Brussels / 3 & 4 February 2024


CONFEDSS: Concolic execution and the puzzling practice of peripheral emulation

One of the tasks of the device forensics team at the Netherlands Forensic Institute is the reverse engineering of software and hardware devices for the judicial system. This task spans many different abstraction levels in the IT ecosystem, from network protocols to filesystems, encryption algorithms, and so on. One very active topic of research is the reverse engineering of low-level firmware, which proves to be quite a bit more difficult than many others on the list.

One of the big challenges in the reverse engineering of low-level firmware is the lack of hardware abstractions and known interfaces (e.g. syscall interfaces and libraries with known exported functions). Furthermore, this type of firmware is oftentimes found in on-die ROM, which provides a good incentive to keep its size small, as this type of memory can be expensive. This usually means there is not a lot of space for (debug) strings either.

These factors make static reverse engineering quite a tough challenge, which in turn makes dynamic reversing more attractive. However, this is not an easy task either: the lack of hardware abstractions and the presence of memory-mapped peripherals make emulation no small feat. Outside of some OSINT and cross-referencing, the best one can do is guess at the workings of these unknown peripherals. But is there a smarter way of guessing?

In this talk, we present CONFEDSS, a project for Concolic Firmware Emulation using Dynamic State Selection. This project aims to make it easier for reverse engineers to dynamically reverse low-level firmware by emulating it and using dynamic state selection as an approach to peripheral simulation. We will give a detailed insight into the problems usually encountered with low-level emulation and show its workings with a live demo, which will hopefully inspire you to use it the next time you want to emulate some BIOS logic for exotic hardware or find where that weird driver quirk comes from.
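To make the idea of "smarter guessing" concrete, here is an added toy sketch (not CONFEDSS code, and not a description of its internals) of a tiny emulator running a constructed busy-wait loop on an unknown memory-mapped status register: instead of picking one value for the unknown read, it forks the execution state on every branch that depends on that read and lets a selection heuristic favour the state that reaches unexecuted code. The toy instruction set, the register addresses and the "new code first" heuristic are all assumptions made for this illustration.

```python
from collections import deque
from dataclasses import dataclass, field

STATUS, DATA = 0x40000000, 0x40000004   # hypothetical peripheral registers (assumed)

# Constructed toy firmware: busy-wait on STATUS bit 0 (READY), then read DATA.
FIRMWARE = [
    ("ld", "r0", STATUS),      # 0: r0 = *STATUS
    ("and", "r0", "r0", 1),    # 1: r0 &= READY
    ("bz", "r0", 0),           # 2: if r0 == 0 goto 0
    ("ld", "r1", DATA),        # 3: r1 = *DATA
    ("halt",),                 # 4
]

@dataclass
class State:
    pc: int = 0
    regs: dict = field(default_factory=dict)
    guesses: list = field(default_factory=list)  # (pc, outcome) chosen at each fork
    seen: frozenset = frozenset()                 # pcs already executed on this path

def run(firmware, mem, budget=100):
    """Return the first halting state, or None when the step budget runs out.
    mem maps known addresses; any other load is an unknown peripheral read -> None."""
    work = deque([State()])

    def enqueue(st):  # dynamic state selection: unexecuted code first, revisits last
        (work.appendleft if st.pc not in st.seen else work.append)(st)

    while work and budget > 0:
        budget -= 1
        s = work.popleft()
        op, seen = firmware[s.pc], s.seen | {s.pc}
        if op[0] == "halt":
            return s
        if op[0] == "ld":
            s.regs[op[1]] = mem.get(op[2])
        elif op[0] == "and":                      # unknown-ness propagates through the ALU
            v = s.regs[op[2]]
            s.regs[op[1]] = None if v is None else v & op[3]
        elif op[0] == "bz" and s.regs[op[1]] is None:
            # Fork instead of guessing one value: one successor assumes the
            # peripheral made the value zero (branch taken), the other non-zero.
            for nxt, outcome in ((op[2], "zero"), (s.pc + 1, "nonzero")):
                enqueue(State(nxt, dict(s.regs), s.guesses + [(s.pc, outcome)], seen))
            continue
        taken = op[0] == "bz" and s.regs[op[1]] == 0  # fully concrete branch: no fork
        s.pc, s.seen = (op[2] if taken else s.pc + 1), seen
        enqueue(s)
    return None
```

With an empty memory map the forked state that assumes the peripheral reported READY halts after a handful of steps, while a single concrete guess of 0 for STATUS spins until the budget is exhausted.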


Jeffrey Rongen
Luke Serné