Ground Truth: 18 vendors, 6000 firmware images, 2.7 million binaries, and a flaw in the Linux/MIPS stack

We present data on recent work conducted at CITL concerning embedded devices, IoT, and home routers. This data, generated from an analysis of over 6000 firmware images from 18 vendors (over 2.7 million binaries total), shows:

  • Over the lifetime of a single product, it is more common for a vendor to regress software hardening features than add new ones;
  • All major vendors failed to apply the most basic hardening uniformly;
  • Images built for newer architectures tend to have more hardening than images built for older architectures;
  • However, comparing firmware released in 2012 to 2018, while many hardening protections became enabled, ASLR was lower across the board;
  • The data also reveals a disturbing trend: the consistent presence of executable stacks in binaries from Linux/MIPS firmware. We discuss our investigation of this phenomenon, how an old flaw in Linux's support for the MIPS FPU specification has resulted in a universal DEP bypass, and how subsequent attempts to fix it have resulted in the recent addition of a universal ASLR bypass.
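
As an added illustration (this is not CITL's tooling), the kind of per-binary check such a survey rests on: parse an ELF's program headers and report whether PT_GNU_STACK marks the stack executable, and whether the file is position-independent (ET_DYN), the prerequisite for ASLR of the main image. The sample ELFs are constructed inline; because what a kernel does when PT_GNU_STACK is absent depends on the architecture and kernel version, that case is reported separately rather than assumed either way.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header type carrying the stack RWX policy
PF_X, ET_EXEC, ET_DYN, EM_MIPS, EM_X86_64 = 0x1, 2, 3, 8, 62

def hardening_report(data: bytes) -> dict:
    """Return stack policy and PIE status from an ELF's header and program headers."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64, end = data[4] == 2, "<" if data[5] == 1 else ">"
    e_type, e_machine = struct.unpack_from(end + "HH", data, 16)
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    gnu_stack = "missing"  # no PT_GNU_STACK: the kernel default decides, so flag it
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", data, off)
        # p_flags follows p_type in ELF64 but sits at offset 24 in ELF32
        (p_flags,) = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
        if p_type == PT_GNU_STACK:
            gnu_stack = "exec" if p_flags & PF_X else "noexec"
    return {"machine": e_machine, "pie": e_type == ET_DYN, "gnu_stack": gnu_stack}

def build_elf(is64, little, e_type, e_machine, stack_flags=None) -> bytes:
    """Constructed minimal ELF (header plus one optional PT_GNU_STACK entry) for testing."""
    end = "<" if little else ">"
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 1 if little else 2, 1]) + b"\x00" * 9
    phnum = 0 if stack_flags is None else 1
    if is64:
        hdr = struct.pack(end + "HHIQQQIHHHHHH", e_type, e_machine, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
        ph = struct.pack(end + "IIQQQQQQ", PT_GNU_STACK, stack_flags or 0, 0, 0, 0, 0, 0, 16)
    else:
        hdr = struct.pack(end + "HHIIIIIHHHHHH", e_type, e_machine, 1, 0, 52, 0, 0, 52, 32, phnum, 40, 0, 0)
        ph = struct.pack(end + "IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags or 0, 16)
    return ident + hdr + (ph if phnum else b"")

# Constructed stand-ins for firmware binaries: a big-endian MIPS32 executable with an
# RWX stack, an x86-64 PIE with a non-executable stack, and a MIPS binary lacking the header.
SAMPLES = {
    "mips_rwx": build_elf(False, False, ET_EXEC, EM_MIPS, 0x7),
    "x86_64_pie": build_elf(True, True, ET_DYN, EM_X86_64, 0x6),
    "mips_nohdr": build_elf(False, False, ET_EXEC, EM_MIPS),
}

def summarize(samples: dict) -> dict:
    """Corpus-level counts of the kind a firmware survey reports."""
    reports = [hardening_report(b) for b in samples.values()]
    return {"exec_stack": sum(r["gnu_stack"] == "exec" for r in reports),
            "missing_stack_hdr": sum(r["gnu_stack"] == "missing" for r in reports),
            "pie": sum(r["pie"] for r in reports)}
```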

Lastly, we remark on the utility of large empirical studies in assessing the overall state of security, a topic often discussed but rarely backed by data.
