ROOTS 2019 Talk: Harzer Roller: Linker-Based Instrumentation for Enhanced Embedded Security Testing — Katharina Bogad *

Due to the rise of the Internet of Things, there are many new chips and platforms available for hobbyists and industry alike to build smart devices. The software development kits (SDKs) for these new platforms usually include closed-source binaries comprising wireless protocol implementations, cryptographic implementations, or other library functions, which are shared among all user code across the platform. Leveraging such a library vulnerability has a high impact on a given platform. However, as these platforms are often shipped ready-to-use, classic debug infrastructure like JTAG is often times not available.

In this paper, we present a method, called Harzer Roller, to enhance embedded firmware security testing on resource-constrained devices. With the Harzer Roller, we hook instrumentation code into function call and return. The hooking not only applies to the user application code but to the SDK used to build firmware as well. While we keep the design of the Harzer Roller’s general architecture independent, we provide an implementation for the ESP8266 Wi-Fi IoT chip based on the xtensa architecture.

We show that the Harzer Roller can be leveraged to trace execution flow through libraries without available source code and to detect stack-based buffer-overflows. Additionally, we showcase how the overflow detection can be used to dump debugging information for later analysis. This…