The USB protocol has become ubiquitous, supporting devices from high-powered computing devices to small embedded devices and control systems. USB's greatest feature, its openness and expandability, is also its weakness, and attacks such as BadUSB exploit the unconstrained functionality afforded to these devices as a vector for compromise. Fundamentally, it is virtually impossible to know whether a USB device is benign or malicious. This work introduces FirmUSB, a USB-specific firmware analysis framework that uses domain knowledge of the USB protocol to examine firmware images and determine the activity that they can produce. Embedded USB devices use microcontrollers that have not been well studied by the binary analysis community, and our work demonstrates how lifters into popular intermediate representations for analysis can be built, as well as the challenges of doing so. We develop targeting algorithms and use domain knowledge to speed up these processes by a factor of 7 compared to unconstrained fully symbolic execution. We also successfully find malicious activity in embedded 8051 firmwares without the use of source code. Finally, we provide insights into the challenges of symbolic analysis on embedded architectures and provide guidance on improving tools to better handle this important class of devices.
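The abstract describes using domain knowledge of the USB protocol to work out what a firmware image can do once enumerated. The simplest form of that knowledge is the layout of the standard descriptors a device must hand to the host. The following is an added illustration, not code from the FirmUSB project: it scans a byte image for device and configuration descriptor tables (layouts per USB 2.0 chapter 9), walks the interface descriptors inside each configuration, and reports the capability classes a device would advertise, flagging the BadUSB-style combination of a storage interface bundled with a HID input interface. The sample image is constructed inline; the filler bytes merely stand in for code and are not real 8051 instructions. FirmUSB's own analysis goes much further (symbolic execution over lifted 8051 code); this block only shows the descriptor-level check a defender can run statically.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Standard descriptor type codes (USB 2.0, Table 9-5)
DESC_DEVICE, DESC_CONFIGURATION, DESC_INTERFACE, DESC_ENDPOINT, DESC_HID = 0x01, 0x02, 0x04, 0x05, 0x21
# Interface class codes assigned by USB-IF
CLASS_HID, CLASS_MASS_STORAGE = 0x03, 0x08


@dataclass
class Interface:
    number: int
    cls: int
    subclass: int
    protocol: int
    num_endpoints: int


def find_device_descriptors(image: bytes) -> List[int]:
    """Offsets of plausible device descriptors: 18 bytes, type 0x01, sane bcdUSB."""
    hits = []
    for off in range(len(image) - 18 + 1):
        if image[off] == 18 and image[off + 1] == DESC_DEVICE:
            bcd_usb = struct.unpack_from("<H", image, off + 2)[0]
            if bcd_usb in (0x0100, 0x0110, 0x0200, 0x0210):
                hits.append(off)
    return hits


def parse_configuration(image: bytes, off: int) -> Optional[List[Interface]]:
    """Walk a configuration descriptor and the descriptors bundled after it.

    Returns the interface descriptors found, or None if the chain is malformed
    (wTotalLength too small, running past the image, or a zero-length entry)."""
    if off + 9 > len(image) or image[off] != 9 or image[off + 1] != DESC_CONFIGURATION:
        return None
    total_len = struct.unpack_from("<H", image, off + 2)[0]
    end = off + total_len
    if total_len < 9 or end > len(image):
        return None
    interfaces, pos = [], off + 9
    while pos + 2 <= end:
        blen, btype = image[pos], image[pos + 1]
        if blen < 2 or pos + blen > end:
            return None  # stop instead of reading out of bounds on a bad length
        if btype == DESC_INTERFACE and blen >= 9:
            # bInterfaceNumber, bNumEndpoints, bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol
            interfaces.append(Interface(image[pos + 2], image[pos + 5], image[pos + 6],
                                        image[pos + 7], image[pos + 4]))
        pos += blen
    return interfaces


def find_configurations(image: bytes) -> List[Tuple[int, List[Interface]]]:
    """Every offset that parses as a well-formed configuration descriptor chain."""
    results = []
    for off in range(len(image) - 9 + 1):
        if image[off] == 9 and image[off + 1] == DESC_CONFIGURATION:
            ifaces = parse_configuration(image, off)
            if ifaces is not None:
                results.append((off, ifaces))
    return results


def classify_interface(i: Interface) -> str:
    """Map class/subclass/protocol to a capability label (HID boot protocol: 1=keyboard, 2=mouse)."""
    if i.cls == CLASS_HID:
        if i.subclass == 1 and i.protocol == 1:
            return "hid-keyboard"
        if i.subclass == 1 and i.protocol == 2:
            return "hid-mouse"
        return "hid-other"
    if i.cls == CLASS_MASS_STORAGE:
        return "mass-storage"
    return f"class-0x{i.cls:02x}"


def analyze_image(image: bytes) -> dict:
    """Report device descriptor offsets and the capability set of each configuration."""
    return {
        "devices": find_device_descriptors(image),
        "configs": [(off, sorted({classify_interface(i) for i in ifaces}))
                    for off, ifaces in find_configurations(image)],
    }


def flags_mixed_storage_and_input(image: bytes) -> bool:
    """True when one configuration advertises both storage and a HID input interface."""
    return any("mass-storage" in caps and any(c.startswith("hid-") for c in caps)
               for _, caps in analyze_image(image)["configs"])


# ---- constructed sample image (not a real firmware) ----
def _dev(vid, pid):  # 18-byte device descriptor, bcdUSB 2.00, class defined per interface
    return struct.pack("<BBHBBBBHHHBBBB", 18, DESC_DEVICE, 0x0200, 0, 0, 0, 64, vid, pid, 0x0100, 1, 2, 3, 1)

def _iface(num, cls, sub, proto, n_ep):
    return struct.pack("<BBBBBBBBB", 9, DESC_INTERFACE, num, 0, n_ep, cls, sub, proto, 0)

def _ep(addr, attrs):
    return struct.pack("<BBBBHB", 7, DESC_ENDPOINT, addr, attrs, 64, 0)

def _config(body, n_ifaces):
    return struct.pack("<BBHBBBBB", 9, DESC_CONFIGURATION, 9 + len(body), n_ifaces, 1, 0, 0x80, 50) + body

_BODY = (_iface(0, CLASS_MASS_STORAGE, 0x06, 0x50, 2) + _ep(0x81, 0x02) + _ep(0x02, 0x02)
         + _iface(1, CLASS_HID, 0x01, 0x01, 1)
         + struct.pack("<BBHBBBH", 9, DESC_HID, 0x0111, 0, 1, 0x22, 63) + _ep(0x83, 0x03))
SAMPLE_IMAGE = (b"\x02\x00\x10\x75\x90\x12\x34" * 3  # filler standing in for code bytes
                + _dev(0x1234, 0x5678) + b"\xff" * 5 + _config(_BODY, 2) + b"\x00" * 8)

if __name__ == "__main__":
    print(analyze_image(SAMPLE_IMAGE), flags_mixed_storage_and_input(SAMPLE_IMAGE))
```

On the constructed image the scan finds one device descriptor and one configuration whose capability set is `['hid-keyboard', 'mass-storage']`, which is the combination that makes a "flash drive" suspicious. Against real images the byte-pattern search will produce false candidates; the length and wTotalLength checks in `parse_configuration` discard most of them, and a config reachable from the firmware's descriptor-fetch code path is the stronger evidence that FirmUSB's symbolic analysis is after.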