Computer Science (计算机科学) ›› 2025, Vol. 52 ›› Issue (12): 411-418. doi: 10.11896/jsjkx.241200143

• Information Security •

Firmware Recovery Based Emulation and Testing Method for Industrial Gateway

WEI Zihan1, MA Rongkuan1, LI Beibei2, YANG Yahui1, LI Zhuo1, SONG Yunkai1

  1 School of Cyberspace Security, Information Engineering University, Zhengzhou 450001, China
  2 School of Cyberspace Security, Sichuan University, Chengdu 610207, China
  • Received: 2024-12-18 Revised: 2025-03-12 Published: 2025-12-15 Online: 2025-12-09
  • Corresponding author: MA Rongkuan (rongkuan307@163.com)
  • About author: WEI Zihan (q630834743@163.com), born in 2000, postgraduate. His main research interests include IIoT security and reverse engineering.
    MA Rongkuan, born in 1992, Ph.D, lecturer. His main research interests include program analysis, software security, ICS security and Web security.


Abstract: With the continuous development of the intelligent manufacturing industry, edge computing devices represented by industrial gateways are widely used in industrial sites. At the same time, software vulnerabilities in industrial gateways are beginning to affect the security of industrial networks. However, because of the specialized implementation of industrial gateways and the low fidelity of firmware extraction, existing methods cannot meet their security testing requirements. To address these issues, a firmware recovery based emulation and testing method for industrial gateways is proposed. First, based on the extraction of the firmware filesystem, a heuristic recovery method is employed to free up and repair duplicate and erroneous system files, which provides a file access basis for emulation. Second, a heuristic emulation intervention method is adopted to mitigate errors occurring during emulation, which implements test-oriented emulation. Finally, a fuzzer is designed for industrial gateways that can be emulated. In the evaluation, firmware filesystem recovery is performed on four real industrial gateways, and emulation and fuzzing tests are conducted on important applications in two of them. The results reveal an average reduction of 27.2% in the degree of chaos of the recovered filesystems and show good emulation results. Moreover, an undisclosed denial of service vulnerability in real industrial gateway devices is discovered during the fuzzing tests, which demonstrates the effectiveness of the work.

Key words: Firmware emulation, Industrial gateway, Internet of Things security, Industrial control system security, Fuzzing test
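As an added illustration, not the paper's own tool or metric, the following Python audit of an extracted firmware root flags the two extraction artifacts the abstract names, content-duplicate files and dangling symlinks, and resolves absolute link targets against the extraction root rather than the host filesystem. The `disorder_ratio` it reports is an assumed simple stand-in for the paper's undefined "degree of chaos", and the sample tree it builds is constructed for the example.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path

def _resolve_link(root: Path, link: Path) -> Path:
    """Resolve a symlink against the extracted tree, not the host: absolute
    targets such as /bin/busybox are rebased under the extraction root."""
    target = os.readlink(link)
    return root / target.lstrip("/") if os.path.isabs(target) else link.parent / target

def audit_extracted_root(root) -> dict:
    """Count content-duplicate files and dangling symlinks under an extracted
    firmware root; 'disorder_ratio' is an assumed stand-in metric, not the
    paper's own 'degree of chaos'."""
    root = Path(root)
    by_hash, broken, total = defaultdict(list), [], 0
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow links
        for name in filenames + dirnames:
            path = Path(dirpath) / name
            rel = str(path.relative_to(root))
            if path.is_symlink():
                total += 1
                if not _resolve_link(root, path).exists():
                    broken.append(rel)
            elif path.is_file():
                total += 1
                by_hash[hashlib.sha256(path.read_bytes()).hexdigest()].append(rel)
    dup_groups = [sorted(g) for g in by_hash.values() if len(g) > 1]
    redundant = sum(len(g) - 1 for g in dup_groups)
    ratio = (redundant + len(broken)) / total if total else 0.0
    return {"total": total, "duplicate_groups": dup_groups, "redundant": redundant,
            "broken_links": sorted(broken), "disorder_ratio": round(ratio, 3)}

def build_sample_root() -> str:
    """Constructed sample tree imitating a low-fidelity extraction: a duplicated
    library, a valid absolute symlink and a dangling relative symlink."""
    root = Path(tempfile.mkdtemp(prefix="fw_root_"))
    for d in ("bin", "sbin", "lib", "etc"):
        (root / d).mkdir()
    (root / "bin" / "busybox").write_bytes(b"\x7fELF-busybox-stub")
    (root / "lib" / "libc.so").write_bytes(b"\x7fELF-libc-stub")
    (root / "lib" / "libc.so.6").write_bytes(b"\x7fELF-libc-stub")  # duplicate
    os.symlink("/bin/busybox", root / "sbin" / "init")  # valid once rebased
    os.symlink("../lib/libgcc.so", root / "etc" / "dangling")  # target missing
    return str(root)
```

Running `audit_extracted_root(build_sample_root())` reports one redundant copy of the library and one dangling link out of five entries.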

CLC number: TP393