
Avatar

Dynamic firmware analysis



Intro

Deprecation notice! Avatar is not supported or developed anymore; its successor, Avatar², is much better. The Avatar² main page and code are currently on GitHub.
Avatar is an event-based arbitration framework that orchestrates the communication between an emulator and a target physical device. Avatar's goal is to enable complex dynamic analysis of embedded firmware in order to assist in a wide range of security-related activities including (but not limited to) reverse engineering, malware analysis, vulnerability discovery, vulnerability assessment, backtrace acquisition and root-cause analysis of known test cases.

The analysis environment consists of several components:

  • Avatar: a Python framework that orchestrates firmware execution and analysis.
  • A communication interface to the target device, for example OpenOCD (if JTAG is available) or our in-memory stub for constrained scenarios.
  • S²E: a symbolic execution and analysis framework based on KLEE and Qemu.

This modular architecture lets Avatar perform dynamic analysis of firmware behaviour, such as recording and sandboxing memory accesses, performing live migration of subroutines, symbolically executing specific portions of code, and detecting vulnerabilities.
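The arbitration idea described above, as an added toy illustration (not Avatar's own API): an emulator-side memory access is routed by address range either to local emulated RAM or to the physical target, and every access is recorded. The FakeTargetDevice, the address ranges and the register values are constructed for this example.

```python
# Added illustration of Avatar-style memory forwarding; not Avatar's own code.
from dataclasses import dataclass, field

@dataclass
class FakeTargetDevice:
    """Stands in for the physical board reached via OpenOCD/JTAG (constructed stub)."""
    mmio: dict = field(default_factory=dict)

    def read(self, addr, size):
        # Unmapped registers return a recognisable filler value (constructed)
        return self.mmio.get(addr, 0xDEADBEEF) & ((1 << (8 * size)) - 1)

    def write(self, addr, size, value):
        self.mmio[addr] = value & ((1 << (8 * size)) - 1)

class Arbiter:
    """Routes emulator memory accesses: forwarded ranges go to the device,
    everything else to local emulated RAM. Every access is traced."""
    def __init__(self, target, forwarded_ranges):
        self.target = target
        self.ranges = forwarded_ranges      # list of (start, end), half-open
        self.ram = {}                       # emulated memory, word-keyed
        self.trace = []                     # (op, addr, size, value, where)

    def _forwarded(self, addr):
        return any(lo <= addr < hi for lo, hi in self.ranges)

    def read(self, addr, size=4):
        if self._forwarded(addr):
            value, where = self.target.read(addr, size), "target"
        else:
            value, where = self.ram.get(addr, 0), "emulator"
        self.trace.append(("r", addr, size, value, where))
        return value

    def write(self, addr, value, size=4):
        if self._forwarded(addr):
            self.target.write(addr, size, value)
            where = "target"
        else:
            self.ram[addr] = value
            where = "emulator"
        self.trace.append(("w", addr, size, value, where))

def demo():
    # Constructed layout: RAM at 0x20000000, peripheral block at 0x40000000
    dev = FakeTargetDevice({0x40000004: 0x1})            # e.g. a status register
    arb = Arbiter(dev, forwarded_ranges=[(0x40000000, 0x40010000)])
    arb.write(0x20000000, 0x41)                          # stays in emulated RAM
    status = arb.read(0x40000004)                        # forwarded to the device
    arb.write(0x40000008, 0xAB, size=1)                  # forwarded byte write
    return status, arb.ram[0x20000000], dev.mmio[0x40000008], [t[-1] for t in arb.trace]
```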

Avatar's capabilities have been demonstrated by performing symbolic execution and vulnerability analysis of several devices, including a hard-disk controller, a GSM feature phone and a wireless sensor node.

Features List

  • Analysis orchestration via Python 3
  • Pristine firmware analysis
  • Fully-customizable ARM virtual machines
  • Memory and memory-mapped I/O forwarding
  • Subroutine migration
  • Selective symbolic execution of ARM binaries
  • Symbolic annotations in Lua
  • IDAPro trace generation
  • Porting S²E to an up-to-date QEMU version
  • Control-flow visualization
  • Docker-based install
  • Vagrant-based install
  • Data structure recovery

We are actively looking for people to work on this project with us. Different options are possible (collaboration, internship, visit, post-doc, job...). If you are interested drop an email to aurelien.francillon@eurecom.fr.

Architecture overview



Publications

Avatar: A Framework to Support Dynamic Security Analysis of Embedded Systems' Firmwares
Jonas Zaddach, Luca Bruno, Aurelien Francillon, Davide Balzarotti
21st Network and Distributed System Security Symposium (NDSS), San Diego (USA), February 2014 (acceptance rate: 18.6%)
PDF Avatar BibTeX
PIE: Parser Identification in Embedded Systems
Lucian Cojocar, Jonas Zaddach, Roel Verdult, Herbert Bos, Aurelien Francillon, Davide Balzarotti
Annual Computer Security Applications Conference (ACSAC)

Download and Installation

You can find our code on GitHub:


Below is the detailed procedure to install all Avatar components on a 64-bit Debian-based system:

S²E

This is the same procedure recommended here by S²E upstream authors.

Please note that 32-bit hosts are NOT supported by S²E, and we additionally recommend using an amd64 Debian Wheezy.

# Install all build-dependencies
sudo apt-get build-dep qemu llvm
sudo apt-get install build-essential flex subversion git gettext liblua5.1-dev libsdl1.2-dev libsigc++-2.0-dev binutils-dev python-docutils python-pygments nasm bison

# Get the source code from github
git clone https://github.com/eurecom-s3/s2e.git

# Build out-of-tree
mkdir build
cd build
make -f ../s2e/Makefile

# This will take some time to build...

Avatar

# Install Python3 and dependencies
sudo apt-get install python3 python3-pip

# Install Avatar module from github
sudo pip-3.2 install git+https://github.com/eurecom-s3/avatar-python.git#egg=avatar

Openocd (optional)

# Install all build-dependencies
sudo apt-get build-dep openocd

# Get the source code from github
git clone git://git.code.sf.net/p/openocd/code
cd openocd
git submodule init
git submodule update

# Configure OpenOCD (make sure to enable the driver for your adapter)
autoreconf -i
./configure

# Build and install
make -j
sudo make install

News

Deprecation notice! Avatar is dead, long live Avatar²: check out Avatar² on GitHub
The Eurecom S3 group will present the Avatar paper at NDSS 2014, on February 24th morning in San Diego (USA).
Jonas Zaddach will present the Avatar project at EPFL, on January 24th afternoon in Lausanne (CH).
Luca Bruno will present the Avatar project at FOSDEM, on February 2nd morning in Bruxelles (BE) - PDF slides.

Avatar?

Originating in Hinduism, the term avatar is mostly translated as "incarnation" or "appearance". Drawing from this, a homonymous 2009 movie took the same concept to depict a sci-fi scenario where an "Avatar Program" enables humans to explore a remote and hostile alien planet called Pandora without endangering human life, by connecting their minds to an Avatar body (that of the local alien indigenous people).

A reconnaissance marine in an Avatar body... that's a potent mix!
Gives me the goosebumps!

Avatar, 2009

For more information visit the Wikipedia page. The image in this homepage is "Pandora" by azeemb, licensed under CC BY-NC 3.0.

Authors

Avatar has been developed by Jonas Zaddach and Luca Bruno at EURECOM, under the supervision of Aurelien Francillon and Davide Balzarotti.

Contact

Feel free to contact @jzaddach or @lucabruno on Twitter or zaddach [at] eurecom d0t fr for longer questions.

Other people using Avatar

Applying Bytecode Level Automatic Exploit Generation to Embedded Systems
Matthew Ruffell
Honours Report, Christchurch, New Zealand: University of Canterbury, October 16, 2015
PDF