计算机科学

计算机科学 ›› 2024, Vol. 51 ›› Issue (6): 423-433.doi: 10.11896/jsjkx.230500087

• 信息安全 • 上一篇    下一篇

基于函数调用指令特征分析的固件指令集架构识别方法

贾凡, 尹小康, 盖贤哲, 蔡瑞杰, 刘胜利   

  1. 信息工程大学网络空间安全教育部重点实验室 郑州 450001
  • 收稿日期:2023-05-13 修回日期:2023-10-16 出版日期:2024-06-15 发布日期:2024-06-05
  • 通讯作者: 蔡瑞杰(wsxcrj@163.com)
  • 作者简介:(winmale.alwayswin@qq.com)

Function-call Instruction Characteristic Analysis Based Instruction Set Architecture Recognization Method for Firmwares

JIA Fan, YIN Xiaokang, GAI Xianzhe, CAI Ruijie, LIU Shengli   

  1. The Key Laboratory of Cyberspace Security, the Ministry of Education,Information Engineering University,Zhengzhou,450001,China
  • Received:2023-05-13 Revised:2023-10-16 Online:2024-06-15 Published:2024-06-05
  • About author:JIA Fan,born in 1995,postgraduate.His main research interests include embedded device security and reverse engineering techniques.
    CAI Ruijie,born in 1990,Ph.D candidate,lecturer.His main research intere-sts include network security,binary code analysis and vulnerability disco-very.

PDF (PC)

505

摘要: 不同的固件常采用不同的指令集架构,固件指令集架构的识别是对嵌入式固件进行逆向分析和漏洞挖掘的基础。现有研究和相关工具在针对特定类型的嵌入式设备固件指令集架构识别时存在识别正确率低、误报率高的情况。针对上述问题,提出了一种基于函数调用指令特征分析的固件指令集架构识别方法,通过同时利用指令中操作码和操作数所包含的信息识别目标固件中的函数调用指令,将其作为关键特征实现对不同指令集架构的分类,并基于该方法开发了原型系统EDFIR(Embedded Device Firmware Instruction set Recognizer)。实验结果表明,相比IDAPro,Ghidra,Radare2,Binwalk以及ISAdetect这些当前应用最广泛和最新的工作,该方法具有更高的识别正确率、更低的误报率并具备更强的抗干扰能力,其对1 000个真实设备固件的识别正确率高达97.9%,比目前识别效果最好的ISAdetect提升了42.5%。此外,相关实验还证明,即使将分析规模缩小至完整固件的1/50,所提方法仍能保持95.31%的识别正确率,具有良好的识别性能。

关键词: 指令集架构, 分类技术, 逆向分析技术, 嵌入式设备安全, 静态分析技术

Abstract: The recognition of instruction set architecture is a crucial task for conducting security research on embedded devices,and has significant implications.However,existing studies and tools often suffer from low recognition accuracy and high false positive rates when identifying the firmware instruction set architecture of specific types of embedded devices.To address this issue,a new method for recognizing firmware instruction set architecture based on feature analysis of function call instructions is proposed.It identifies function call instructions in the target firmware by simultaneously utilizing the information contained in the operation codes and operands of the instructions,and uses them as key features to classify different instruction set architectures.A prototype system called EDFIR(embedded device firmware instruction set recognizer) has been developed based on this me-thod.Experimental results show that compared to currently widely used and state-of-the-art tools such as IDA Pro,Ghidra,Radare2,Binwalk,and ISA detect,the proposed method has higher recognition accuracy,lower false positive rates,and stronger anti-interference capabilities.It achieves a recognition accuracy of 97.9% on 1 000 real device firmwares,which is 42.5% higher than the best performing ISA detect.Furthermore,experiments demonstrate that even when the analysis scale is reduced to 1/50 of the complete firmware,it can still maintain a recognition accuracy of 95.31%,indicating an excellent recognition performance.

