AIM

This is the repo for AIM: Automatic Interrupt Modeling for Dynamic Firmware Analysis, an IEEE Transactions on Dependable and Secure Computing paper.

A preliminary version of the paper can be found here.

Tested angr version: 8.20.7.27 (9.2.40 and 9.2.55 may also be supported).

Setup

Create a virtual environment:


mkvirtualenv angr_9.2.40 -p /usr/bin/python3.8

Install dependencies in the virtual environment:


pip install angr==9.2.40 pandas monkeyhex IPython pygraphviz

Make the following modifications to angr (version 8.20.7.27):


#if state.history.jumpkind == 'Ijk_FakeRet' and len(final_states) > 1:
#    # Skip fakerets if there are other control flow transitions available
#    continue

Then add the line


allow_arch_optimizations = True

at line 78 of ./pyvex/lifting/__init__.py,

so that the context looks like


    if opt_level < 0:
        allow_arch_optimizations = False
        opt_level = 0

    allow_arch_optimizations = True
    for lifter in lifters[arch.name]:

For angr 9.2.55, the same changes are needed, but at slightly different places:

There is also an angr bug in handling floating point (angr version 8.20.7.27):


claripy/fp.py +357

fp -> fp.value
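The pyvex edit above is easy to get wrong by hand (wrong line, wrong indentation, applied twice after a reinstall). The following helper, added here as an example and not part of the AIM repository, applies that one edit programmatically: it inserts `allow_arch_optimizations = True` directly before the `for lifter in lifters[arch.name]:` loop, refuses to touch a file whose surrounding context does not match the snippet shown above, and is a no-op when the patch is already present. The sample source inside it is constructed for testing, not copied from pyvex.

```python
from pathlib import Path

PATCH_LINE = "allow_arch_optimizations = True"
ANCHOR = "for lifter in lifters[arch.name]:"

# Constructed stand-in for the relevant part of pyvex/lifting/__init__.py,
# used only to exercise the patcher offline.
SAMPLE_CONTEXT = (
    "def lift(arch, opt_level):\n"
    "    if opt_level < 0:\n"
    "        allow_arch_optimizations = False\n"
    "        opt_level = 0\n"
    "\n"
    "    for lifter in lifters[arch.name]:\n"
    "        pass\n"
)


def patch_pyvex_source(src: str) -> str:
    """Return `src` with PATCH_LINE inserted just before the lifter loop.

    Raises ValueError when the `if opt_level < 0:` block does not precede the
    loop, so an unexpected pyvex layout fails loudly instead of being patched
    in the wrong place. Applying the function twice yields the same text.
    """
    lines = src.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if line.strip() != ANCHOR:
            continue
        indent = line[: len(line) - len(line.lstrip())]
        previous = lines[i - 1].strip() if i > 0 else ""
        if previous == PATCH_LINE:  # already patched
            return src
        context = "".join(lines[max(0, i - 4):i])
        if "if opt_level < 0:" not in context or "opt_level = 0" not in context:
            raise ValueError("unexpected context around lifter loop; refusing to patch")
        lines.insert(i, f"{indent}{PATCH_LINE}\n")
        return "".join(lines)
    raise ValueError("lifter loop not found in source")


def patch_pyvex_file(path: Path) -> bool:
    """Patch the file in place; return True if it was modified."""
    original = path.read_text()
    patched = patch_pyvex_source(original)
    if patched == original:
        return False
    path.write_text(patched)
    return True


if __name__ == "__main__":
    import pyvex.lifting  # resolves the copy installed in the active virtualenv
    target = Path(pyvex.lifting.__file__)
    print("patched" if patch_pyvex_file(target) else "already patched:", target)
```

Run it inside the virtualenv created above so that `pyvex.lifting.__file__` points at the installed copy you intend to modify.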

Run Experiments

Show usage with ./analysis.py -h:


usage: analysis.py [-h] [-m] [-b] [-u] firmware_name result_folder

Help

positional arguments:
  firmware_name         firware name
  result_folder         folder to store results

optional arguments:
  -h, --help            show this help message and exit
  -m, --no-mmio-printing
                        do not print MMIO
  -b, --baseline        -b: baseline mode 1, which uses P2IM's dumb interrupt
                        model. -bb: baseline mode 2, which fires no interrupt
  -u, --unit-test       mode for unit test cases

Launch experiments with ./analysis.py plc_r1 result_folder_name.

To collect evaluation results, you can use the script under eval.

Technical Support

Contact Bo Feng at Zhejiang University by bo.feng [at] zju.edu.cn.

Consider Citing our paper

@ARTICLE{aim_interrupt_modeling,
  author={Feng, Bo and Luo, Meng and Liu, Changming and Lu, Long and Kirda, Engin},
  journal={IEEE Transactions on Dependable and Secure Computing}, 
  title={AIM: Automatic Interrupt Modeling for Dynamic Firmware Analysis}, 
  year={2024},
  volume={21},
  number={4},
  pages={3866-3882},
  keywords={Microprogramming;Hardware;Codes;Software;Firing;Registers;Fuzzing;Embedded device;firmware;testing;peripheral;interrupt;symbolic execution},
  doi={10.1109/TDSC.2023.3339569}}