Abstract
Microcontroller-based embedded devices (MCUs) are integral to systems requiring high reliability and security, such as industrial control systems and medical devices. Their use has expanded with the rise of IoT technologies in consumer products, making the security of MCU firmware increasingly critical. However, securing MCU firmware presents unique challenges due to the limited resources and performance constraints compared to high-end microprocessors. Many dynamic testing techniques are not suitable for MCU environments, and existing security methods often target more advanced operating systems.
This dissertation introduces three works aimed at improving MCU firmware security in two areas: (1) software analysis to eliminate bugs during development, and (2) threat mitigation to reduce attack risks. It also addresses the challenges of applying these techniques to resource-constrained MCU systems.
First, we present IPEA, a decoupled, PC-assisted software testing framework that enhances MCU firmware fuzzing. By offloading resource-intensive analysis tasks to a development PC, IPEA uses lightweight “needle probes” in the firmware to gather execution data without processing it. Implementing this framework with a pointer capability-based sanitizer (IPEA-San) and greybox fuzzer (IPEA-Fuzz), we reduced memory overhead by 62.75% and identified seven zero-day vulnerabilities, including in popular IoT libraries and peripheral drivers.
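To make the decoupling idea concrete, the following is an added illustration (hypothetical code written for this page, not IPEA's implementation): the firmware-side probe only appends fixed-size events to a trace buffer, and a separate analysis routine, standing in for the development PC, replays the trace to rebuild a table of pointer capabilities and flag out-of-bounds, use-after-free, and unknown-capability accesses. Event layout, capability ids, and the sample trace are all constructed assumptions.

```c
/* Illustration of a decoupled "needle probe" sanitizer (hypothetical, not IPEA's code).
 * Firmware side: probe_record() appends raw events with constant cost and no checking.
 * Host side: host_analyze() replays the trace and does all the bounds reasoning. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TRACE_CAP 64
#define MAX_CAPS  16

typedef enum { EV_ALLOC = 1, EV_ACCESS = 2, EV_FREE = 3 } ev_kind_t;

typedef struct {
    uint8_t  kind;      /* ev_kind_t */
    uint8_t  _pad[3];
    uint32_t id;        /* capability (allocation) id the pointer carries */
    uint32_t addr;      /* allocation base or accessed address */
    uint32_t len;       /* allocation size or access width in bytes */
} probe_event_t;

typedef struct {
    probe_event_t ev[TRACE_CAP];
    size_t n;
    size_t dropped;     /* events lost when the buffer is full (host must know) */
} trace_buf_t;

/* Firmware side: record and return; nothing is interpreted on the MCU. */
int probe_record(trace_buf_t *t, ev_kind_t k, uint32_t id, uint32_t addr, uint32_t len) {
    if (t->n >= TRACE_CAP) { t->dropped++; return -1; }
    probe_event_t *e = &t->ev[t->n++];
    e->kind = (uint8_t)k; e->id = id; e->addr = addr; e->len = len;
    return 0;
}

typedef struct { uint32_t id, base, size; int live; } cap_t;
typedef struct { size_t oob, uaf, unknown; } verdict_t;

/* Host side: rebuild the capability table from the trace and count violations. */
verdict_t host_analyze(const trace_buf_t *t) {
    cap_t caps[MAX_CAPS]; size_t ncaps = 0;
    verdict_t v = {0, 0, 0};
    for (size_t i = 0; i < t->n; i++) {
        const probe_event_t *e = &t->ev[i];
        cap_t *c = NULL;
        for (size_t j = 0; j < ncaps; j++)
            if (caps[j].id == e->id) { c = &caps[j]; break; }
        switch (e->kind) {
        case EV_ALLOC:
            if (ncaps < MAX_CAPS) { cap_t nc = {e->id, e->addr, e->len, 1}; caps[ncaps++] = nc; }
            break;
        case EV_FREE:
            if (c) c->live = 0; else v.unknown++;
            break;
        case EV_ACCESS:
            if (!c)       { v.unknown++; break; }
            if (!c->live) { v.uaf++;     break; }
            /* [addr, addr+len) must lie inside [base, base+size); written without overflow */
            if (e->addr < c->base || e->len > c->size || e->addr - c->base > c->size - e->len)
                v.oob++;
            break;
        default:
            v.unknown++;
        }
    }
    return v;
}

/* Constructed trace: one 16-byte allocation, a valid access, an 8-byte access
 * starting at offset 12 (overflows by 4), a free, a use-after-free, and an
 * access through an id the host never saw allocated. */
verdict_t run_demo(void) {
    trace_buf_t t = {{{0}}, 0, 0};
    probe_record(&t, EV_ALLOC,  1, 0x20000000u, 16);
    probe_record(&t, EV_ACCESS, 1, 0x20000000u, 4);
    probe_record(&t, EV_ACCESS, 1, 0x2000000Cu, 8);
    probe_record(&t, EV_FREE,   1, 0x20000000u, 0);
    probe_record(&t, EV_ACCESS, 1, 0x20000000u, 1);
    probe_record(&t, EV_ACCESS, 9, 0x20000100u, 4);
    return host_analyze(&t);
}

/* Fill the buffer to show the firmware side fails closed by counting drops. */
size_t fill_until_drop(void) {
    trace_buf_t t = {{{0}}, 0, 0};
    for (int i = 0; i < TRACE_CAP + 3; i++) probe_record(&t, EV_ACCESS, 1, 0, 1);
    return t.dropped;
}

int main(void) {
    verdict_t v = run_demo();
    printf("oob=%zu uaf=%zu unknown=%zu dropped-when-full=%zu\n",
           v.oob, v.uaf, v.unknown, fill_until_drop());
    return 0;
}
```

The point of the split is that the probe's cost does not depend on how much analysis the host performs, and the `dropped` counter lets the host distinguish a clean trace from one it cannot trust because events were lost.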
Next, we propose µPFuzz, an improved fuzzing framework for interconnected MCU systems. Unlike traditional fuzzers, µPFuzz injects faults into peer firmware to generate abnormal yet protocol-compliant inputs. This approach is effective for fuzzing firmware requiring structured input formats.
Finally, we introduce HARM, a hardware-assisted system for continuous code re-randomization on ARM MCUs, designed to counter code reuse attacks like ROP and JIT-ROP. HARM leverages TrustZone for secure randomization, making it broadly applicable to both bare-metal and RTOS-powered firmware. Our evaluation shows that HARM effectively mitigates code reuse attacks while incurring minimal performance and energy overhead.