Abstract for HONS 04/15
Applying Bytecode Level Automatic Exploit Generation to Embedded Systems
Matthew Ruffell
Department of Computer Science and Software Engineering
University of Canterbury
Abstract
Finding vulnerabilities in software is a difficult task, typically undertaken by experts. Developers rarely have
the specialised knowledge needed to find complex vulnerabilities in their products before release. Automating
vulnerability discovery and proof-of-concept exploit generation is key to enabling developers to check for and
fix vulnerabilities during the development process. Research in this field currently targets software written
for general-purpose computers. Embedded systems occupy a significant portion of the market, yet lack the security
features typically found on general-purpose computers. In this report, we implement automatic exploit generation
for embedded system firmware by extending Avatar, an existing dynamic analysis framework. We discuss several
techniques for discovering vulnerabilities and generating exploits, and evaluate our solution by generating
exploits for three vulnerable firmware images written for a popular ARM Cortex-M3 microcontroller.