Shimware: Toward Practical Security Retrofitting for Monolithic Firmware Images


In today’s era of the Internet of Things, we are surrounded by security- and safety-critical, network-connected devices. In parallel with the rise in attacks on such devices, we have also seen an increase in devices that are abandoned, reached the end of their support periods, or will not otherwise receive future security updates. While this issue exists for a wide array of devices, those that use monolithic firmware, where the code and data are opaquely intermixed, have traditionally been difficult to examine and protect. In this paper, we explore the challenges of retrofitting monolithic firmware images with new security measures. First, we outline the steps any analyst must take to retrofit firmware, and show that previous work is missing crucial aspects of the process, which are required for a practical solution. We then automate three of these aspects—locating attacker-controlled input, a safe retrofit injection location, and self-checks preventing modifications—through the use of novel automated program analysis techniques. We assemble these analyses into a system, Shimware, that can simplify and facilitate the process of creating a retrofitted firmware image, once the vulnerability is identified. To evaluate Shimware, we employ both a synthetic evaluation and actual retrofitting of three case study devices: a networked bench power supply, a Bluetooth-enabled cardiac implant monitor, and a high-end programmable logic controller (PLC). Not only could our system identify the correct sources of input, injection locations, and self-checks, but it injected payloads to correct serious safety and security-critical vulnerabilities in these devices.

Conference paper
In Proceedings of the International Symposium on Research in Attacks, Intrusions and Defenses (RAID)