ProXray: Protocol Model Learning and Guided Firmware Analysis

Abstract

The number of Internet of Things (IoT) has reached 7 billion globally in early 2018 and are nearly ubiquitous in daily life. Knowing whether or not these devices are safe and secure to use is becoming critical. IoT devices usually implement communication protocols such as USB and Bluetooth within firmware to allow a wide range of functionality. Thus analyzing firmware using domain knowledge from these protocols is vital to understand device behavior, detect implementation bugs, and identify malicious components. Unfortunately, due to the complexity of these protocols, there is usually no formal specification available that can help automate the firmware analysis; as a result significant manual effort is currently required to study these protocols and to reverse engineer the device firmware. In this paper, we propose a new firmware analysis methodology using symbolic execution called ProXray, which can learn a protocol model from known firmware, and apply the model to recognize the protocol relevant fields and detect functionality within unknown firmware automatically. After the training phase, ProXray can fully automate the firmware analysis process while supporting user s queries in the form of protocol relevant constraints. We have applied ProXray to the USB and the Bluetooth protocols by learning protocol constraint models from firmware that implement these protocols. We are then able to map protocol fields and identify USB functionality automatically within all 6 unknown USB firmware while achieving more than an order of magnitude speedup in achieving protocol relevant targets in unknown Bluetooth firmware. Our model achieved high coverage of the USB and Bluetooth specifications for several important protocol fields. ProXray provides a new method to apply domain knowledge to firmware analysis automatically.