognition

TPOC-1: Ryan Craven

Email: [email protected]

TPOC-2: Sukarno Mertoguno

Email: [email protected]

Questions may also be submitted through the DoD SBIR/STTR SITIS website.

** TOPIC AUTHOR (TPOC) **
DoD Notice:  
Between December 11, 2015 and January 10, 2016 you may talk directly with the Topic Authors (TPOC) to ask technical questions about the topics. Their contact information is listed above. For reasons of competitive fairness, direct communication between proposers and topic authors is not allowed starting January 11, 2016, when DoD begins accepting proposals for this solicitation.
However, proposers may still submit written questions about solicitation topics through the DoD's SBIR/STTR Interactive Topic Information System (SITIS), in which the questioner and respondent remain anonymous and all questions and answers are posted electronically for general viewing until the solicitation closes. All proposers are advised to monitor SITIS (16.1 Q&A) during the solicitation period for questions and answers, and other significant information, relevant to the SBIR 16.1 topic under which they are proposing.

If you have general questions about the DoD SBIR program, please contact the DoD SBIR Help Desk at 800-348-0787 or [email protected]