TY - GEN
T1 - Reverse engineering and retrofitting robotic aerial vehicle control firmware using dispatch
AU - Kim, Taegyu
AU - Ding, Aolin
AU - Etigowni, Sriharsha
AU - Sun, Pengfei
AU - Chen, Jizhou
AU - Garcia, Luis
AU - Zonouz, Saman
AU - Xu, Dongyan
AU - Tian, Dave Jing
N1 - Publisher Copyright:
© 2022 ACM.
PY - 2022/6/27
Y1 - 2022/6/27
N2 - Unmanned Aerial Vehicles as a service (UAVaaS) has increased the field deployment of Robotic Aerial Vehicles (RAVs) for different services such as transportation and terrain exploration. These RAVs are controlled by firmware, which is often closed-source, developed by vendors, and flashed into the ROM. While these binary blobs enable off-the-shelf management of RAVs, end users (individuals or organizations) have no idea if the control firmware is designed and implemented correctly, and can only rely on firmware updates from vendors when any vulnerability is discovered. This paper proposes DisPatch, the first reverse engineering and patching framework for understanding and improving controller design and implementation within RAV firmware. DisPatch first decompiles binary instructions and recovers controller functions and core controller variables by combining control theory with program analysis using symbolic execution and data flow analysis. End users can then write a patch in a domain-specific language (DSL), which will be translated and injected into the binary firmware by DisPatch automatically. We have applied DisPatch to two instances of commodity firmware from 3DR IRIS+ and MantisQ RAVs and demonstrated 100% and 80.7% accuracy respectively in the controller decompilation. We have also shown the ability to prevent severe controller performance degradation by patching two real-world bugs within the firmware and without breaking other functionality. Finally, we show that DisPatch introduces less than 0.53% of space overhead and 1.48% of runtime overhead without violating the soft real-time deadlines. DisPatch provides the first step towards an RAV binary firmware reverse engineering and patching system to customize controller design and implementation.
AB - Unmanned Aerial Vehicles as a service (UAVaaS) has increased the field deployment of Robotic Aerial Vehicles (RAVs) for different services such as transportation and terrain exploration. These RAVs are controlled by firmware, which is often closed-source, developed by vendors, and flashed into the ROM. While these binary blobs enable off-the-shelf management of RAVs, end users (individuals or organizations) have no idea if the control firmware is designed and implemented correctly, and can only rely on firmware updates from vendors when any vulnerability is discovered. This paper proposes DisPatch, the first reverse engineering and patching framework for understanding and improving controller design and implementation within RAV firmware. DisPatch first decompiles binary instructions and recovers controller functions and core controller variables by combining control theory with program analysis using symbolic execution and data flow analysis. End users can then write a patch in a domain-specific language (DSL), which will be translated and injected into the binary firmware by DisPatch automatically. We have applied DisPatch to two instances of commodity firmware from 3DR IRIS+ and MantisQ RAVs and demonstrated 100% and 80.7% accuracy respectively in the controller decompilation. We have also shown the ability to prevent severe controller performance degradation by patching two real-world bugs within the firmware and without breaking other functionality. Finally, we show that DisPatch introduces less than 0.53% of space overhead and 1.48% of runtime overhead without violating the soft real-time deadlines. DisPatch provides the first step towards an RAV binary firmware reverse engineering and patching system to customize controller design and implementation.
UR - http://www.scopus.com/inward/record.url?scp=85134048240&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85134048240&partnerID=8YFLogxK
U2 - 10.1145/3498361.3538938
DO - 10.1145/3498361.3538938
M3 - Conference contribution
AN - SCOPUS:85134048240
T3 - MobiSys 2022 - Proceedings of the 2022 20th Annual International Conference on Mobile Systems, Applications and Services
SP - 69
EP - 83
BT - MobiSys 2022 - Proceedings of the 2022 20th Annual International Conference on Mobile Systems, Applications and Services
PB - Association for Computing Machinery, Inc
T2 - 20th ACM International Conference on Mobile Systems, Applications and Services, MobiSys 2022
Y2 - 27 June 2022 through 1 July 2022
ER -