Cite this article:
- 梅润元,王衍豪,李子川,彭国军. 基于定义可达性分析的固件漏洞发现技术研究 [J]. 信息安全学报, 2025, 10(2): 1-16
- MEI Runyuan, WANG Yanhao, LI Zichuan, PENG Guojun. Research on Firmware Vulnerability Discovery Technology Based on Reaching Definition Analysis [J]. Journal of Cyber Security, 2025, 10(2): 1-16
Research on Firmware Vulnerability Discovery Technology Based on Reaching Definition Analysis (基于定义可达性分析的固件漏洞发现技术研究)
MEI Runyuan 1,2, WANG Yanhao 3, LI Zichuan 1,2, PENG Guojun 1,2

(1. Key Laboratory of Aerospace Information Security and Trust Computing, Ministry of Education, Wuhan University, Wuhan 430072, China; 2. School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China; 3. NIO, Anhui 230031, China)

Abstract (translated from the Chinese):
With the rapid growth of the Internet of Things (IoT), large numbers of IoT devices are exposed to the Internet, and the firmware that holds their file systems is frequently found to contain security vulnerabilities, causing serious security problems. To address IoT security problems, researchers at home and abroad have studied automated vulnerability discovery extensively, but the false positive and false negative rates of existing methods remain unsatisfactory. This paper proposes an automated vulnerability discovery technique for IoT device firmware based on reaching definition analysis. Building on reaching definition analysis and on heuristic information produced by function call path analysis, a backward taint tracking method is designed that lowers the false positive rate of automated vulnerability discovery. To lower the false negative rate, the paper expands the set of user inputs by identifying the call-parameter characteristics of user-input API functions, and further widens the scope of vulnerability identification by recognizing vulnerability trigger points inside vendor-defined library functions. On this basis, an automated vulnerability discovery system, FirmRD, was designed and implemented. In experiments on a comparison dataset of 49 firmware images from four vendors (Netgear, TP-Link, D-Link and Tenda), FirmRD's vulnerability identification accuracy was 1.8 times that of the state-of-the-art SaTC framework, it generated more vulnerability alerts, and manual analysis of the alerts uncovered 4 medium- or high-severity 0-day vulnerabilities. On an extended dataset of 6 TOTOLINK firmware images, FirmRD produced 68 correct vulnerability alerts at an accuracy of 82.93%; 58 of these alerts correspond to 1-day vulnerabilities, and of the remaining 10 0-day alerts, 8 have already been confirmed by the vendor.
Keywords: IoT devices; vulnerability discovery; static analysis; taint analysis; data flow analysis
DOI: 10.19363/J.cnki.cn10-1380/tn.2025.03.01
Received: 2023-05-29; Revised: 2023-08-22
Funding: This work was supported by the National Natural Science Foundation of China (No. 62172308, No. 61972297, No. 62172144) and the Student Innovation Funding Program of the School of Cyber Science and Engineering.
|
Research on Firmware Vulnerability Discovery Technology Based on Reaching Definition Analysis
MEI Runyuan 1,2, WANG Yanhao 3, LI Zichuan 1,2, PENG Guojun 1,2

(1. Key Laboratory of Aerospace Information Security and Trust Computing, Ministry of Education, Wuhan University, Wuhan 430072, China; 2. School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China; 3. NIO, Anhui 230031, China)
Abstract:
With the rapid development of the Internet of Things (IoT), a large number of IoT devices are exposed to the Internet, and the firmware of these devices, which stores their file systems, is often found to contain security vulnerabilities, causing serious security problems. To deal with the security problems of IoT firmware, security researchers from home and abroad have conducted extensive research on automatic vulnerability discovery, but the false positive and false negative rates of existing vulnerability discovery methods are still not ideal. In this paper, we propose an automatic vulnerability discovery technique for IoT firmware based on reaching definition analysis. Building on reaching definition analysis, a backward taint tracing method is designed with the help of heuristic information generated by function call path analysis; this method reduces the false positive rate of the vulnerability discovery process. At the same time, to reduce the false negative rate, we expand the set of user inputs by identifying the parameter characteristics of calls to user-input API functions. Furthermore, we expand the scope of vulnerability identification by identifying the trigger points of vulnerabilities inside vendor-defined library functions. Based on the above methods, we designed and implemented an automatic vulnerability discovery system, FirmRD. In the experiments, on a comparative dataset composed of 49 firmware images from four manufacturers (Netgear, TP-Link, D-Link, and Tenda), the accuracy rate of FirmRD's vulnerability discovery increased by 1.8 times compared with the cutting-edge framework SaTC, and FirmRD discovered more vulnerability alerts at the same time. After manual analysis, we found 4 medium-risk or high-risk 0-day vulnerabilities in the comparative dataset. On an extended dataset composed of 6 TOTOLINK firmware images, FirmRD found 68 correct vulnerability alerts with an accuracy rate of 82.93%, 58 of which were related to 1-day vulnerabilities, and 8 of the remaining 10 0-day vulnerability alerts have been confirmed by the manufacturer.
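Both abstracts rest on the same idea: compute which definitions of a variable reach a dangerous call site (reaching definition analysis) and then walk backwards from that call site to see whether any reaching definition originates at a user-input API. The following is an added illustration written for this page, not code from the paper or from FirmRD. It runs the classic iterative reaching-definitions fixpoint over a constructed, hypothetical three-address IR (block names, the `websGetVar` source label and the `strcpy` sink label are assumptions used only as sample data), and then answers a backward taint query for every sink. Because the analysis is flow-sensitive, the sink on the `else` path, where the buffer still holds a constant, is not reported, while the sink at the join point, which can receive a copy of the user input, is.

```python
"""Reaching-definition analysis over a tiny three-address IR, followed by a
backward taint query from each sink. Constructed example, not FirmRD code."""
from collections import defaultdict

# Constructed sample program. Each instruction is (op, dst, args):
#   ("source", "a", ["websGetVar"])    a receives user-controlled input
#   ("const",  "b", ["0"])             b receives a literal
#   ("copy",   "b", ["a"])             b = a
#   ("sink",   None, ["strcpy", "b"])  dangerous call consuming b
BLOCKS = {
    "entry": [("source", "a", ["websGetVar"]), ("const", "b", ["0"])],
    "cond":  [],
    "then":  [("copy", "b", ["a"])],
    "else":  [("sink", None, ["strcpy", "b"])],   # b is still the constant here
    "join":  [("sink", None, ["strcpy", "b"])],   # b may be a copy of a here
}
SUCCS = {"entry": ["cond"], "cond": ["then", "else"],
         "then": ["join"], "else": ["join"], "join": []}


def reaching_definitions(blocks, succs):
    """Return (IN, OUT): for each block, the set of definitions (block, index)
    that may reach its entry / exit. Standard forward may-analysis."""
    all_defs_of = defaultdict(set)          # var -> every definition of var
    for blk, instrs in blocks.items():
        for i, (_op, dst, _args) in enumerate(instrs):
            if dst is not None:
                all_defs_of[dst].add((blk, i))

    gen, kill = defaultdict(set), defaultdict(set)
    for blk, instrs in blocks.items():
        for i, (_op, dst, _args) in enumerate(instrs):
            if dst is None:
                continue
            # A later definition of the same variable in this block overrides
            # an earlier one, so only the last definition survives in gen.
            gen[blk] = {d for d in gen[blk] if blocks[d[0]][d[1]][1] != dst}
            gen[blk].add((blk, i))
            kill[blk] |= all_defs_of[dst] - {(blk, i)}

    preds = defaultdict(list)
    for b, ss in succs.items():
        for s in ss:
            preds[s].append(b)

    IN = {b: set() for b in blocks}
    OUT = {b: set() for b in blocks}
    changed = True
    while changed:                          # iterate to a fixpoint
        changed = False
        for b in blocks:
            new_in = set().union(*(OUT[p] for p in preds[b])) if preds[b] else set()
            new_out = gen[b] | (new_in - kill[b])
            if new_in != IN[b] or new_out != OUT[b]:
                IN[b], OUT[b], changed = new_in, new_out, True
    return IN, OUT


def defs_reaching(blocks, IN, blk, idx, var):
    """Definitions of var that reach the point just before blocks[blk][idx]."""
    for j in range(idx - 1, -1, -1):        # nearest definition in the same block wins
        if blocks[blk][j][1] == var:
            return {(blk, j)}
    return {d for d in IN[blk] if blocks[d[0]][d[1]][1] == var}


def is_tainted(blocks, IN, blk, idx, var, seen=None):
    """Backward taint: does any definition chain for var end at a source?"""
    seen = set() if seen is None else seen
    for d in defs_reaching(blocks, IN, blk, idx, var):
        if d in seen:                       # guard against loops in the CFG
            continue
        seen.add(d)
        op, _dst, args = blocks[d[0]][d[1]]
        if op == "source":
            return True
        if op == "copy" and is_tainted(blocks, IN, d[0], d[1], args[0], seen):
            return True
        # "const" definitions carry no taint
    return False


def find_tainted_sinks(blocks, succs):
    """Return (block, index, callee) for every sink fed by user input."""
    IN, _out = reaching_definitions(blocks, succs)
    alerts = []
    for blk, instrs in blocks.items():
        for i, (op, _dst, args) in enumerate(instrs):
            if op != "sink":
                continue
            callee, *params = args
            if any(is_tainted(blocks, IN, blk, i, p) for p in params):
                alerts.append((blk, i, callee))
    return alerts


if __name__ == "__main__":
    print(find_tainted_sinks(BLOCKS, SUCCS))   # only the join-point sink is reported
```

The same structure generalizes to a real binary: the IR would come from a lifter, the source set would be the user-input API list expanded as the abstract describes, and the sink set would include trigger points inside vendor-defined library functions rather than only libc calls.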
Key words: Internet of Things devices; vulnerability discovery; static analysis; taint analysis; data flow analysis