Emulating microcontroller firmware is challenging due to the lack of
peripheral models. Existing work infers how to respond to peripheral read
operations by analyzing the target firmware. This is problematic because the
firmware sometimes does not contain enough clues to support the emulation, or
even contains misleading information (e.g., buggy firmware). In this work, we
propose a new approach that builds peripheral models from the peripheral
specification. Using NLP, we translate peripheral behaviors described in natural
language (in chip manuals) into a set of structured condition-action rules.
By checking, executing, and chaining them at runtime, we can dynamically
synthesize a peripheral model for each firmware execution. The extracted
condition-action rules might be incomplete or even wrong. We therefore
propose incorporating symbolic execution to quickly pinpoint the root cause
when emulation goes wrong, which assists us in manually correcting the
problematic rules. We have
implemented our idea for five popular MCU boards spanning three different chip
vendors. Using a new edit-distance-based algorithm to calculate trace
differences, our evaluation against a large firmware corpus confirmed that our
prototype achieves much higher fidelity compared with state-of-the-art
solutions. Benefiting from the accurate emulation, our emulator effectively
avoids false positives observed in existing fuzzing work. We also designed a
new dynamic analysis method to perform driver code compliance checks against
the specification. We found some non-compliance, which we later confirmed to be
bugs caused by race conditions.
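To make the check-execute-chain idea concrete, here is an added illustration (not the paper's code or prototype): a minimal rule engine that synthesizes the behaviour of a UART-like peripheral from condition-action rules, driven by a firmware-style polling loop. The register map, bit positions and the four rules are constructed for the example and do not describe any real chip.

```python
from collections import namedtuple

# Constructed register map and bits for a UART-like peripheral (assumed, not any real chip).
CR, SR, DR = 0x00, 0x04, 0x08
EN, RXNE, TXE = 1 << 0, 1 << 5, 1 << 7
# One "if <condition> then <action>" rule as extracted from a manual:
# cond(dev, op, reg, value) -> bool, with op None on re-check passes; action(dev) -> None.
Rule = namedtuple("Rule", "name cond action")

class Dev:
    def __init__(self, rx_bytes=()):
        self.regs = {CR: 0, SR: 0, DR: 0}
        self.rx_queue = list(rx_bytes)    # bytes arriving from "outside" the chip
        self.tx_log, self.fired = [], []  # bytes transmitted; trace of rules that fired
        self.rules = []
    def access(self, op, reg, value=0):
        if op == "w": self.regs[reg] = value
        # Check rules against the triggering access, then re-check with no access context until
        # the state stops changing: one action satisfying the next rule's condition is the chaining.
        ctx = (op, reg, value)
        for _ in range(16):  # guard against a rule loop
            before = (dict(self.regs), len(self.rx_queue))
            for r in self.rules:
                if r.cond(self, *ctx):
                    self.fired.append(r.name)
                    r.action(self)
            ctx = (None, -1, 0)
            if (dict(self.regs), len(self.rx_queue)) == before: break
        return self.regs[reg]

def set_bits(reg, bits): return lambda d: d.regs.__setitem__(reg, d.regs[reg] | bits)
def rx_read(d):  # reading DR consumes the byte and clears RXNE
    d.regs[DR] = d.rx_queue.pop(0)
    d.regs[SR] &= ~RXNE

def make_uart(rx_bytes):
    d = Dev(rx_bytes)
    d.rules = [
        Rule("enable", lambda d, op, reg, v: op == "w" and reg == CR and bool(v & EN), set_bits(SR, TXE)),
        Rule("rx_ready", lambda d, op, reg, v: bool(d.regs[CR] & EN and d.rx_queue) and not (d.regs[SR] & RXNE),
             set_bits(SR, RXNE)),
        Rule("rx_read", lambda d, op, reg, v: op == "r" and reg == DR and bool(d.regs[SR] & RXNE), rx_read),
        Rule("tx", lambda d, op, reg, v: op == "w" and reg == DR and bool(d.regs[CR] & EN),
             lambda d: d.tx_log.append(d.regs[DR] & 0xFF))]
    return d

def run_driver(dev, n):  # firmware-style polling loop: enable, then read up to n bytes while RXNE is set
    dev.access("w", CR, EN)
    out = []
    while len(out) < n and dev.access("r", SR) & RXNE:
        out.append(dev.access("r", DR))
    return out
```

The `fired` list is the kind of rule trace that can be compared against a trace from real hardware; a missing or wrong rule shows up as a divergence at the first access where the two traces differ.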