Key words: Instruction set architecture, Classification techniques, Reverse analysis engineering, Embedded device security, Static analysis

中图分类号: 

  • TP391
[1]JITESH U.Shipments of Smart Home Devices Fell in 2022,But a Return to Growth is Expected in 2023,According to IDC[EB/OL].(2023-03-31)[2023-05-11].https://www.idc.com/getdoc.jsp?containerId=prUS50541723.
[2]JUNIPER R L.Smart Home Devices 2020-2025 Market Summary[EB/OL].(2022-04-25)[2023-05-11].https://www.juniperresearch.com/infographics/smart-home-devices-statistics.
[3]The MITRE Corporation.Search results for CVE numbers related to IOT devices[EB/OL].(2020-05-29)[2023-05-11].https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=IOT.
[4]KAI C,QIANG L,LEI W,et al.DTaint:Detecting the Taint-Style Vulnerability in Embedded Device Firmware[C]//2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks(DSN).IEEE Computer Society,2018.
[5]ZHU X,ZHANG Y,JIANG L,et al.Determining the Base Address of MIPS Firmware based on Absolute Address Statistics and String Reference Matching[J].Computers & Security,2019,88:101504.
[6]POEPLAU S,FRANCILLON A.SymQEMU:Compilation-based symbolic execution for binaries[C]//Network and Distributed System Security Symposium(NDSS 2021).Internet Society,2021.
[7]LYU C,JI S,ZHANG X,et al.Ems:History-driven mutationfor coverage-based fuzzing[C]//29rd Annual Network and Distributed System Security Symposium(NDSS).2022:24-28.
[8]Hex-Rays Corporation.HomepageofIDA Pro[EB/OL].(2023-04-22)[2023-05-11].https://hex-rays.com/ida-pro/.
[9]National Security Agency.Home page of Ghidra[EB/OL].([2023-02-23])[2023-05-11].https://www.nsa.gov/resources/everyone/ghidra/.
[10]ReFirmLabs.Home · ReFirmLabs/binwalk Wiki · GitHub[EB/OL].(2023-03-12)[2023-05-14].https://github.com/ReFirmLabs/binwalk/wiki.
[11]Radare org.radare2[EB/OL].(2023-05-05)[2023-05-11].https://www.radare.org/n/radare2.html.
[12]CHEN D D,WOO M,BRUMLEY D,et al.Towards automated dynamic analysis for linux-based embedded firmware[C]//NDSS.2016:1.1-8.1.
[13]LI Y S.firmware-analysis-plus[EB/OL].(2023-02-02)[2023-05-11].https://github.com/liyansong2018/firmware-analysis-plus.
[14]Capstone Engine org.Home page of capstone[EB/OL].[2020-05-08][2023-05-14].http://www.capstone-engine.org/.
[15]KAIRAJÄRVI S,COSTIN A,HÄMÄLÄINEN T.ISAdetect:Usable automated detection of CPU architecture and endianness for executable binary files and object code[C]//Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy.2020:376-380.
[16]SAHABANDU D,MERTOGUNO S,POOVENDRAN R.ANatural Language Processing Approach for Instruction Set Architecture Identification[J].arXiv:2204.06624,2022.
[17]YUY C,CHEN Z N,GAN S T,et al.Researchon the Technologies of Security Analysis Technologies on the Embedded Device Firmware[J].Chinese Journal of Computers,2021,44(5):859-881.
[18]Power ISA Version 3.1[EB/OL].(2020-05-01)[2023-05-11].https://github.com/Fortr4n/POWERISA/blob/main/Power-ISA_public.v3.1.pdf.
[19]MIPS Architecture for Programmers Volume II-A:The MIPS32 Instruction Set Manual[EB/OL].(2016-12-15)[2023-05-11].https://s3-eu-west-1.amazonaws.com/downloads-mips/documents/MD00086-2B-MIPS32BIS-AFP-6.06.pdf.
Viewed
Full text


Abstract

Cited
  Shared   
  Discussed   
No Suggested Reading articles found!
渝ICP备16013121号-4
地址:重庆市渝北区洪湖西路18号    邮编:401121  
电话:023-63500828(编辑部) 023-67039612(会议/专题) 023-67039623(财务/发票)
E-mail:jsjkx12@163.com
本系统由北京玛格泰克科技发展有限公司设计开发