Computer Science ›› 2025, Vol. 52 ›› Issue (7): 379-387. doi: 10.11896/jsjkx.240800052

• Information Security •

Accelerating Firmware Vulnerability Discovery Through Precise Localization of Intermediate Taint Sources and Dangerous Functions

ZHANG Guanghua1,2, CHEN Fang1, CHANG Jiyou1, HU Boning1, WANG He2

  1 School of Information Science and Engineering, Hebei University of Science and Technology, Shijiazhuang 050018, China
    2 School of Cyber Engineering, Xidian University, Xi'an 710126, China
  • Received: 2024-08-08 Revised: 2024-11-07 Published: 2025-07-17
  • Corresponding author: HU Boning (wwhbn@hebust.edu.cn)
  • About author: (xian_software@163.com)
  • Supported by:
    National Natural Science Foundation of China (62072239, 62372236); 2025 Hebei Province Innovation Capability Training Project for Master's Students (CXZZSS2025076)

Accelerating Firmware Vulnerability Discovery Through Precise Localization of Intermediate Taint Sources and Dangerous Functions

ZHANG Guanghua1,2, CHEN Fang1, CHANG Jiyou1, HU Boning1, WANG He2   

  1 School of Information Science and Engineering, Hebei University of Science and Technology, Shijiazhuang 050018, China
    2 School of Cyber Engineering, Xidian University, Xi'an 710126, China
  • Received: 2024-08-08 Revised: 2024-11-07 Published: 2025-07-17
  • About author: ZHANG Guanghua, born in 1979, Ph.D, professor, master supervisor, is a member of CCF (No.51334S). His main research interest is network and information security.
    HU Boning, born in 1978, master, lecturer. Her main research interest is communication network security.
  • Supported by:
    National Natural Science Foundation of China (62072239, 62372236) and Postgraduate Innovation Fund Project of Hebei Province (CXZZSS2025076).

Abstract: Previous static taint analysis schemes for firmware pinpoint the starting points of taint analysis by identifying intermediate taint sources, and in some cases filter out safe command-hijacking dangerous-function call sites to prune the target endpoints of taint analysis, thereby reducing the number of taint propagation paths to analyze and shortening vulnerability discovery time. However, because they take too long to identify intermediate taint sources and do not sufficiently filter safe dangerous-function call sites, the overall time for firmware vulnerability discovery remains long. To improve this situation, this paper proposes ALTSDF (Accurate Locating of intermediate Taint Sources and Dangerous Functions), a scheme that accelerates firmware vulnerability analysis through precise localization of intermediate taint sources and dangerous functions. To quickly and precisely identify intermediate taint sources as the starting points of taint analysis, it collects the parameter strings each function uses at its different call sites in the program to form a parameter string set for each function, computes the proportion of this set that falls within the front-end/back-end shared keyword set, and sorts all functions in descending order of this proportion: the higher the proportion, the more likely the function is an intermediate taint source. To filter safe dangerous-function call sites, it statically back-traces function parameters to determine their types, excluding safe command-hijacking and safe buffer-overflow dangerous-function call sites in the complex cases where the parameter originates from a constant. This ultimately shortens the time needed to locate intermediate taint sources, reduces the number of taint propagation paths from intermediate taint sources to dangerous-function call sites, and thus shortens the time needed to apply taint analysis to those paths, achieving the goal of shortening vulnerability discovery time. Tests on the embedded Web programs of 21 real device firmware images show that, compared with the state-of-the-art tool FITS, ALTSDF greatly shortens the time spent on intermediate taint source inference; in filtering safe dangerous-function call sites, compared with the state-of-the-art tool CINDY, ALTSDF reduces the taint analysis paths by 8%; and it ultimately shortens vulnerability discovery time by 32% compared with the integrated scheme of SaTC combined with FITS and CINDY. The results show that ALTSDF can accelerate the identification of vulnerabilities in the embedded Web programs of firmware.

Keywords: IoT security, Static detection of firmware vulnerabilities, Taint analysis, Intermediate taint source

Abstract: Existing methods identify intermediate taint sources to accurately locate the starting points of taint analysis, and filter safe command hijacking points in certain cases to streamline endpoint analysis, thus reducing the paths to be analyzed and shortening vulnerability mining time. However, these methods spend excessive time identifying intermediate taint sources and fail to fully filter safe dangerous function call points, leading to prolonged overall vulnerability mining time. The ALTSDF scheme (Accurate Locating of intermediate Taint Sources and Dangerous Functions) addresses these issues by accurately locating intermediate taint sources and dangerous functions. To quickly and accurately identify intermediate taint sources as the starting points for taint analysis, it collects the parameter strings used at the different call sites of each function to form that function's parameter string set, and calculates the proportion of this set that overlaps with the shared keyword set. Functions are ranked in descending order of this proportion: the higher the proportion, the more likely the function is an intermediate taint source. When filtering safe dangerous function call points, it statically back-traces parameter types to exclude points whose parameter source is a constant, thereby removing safe command hijacking and buffer overflow points. This reduces the time spent identifying intermediate taint sources, minimizes the taint propagation paths to dangerous function calls, and shortens the analysis time, thus speeding up vulnerability discovery. Testing on the embedded Web programs of 21 real device firmware images shows that ALTSDF significantly reduces the time spent on intermediate taint source inference compared to the FITS tool. It also reduces the taint analysis paths by 8% compared to CINDY, and ultimately reduces vulnerability mining time by 32% compared to the combined solution of SaTC with FITS and CINDY. These results demonstrate that ALTSDF accelerates the identification of vulnerabilities in firmware embedded Web programs.
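The two heuristics the abstract describes (in both its Chinese and English versions) can be modelled in a few dozen lines: ranking candidate intermediate taint sources by the share of their call-site argument strings that fall in the shared keyword set, and discarding dangerous-function call sites whose argument back-traces through copy chains to a constant. The Python below is an added illustration written for this page, not the authors' ALTSDF implementation. The keyword set, call sites, and per-function definition chains are constructed, and names such as `nvram_get` and `websGetVar` are assumed placeholders for whatever getters a real embedded Web binary exposes.

```python
"""Toy model of the two ALTSDF heuristics described in the abstract.
Added illustration with constructed data; not the paper's implementation."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Union

# --- Heuristic 1: rank functions as candidate intermediate taint sources ----

# Constructed: keywords found in both the web front end and the back-end
# binary, as a SaTC-style shared-keyword analysis would produce.
SHARED_KEYWORDS = {"wan_ipaddr", "lan_netmask", "dns_server", "ntp_host", "admin_pwd"}

# Constructed call sites: (caller, callee, string argument). A callee whose
# argument strings are mostly shared keywords is a likely intermediate source
# (typically a config getter such as the assumed nvram_get).
CALL_SITES = [
    ("handle_wan", "nvram_get", "wan_ipaddr"),
    ("handle_wan", "nvram_get", "lan_netmask"),
    ("handle_dns", "nvram_get", "dns_server"),
    ("handle_time", "nvram_get", "ntp_host"),
    ("init_log", "nvram_get", "log_level"),
    ("handle_dns", "strdup_safe", "dns_server"),
    ("main", "strdup_safe", "/tmp/httpd.pid"),
    ("main", "printf", "starting httpd"),
    ("main", "printf", "version 1.0"),
]


def rank_intermediate_sources(call_sites, shared_keywords):
    """Return [(callee, proportion)] in descending order of the share of the
    callee's parameter-string set that lies in the shared keyword set."""
    param_sets = defaultdict(set)
    for _caller, callee, arg in call_sites:
        param_sets[callee].add(arg)
    ranked = [(callee, len(params & shared_keywords) / len(params))
              for callee, params in param_sets.items()]
    ranked.sort(key=lambda item: (-item[1], item[0]))  # ties broken by name
    return ranked


# --- Heuristic 2: drop dangerous-function call sites fed by constants -------

@dataclass(frozen=True)
class Const:       # argument is a string literal
    value: str


@dataclass(frozen=True)
class Copy:        # argument was copied from another variable
    src: str


@dataclass(frozen=True)
class External:    # argument was produced by a call (nvram_get, recv, ...)
    producer: str


Definition = Union[Const, Copy, External]

# Constructed dangerous-function call sites: (function, callee, argument
# variable, reaching definitions of the variables in that function).
DANGEROUS_SITES = [
    ("do_reboot", "system", "cmd", {"cmd": Const("/sbin/reboot")}),
    ("do_ping", "system", "cmd",
     {"cmd": Copy("host"), "host": External("nvram_get")}),
    ("set_version", "strcpy", "src", {"src": Copy("v"), "v": Const("1.0.3")}),
    ("set_hostname", "strcpy", "src",
     {"src": Copy("tmp"), "tmp": External("websGetVar")}),
    ("set_banner", "sprintf", "fmt", {}),  # no definition found: keep it
]


def argument_origin(var: str, defs: Dict[str, Definition]) -> Definition:
    """Statically back-trace `var` through copy chains to its origin.
    An undefined variable or a cycle is treated conservatively as External."""
    seen = set()
    while var in defs and var not in seen:
        seen.add(var)
        definition = defs[var]
        if isinstance(definition, Copy):
            var = definition.src
            continue
        return definition
    return External("unknown")


def filter_safe_sites(sites):
    """Keep only sites whose argument does not originate from a constant;
    these are the taint-analysis endpoints that still need checking."""
    return [s for s in sites if not isinstance(argument_origin(s[2], s[3]), Const)]


if __name__ == "__main__":
    for callee, share in rank_intermediate_sources(CALL_SITES, SHARED_KEYWORDS):
        print(f"{callee:12s} {share:.2f}")
    kept = filter_safe_sites(DANGEROUS_SITES)
    print(f"{len(DANGEROUS_SITES) - len(kept)} of {len(DANGEROUS_SITES)} sites filtered")
    for func, callee, arg, _ in kept:
        print(f"  {func}: {callee}({arg}) still needs taint analysis")
```

On the constructed data `nvram_get` ranks first (four of its five argument strings are shared keywords), and two of the five dangerous call sites are dropped because their argument resolves to a literal. The back-trace deliberately treats an undefined variable or a cycle as non-constant, so imprecision in the definition map can only keep more sites for taint analysis, never hide one.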

Key words: IoT security, Static detection of firmware vulnerabilities, Taint analysis, Intermediate taint source

CLC number:

  • TP309