/karonte

Karonte is a static analysis tool to detect multi-binary vulnerabilities in embedded firmware

Primary LanguagePythonBSD 2-Clause "Simplified" LicenseBSD-2-Clause

Karonte

License

Karonte is a static analysis tool to detect multi-binary vulnerabilities in embedded firmware.

The master branch provides the latest version of Karonte, ported to python3. For the original implementation and experiments presented in our paper, please checkout the IEEE-SP-20 branch and have a look at our docker container.

Overview

Research paper

We present our approach and the findings of this work in the following research paper:

KARONTE: Detecting Insecure Multi-binary Interactions in Embedded Firmware [PDF]
Nilo Redini, Aravind Machiry, Ruoyu Wang, Chad Spensky, Andrea Continella, Yan Shoshitaishvili, Christopher Kruegel, Giovanni Vigna.
In Proceedings of the IEEE Symposium on Security & Privacy (S&P), May 2020

If you use Karonte in a scientific publication, we would appreciate citations using this Bibtex entry:

@inproceedings{redini_karonte_20,
 author    = {Nilo Redini and Aravind Machiry and Ruoyu Wang and Chad Spensky and Andrea Continella and Yan Shoshitaishvili and Christopher Kruegel and Giovanni Vigna},
 booktitle = {In Proceedings of the IEEE Symposium on Security & Privacy (S&P)},
 month     = {May},
 title     = {KARONTE: Detecting Insecure Multi-binary Interactions in Embedded Firmware},
 year      = {2020}
}

Repository Structure

There are four main directories:

  • tool: Karonte python files
  • firmware: Karonte firmware dataset
  • configs: configuration files to analyze the firmware samples in the dataset
  • eval: scripts to run the various evaluations on Karonte
  • karonte-viz: script to visualize the results produced by Karonte

Run Karonte

To run karonte, from the root directory, just run

SYNOPSIS       python tool/karonte.py JSON_CONFIG_FILE [LOG_NAME]

DESCRIPTION      runs karonte on the firmware sample represented by the JSON_CONFIG_FILE, and save the results in LOG_NAME

EXAMPLE      python tool/karonte.py config/NETGEAR/r_7800.json      It runs karonte on the R7800 NETGEAR firmware

By default, results are saved in /tmp/ with the suffix Karonte.txt.

To inspect the generated alerts, just run:

      python tool/pretty_print.py LOG_NAME

Dataset

You can obtain the dataset that we used to evaluate Karonte at this link.