Computer Science ›› 2024, Vol. 51 ›› Issue (6): 423-433. doi: 10.11896/jsjkx.230500087

• Information Security •

Function-call Instruction Characteristic Analysis Based Instruction Set Architecture Recognition Method for Firmware

JIA Fan, YIN Xiaokang, GAI Xianzhe, CAI Ruijie, LIU Shengli   

  1. The Key Laboratory of Cyberspace Security, the Ministry of Education, Information Engineering University, Zhengzhou, 450001, China
  • Received: 2023-05-13  Revised: 2023-10-16  Online: 2024-06-15  Published: 2024-06-05
  • About author: JIA Fan, born in 1995, postgraduate. His main research interests include embedded device security and reverse engineering techniques.
    CAI Ruijie, born in 1990, Ph.D. candidate, lecturer. His main research interests include network security, binary code analysis and vulnerability discovery.

Abstract: Recognizing the instruction set architecture (ISA) of a firmware image is a crucial first step in security research on embedded devices, since every later stage of analysis depends on it. However, existing studies and tools often suffer from low recognition accuracy and high false-positive rates when identifying the firmware ISA of particular types of embedded devices. To address this, a new firmware ISA recognition method based on feature analysis of function-call instructions is proposed. It identifies function-call instructions in the target firmware by using the information carried by both the opcodes and the operands of the instructions, and uses these instructions as the key features for classifying different ISAs. A prototype system, EDFIR (embedded device firmware instruction set recognizer), has been built on this method. Experimental results show that, compared with widely used and state-of-the-art tools such as IDA Pro, Ghidra, Radare2, Binwalk and ISAdetect, the proposed method achieves higher recognition accuracy, lower false-positive rates and stronger resistance to interference. It reaches a recognition accuracy of 97.9% on 1,000 real device firmware images, 42.5% higher than the best-performing alternative, ISAdetect. Furthermore, experiments show that even when the analysed portion is reduced to 1/50 of the complete firmware image, the method still maintains a recognition accuracy of 95.31%.
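The abstract describes the core idea only in outline: a word is counted as a function call when both its opcode matches a call encoding and its operand (the call target) is plausible, and the ISA with the most such calls wins. The following is an added illustration of that idea, written for this page; it is not EDFIR or any code from the paper. It assumes three fixed-width 32-bit call encodings (MIPS32 `jal`, unconditional ARM A32 `bl`, PowerPC `bl`), that the image is mapped at a caller-supplied `base` (0 by default), and that "plausible" means the target is word-aligned and lands inside the image. The two sample images are constructed by hand for the example, not taken from any real firmware.

```python
# Added example, not the paper's EDFIR implementation. Scores each
# (ISA, endianness) pair by how many 32-bit words decode as a function call
# whose operand (the target) is also plausible, as the abstract describes.
# Assumptions: fixed-width encodings only, image mapped at `base`, and a
# plausible target is 4-byte aligned and inside [base, base + len(image)).
import struct


def _sext(value, bits):
    """Sign-extend a `bits`-wide two's-complement field to a Python int."""
    sign = 1 << (bits - 1)
    return (value ^ sign) - sign


def mips_jal_target(word, pc):
    """MIPS32 JAL: opcode 000011, 26-bit index, target in the 256 MB region of pc+4."""
    if (word >> 26) != 0b000011:
        return None
    return ((pc + 4) & 0xF0000000) | ((word & 0x03FFFFFF) << 2)


def arm_bl_target(word, pc):
    """ARM A32 BL with cond=AL (top byte 0xEB): signed 24-bit word offset from pc+8.
    Conditional BLs (other cond codes) are deliberately not counted."""
    if (word >> 24) != 0xEB:
        return None
    return (pc + 8 + (_sext(word & 0x00FFFFFF, 24) << 2)) & 0xFFFFFFFF


def ppc_bl_target(word, pc):
    """PowerPC bl: primary opcode 18 (I-form), AA=0 (pc-relative), LK=1 (link)."""
    if (word >> 26) != 18 or (word & 0b11) != 0b01:
        return None
    return (pc + (_sext((word >> 2) & 0x00FFFFFF, 24) << 2)) & 0xFFFFFFFF


CALL_DECODERS = {"mips": mips_jal_target, "arm": arm_bl_target, "ppc": ppc_bl_target}


def score_image(image, base=0):
    """Return {(isa, endian): (opcode_matches, validated_calls)}.
    opcode_matches counts words whose opcode looks like a call; validated_calls
    is the subset whose target also lies inside the image on a 4-byte boundary."""
    n = len(image) // 4
    scores = {}
    for endian, prefix in (("big", ">"), ("little", "<")):
        words = struct.unpack_from(prefix + "I" * n, image)
        for isa, decode in CALL_DECODERS.items():
            opcode_hits = validated = 0
            for i, word in enumerate(words):
                target = decode(word, base + 4 * i)
                if target is None:
                    continue
                opcode_hits += 1
                if base <= target < base + len(image) and target % 4 == 0:
                    validated += 1
            scores[(isa, endian)] = (opcode_hits, validated)
    return scores


def recognise(image, base=0):
    """Pick the (isa, endian) pair with the most operand-validated calls."""
    scores = score_image(image, base)
    return max(scores, key=lambda k: scores[k][1]), scores


# Constructed sample: MIPS32 big-endian fragment with three in-image jals, one
# jal to 0x800000 (outside the image), an epilogue, and a short data string.
MIPS_BE_SAMPLE = struct.pack(">16I",
    0x27BDFFE0,  # addiu sp,sp,-32
    0xAFBF001C,  # sw    ra,28(sp)
    0x0C000008,  # jal   0x20      (in image)
    0x00000000,  # nop
    0x0C00000A,  # jal   0x28      (in image)
    0x00000000,  # nop
    0x0C200000,  # jal   0x800000  (opcode matches, target outside image)
    0x00000000,  # nop
    0x8FBF001C,  # lw    ra,28(sp)
    0x03E00008,  # jr    ra
    0x27BD0020,  # addiu sp,sp,32
    0x00000000,  # nop
    0x03E00008,  # jr    ra
    0x00000000,  # nop
    0x0C000002,  # jal   0x8       (in image)
    0x00000000,  # nop
) + b"fw-ver=1.0\x00\x00"

# Constructed sample: ARM A32 little-endian fragment with three in-image bls
# (one backwards) and one bl whose target is far outside the image.
ARM_LE_SAMPLE = struct.pack("<12I",
    0xE52DE004,  # push {lr}
    0xE3A00000,  # mov  r0,#0
    0xEB000002,  # bl   0x18  (in image)
    0xE3A01001,  # mov  r1,#1
    0xEB000006,  # bl   0x30  (in image)
    0xE49DF004,  # pop  {pc}
    0xE92D4010,  # push {r4,lr}
    0xE1A04000,  # mov  r4,r0
    0xEB7FFFF0,  # bl   +0x1FFFFC0 (opcode matches, target outside image)
    0xE8BD8010,  # pop  {r4,pc}
    0xEBFFFFF8,  # bl   0x10  (backwards, in image)
    0xE12FFF1E,  # bx   lr
) + struct.pack("<2I", 1, 2)  # small data table

if __name__ == "__main__":
    for name, blob in (("mips sample", MIPS_BE_SAMPLE), ("arm sample", ARM_LE_SAMPLE)):
        print(name, "->", recognise(blob))
```

The `(opcode_matches, validated_calls)` pair is kept separately on purpose: in both samples one word passes the opcode test but fails the operand test, which is exactly the kind of false positive an opcode-only scan would count. A real firmware image is rarely mapped at 0, so `base` has to come from somewhere (a header, a load-address heuristic, or a scan over candidate bases); with the wrong base the operand check rejects genuine calls, which is a failure mode rather than a bug in the scoring.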

Key words: Instruction set architecture, Classification techniques, Reverse engineering analysis, Embedded device security, Static analysis

CLC Number: TP391