Analyzing the security of closed-source drivers and libraries in embedded systems holds significant importance, given their fundamental role in the supply chain. Unlike x86, embedded platforms lack comprehensive binary manipulation tools, making it difficult for researchers and developers to effectively detect and patch security issues in such closed-source components. Existing works either depend on full-fledged operating system features or suffer from tedious corner cases, restricting their application to the bare-metal firmware prevalent in embedded environments. In this paper, we present PIFER (Practical Instrumenting Framework for Embedded fiRmware), which enables general and fine-grained static binary instrumentation for embedded bare-metal firmware. By abusing the built-in hardware exception-handling mechanism of embedded processors, PIFER can perform instrumentation at arbitrary target addresses. Additionally, we propose an instruction translation-based scheme to guarantee the correct execution of the original firmware after patching. We evaluate PIFER against real-world, complex firmware, including Zephyr RTOS, the CoreMark benchmark, and a closed-source commercial product. The results indicate that PIFER correctly instrumented 98.9% of the instructions. Further, a comprehensive performance evaluation was conducted, demonstrating the practicality and efficiency of our work.
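As an added illustration that is not PIFER's code (the abstract reproduces none), the hypothetical Python model below shows the two ideas the abstract describes: an instrumented address is overwritten with a trapping opcode, the exception handler runs the hook and then replays the displaced original instruction out of place, and PC-relative instructions must be translated to absolute form before replay or they compute the wrong address. The toy ISA, the `HANDLER_PC` value, the firmware and the data word are all constructed.

```python
class CPU:
    """Hypothetical toy CPU modelling trap-based instrumentation (not PIFER's code)."""
    HANDLER_PC = 0x200  # constructed: where a replayed instruction executes out of place
    def __init__(self, code, mem, translate=True):
        self.code, self.mem, self.translate = list(code), dict(mem), translate
        self.regs, self.hooks, self.trace = {"r0": 0, "r1": 0, "r2": 0}, {}, []

    def instrument(self, addr, hook):
        """Swap the instruction at addr for a trap; remember the original for replay."""
        self.hooks[len(self.hooks)] = (addr, self.code[addr], hook)
        self.code[addr] = ("TRAP", len(self.hooks) - 1)

    @staticmethod
    def to_absolute(insn, orig_pc):
        if insn[0] == "LDR_PCREL":   # ldr rd, [pc, #off]  ->  ldr rd, [abs]
            return ("LDR_ABS", insn[1], orig_pc + insn[2])
        if insn[0] == "B_REL":       # b +off  ->  b abs
            return ("B_ABS", orig_pc + insn[1])
        return insn                  # position-independent instructions are unchanged

    def execute(self, insn, pc):
        op, r = insn[0], self.regs   # execute one instruction at pc, return the next pc
        if op == "MOV": r[insn[1]] = insn[2]
        elif op == "ADD": r[insn[1]] = r[insn[2]] + r[insn[3]]
        elif op == "LDR_ABS": r[insn[1]] = self.mem.get(insn[2], 0)
        elif op == "LDR_PCREL": r[insn[1]] = self.mem.get(pc + insn[2], 0)
        elif op == "B_ABS": return insn[1]
        elif op == "B_REL": return pc + insn[1]
        elif op == "TRAP": return self.exception(insn[1])
        return pc + 1

    def exception(self, tid):
        """Trap handler: run the hook, replay the original out of place, resume after it."""
        orig_pc, orig_insn, hook = self.hooks[tid]
        hook(self, orig_pc)
        replay = self.to_absolute(orig_insn, orig_pc) if self.translate else orig_insn
        nxt = self.execute(replay, self.HANDLER_PC)
        return nxt if replay[0].startswith("B") else orig_pc + 1

    def run(self):
        pc = 0
        while 0 <= pc < len(self.code): pc = self.execute(self.code[pc], pc)  # off the end halts
        return dict(self.regs)

FIRMWARE = [("MOV", "r0", 5), ("LDR_PCREL", "r1", 0x100), ("B_REL", 2),
            ("MOV", "r2", 99), ("ADD", "r2", "r0", "r1")]  # constructed toy firmware
DATA = {0x101: 7}  # constructed: the word read by the PC-relative load at address 1
def run_instrumented(addrs, translate=True):
    cpu = CPU(FIRMWARE, DATA, translate)
    for a in addrs:
        cpu.instrument(a, lambda c, pc: c.trace.append(pc))  # hook records each visit
    return cpu.run(), cpu.trace
```

With translation enabled the instrumented run ends in the same register state as the original firmware; with it disabled the replayed load reads the wrong word and the replayed branch jumps to the wrong target.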