{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,3,27]],"date-time":"2025-03-27T14:30:00Z","timestamp":1743085800424,"version":"3.40.3"},"publisher-location":"Cham","reference-count":53,"publisher":"Springer International Publishing","isbn-type":[{"type":"print","value":"9783030105907"},{"type":"electronic","value":"9783030105914"}],"license":[{"start":{"date-parts":[[2021,1,1]],"date-time":"2021-01-01T00:00:00Z","timestamp":1609459200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2021,1,15]],"date-time":"2021-01-15T00:00:00Z","timestamp":1610668800000},"content-version":"vor","delay-in-days":14,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2021]]},"abstract":"Abstract<\/jats:title>The goal of this chapter is to introduce the reader to the domain of bug discovery in embedded systems which are at the core of the Internet of Things. Embedded software has a number of particularities which makes it slightly different to general purpose software. In particular, embedded devices are more exposed to software attacks but have lower defense levels and are often left unattended. At the same time, analyzing their security is more difficult because they are very \u201copaque\u201d, while the execution of custom and embedded software is often entangled with the hardware and peripherals. These differences have an impact on our ability to find software bugs in such systems. This chapter discusses how software vulnerabilities can be identified, at different stages of the software life-cycle, for example during development, during integration of the different components, during testing, during the deployment of the device, or in the field by third parties.<\/jats:p>","DOI":"10.1007\/978-3-030-10591-4_11","type":"book-chapter","created":{"date-parts":[[2021,1,14]],"date-time":"2021-01-14T14:06:41Z","timestamp":1610633201000},"page":"183-197","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":3,"title":["Finding Software Bugs in Embedded Devices"],"prefix":"10.1007","author":[{"given":"Aur\u00e9lien","family":"Francillon","sequence":"first","affiliation":[]},{"given":"Sam L.","family":"Thomas","sequence":"additional","affiliation":[]},{"given":"Andrei","family":"Costin","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2021,1,15]]},"reference":[{"unstructured":"Autoelectric. XGecu TL866II. http:\/\/autoelectric.cn\/EN\/TL866_main.html.","key":"11_CR38"},{"doi-asserted-by":"crossref","unstructured":"Zachry Basnight, Jonathan Butts, Juan Lopez Jr., and Thomas Dube. Firmware modification attacks on programmable logic controllers. International Journal of Critical Infrastructure Protection, 2013.","key":"11_CR57","DOI":"10.1016\/j.ijcip.2013.04.004"},{"unstructured":"Fabrice Bellard. Qemu, a fast and portable dynamic translator. In USENIX Annual Technical Conference, FREENIX Track, volume 41, page 46, 2005.","key":"11_CR69"},{"unstructured":"Emma Benoit, Guillaume Heilles, and Philippe Teuwen. Quarkslab blog post: Flash dumping, September 2017. https:\/\/blog.quarkslab.com\/flash-dumping-part-i.html.","key":"11_CR75"},{"unstructured":"Cristian Cadar, Daniel Dunbar, and Dawson Engler. KLEE: Unassisted and Automatic Generation of High-coverage Tests for Complex Systems Programs. In Proceedings of the 8th USENIX Conference on Operating Systems Design and Implementation, OSDI \u201908, 2008.","key":"11_CR120"},{"unstructured":"Giovanni Camurati and Aur\u00e9lien Francillon. Inception: system-wide security testing of real-world embedded systems software. In USENIX Security Symposium, 2018.","key":"11_CR125"},{"doi-asserted-by":"crossref","unstructured":"Daming D Chen, Manuel Egele, Maverick Woo, and David Brumley. Towards automated dynamic analysis for linux-based embedded firmware. In ISOC NDSS 2016, 2016.","key":"11_CR137","DOI":"10.14722\/ndss.2016.23415"},{"issue":"3","key":"11_CR140","doi-asserted-by":"publisher","first-page":"265","DOI":"10.1145\/1961296.1950396","volume":"46","author":"Vitaly