June 23, 2021

SpywareNews.com

ECMO: Peripheral Transplantation to Rehost Embedded Linux Kernels. (arXiv:2105.14295v1 [cs.AR])

Dynamic analysis based on the full-system emulator QEMU is widely used for
various purposes. However, it is challenging to run firmware images of embedded
devices in QEMU, especially the process of booting the Linux kernel (we call this
process rehosting the Linux kernel in this paper). That's because embedded
devices usually use different system-on-chips (SoCs) from multiple vendors,
and only a limited number of SoCs are currently supported in QEMU.

In this work, we propose a technique called peripheral transplantation. The
main idea is to transplant the device drivers of designated peripherals into
the Linux kernel binary. Doing so replaces the peripherals in the kernel that
are currently unsupported in QEMU with supported ones, thus making the Linux
kernel rehostable. After that, various applications can be built upon the
rehosted kernel.

We implemented this technique inside a prototype system called ECMO and
applied it to 824 firmware images, which consist of 17 kernel versions, 37
device models, and 24 vendors. The result shows that ECMO can successfully
transplant peripherals for all the 824 Linux kernels. Among them, 719 kernels
can be successfully rehosted, i.e., launching a user-space shell (87.3% success
rate). The failed cases are mainly because the root file system format (ramfs)
is not supported by the kernel. We further build three applications, i.e.,
kernel crash analysis, rootkit forensic analysis, and kernel fuzzing, based on
the rehosted kernels to demonstrate the usage scenarios of ECMO.