Firmware emulation allows firmware to be analyzed in many beneficial ways: it can be used for vulnerability research, debugging, and testing. The process of enabling firmware to execute in an emulator (i.e., re-hosting) is difficult. Each piece of firmware may interact with many hardware peripherals outside of the micro-controller, and these peripherals may not be available at the time of emulation. The current practice is to painstakingly disentangle the dependencies between the firmware and its missing peripherals. A recent solution, HALucinator, addresses this issue by allowing the user to write their own models that emulate the functions that interact with hardware, eliminating the dependency. Discovering which functions need to be replaced, and then modeling them to create the replacements, is a highly manual and error-prone process. In this report, we introduce a systematic graph-based approach to analyze firmware binaries and determine which functions need to be replaced. Our approach is customizable to balance the fidelity of the emulation against the amount of effort it takes to achieve the emulation by modeling functions. It does this by trying different levels at which functions can be replaced. We run our algorithm across a number of example firmware images from micro-controller development boards. This shows that we are able to generate different solutions that remove a large majority of hardware dependencies. The solutions provide comparable levels of fidelity while reducing the required effort to re-host the firmware.
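As an added illustration of the fidelity-versus-effort trade-off described above (not the thesis's algorithm or data), the following example scores candidate replacement sets on a constructed call graph: functions that touch peripheral registers sit at level 0, and each higher level cuts the graph further up, trading fewer handlers to write against less firmware code executed natively. The call graph, the hardware-access set, and the use of "natively executed functions" as a fidelity proxy are all assumptions of this example.

```python
"""Constructed example: which functions to intercept with handlers when
re-hosting firmware, evaluated at several cut levels.  The call graph,
hardware set and scoring are assumptions, not the thesis's own method."""
from collections import deque

INF = float("inf")

# Constructed call graph (caller -> callees); HAL-style names are hypothetical.
CALL_GRAPH = {
    "main": ["board_init", "app_loop"],
    "board_init": ["HAL_GPIO_Init", "HAL_UART_Init"],
    "HAL_GPIO_Init": ["gpio_write_reg"],
    "HAL_UART_Init": ["uart_write_reg"],
    "app_loop": ["read_sensor", "compute_crc", "uart_send_log"],
    "read_sensor": ["HAL_I2C_Read"],
    "HAL_I2C_Read": ["i2c_write_reg", "i2c_read_reg"],
    "uart_send_log": ["format_msg", "HAL_UART_Transmit"],
    "HAL_UART_Transmit": ["uart_write_reg"],
    "format_msg": [], "compute_crc": [],
    "gpio_write_reg": [], "uart_write_reg": [], "i2c_write_reg": [], "i2c_read_reg": [],
}
# Functions that access memory-mapped peripheral registers (constructed).
HW_ACCESS = {"gpio_write_reg", "uart_write_reg", "i2c_write_reg", "i2c_read_reg"}


def distance_to_hardware(graph, hw):
    """d(f) = 0 for register-access functions, else 1 + min over callees.
    Pure functions that never reach hardware stay at INF (no handler needed)."""
    d = {f: (0 if f in hw else INF) for f in graph}
    changed = True
    while changed:                       # fixed point over the acyclic graph
        changed = False
        for f, callees in graph.items():
            if f in hw:
                continue
            best = min((d[c] for c in callees), default=INF) + 1
            if best < d[f]:
                d[f], changed = best, True
    return d


def reachable(graph, entry, blocked):
    """Functions still executed natively when every function in `blocked`
    is intercepted by a handler (their callees are never reached)."""
    seen, queue = set(), deque([entry])
    while queue:
        f = queue.popleft()
        if f in seen or f in blocked:
            continue
        seen.add(f)
        queue.extend(graph.get(f, []))
    return seen


def evaluate_levels(graph, entry, hw):
    """Per level k: the handler set (effort) and how many functions still run
    natively (fidelity proxy).  Level k is a valid cut because d() decreases by
    at most one per call edge, so every path to hardware crosses d == k."""
    d = distance_to_hardware(graph, hw)
    if d[entry] == INF:
        return []                        # entry never reaches hardware
    live = reachable(graph, entry, set())
    results = []
    for k in range(d[entry]):
        handlers = {f for f in live if d[f] == k}
        native = reachable(graph, entry, handlers)
        assert not native & hw, "cut at level %d leaked hardware access" % k
        results.append((k, handlers, len(native)))
    return results
```

Running `evaluate_levels(CALL_GRAPH, "main", HW_ACCESS)` on the constructed graph shows that cutting at the HAL layer (level 1) needs as many handlers as cutting at the register-access functions (level 0) but drops four natively executed functions, while level 2 needs only three handlers at the cost of bypassing most of the firmware.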
Funding
Sandia National Laboratories
Degree Type
Master of Science in Electrical and Computer Engineering