Computer Science ›› 2022, Vol. 49 ›› Issue (9): 326-332. doi: 10.11896/jsjkx.220200163

• Information Security •

Strcmp-like Function Identification Method Based on Data Flow Feature Matching

HU An-xiang, YIN Xiao-kang, ZHU Xiao-ya, LIU Sheng-li   

  1. State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China
  • Received: 2022-02-25 Revised: 2022-06-03 Online: 2022-09-15 Published: 2022-09-09
  • About author: HU An-xiang, born in 1996, master. His main research interests include cyber security and embedded network devices.
    LIU Sheng-li, born in 1973, Ph.D, professor. His main research interests include network device security and network attack detection.
  • Supported by:
    Foundation Strengthening Key Project of Science & Technology Commission (2019-JCJQ-ZD-113).

Abstract: Embedded devices are now ubiquitous and are used in a range of security-critical and privacy-sensitive applications. However, recent studies show that many embedded devices contain backdoors, of which hard-coded backdoors (password backdoors) are the most common. Strcmp-like functions are an essential part of the process that triggers a password backdoor. Current identification of strcmp-like functions relies mainly on function signature matching and control flow feature matching. The former cannot recognize user-defined strcmp-like functions, and its effectiveness is strongly affected by the compilation environment. The latter has high false positive and false negative rates. To solve these problems, this paper proposes CMPSeek, a novel strcmp-like function identification technique. The method builds a model for strcmp-like function identification from an analysis of control flow and data flow characteristics, uses it to identify strcmp-like functions in binary programs, and is suitable for stripped binaries. ARM, MIPS, PPC and x86/64 instruction sets are supported by converting binary code to the VEX IR intermediate representation. Experimental results show that CMPSeek achieves better accuracy and recall than FLIRT and SaTC in the absence of source code, function names and other information.

Key words: Function identification, Data flow analysis, Feature matching, Strcmp-like function, Binary program

CLC Number: 

  • TP393