Chipounov","year":"2011","unstructured":"Vitaly Chipounov, Volodymyr Kuznetsov, and George Candea. S2e: A platform for in-vivo multi-path analysis of software systems. Acm Sigplan Notices, 46(3):265\u2013278, 2011.","journal-title":"Acm Sigplan Notices"},{"doi-asserted-by":"crossref","unstructured":"Lucian Cojocar, Jonas Zaddach, Roel Verdult, Herbert Bos, Aur\u00e9lien Francillon, and Davide Balzarotti. PIE: Parser Identification in Embedded Systems. Annual Computer Security Applications Conference (ACSAC), December 2015.","key":"11_CR150","DOI":"10.1145\/2818000.2818035"},{"unstructured":"SEC Consult. House of Keys: Industry-Wide HTTPS Certificate and SSH Key Reuse Endangers Millions of Devices Worldwide. Blog, Nov, 25, 2015.","key":"11_CR151"},{"unstructured":"Andrei Costin, Jonas Zaddach, Aur\u00e9lien Francillon, and Davide Balzarotti. A Large Scale Analysis of the Security of Embedded Firmwares. In Proceedings of the 23rd USENIX Security Symposium (USENIX Security), August 2014.","key":"11_CR155"},{"doi-asserted-by":"crossref","unstructured":"Andrei Costin, Apostolis Zarras, and Aur\u00e9lien Francillon. Automated Dynamic Firmware Analysis at Scale: A Case Study on Embedded Web Interfaces. In 11th ACM Asia Conference on Computer and Communications Security (ASIACCS, ASIACCS 16, May 2016.","key":"11_CR156","DOI":"10.1145\/2897845.2897900"},{"doi-asserted-by":"crossref","unstructured":"Andrei Costin, Apostolis Zarras, and Aur\u00e9lien Francillon. Towards automated classification of firmware images and identification of embedded devices. In IFIP International Conference on ICT Systems Security and Privacy Protection, pages 233\u2013247. Springer, 2017.","key":"11_CR157","DOI":"10.1007\/978-3-319-58469-0_16"},{"doi-asserted-by":"crossref","unstructured":"Franck Courbon, Sergei Skorobogatov, and Christopher Woods. Reverse engineering flash EEPROM memories using scanning electron microscopy. In Smart Card Research and Advanced Applications - 15th International Conference, CARDIS 2016, pages 57\u201372, 2016.","key":"11_CR158","DOI":"10.1007\/978-3-319-54669-8_4"},{"unstructured":"Ang Cui. Embedded Device Firmware Vulnerability Hunting with FRAK. DefCon 20, 2012.","key":"11_CR161"},{"unstructured":"Ang Cui, Michael Costello, and Salvatore J Stolfo. When Firmware Modifications Attack: A Case Study of Embedded Exploitation. In Proceedings of the 20th Symposium on Network and Distributed System Security, NDSS \u201913. The Internet Society, 2013.","key":"11_CR162"},{"doi-asserted-by":"crossref","unstructured":"Ang Cui and Salvatore J. Stolfo. Defending Embedded Systems with Software Symbiotes. In Robin Sommer, Davide Balzarotti, and Gregor Maier, editors, Recent Advances in Intrusion Detection, volume 6961 of Lecture Notes in Computer Science, pages 358\u2013377. Springer, 2011.","key":"11_CR163","DOI":"10.1007\/978-3-642-23644-0_19"},{"unstructured":"Lyla B Das. Embedded Systems: An Integrated Approach. Pearson Education India, 2012.","key":"11_CR171"},{"unstructured":"Drew Davidson, Benjamin Moench, Thomas Ristenpart, and Somesh Jha. FIE on Firmware: Finding Vulnerabilities in Embedded Systems Using Symbolic Execution. In Proceedings of the 22nd USENIX Security Symposium, SEC \u201913, 2013.","key":"11_CR175"},{"unstructured":"Thomas Dullien and Rolf Rolles. Graph-based comparison of executable objects. In Symposium sur la Securite des Technologies de lInformation et des Communications, SSTIC \u201905, 2005.","key":"11_CR191"},{"unstructured":"Elnec. Elnec beeprog2. https:\/\/www.elnec.com\/en\/products\/universal-programmers\/beeprog2\/.","key":"11_CR198"},{"doi-asserted-by":"crossref","unstructured":"Sebastian Eschweiler, Khaled Yakdan, and Elmar Gerhards-Padilla. discovRE: Efficient Cross-Architecture Identification of Bugs in Binary Code. In ISOC NDSS 2016, 