Detecting And Mitigating Rootkits In Embedded Systems

Jeremy Porter, Adam Bryant

PROCEEDINGS OF THE 12TH INTERNATIONAL CONFERENCE ON CYBER WARFARE AND SECURITY (ICCWS 2017)(2017)

Abstract
Networking is pervasive in our daily lives, and we often assume the network is secure. With actors ranging from organizations and manufacturers to nation-states launching sophisticated attacks, the need to ensure the integrity of network equipment is critical. However, attacks on router firmware are numerous, and firmware attacks are easy to demonstrate. In particular, rootkits are an especially troublesome type of attack because they involve malicious code that attackers intentionally make difficult to detect. Much of the recent research in securing network devices focuses on finding vulnerabilities in firmware and web-based management interfaces. Those methods emulate firmware using standard emulation tools such as QEMU, but they do not fully emulate the kernel, which is where most rootkit code is stored and from where it runs. Instead, they involve building a custom kernel and emulating the file system, but they cannot readily emulate the hardware portion of an embedded system. In this paper, we develop a framework for detecting and mitigating rootkits in embedded devices using static and dynamic analysis. Our emphasis is on improving the security of commodity routers and networking equipment. Our goal is to develop a system capable of emulating embedded system hardware, to reverse engineer firmware and detect the hardware requirements of embedded systems, and to create a wedge or modify QEMU to emulate the hardware. We will use these emulation techniques to develop progressively sophisticated detection (and eventually protection) technologies to combat rootkits in network devices. We will start with simple methods such as comparing the hash values of trusted and suspect firmware images, then perform static analysis, fully emulate the kernel, and use that emulation to perform dynamic analysis paired with network traffic analysis.

Since network equipment runs Linux-based firmware, we limit our scope to the investigation of rootkit techniques on Linux-based firmware.
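The first step in the plan above is comparing hash values of a trusted and a suspect firmware image. As an added illustration that is not part of the paper, the following Python does a whole-image SHA-256 comparison and, when the images differ, falls back to per-chunk digests to localize the modified regions (including a size mismatch). The chunk size and the two sample images are constructed assumptions.

```python
import hashlib
from typing import List, Tuple

# Assumed comparison granularity; a real check would use the flash
# erase-block or partition boundaries of the target device.
CHUNK_SIZE = 4096


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def chunk_digests(image: bytes, chunk_size: int = CHUNK_SIZE) -> List[str]:
    """SHA-256 of each fixed-size chunk, so differences can be localized."""
    return [sha256_hex(image[off:off + chunk_size])
            for off in range(0, len(image), chunk_size)]


def compare_images(trusted: bytes, suspect: bytes,
                   chunk_size: int = CHUNK_SIZE) -> Tuple[bool, List[int]]:
    """Return (identical, byte offsets of chunks that differ).

    A matching whole-image digest short-circuits the chunked comparison.
    """
    if sha256_hex(trusted) == sha256_hex(suspect):
        return True, []
    t = chunk_digests(trusted, chunk_size)
    s = chunk_digests(suspect, chunk_size)
    diffs = [i * chunk_size for i, (a, b) in enumerate(zip(t, s)) if a != b]
    # If the images differ in length, every chunk past the shorter image
    # is also a difference (appended or truncated content).
    shorter, longer = min(len(t), len(s)), max(len(t), len(s))
    diffs.extend(i * chunk_size for i in range(shorter, longer))
    return False, diffs


# Constructed sample data: a 16 KiB "trusted" image of repeating filler and a
# "suspect" copy with eight bytes overwritten inside the third 4 KiB chunk.
TRUSTED_IMAGE = bytes(range(256)) * 64
_patched = bytearray(TRUSTED_IMAGE)
_patched[8200:8208] = b"\x00" * 8
SUSPECT_IMAGE = bytes(_patched)

if __name__ == "__main__":
    same, where = compare_images(TRUSTED_IMAGE, SUSPECT_IMAGE)
    print("identical" if same else f"differs at chunk offsets {where}")
```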
Keywords
rootkits, embedded systems, emulation, QEMU, Linux firmware