引用本文
  • 周建华,李丰,许丽丽,杜跃进,霍玮.ITS: 一种基于隐式污点源识别的嵌入式设备漏洞检测方法[J].信息安全学报,已采用    [点击复制]
  • zhoujianhua,lifeng,xulili,duyuejin,huowei.ITS:A Vulnerability Detecting Approach Based on Implicit Taint Source Identification for Embedded Devices[J].Journal of Cyber Security,Accept   [点击复制]
【打印本页】 【下载PDF全文】 查看/发表评论下载PDF阅读器关闭

过刊浏览    高级检索

本文已被:浏览 8338次   下载 6790  
ITS: 一种基于隐式污点源识别的嵌入式设备漏洞检测方法
周建华, 李丰, 许丽丽, 杜跃进, 霍玮
0
(中国科学院信息工程研究所)
摘要:
随着家用路由器、网络摄像头等嵌入式设备的普及,安全问题也日益突出。针对嵌入式设备常见的攻击手段是利用不受信任的外部输入源构造恶意的web请求或数据报文,触发设备固件代码中的潜在漏洞,达到拒绝服务、命令执行等攻击效果。以污点分析为基础的静态漏洞检测技术由于不依赖于实体设备和输入,近年来被普遍应用于嵌入式设备的安全分析中。但现有技术在识别嵌入式设备后端服务程序里污点源的过程中,通常需要依赖前后端代码间共享的关键字或预设的网络编码字符串等显式的标识信息,导致漏洞检测结果存在误报和漏报。本文将嵌入式设备固件后端代码中获取并处理输入数据但又与前端代码之间不存在显式标识信息的位置统称为隐式污点源。通过分析、归纳隐式污点源在获取和处理输入过程中的二进制代码特征,设计了一种基于隐式污点源识别的嵌入式设备漏洞检测方法(简称ITS)。基于该方法实现的原型系统目前能够支持对缓冲区溢出、命令注入等类型漏洞的检测,并提供对漏洞利用条件的初步判断,在提高检测精度的同时,为安全人员修复漏洞提供优先级指导。实验表明,ITS在5个厂商的10款设备固件上,相比前沿技术SaTC,准确率提升了36.36%(从34.29%提升到70.65%),误报率与SaTC相当,但检测效率提高了1.53倍,并发现了6个未公开漏洞。
关键词:  隐式污点源  漏洞检测  嵌入式设备
DOI:10.19363/J.cnki.cn10-1380/tn.2024.02.23
投稿时间:2022-08-09修订日期:2022-11-08
基金项目:国家自然科学基金项目(面上项目,重点项目,重大项目)
ITS:A Vulnerability Detecting Approach Based on Implicit Taint Source Identification for Embedded Devices
zhoujianhua, lifeng, xulili, duyuejin, huowei
(Institute of Information Engineering, Chinese Academy of Sciences)
Abstract:
With the popularity of embedded devices such as routers and web cameras, security issues have become increasingly prominent. A general threat model for embedded devices is to use untrusted user input to construct malicious web requests or data packets, which consequently lead to denial of service or command injection attacks. Static vulnerability detection approaches based on taint analysis has been widely applicated in the security analysis of embedded devices in recent years as they are not dependent on physical devices or dynamic inputs. Unfortunately, when locating taint sources in the back-end binaries, existing techniques usually leverage explicit data identifications, such as common keywords between the front-end files and the back-end binaries of the same device firmware or constant network-encoding strings, resulting in false positives and false negatives in vulnerability detection. There are some locations in the back-end code of embedded device firmware which can acquire and handle input data but have no explicit identification information with the front-end code. We refer to these locations as the implicit taint sources. By analyzing and summarizing the binary code features of the implicit taint sources in the process of acquiring and handling input data, we design and implement a static vulnerability detecting approach based on implicit taint source identification (abbr. ITS). The prototype of ITS now supports detection of buffer overflow and command injection vulnerabilities. It also provides preliminary judgments on the conditions of vulnerability exploitations, which can be used as priority guidance for vulnerability patching without sacrificing the accuracy of vulnerability detection. We evaluated ITS on 10 embedded firmwares collected from 5 popular vendors. Comparing to the state-of the-art work SaTC, ITS improve the accuracy of vulnerability detection from 34.29% to 70.65%. Its false positive rate is similar to SaTC while its efficiency is increased by 1.53x. We have also discovered 6 unknown vulnerabilities.
Key words:  Implicit taint source  Vulnerability detection  Embedded device