Executing code in an emulator is a fundamental part of modern vulnerability testing. However, to emulate embedded system firmware outside its native environment, the emulator must mimic hardware devices with enough accuracy to convince the firmware that it is executing on real hardware.
In Jetset: Targeted Firmware Rehosting for Embedded Systems, UC San Diego CSE/CNS Ph.D. student Evan Johnson, CSE/CNS faculty Stefan Savage, and researchers at the University of Illinois at Urbana-Champaign and Oberlin College develop and implement Jetset, a system that uses symbolic execution to infer what behavior firmware expects from hardware devices. They used Jetset to test whether it was possible to boot firmware in an emulator by automatically inferring how the firmware and hardware interact.
The team successfully applied Jetset to thirteen distinct pieces of firmware together, representing three architectures, three application domains, and five different operating systems. They also demonstrated how Jetset-assisted rehosting facilitates fuzz-testing on an avionics embedded system. Their work will be presented in August 2021 at the USENIX Security Symposium.