ucsb-seclab/karonte

Stars
383
Rank 111,321 (Top 3 %)
Language
Python
License
BSD 2-Clause "Sim...
Created almost 5 years ago
Updated about 3 years ago

ucsb-seclab/karonte

ucsb-seclab

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Karonte is a static analysis tool to detect multi-binary vulnerabilities in embedded firmware

Karonte

Karonte is a static analysis tool to detect multi-binary vulnerabilities in embedded firmware.

The master branch provides the latest version of Karonte, ported to python3. For the original implementation and experiments presented in our paper, please checkout the IEEE-SP-20 branch and have a look at our docker container.

Overview

Research paper

We present our approach and the findings of this work in the following research paper:

KARONTE: Detecting Insecure Multi-binary Interactions in Embedded Firmware [PDF]
Nilo Redini, Aravind Machiry, Ruoyu Wang, Chad Spensky, Andrea Continella, Yan Shoshitaishvili, Christopher Kruegel, Giovanni Vigna.
In Proceedings of the IEEE Symposium on Security & Privacy (S&P), May 2020

If you use Karonte in a scientific publication, we would appreciate citations using this Bibtex entry:

@inproceedings{redini_karonte_20,
 author    = {Nilo Redini and Aravind Machiry and Ruoyu Wang and Chad Spensky and Andrea Continella and Yan Shoshitaishvili and Christopher Kruegel and Giovanni Vigna},
 booktitle = {In Proceedings of the IEEE Symposium on Security & Privacy (S&P)},
 month     = {May},
 title     = {KARONTE: Detecting Insecure Multi-binary Interactions in Embedded Firmware},
 year      = {2020}
}

Repository Structure

There are four main directories:

tool: Karonte python files
firmware: Karonte firmware dataset
configs: configuration files to analyze the firmware samples in the dataset
eval: scripts to run the various evaluations on Karonte
karonte-viz: script to visualize the results produced by Karonte

Run Karonte

To run karonte, from the root directory, just run

SYNOPSIS       python tool/karonte.py JSON_CONFIG_FILE [LOG_NAME]

DESCRIPTION      runs karonte on the firmware sample represented by the JSON_CONFIG_FILE, and save the results in LOG_NAME

EXAMPLE      python tool/karonte.py config/NETGEAR/r_7800.json      It runs karonte on the R7800 NETGEAR firmware

By default, results are saved in /tmp/ with the suffix Karonte.txt.

To inspect the generated alerts, just run:

python tool/pretty_print.py LOG_NAME

Dataset

You can obtain the dataset that we used to evaluate Karonte at this link.

BootStomp

BootStomp: a bootloader vulnerability finder

difuze

Fuzzer for Linux Kernel Drivers

dr_checker

DR.CHECKER : A Soundy Vulnerability Detection Tool for Linux Kernel Drivers

leakless

Function redirection via ELF tricks.

hal-fuzz

Source code of HAL-fuzz

baredroid

packware

Effects of packers on machine-learning-based malware classifiers that use only static analysis

pretender

Automatic modeling of hardware to enable the rehosting of embedded firmware

greed

A symbolic execution engine for EVM smart contract binaries.

agrigento

Agrigento is a tool to identify privacy leaks in Android apps by performing black-box differential analysis on the network traffic.

monolithic-firmware-collection

Repository for monolithic firmware blobs

goldphish

Arbitrage bot for the Ethereum blockchain

popkorn-artifact

boomerang

Exploiting the Semantic Gap in Trusted Execution Environments

sailfish

Data and code for the IEEE S&P'22 paper SAILFISH: Vetting Smart Contract State-Inconsistency Bugs in Seconds

heapster

Identify and test the security of dynamic memory allocators in monolithic firmware images

diane

DiAne is a smart fuzzer for IoT devices

sasi

Signedness-Agnostic Strided-Interval

actor

Source code for ACTOR, an action-guided kernel fuzzer (USENIX 2023 paper)

android_ui_deception

Source code for our "What the App is That? Deception and Countermeasures in the Android User Interface" paper

android_broken_fingers

BullseyePoison

Bullseye Polytope Clean-Label Poisoning Attack

autofacts

Towards Automatically Generating a Sound and Complete Dataset for Evaluating Static Analysis Tools

syml

symbexcel

Neurlux

Code from the paper: Neurlux: Dynamic Malware Analysis Without Feature Engineering

nft-security-study

Code and data of the CCS '22 paper titled "Understanding Security Issues in the NFT Ecosystem"

LoopMC

All code related to the LoopMC paper

chainreactor

ictf-service-samples

Sample services for the 2015 iCTF

regulator-dynamic

shimware

turi

DeepCASE-Dataset

bran

trust.io

A method for automatically protecting the physical interfaces on cyber-physical systems using TrustZone.

hacrs

The human-assisted cyber reasoning system

jackal

Confusum Contractum: Confused Deputy Vulnerabilities in Ethereum Smart Contracts

DeepCASE

iCTF23

An educational CTF centered about the concept of AI and Cybersecurity

conware

Framework for automatically modeling hardware peripherals.

android_device_public

columbus

Source code for Columbus (ICSE 2023 paper)

VenoMave

crush

SECrow

Sources ad Guide for Secure Crowdsourced Location Tracking System paper.

slither-sailfish

Modified Slither for Sailfish

glitch_resistor

cs177-ctfd-oracle-challenges

Plugin for CTFd to manage oracle challenges

invisible-code

heapster-dataset-metadata

Collection of metadata for the firmware images used in Heapster

GUIDE-ENRICHER