Karonte
Karonte is a static analysis tool to detect multi-binary vulnerabilities in embedded firmware.
The master
branch provides the latest version of Karonte, ported to python3. For the original implementation and experiments presented in our paper, please checkout the IEEE-SP-20
branch and have a look at our docker container.
Overview
Research paper
We present our approach and the findings of this work in the following research paper:
KARONTE: Detecting Insecure Multi-binary Interactions in Embedded Firmware
[PDF]
Nilo Redini, Aravind Machiry, Ruoyu Wang, Chad Spensky, Andrea Continella, Yan Shoshitaishvili, Christopher Kruegel, Giovanni Vigna.
In Proceedings of the IEEE Symposium on Security & Privacy (S&P), May 2020
If you use Karonte in a scientific publication, we would appreciate citations using this Bibtex entry:
@inproceedings{redini_karonte_20,
author = {Nilo Redini and Aravind Machiry and Ruoyu Wang and Chad Spensky and Andrea Continella and Yan Shoshitaishvili and Christopher Kruegel and Giovanni Vigna},
booktitle = {In Proceedings of the IEEE Symposium on Security & Privacy (S&P)},
month = {May},
title = {KARONTE: Detecting Insecure Multi-binary Interactions in Embedded Firmware},
year = {2020}
}
Repository Structure
There are four main directories:
- tool: Karonte python files
- firmware: Karonte firmware dataset
- configs: configuration files to analyze the firmware samples in the dataset
- eval: scripts to run the various evaluations on Karonte
- karonte-viz: script to visualize the results produced by Karonte
Run Karonte
To run karonte, from the root directory, just run
SYNOPSIS Â Â Â Â Â python tool/karonte.py JSON_CONFIG_FILE [LOG_NAME]
DESCRIPTION Â Â Â Â Â runs karonte on the firmware sample represented by the JSON_CONFIG_FILE, and save the results in LOG_NAME
EXAMPLE      python tool/karonte.py config/NETGEAR/r_7800.json      It runs karonte on the R7800 NETGEAR firmware
By default, results are saved in /tmp/ with the suffix Karonte.txt.
To inspect the generated alerts, just run:
     python tool/pretty_print.py LOG_NAME
Dataset
You can obtain the dataset that we used to evaluate Karonte at this link.