From Library Portability to Para-rehosting: Natively Executing Open-source Microcontroller OSs on Commodity Hardware

Abstract

Finding bugs in microcontroller (MCU) firmware is challenging, even for device manufacturers who own the source code. The MCU runs different instruction sets than x86 and exposes a very different development environment. This invalidates many existing sophisticated software testing tools on x86. To maintain a unified developing and testing environment, a straightforward way is to re-compile the source code into the native executable for a commodity machine (called rehosting). However, ad-hoc rehosting is a daunting and tedious task and subject to many issues (library-dependence, kernel-dependence and hardware-dependence). In this work, we systematically explore the portability problem of MCU software and propose para-rehosting to ease the porting process. Specifically, we abstract and implement a portable MCU (PMCU) using the POSIX interface. It models common functions of the MCU cores. For peripheral-specific logic, we propose HAL-based peripheral function replacement, in which high-level hardware functions are replaced with an equivalent backend driver on the host. These backend drivers are invoked by well-designed para-APIs and can be reused across many MCU OSs. We categorize common HAL functions into four types and implement templates for quick backend development. Using the proposed approach, we have successfully rehosted nine MCU OSs including the widely deployed Amazon FreeRTOS, ARM Mbed OS, Zephyr and LiteOS. To demonstrate the superiority of our approach in terms of security testing, we used off-the-shelf dynamic analysis tools (AFL and ASAN) against the rehosted programs and discovered 24 previously-unknown bugs, among which 5 were confirmed by CVE and others were confirmed by vendors.
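The HAL-based peripheral function replacement described above, as an added illustration that is not the paper's code: the firmware logic keeps calling a HAL-style UART receive routine, while the hardware driver behind it is swapped for a host backend built on the POSIX read(2) interface, so the unchanged firmware parser can be driven natively by a fuzzer's input. The HAL name, the frame format and the sample bytes are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <sys/types.h>
#include <unistd.h>

/* HAL interface the firmware was written against (hypothetical signature). */
typedef struct { int fd; } UART_Handle;
int HAL_UART_Receive(UART_Handle *h, uint8_t *buf, size_t len);

/* Host backend replacing the UART driver: instead of polling a data register,
 * it pulls bytes from a POSIX file descriptor supplied by the test harness. */
int HAL_UART_Receive(UART_Handle *h, uint8_t *buf, size_t len) {
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(h->fd, buf + got, len - got);
        if (n <= 0) return -1;   /* EOF or error: treated like a receive timeout */
        got += (size_t)n;
    }
    return 0;
}

/* Unchanged firmware logic: read a [0xA5][len][payload...] frame from the UART.
 * Returns the payload byte sum, or -1 on a malformed or truncated frame.
 * The len bound keeps the stack buffer in range; removing it is the kind of
 * defect ASAN would catch once this code runs natively on the host. */
int firmware_read_frame(UART_Handle *h) {
    uint8_t hdr[2], payload[64];
    if (HAL_UART_Receive(h, hdr, 2) != 0) return -1;
    size_t plen = hdr[1];
    if (hdr[0] != 0xA5 || plen > sizeof payload) return -1;
    if (HAL_UART_Receive(h, payload, plen) != 0) return -1;
    int sum = 0;
    for (size_t i = 0; i < plen; i++) sum += payload[i];
    return sum;
}

/* Harness: feed constructed bytes through a pipe, the way fuzzer input would
 * arrive on the host. Returns firmware_read_frame's result, or -2 on harness error. */
int run_frame_on_host(const uint8_t *data, size_t len) {
    int fds[2];
    if (pipe(fds) != 0) return -2;
    ssize_t w = write(fds[1], data, len);
    close(fds[1]);
    if (w != (ssize_t)len) { close(fds[0]); return -2; }
    UART_Handle h = { fds[0] };
    int r = firmware_read_frame(&h);
    close(fds[0]);
    return r;
}

/* Constructed sample inputs: a valid frame, a bad magic byte, a truncated frame. */
static const uint8_t SAMPLE_OK[]    = { 0xA5, 3, 1, 2, 3 };
static const uint8_t SAMPLE_MAGIC[] = { 0x00, 3, 1, 2, 3 };
static const uint8_t SAMPLE_TRUNC[] = { 0xA5, 5, 1 };
```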

Publication
28th Network and Distributed System Security Symposium, NDSS '21
Date