Cite this article:
  • Mei Runyuan, Wang Yanhao, Li Zichuan, Peng Guojun. Research on Firmware Vulnerability Discovery Technology Based on Reaching Definition Analysis [J]. Journal of Cyber Security, accepted.

Research on Firmware Vulnerability Discovery Technology Based on Reaching Definition Analysis
Mei Runyuan1, Wang Yanhao2, Li Zichuan1, Peng Guojun1
(1. Wuhan University; 2. NIO)
Abstract:
With the rapid development of the Internet of Things (IoT), a large number of IoT devices are exposed to the Internet, and the firmware of IoT devices that carries a file system is frequently found to contain security vulnerabilities, causing serious security problems. To address IoT security problems, security researchers in China and abroad have studied automated vulnerability discovery extensively, but the false positive and false negative rates of existing approaches remain unsatisfactory. This paper proposes an automated vulnerability discovery technique for IoT device firmware based on reaching definition analysis. Building on reaching definition analysis and combining it with heuristic information generated by function call path analysis, it designs a backward taint tracking method that reduces the false positive rate of automated vulnerability discovery. At the same time, to reduce the false negative rate, this paper expands the set of recognized user inputs by identifying the call-argument characteristics of user-input API functions, and further widens the range of identifiable vulnerabilities by recognizing vulnerability trigger points inside vendor-defined library functions. Based on these methods, this paper designs and implements an automated vulnerability discovery system, FirmRD. In experiments on a comparison dataset of 49 firmware images from four vendors (Netgear, TP-Link, D-Link and Tenda), FirmRD's vulnerability identification accuracy is 1.8 times higher than that of the state-of-the-art SaTC framework, it generates more vulnerability alerts, and manual analysis of its results uncovered 4 medium- to high-severity 0-day vulnerabilities; on an extended dataset of 6 TOTOLINK firmware images, FirmRD found 68 correct vulnerability alerts with an accuracy of 82.93%, of which 58 are associated with 1-day vulnerabilities, and 8 of the remaining 10 0-day alerts have already been confirmed by the vendor.
Key words:  IoT devices  vulnerability discovery  static analysis  taint analysis  data flow analysis
DOI:
Received: 2023-05-29  Revised: 2023-08-22
Funding: National Natural Science Foundation of China (General Program, Key Program, Major Program)
Research on Firmware Vulnerability Discovery Technology Based on Reaching Definition Analysis
Mei Runyuan1, Wang Yanhao2, Li Zichuan1, Peng Guojun1
(1. Wuhan University; 2. NIO)
Abstract:
With the rapid development of the Internet of Things (IoT), a large number of IoT devices are exposed to the Internet, and the firmware of IoT devices that stores the file system is often found to have security vulnerabilities, causing serious security problems. To deal with the security problems of IoT firmware, security researchers at home and abroad have conducted extensive research on automatic vulnerability discovery, but the false positive rate and false negative rate of existing vulnerability discovery methods are still not ideal. In this paper, we propose an automatic vulnerability discovery technology for IoT firmware based on the reaching definition analysis method. Based on reaching definition analysis, a backward taint tracing method is designed with the help of heuristic information generated by function call path analysis; this method reduces the false positive rate of the vulnerability discovery process. At the same time, in terms of reducing the false negative rate of the vulnerability discovery process, we expand the user input by identifying the parameter characteristics of calls to user-input API functions. Furthermore, we expand the scope of vulnerability identification by identifying the trigger points of vulnerabilities in vendor-defined library functions. Based on the above methods, we designed and implemented an automatic vulnerability discovery system, FirmRD. In the experiments, on a comparative dataset composed of 49 firmware images from four manufacturers (Netgear, TP-Link, D-Link, and Tenda), the accuracy rate of FirmRD's vulnerability discovery method increased by 1.8 times compared with the cutting-edge framework SaTC, and FirmRD discovered more vulnerability alerts at the same time. After manual analysis, we found 4 medium-risk or high-risk 0-day vulnerabilities in the comparative dataset.
On an extended dataset composed of 6 TOTOLINK firmware images, FirmRD found 68 correct vulnerability alerts with an accuracy rate of 82.93%, 58 of which were related to 1-day vulnerabilities, and 8 of the remaining 10 0-day vulnerability alerts have been confirmed by the manufacturer.
Key words:  Internet of Things devices  vulnerability discovery  static analysis  taint analysis  data flow analysis
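As an added illustration of the core idea the abstract describes (this is not FirmRD's code; the toy IR, the block names and the websGetVar/strcpy labels are constructed), the following Python computes reaching definitions over a small control-flow graph and then traces a dangerous call's arguments backwards through those definitions to see whether they can originate from a user-input API.

```python
# Constructed toy IR (not FirmRD's format). Each block is (instructions, successors);
# ("src", var, api): var comes from a user-input API, ("asg", var, operands): var is computed
# from operands, ("sink", api, args): dangerous library call whose arguments get checked.
PROGRAM = {
    "entry": ([("src", "name", "websGetVar"), ("asg", "len", ("name",))], ["chk"]),
    "chk":   ([("asg", "cond", ("len",))], ["copy", "safe"]),
    "safe":  ([("asg", "name", ())], ["copy"]),  # constant overwrite kills the tainted def
    "copy":  ([("asg", "tmp", ("name",)), ("sink", "strcpy", ("buf", "tmp"))], []),
}

def transfer(prog, block, defs, upto=None):
    """Reaching-definitions transfer over block[:upto]: kill same-variable defs, gen new."""
    for i, ins in enumerate(prog[block][0][:upto]):
        if ins[0] in ("src", "asg"):
            defs = {d for d in defs if prog[d[0]][0][d[1]][1] != ins[1]} | {(block, i)}
    return defs

def reaching_definitions(prog):
    """Forward may-analysis by worklist: IN[b] = union of OUT[p] over predecessors p."""
    in_sets, work = {b: set() for b in prog}, list(prog)
    while work:
        b = work.pop()
        preds = [p for p in prog if b in prog[p][1]]
        new_in = set().union(*(transfer(prog, p, in_sets[p]) for p in preds))
        if new_in != in_sets[b]:
            in_sets[b] = new_in
            work.extend(prog[b][1])  # successors must be revisited
    return in_sets

def backward_taint(prog, in_sets, block, idx, var, seen):
    """Trace var backwards over the defs reaching (block, idx); return the source APIs."""
    sources = set()
    for d in transfer(prog, block, in_sets[block], upto=idx):
        ins = prog[d[0]][0][d[1]]
        if ins[1] == var and d not in seen:
            seen.add(d)
            if ins[0] == "src":
                sources.add(ins[2])
            else:  # keep tracing through the operands this definition depends on
                for op in ins[2]:
                    sources |= backward_taint(prog, in_sets, d[0], d[1], op, seen)
    return sources

def find_alerts(prog):
    """One alert per sink argument whose value may originate from a user-input API."""
    in_sets = reaching_definitions(prog)
    return [(ins[1], arg, sorted(srcs))
            for b, (instrs, _) in prog.items() for i, ins in enumerate(instrs)
            if ins[0] == "sink" for arg in ins[2]
            if (srcs := backward_taint(prog, in_sets, b, i, arg, set()))]
```

Because reaching definitions is a may-analysis, the alert is raised as long as one path carries the user-controlled definition to the sink; a variant in which every path passes through the constant overwrite produces no alert.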