2016.","key":"11_CR202","DOI":"10.14722\/ndss.2016.23185"},{"doi-asserted-by":"crossref","unstructured":"Qian Feng, Rundong Zhou, Chengcheng Xu, Yao Cheng, Brian Testa, and Heng Yin. Scalable Graph-based Bug Search for Firmware Images. In ACM CCS 2016, 2016.","key":"11_CR212","DOI":"10.1145\/2976749.2978370"},{"unstructured":"Dan Goodin. Record-breaking ddos reportedly delivered by >\u2009145k hacked cameras. Ars Technica, 09 2016.","key":"11_CR241"},{"unstructured":"M\u00e1ria Hatalov\u00e1. Security of small office home routers. PhD thesis, Masarykova univerzita, Fakulta informatiky, 2015.","key":"11_CR259"},{"key":"11_CR261","volume-title":"Embedded systems design","author":"Steve Heath","year":"2002","unstructured":"Steve Heath. Embedded systems design. Newnes, 2002."},{"unstructured":"C Heffner and J Collake. Firmware mod kit-modify firmware images without recompiling, 2015.","key":"11_CR262"},{"unstructured":"Craig Heffner. binwalk \u2013 firmware analysis tool designed to assist in the analysis, extraction, and reverse engineering of firmware images. https:\/\/github.com\/ReFirmLabs\/binwalk.","key":"11_CR263"},{"doi-asserted-by":"crossref","unstructured":"Armijn Hemel, Karl Trygve Kalleberg, Rob Vermaas, and Eelco Dolstra. Finding Software License Violations Through Binary Code Clone Detection. In Proceedings of the 8th Working Conference on Mining Software Repositories, MSR \u201911. ACM, 2011.","key":"11_CR269","DOI":"10.1145\/1985441.1985453"},{"unstructured":"Alex Hern. Revolv devices bricked as Google\u2019s Nest shuts down smart home company. The Guardian, April 2016. https:\/\/www.theguardian.com\/technology\/2016\/apr\/05\/revolv-devices-bricked-google-nest-smart-home.","key":"11_CR271"},{"unstructured":"Hewlett Packard Enterprise (HPE). Internet of things research study \u2013 2015 report, 2015.","key":"11_CR280"},{"unstructured":"Independen Security Evaluators. Exploiting SOHO Routers, April 2013.","key":"11_CR292"},{"doi-asserted-by":"crossref","unstructured":"Markus Kammerstetter, Christian Platzer, and Wolfgang Kastner. Prospect: peripheral proxying supported embedded code testing. In Proceedings of the 9th ACM symposium on Information, computer and communications security, pages 329\u2013340. ACM, 2014.","key":"11_CR312","DOI":"10.1145\/2590296.2590301"},{"doi-asserted-by":"crossref","unstructured":"Jesse D. Kornblum. Identifying Almost Identical Files Using Context Triggered Piecewise Hashing. In Proceedings of the Digital Forensic Workshop, 2006.","key":"11_CR340","DOI":"10.1016\/j.diin.2006.06.015"},{"unstructured":"Karl Koscher, Tadayoshi Kohno, and David Molnar. Surrogates: enabling near-real-time dynamic analyses of embedded systems. In Proceedings of the 9th USENIX Conference on Offensive Technologies. USENIX Association, 2015.","key":"11_CR341"},{"unstructured":"Brian Krebs. KrebsOnSecurity Hit With Record DDoS. Krebs On Security, September 2016.","key":"11_CR344"},{"unstructured":"Brian Krebs. Who Makes the IoT Things Under Attack? Krebs On Security, October 2016.","key":"11_CR345"},{"doi-asserted-by":"crossref","unstructured":"Marius Muench, Dario Nisi, Aur\u00e9lien Francillon, and Davide Balzarotti. Avatar2: A Multi-target Orchestration Platform. In Workshop on Binary Analysis Research (colocated with NDSS Symposium), BAR 18, February 2018.","key":"11_CR429","DOI":"10.14722\/bar.2018.23017"},{"doi-asserted-by":"crossref","unstructured":"Marius Muench, Jan Stijohann, Frank Kargl, Aur\u00e9lien Francillon, and Davide Balzarotti. What you corrupt is not what you crash: Challenges in fuzzing embedded devices. In ISOC NDSS 2018, 2018.","key":"11_CR430","DOI":"10.14722\/ndss.2018.23166"},{"unstructured":"Marcus Niemietz and J\u00f6rg Schwenk. Owning your home network: Router security revisited. In 9th Workshop on Web 2.0 Security and Privacy (W2SP) 2015, 2015.","key":"11_CR439"},{"unstructured":"Johannes Obermaier and Stefan