BINARM: Scalable and Efficient Detection of Vulnerabilities in Firmware Images of Intelligent Electronic Devices

2018
Intelligent electronic devices (IEDs) are widely deployed in modern smart grids, so any vulnerability in IED firmware can significantly affect the security and functionality of the grid. Although general-purpose techniques exist for vulnerability detection in firmware, they usually cannot meet the specific needs of IEDs: they lack the domain knowledge specific to IED vulnerabilities, and they are often not efficient enough to handle the larger firmware images of IEDs. In this paper, we present BinArm, a scalable approach to detecting vulnerable functions in smart grid IED firmware, mainly for the ARM architecture. To this end, we build comprehensive databases of vulnerabilities and firmware that are both specific to smart grid IEDs. We then propose a multi-stage detection engine that minimizes the computational cost of function matching and addresses the scalability issue in handling large IED firmware. Specifically, the engine takes a coarse-to-fine-grained, multi-stage function matching approach: (i) it first filters out dissimilar functions based on a group of heterogeneous features; (ii) it further filters out dissimilar functions based on their execution paths; and (iii) it finally identifies candidate functions using fuzzy graph matching. Our experiments show that BinArm identifies vulnerable functions with an average accuracy of 0.92. The experimental results also show that our detection engine speeds up the existing fuzzy matching approach by three orders of magnitude. Finally, as a practical framework, BinArm successfully detects 93 real-world CVE vulnerability entries, the majority of which have been confirmed, and the detection takes as little as 0.09 s per function on average.