AVATAR: A Framework for Dynamic Security Analysis of Embedded Systems’ Firmwares
Jonas Zaddach
Luca Bruno, Aurélien Francillon, Davide Balzarotti
Outline
• Introduction
• AVATAR overview
• Framework components
• Use cases
• Conclusion
2/24/14 2
Software is everywhere
• Embedded devices are diverse – but all of them
run software
Reasons for embedded security
• Embedded devices are ubiquitous
– Even if invisible, they are essential to your life
• Can operate for many years
– Legacy systems, no (security) updates
• Have a large attack surface
– Networking, forgotten debug interfaces, etc
Third party security evaluation
• No source code available
• No toolchain available
• No documentation available
• Distinct tools (to flash and debug) for each
manufacturer
Wishlist for security evaluation
• Typical PC security toolbox
– Advanced debugging techniques
• Tracing
• Fuzzing
• Tainting
• Symbolic Execution
– Integrated tools
• IDA Pro
• GDB
[Figure: branching tree with nodes A, B, C, D, E; edge labels ≤ 0, > 0, < 8, ≥ 8; path constraint 0 < x < 8]
Challenges
• Advanced dynamic analysis needs
emulation
• Full emulation
– Unknown peripherals
– Firmware fails if peripherals are missing
• Integration
– Support multiple vendors and platforms
AVATAR
• Orchestrate execution between emulator
and device
• Forward peripheral accesses to the device
under analysis
• Do not attempt to emulate peripherals
– No documentation
– Reverse engineering is difficult
Avatar overview
[Figure: block diagram. Labels: Emulator (with the instruction listing below), Device, In-memory stub, Memory, Registers, CPU state, Avatar, Analysis script, plugins, Analysis plugins.]
. . .
mov r2, r0
mov r3, r1
add r3, r3, #1
ldr r2, [r2, #0]
cmp r2, r3
. . .
Avatar overview
[Figure: last frame of the same block diagram (Emulator with instruction listing, Device, In-memory stub, Memory, Registers, CPU state, Avatar, Analysis script, plugins, Analysis plugins), now with an additional IRQ label.]
Emulator
[Figure: block diagram. Labels: Emulator, Avatar, Configuration, Qemu, GDB, Remote Memory, S2E, Qemu, Klee, LLVM, Analysis plugins, Memory, Registers, CPU state.]
Avatar core
[Figure: block diagram. Labels: Emulator, Avatar, Device, Configuration interface, GDB interface, Remote memory, GDB interface, plugins, Analysis plugins, Analysis script.]
Embedded target
[Figure: block diagram. Labels: Device, In-memory stub, Memory, Registers, CPU state, Avatar, JTAG server.]
Target communication
• Either a debugging interface
– JTAG
– Debug Serial Interface
• Or code injection and a communication
channel
– Custom GDB Stub + Serial Port
Bottlenecks
• Emulated execution is much slower than execution on the real device
– Memory access forwarding through low-bandwidth channel is the bottleneck
– In one case down to ~10 memory accesses/sec.
• Interrupts can saturate debug connection
Improving performance
• Transfer execution/state
– From the device to the emulator
– From the emulator to the device
• Migrate memory and code snippets
– Keep memory regions in the emulator
– Execute IO-intensive pieces of code on the
device
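An added sketch (not code from AVATAR or the slides) of the routing decision behind keeping memory regions in the emulator: accesses to local regions are served from emulator memory, everything else crosses the debug channel. The memory map, `FakeDevice` and the trace are constructed for illustration; `LINK_RATE` uses the ~10 accesses/sec figure from the Bottlenecks slide.

```python
from dataclasses import dataclass

LINK_RATE = 10  # forwarded accesses per second: the slow case quoted in the slides

@dataclass
class Region:
    name: str
    start: int
    size: int
    local: bool  # True: served from emulator memory; False: forwarded to device

    def contains(self, addr):
        return self.start <= addr < self.start + self.size

class FakeDevice:
    """Constructed stand-in for the target behind the debug channel."""

    def __init__(self):
        self.mem, self.accesses = {}, 0

    def read(self, addr):
        self.accesses += 1
        return self.mem.get(addr, 0)

    def write(self, addr, value):
        self.accesses += 1
        self.mem[addr] = value

class MemoryRouter:
    def __init__(self, regions, device):
        # local_mem starts empty here; a real transfer would first copy the
        # region's contents from the device.
        self.regions, self.device, self.local_mem = regions, device, {}

    def _lookup(self, addr):
        for region in self.regions:
            if region.contains(addr):
                return region
        raise ValueError(f"access to unmapped address {addr:#010x}")

    def read(self, addr):
        if self._lookup(addr).local:
            return self.local_mem.get(addr, 0)
        return self.device.read(addr)

    def write(self, addr, value):
        if self._lookup(addr).local:
            self.local_mem[addr] = value
        else:
            self.device.write(addr, value)

def replay(trace, ram_local):
    """Replay (op, addr, value) accesses; return (forwarded, estimated seconds)."""
    device = FakeDevice()
    router = MemoryRouter([
        Region("ram", 0x20000000, 0x10000, local=ram_local),  # hypothetical map
        Region("uart", 0x40000000, 0x100, local=False),  # peripheral: never local
    ], device)
    for op, addr, value in trace:
        router.write(addr, value) if op == "w" else router.read(addr)
    return device.accesses, device.accesses / LINK_RATE

# Constructed trace: copy 50 bytes from a RAM buffer to a UART data register.
TRACE = [acc for i in range(50)
         for acc in (("r", 0x20000100 + i, None), ("w", 0x40000000, 0x41))]
```

With every access forwarded the trace costs 100 channel round trips; with RAM kept in the emulator only the 50 peripheral writes remain.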
Full separation mode
[Figure: block diagram. Labels: Emulator, Device, State (twice), Register, Memory, Avatar.]
Memory access optimization
[Figure: block diagram. Labels: Emulator, Device, State (twice), Register, Memory, IO Memory, Avatar.]
Execute code snippets on the device
[Figure, two frames: block diagram. Labels across both frames: Emulator, Device, State (twice), Avatar, Code; in the second frame Code appears twice.]
Use case: Hard Disk
• Recover bootloader protocol with symbolic
execution
– Inject GDB stub
– Instrument flash loading
– Inject symbolic values for
data read from serial port
– Keep track of which input
leads into which code flow
http://www.s3.eurecom.fr/docs/ndss14_zaddach.pdf
Use case: GSM Phone
• Search for vulnerabilities in SMS decoding routine
– Connect through JTAG
– Execute on device until SMS decoding
– Replace SMS payload with symbolic values
– Check for symbolic values in
• program counter
• load/store address
Use case: Econotag
• Find proof-of-concept bug in user
application
– Connect through JTAG
– Execute on device until Zigbee packet arrives
– Replace payload with symbolic values
– Check for symbolic values in
• program counter
• load/store address
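The check named in the GSM phone and Econotag use cases, as an added illustration that is not AVATAR's or S2E's code: it uses plain taint propagation as a simplified stand-in for symbolic execution, run over the instruction listing from the overview slide. Which registers carry payload-derived data is an assumption of the example, and the two extra listings are constructed.

```python
import re

OPERAND = re.compile(r"r\d+|pc|lr|sp|#-?\d+")


def check_listing(listing, tainted_regs):
    """Propagate taint through ARM-like instructions; return (index, finding) pairs."""
    tainted = set(tainted_regs)
    findings = []

    def assign(reg, flag):
        (tainted.add if flag else tainted.discard)(reg)

    for index, line in enumerate(listing):
        mnemonic, _, rest = line.strip().partition(" ")
        ops = OPERAND.findall(rest)
        if mnemonic == "mov":
            dst, src = ops
            if dst == "pc" and src in tainted:
                findings.append((index, "program counter"))
            assign(dst, src in tainted)
        elif mnemonic in ("add", "sub"):
            dst, lhs, rhs = ops
            assign(dst, lhs in tainted or rhs in tainted)
        elif mnemonic in ("ldr", "str"):
            reg, *address = ops  # base register plus optional offset
            addr_tainted = any(op in tainted for op in address)
            if addr_tainted:
                kind = "load" if mnemonic == "ldr" else "store"
                findings.append((index, f"{kind} address"))
            if mnemonic == "ldr":
                # Simplification: memory contents are not tracked, so a loaded
                # value is tainted only when its address was.
                assign(reg, addr_tainted)
        elif mnemonic in ("bx", "blx"):
            if ops[0] in tainted:
                findings.append((index, "program counter"))
        elif mnemonic != "cmp":  # cmp only sets flags
            raise ValueError(f"unsupported instruction: {line!r}")
    return findings


# Instruction listing shown on the "Avatar overview" slide.
SLIDE_LISTING = ["mov r2, r0", "mov r3, r1", "add r3, r3, #1",
                 "ldr r2, [r2, #0]", "cmp r2, r3"]
# Constructed listings for the other two checks.
BRANCH_LISTING = ["mov r4, r0", "add r4, r4, #4", "bx r4"]
STORE_LISTING = ["str r1, [r0, #8]"]
```

If `r0` is marked as payload-derived, the `ldr` in the slide listing is reported as a load from a tainted address; marking only `r1` reports nothing.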
We are adding more devices
Future work
• Enhance state consistency
– DMA memory changes not tracked
• Automatically emulate peripherals
• Improve symbolic execution
– Coherency between HW and SW
– Improve bug-finding strategies
Conclusion
• AVATAR is a modular open-source tool to
– Enable dynamic analysis
– And perform symbolic execution
– On embedded devices
– Where only binary code is available
A first step towards better analysis tools for embedded systems!
Questions?
• Thank you for listening!
• Open source on github: https://github.com/eurecom-s3/avatar-python
• Project page: http://s3.eurecom.fr/tools/avatar/
Thanks to Pascal Sachs and Luka Malisa who built an earlier prototype of the system,
and Lucian Cojocar for applying and extending AVATAR
Injecting a debugger
• Requires writing and executing memory
– Debug menus allow this sometimes
– A code execution vulnerability can be used
• Requires a communication channel
– Serial port, GPIO, Power consumption, …
– GPIO
• Requires an unused memory location in the firmware
– Stub is about 3k of code
Transfer execution from emulator to device
[Figure, two frames: block diagram. Labels: Emulator, Device, State (twice), Register, Memory; the second frame adds Avatar.]
Transfer execution from device to emulator
[Figure, two frames: block diagram. Labels: Emulator, Device, State (twice), Register, Memory; the second frame adds Avatar.]
Software interrupts
• Software Interrupts
– Are issued by an interrupt
instruction in the code
• Can be entirely emulated
– Qemu manages calling of
software interrupt handlers
http://home.netcom.com/~swansont/interrupt.jpg
Task completion interrupts
• Triggered by application requests
– Responses aligned with firmware execution
speed
– E.g., signal that a requested DMA transfer has
finished
• Can be forwarded from the device to the
emulator
– A stub on the device traps interrupts and
forwards them
External event interrupts
• Signals an external event
– Events aligned to wall-clock instead of execution time
– E.g., that a time span has elapsed
• Solution depends
– Controllable interrupts can be forwarded
– Uncontrollable interrupts need to be synthesized
• Original interrupts are suppressed
• Emulated interrupts are inserted according to emulated execution speed