Tatschner. Shedding too much light on a microcontroller\u2019s firmware protection. In 11th USENIX Workshop on Offensive Technologies (WOOT 17), Vancouver, BC, 2017. USENIX Association.","key":"11_CR447"},{"doi-asserted-by":"crossref","unstructured":"Vassil Roussev. Data Fingerprinting with Similarity Digests. In IFIP International Conference on Digital Forensics, pages 207\u2013226, 2010.","key":"11_CR507","DOI":"10.1007\/978-3-642-15506-2_15"},{"doi-asserted-by":"crossref","unstructured":"Yan Shoshitaishvili, Ruoyu Wang, Christophe Hauser, Christopher Kruegel, and Giovanni Vigna. Firmalice-automatic detection of authentication bypass vulnerabilities in binary firmware. In NDSS, 2015.","key":"11_CR528","DOI":"10.14722\/ndss.2015.23294"},{"doi-asserted-by":"crossref","unstructured":"O. Shwartz, Y. Mathov, M. Bohadana, Y. Oren, and Y. Elovici. Reverse engineering iot devices: Effective techniques and methods. IEEE Internet of Things Journal, pages 1\u20131, 2018.","key":"11_CR529","DOI":"10.1007\/978-3-319-75208-2_1"},{"unstructured":"Olivier Thomas and Dmitry Nedospasov. On the impact of automating the ic analysis process. BlackHat 2015, August 2015.","key":"11_CR549"},{"doi-asserted-by":"crossref","unstructured":"Sam L. Thomas, Tom Chothia, and Flavio D. Garcia. Stringer: Measuring the Importance of Static Data Comparisons to Detect Backdoors and Undocumented Functionality. In Proceedings of the 22nd European Symposium on Research in Computer Security, ESORICS \u201917, 2017.","key":"11_CR550","DOI":"10.1007\/978-3-319-66399-9_28"},{"doi-asserted-by":"crossref","unstructured":"Sam L. Thomas and Aur\u00e9lien Francillon. Backdoors: Definition, Deniability and Detection. In Symposium on Research in Attacks, Intrusion, and Defenses (RAID). Springer, September 2018.","key":"11_CR551","DOI":"10.1007\/978-3-030-00470-5_5"},{"doi-asserted-by":"crossref","unstructured":"Sam L. Thomas, Flavio D. Garcia, and Tom Chothia. HumIDIFy: A Tool for Hidden Functionality Detection in Firmware. In Proceedings of the 14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA \u201917, 2017.","key":"11_CR552","DOI":"10.1007\/978-3-319-60876-1_13"},{"unstructured":"Andrew Tierney (@cybergibbons). Bypassing code readout protections on microcontrollers, January 2018.","key":"11_CR556"},{"unstructured":"Tjaldur Software Governance Solutions. Binary Analysis Tool (BAT).","key":"11_CR558"},{"doi-asserted-by":"crossref","unstructured":"S. Vasile, D. Oswald, and T. Chothia. Breaking all the things - a systematic survey of firmware extraction techniques for iot devices. In CARDIS, 2018.","key":"11_CR564","DOI":"10.1007\/978-3-030-15462-2_12"},{"unstructured":"Xiaojun Xu, Chang Liu, Qian Feng, Heng Yin, Le Song, and Dawn Song. Neural network-based graph embedding for cross-platform binary code similarity detection. In ACM SIGSAC Conference on Computer and Communications Security, CCS \u201917, 2017.","key":"11_CR585"},{"doi-asserted-by":"crossref","unstructured":"Jonas Zaddach, Luca Bruno, Aur\u00e9lien Francillon, and Davide Balzarotti. Avatar: A Framework to Support Dynamic Security Analysis of Embedded Systems\u2019 Firmwares. In NDSS 2014, February 2014.","key":"11_CR591","DOI":"10.14722\/ndss.2014.23229"}],"container-title":["Security of Ubiquitous Computing Systems"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-030-10591-4_11","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,1,14]],"date-time":"2021-01-14T15:23:33Z","timestamp":1610637813000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/978-3-030-10591-4_11"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021]]},"ISBN":["9783030105907","9783030105914"],"references-count":53,"URL":"https:\/\/doi.org\/10.1007\/978-3-030-10591-4_11","relation":{},"subject":[],"published":{"date-parts":[[2021]]},"assertion":[{"value":"15 January 2021","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}}]}}