We present a collection of techniques which aim to automagically remove significant (and unnecessary) portions of firmware binaries from common embedded devices to drastically reduce the attack surface of these devices. We present a brief theoretical explanation of Firmware Fat Camp, a collection of "before" and "after" photos of graduates of FFC, along with a set of live demonstrations of FFC in action on common embedded devices.
Modern embedded systems such as VoIP phones, network printers and routers typically ship with every available feature compiled into their firmware image. Only a small subset of these features is active on any given device at any given time, determined by that device's specific configuration. An even smaller subset is actually used, since some unused and insecure features are enabled by default and cannot be disabled. As a result, every such device still carries a large amount of code and data that, according to its current configuration, should never be executed or read. This unnecessary binary is not simply a waste of memory: it contains vulnerable code and data that an attacker can use to exploit the system. This “dead code” provides an ideal attack surface. Automated minimization of this attack surface significantly improves the security of the device without any impact on the device’s functionality.
We propose a set of methods for hardening existing embedded systems against attack by employing Binary Autotomy, the automated removal of unnecessary binary code from each embedded device according to its current configuration.
The configuration of the embedded device to be protected is analyzed. The firmware binary corresponding to the features enabled in that configuration is kept; the firmware corresponding to features not enabled in the configuration is removed from the firmware image. Which firmware to remove is determined by applying static and dynamic binary code analysis to the original firmware image. This analysis maps each configurable feature to a set of binary executable code within the firmware image. When a particular configuration is analyzed, a list of enabled features is built from the configuration file. Using the feature-to-code mapping created by the original dynamic and static analysis, autotomic binary reduction then removes all code that belongs to features that are not enabled, or should not be used, in the configuration file in question.
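The reduction step described above, as an added illustration that is not FFC's tooling or code from this abstract: a Python sketch that takes a hand-built feature-to-code map (standing in for the output of the static and dynamic analysis), parses a constructed key=on/off configuration and blanks the code of every disabled feature in a constructed image. The map format, the configuration format, the fill byte and the sample image are all assumptions. It goes one step beyond the text: a byte range claimed by both an enabled and a disabled feature (a shared helper) is kept, since removing it would break the enabled feature.

```python
"""Toy autotomic binary reduction over a constructed firmware image.

Added example, not FFC's code: the feature-to-code map, the config
format and the fill byte are all assumptions made for illustration."""

# Assumed fill byte for removed regions. On a real target you would use
# the architecture's trap/illegal-instruction encoding so that any stray
# control transfer into removed code faults immediately instead of
# executing leftover bytes.
FILL_BYTE = 0xFF

# Constructed feature-to-code map: feature -> list of (offset, length)
# byte ranges in the image. In FFC this mapping is the output of the
# static and dynamic analysis; here it is hand-built. "http" and
# "telnet" deliberately share the range at 0x100 (a common helper).
FEATURE_MAP = {
    "http":   [(0x000, 0x040), (0x100, 0x020)],
    "telnet": [(0x040, 0x040), (0x100, 0x020)],
    "snmp":   [(0x080, 0x080)],
}

# Constructed 512-byte "firmware image"; bytes outside every feature's
# ranges (0x120 onward) stand in for code the map never assigns, such as
# the kernel, and must never be touched.
IMAGE = bytes(range(256)) * 2

# Constructed configuration in an assumed key=on/off format.
CONFIG_TEXT = """\
# device configuration
http=on
telnet=off
snmp=off
"""


def parse_config(text):
    """Return the set of feature names switched on in the config file."""
    enabled = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if value.strip().lower() == "on":
            enabled.add(key.strip())
    return enabled


def removal_mask(image_len, feature_map, enabled):
    """Per-byte mask: 1 where the byte belongs only to disabled features.

    Works at byte granularity so partially overlapping ranges are handled;
    a byte needed by any enabled feature is always kept."""
    keep = bytearray(image_len)
    drop = bytearray(image_len)
    for feature, ranges in feature_map.items():
        target = keep if feature in enabled else drop
        for offset, length in ranges:
            for i in range(offset, offset + length):
                target[i] = 1
    return bytearray(1 if d and not k else 0 for d, k in zip(drop, keep))


def reduce_image(image, feature_map, enabled):
    """Overwrite the code of disabled features with FILL_BYTE.

    Returns (reduced_image, bytes_removed). The image length is unchanged
    so every offset the remaining code references stays valid."""
    mask = removal_mask(len(image), feature_map, enabled)
    out = bytearray(image)
    for i, drop in enumerate(mask):
        if drop:
            out[i] = FILL_BYTE
    return bytes(out), sum(mask)


def enabled_code_intact(original, reduced, feature_map, enabled):
    """Post-reduction check: every byte of every enabled feature is unchanged."""
    for feature in enabled:
        for offset, length in feature_map.get(feature, []):
            if original[offset:offset + length] != reduced[offset:offset + length]:
                return False
    return True


if __name__ == "__main__":
    on = parse_config(CONFIG_TEXT)
    reduced, removed = reduce_image(IMAGE, FEATURE_MAP, on)
    print(f"enabled={sorted(on)} removed={removed} of {len(IMAGE)} bytes")
    print("enabled code intact:", enabled_code_intact(IMAGE, reduced, FEATURE_MAP, on))
```

Overwriting in place rather than cutting bytes out keeps every address stable, which matters because the surviving code's jumps and data references were laid out for the original image. A real tool also has to regenerate whatever checksum or signature the bootloader verifies over the image, and the `enabled_code_intact` check is the minimum sanity test to run before flashing a reduced image back onto a device.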
We present a quantitative analysis of the effectiveness of Binary Autotomy algorithms on a collection of common embedded devices, along with several live demonstrations of embedded devices running post-FFC firmware images. How much unnecessary binary can be ripped out of XYZ*? Come and find out!
* XYZ = {Home routers | Enterprise routers | VoIP phones | Printers | Web Cams}