Work-in-Progress: Introspection of the Linux-based Embedded Firmwares

This paper presents a novel approach for virtual machine introspection of the embedded systems based on the unknown revisions of the known kernels. Existing introspection methods require embedding the code into the guest to capture the data for analysis algorithms. When OS image is extracted from the ROM, usually no analysis code can be loaded into the virtual machine. We propose new non-intrusive method for extracting the kernel- and process-level information from such virtual machines. This method is based on the application binary interface, which is small enough and usually non-volatile. Therefore one analysis configuration may be used for different systems with the kernels from the same family without re-tuning them. We also present the analysis framework based on the simulator QEMU. It includes instrumentation and some tools for extracting the process- and kernel-level information from the guest. Our framework may be applied to ROM-based guest systems and enables using of record/replay of the system execution during the analysis. We applied our framework to some public firmwares to evaluate how our method works on the embedded systems with custom Linux kernel.