Avatar is an event-based arbitration framework that orchestrates the communication between an emulator and a target physical device. Avatar's goal is to enable complex dynamic analysis of embedded firmware in order to assist in a wide range of security-related activities including (but not limited to) reverse engineering, malware analysis, vulnerability discovery, vulnerability assessment, backtrace acquisition and root-cause analysis of known test cases.
The analysis environment consists of several components:
Avatar: a Python framework that orchestrates firmware execution and analysis.
A communication interface to the target device, for example OpenOCD (if JTAG is available) or our in-memory stub for constrained scenarios.
S²E: a symbolic execution and analysis framework based on KLEE and QEMU.
This modular architecture lets Avatar perform dynamic analysis of firmware behaviour, such as recording and sandboxing memory accesses, performing live migration of subroutines, symbolically executing specific portions of code, as well as detecting vulnerabilities.
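To make the arbitration idea concrete, the following is an added, self-contained sketch (not Avatar's own code) of an arbiter that routes an emulator's memory events: RAM is served locally, MMIO is forwarded to a stub standing in for the physical device, and writes to the flash region are sandboxed while every access is recorded. The address map, the device stub and the access trace are constructed for the demo.

```python
# Added illustration of Avatar's arbitration idea, not Avatar's own code: the
# emulator raises memory events; the arbiter serves, forwards or sandboxes them.
REGIONS = {"flash": (0x08000000, 0x08100000),   # code: writes are sandboxed
           "ram": (0x20000000, 0x20010000),     # emulated locally
           "mmio": (0x40000000, 0x50000000)}    # forwarded to the device

class DeviceStub:
    """Constructed stand-in for the target reached via OpenOCD/JTAG or the in-memory stub."""
    def __init__(self, regs):
        self.regs = dict(regs)
    def read(self, addr):
        return self.regs.get(addr, 0)
    def write(self, addr, value):
        self.regs[addr] = value

class Arbiter:
    def __init__(self, device):
        self.device, self.local, self.log = device, {}, []   # local = RAM/flash contents
    @staticmethod
    def region(addr):
        for name, (lo, hi) in REGIONS.items():
            if lo <= addr < hi:
                return name
        raise MemoryError(f"unmapped access at {addr:#x}")
    def read(self, addr):
        region = self.region(addr)
        # MMIO is forwarded to the device; RAM and flash are served locally
        value = self.device.read(addr) if region == "mmio" else self.local.get(addr, 0)
        self.log.append(("read", region, addr, value))
        return value
    def write(self, addr, value):
        region = self.region(addr)
        if region == "flash":          # sandboxed: recorded but never applied
            self.log.append(("write-dropped", region, addr, value))
            return False
        if region == "mmio":
            self.device.write(addr, value)
        else:
            self.local[addr] = value
        self.log.append(("write", region, addr, value))
        return True

def run_demo():
    """Replays a small constructed access trace and returns the arbiter with its log."""
    arb = Arbiter(DeviceStub({0x40004000: 0x1}))  # one peripheral status register
    status = arb.read(0x40004000)                 # MMIO read, forwarded to the device
    arb.write(0x20000100, status + 0x10)          # RAM write, handled locally
    arb.write(0x08000010, 0xDEAD)                 # flash write, dropped by the sandbox
    return arb
```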
Avatar's capabilities have been demonstrated by performing symbolic execution and vulnerability analysis of several devices, including a hard-disk controller, a GSM feature phone and a wireless sensor node.
Avatar has been developed by Jonas Zaddach and Luca Bruno at EURECOM, under the supervision of Aurelien Francillon and Davide Balzarotti.
For further information, please visit http://www.s3.eurecom.fr/tools/avatar/ online.