Brussels / 1 & 2 February 2014


The Avatar project - improving embedded security with S2E, KLEE and Qemu

LLVM-powered dynamic security analysis of embedded firmwares

Avatar is a research framework that enables complex dynamic analysis of embedded devices by orchestrating the execution of an emulator together with real hardware. It is built on top of S2E/Qemu, KLEE and LLVM and its main goal is to enable advanced security analysis of pristine ARM source-less firmware, eg. through dynamic tracing or symbolic execution.

This talk will show key features of S2E in enabling runtime binary analysis (using Qemu virtualization and KLEE/LLVM symbolic execution) and how Avatar uses it to orchestrate analysis and execution at the emulator<->device edge.

To address the growing concerns about the security of embedded systems, it is important to perform accurate analysis of firmware binaries, even when the source code or the hardware documentation are not available. Unlike static analysis, dynamic analysis relies on the ability to execute software in a controlled environment, which is however difficult due the lack of documentation and the large variety of subtly different hardware on the market.

In this talk we present Avatar, a framework that enables such complex analysis of embedded devices. In particular we will introduce S2E, a C++ project which leverages several components to do binary emulation, including: * Qemu for machine virtualization * LLVM as the IR of choice * KLEE for symbolic execution of LLVM IR * S2E plugins for hooking into data and control flow

Then we show the Avatar framework, which acts as an analysis driver, context switcher and memory forwarder. Avatar is currently written in Python and on top of basic features, it includes several techniques to improve the system's performance as well as heuristics to help in vulnerability discovery.

Both project are FLOSS. S2E is a research project from EPFL, while Avatar is under development at Eurecom.


Luca Bruno