Binary Analysis of USB Device Firmware to Detect Malicious Activity

Uses Domain Knowledge of USB Protocol to Validate Device Firmware Against Its Expected Functionality

This USB-specific firmware analysis framework combines symbolic execution and static analysis to model USB controller firmware binaries and characterize a device’s potential for malicious behavior. The USB protocol is extremely versatile, open, and expandable, allowing numerous devices to transfer both data and power. This openness, however, leaves many computing platforms increasingly vulnerable to malicious attacks that exploit the functionality of USB devices. Available USB vetting systems focus on preventing attacks at the protocol level through sandboxing and virtualization or user authorization, which all rely on the device’s external actions to demonstrate its trustworthiness. Without a deep knowledge of the underlying software behind the devices, however, an observer cannot with certainty ensure that a device is benign.


Researchers at the University of Florida have developed a USB device vetting system that uses domain knowledge of the USB protocol to examine a device’s firmware images and determine its capacity for malicious actions. The framework applies targeted symbolic execution and static analysis to a device’s firmware binaries, modeling the device’s actual behavior against its expected functionality so that a USB device can be validated reliably.


Application

Binary analysis framework that examines USB device firmware to identify potentially malicious behavior


Advantages

  • Applies symbolic analysis to the USB device firmware, detecting malicious code and exploits such as BadUSB
  • Vets USB controllers by analyzing firmware binaries, eliminating any need for source code
  • Utilizes improved targeting algorithms and domain knowledge, speeding up analysis by a factor of seven compared to unconstrained fully symbolic execution
  • Builds a model of the device functionality and compares it with an expected device model, generating a report of identified potentially malicious behaviors

Technology

This USB vetting framework analyzes a device’s extracted firmware image to identify signatures relating to USB operation. The firmware image goes through a static analysis stage, which identifies memory addresses and instructions that would be relevant to an attack scenario. This analysis informs semantic slicing of the firmware to improve subsequent symbolic execution, which discovers program paths that interact with the device. This program knowledge, together with the identified signatures and the database of operational information regarding USB devices, supports construction of a recovered model of operation (representing the actual functionality of the device) and an expected model of operation. After comparing these two models and identifying unexpected or unknown behaviors, the analysis framework generates a report detailing this potentially malicious activity for the user.
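As an added illustration of the static-signature and model-comparison stages described above (this is not the framework’s own code, and it omits the semantic-slicing and symbolic-execution stages), the Python below scans a constructed firmware blob for a USB configuration descriptor, recovers the interfaces the device would enumerate, and reports any interface the expected model (a bulk-only mass-storage device) does not account for. The blob contents, the expected model and the report format are assumptions.

```python
import struct

# Constructed firmware blob (not a real device image): filler bytes, then a
# configuration descriptor tree declaring a mass-storage interface AND a HID
# keyboard interface, the dual identity typical of BadUSB-style firmware.
CONFIG = bytes([9, 0x02, 0, 0, 2, 1, 0, 0x80, 50])        # wTotalLength patched below
MSC_IF = bytes([9, 0x04, 0, 0, 2, 0x08, 0x06, 0x50, 0])   # mass storage, SCSI, bulk-only
MSC_EP = bytes([7, 0x05, 0x81, 0x02, 64, 0, 0]) + bytes([7, 0x05, 0x02, 0x02, 64, 0, 0])
HID_IF = bytes([9, 0x04, 1, 0, 1, 0x03, 0x01, 0x01, 0])   # HID, boot subclass, keyboard
HID_DESC = bytes([9, 0x21, 0x11, 0x01, 0, 1, 0x22, 63, 0])
HID_EP = bytes([7, 0x05, 0x83, 0x03, 8, 0, 10])
tree = CONFIG + MSC_IF + MSC_EP + HID_IF + HID_DESC + HID_EP
tree = tree[:2] + struct.pack("<H", len(tree)) + tree[4:]  # fix wTotalLength
FIRMWARE = b"\x00" * 17 + b"\x3f\x00" + tree + b"\xff" * 9

# Expected model (assumption): exactly one bulk-only SCSI mass-storage interface,
# as (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol).
EXPECTED_MSC = {(0x08, 0x06, 0x50)}

def find_config_descriptors(blob):
    """Static stage: locate plausible configuration descriptor signatures."""
    hits = []
    for i in range(len(blob) - 9):
        if blob[i] == 9 and blob[i + 1] == 0x02:          # bLength, bDescriptorType
            total = struct.unpack_from("<H", blob, i + 2)[0]
            if 9 <= total <= len(blob) - i and blob[i + 4] >= 1:  # bNumInterfaces
                hits.append((i, total))
    return hits

def recover_model(blob):
    """Walk each descriptor tree and collect the interface triples it declares."""
    model = set()
    for off, total in find_config_descriptors(blob):
        p = off
        while p + 2 <= off + total:
            length, dtype = blob[p], blob[p + 1]
            if length < 2:
                break                                     # malformed; stop this tree
            if dtype == 0x04 and length >= 9:             # interface descriptor
                model.add(tuple(blob[p + 5:p + 8]))
            p += length
    return model

def compare(recovered, expected):
    """Report interfaces the expected model does not account for, and vice versa."""
    return {"unexpected": sorted(recovered - expected),
            "missing": sorted(expected - recovered)}
```

Running `compare(recover_model(FIRMWARE), EXPECTED_MSC)` flags the HID keyboard interface as unexpected while the mass-storage interface matches the expected model.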

Patent Information:
  Title: Method and Apparatus For Vetting Universal Serial Bus Device Firmware
  App Type: ORD/UTIL
  Country: United States
  Serial No.: 16/358,385
  Patent No.: 11,568,044
  File Date: 3/19/2019
  Issued Date: 1/31/2023
  Expire Date: 12/1/2041