Cite this article
  • 芦笑瑜, 宋思静, 许嘉诚, 纪守领, 程鹏, 魏强. Review of the Research on Embedded System Firmware Rehosting [J]. Journal of Cyber Security, accepted.
  • Lu Xiaoyu, Song Sijing, Xu Jiacheng, Ji Shouling, Cheng Peng, Wei Qiang. Review of the Research on Embedded System Firmware Rehosting [J]. Journal of Cyber Security, accepted.


DOI:
Received: 2025-03-03; Revised: 2025-05-08
Funding: Major Program of the National Natural Science Foundation of China (U62293511)
Review of the Research on Embedded System Firmware Rehosting
Lu Xiaoyu (1), Song Sijing (1), Xu Jiacheng (2), Ji Shouling (3), Cheng Peng (2), Wei Qiang (1)
(1. College of Cyberspace Security, Information Engineering University; 2. College of Control Science and Engineering, Zhejiang University; 3. College of Computer Science and Technology, Zhejiang University)
Abstract:
Embedded systems, with their advantages in cost, size, power consumption, robustness, and real-time performance, have been widely deployed in critical domains such as industrial control systems, smart home devices, and medical equipment. Their security directly impacts national infrastructure and public safety. However, embedded systems face severe security challenges. On one hand, constrained by development costs and limited system resources, these systems often contain firmware vulnerabilities and have weak security mechanisms. On the other hand, the lack of robust firmware update mechanisms leads to prolonged exposure of known vulnerabilities, creating persistent attack surfaces. To enable in-depth and efficient dynamic security analysis of embedded system firmware, both academia and industry have conducted extensive research on firmware rehosting. In this paper, we first briefly introduce the general hardware architecture of embedded systems together with the classification, security threats and defensive mechanisms of firmware, and analyze the process, techniques and advantages of dynamic security analysis based on rehosting. We then summarize and elaborate on the main technical challenges of firmware rehosting from five aspects. Next, a new multi-level, multi-dimensional taxonomy is proposed: firmware rehosting techniques are first divided into holistic rehosting and partial rehosting according to the completeness of the firmware under analysis. Holistic rehosting is further subdivided by its peripheral-emulation method into hardware proxying and software modeling, and software modeling comprises four modeling paradigms distinguished by what the model is derived from: specification-based, firmware-based, recording-based and state-based modeling. Partial rehosting is classified by the type and characteristics of the target component, such as application programs and kernel components. Based on this taxonomy, we comprehensively review the research progress of firmware rehosting over the past decade and summarize the advantages and limitations of the different techniques. Finally, we give an outlook on valuable future research directions in the field of firmware rehosting.
Key words: embedded system; firmware security; firmware rehosting; dynamic analysis; fuzzing