Computer Science ›› 2026, Vol. 53 ›› Issue (7): 406-413.doi: 10.11896/jsjkx.250600072

• Information Security • Previous Articles     Next Articles

VxSymRe:VxWorks Firmware Function Symbol Recovery System Based on Binary CodeSimilarity Detection

LIU Yicong1, MI Qingrong2, GENG Yangyang2, MA Rongkuan2, JIA Yan3, CAO Yan1   

  1. 1 School of Cyber Science and Engineering,Zhengzhou University,Zhengzhou 450002,China
    2 School of Cyberspace Security,Information Engineering University,Zhengzhou 450001,China
    3 College of Cryptology and Cyber Science,Nankai University,Tianjin 300071,China
  • Received:2025-06-11 Revised:2025-09-07 Online:2026-07-15 Published:2026-07-10
  • About author:LIU Yicong,born in 2002,postgra-duate,is a member of CCF(No.V1718G).His main research interests include software automated testing and reverse engineering.
    GENG Yangyang,born in 1994,Ph.D.His main research interests include embedded system security and CPS security.
  • Supported by:
    Open Foundation of Key Laboratory of Cyberspace Security,Ministry of Education of China(KLCS20240211).

Abstract: VxWorks firmware is widely used in critical domains such as aerospace,industrial control,and military equipment.However,to meet security and size optimization requirements,symbol tables are often stripped from released firmware versions.This significantly increases the difficulty of understanding function semantics during reverse engineering and security analysis.To address this issue,this paper presents VxSymRe-an automated function symbol recovery system specifically designed for VxWorks firmware.The system first extracts VxWorks function samples from complete ELF files and object files,and then constructs a function feature vector database that spans multiple versions,architectures,and compiler combinations.During firmware analysis,an automated preprocessing pipeline identifies the firmware version,architecture,and load base address,which enables accurate function boundary recognition.Subsequently,functions are represented via semantic-oriented graphs,and fixed-dimensional feature vectors are generated using a graph neural network.Function symbol recovery is performed through cosine similarity-based matching.Experimental results show that using both ELF and object files for database construction increases the number of function samples by 42.49% compared to using ELF files alone.In terms of preprocessing,VxSymRe is capable of correctly handling firmware from various vendors with diverse configurations.For symbol recovery,VxSymRe achieves function symbol recovery counts that are 20.86×,17.96×,and 118.2× higher than the baseline methods on three representative test samples.

Key words: VxWorks, Function symbol recovery, Binary code similarity detection, Firmware security analysis

CLC Number: 

  • TP316
[1]HAMBARDE P,VARMA R,JHA S.The survey of real timeoperating system:RTOS [C]//Proceedings of the 2014 International Conference on Electronic Systems,Signal Processing and Computing Technologies.New York:IEEE,2014:34-39.
[2]ZHANG Z,LV Z,MO J,NIU S.Vulnerabilities analysis and solution of VxWorks [C]//Proceedings of the 2nd International Conference on Teaching and Computational Science.Paris:Atlantis Press,2014:94-97.
[3]Armis.Urgent/11 [EB/OL].[2025-05-24].https://www.armis.com/research/urgent-11/.
[4]HUANG J,YANG K,WANG G,et al.TaiE:Function identification for monolithic firmware [C]//Proceedings of the 32nd IEEE/ACM International Conference on Program Comprehension.New York:IEEE/ACM,2024:403-414.
[5]ZHU W Z,YU Z,WANG J S,et al.Dive into VxWorks-Based IoT device:Debug the undebugable device [C]//Proceedings of Black Hat Asia 2019.2019.
[6]CHEN L,CAI Q,MA Z,et al.Sfuzz:Slice-based fuzzing for real-time operating systems [C]//Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security.New York:ACM,2022:485-498.
[7]Wind River.VxWorks:Industry Leading RTOS for EmbeddedSystems [EB/OL].(2025-05-24)[2025-05-24].https://www.windriver.com/products/vxworks.
[8]SÁNCHEZ-GORDÓN M,COLOMO-PALACIOS R.Security as culture:a systematic literature review of DevSecOps [C]//Proceedings of the IEEE/ACM 42nd International Conference on Software Engineering Workshops.New York:IEEE/ACM,2020:266-269.
[9]LU H J,MATZ M,HUBICKA J,et al.System V Application Binary Interface:AMD64 Architecture Processor Supplement [EB/OL].https://raw.githubusercontent.com/wiki/hjl-tools/x86-psabi/x86-64-psABI-1.0.pdf.
[10]GAO J,YANG X,FU Y,et al.Vulseeker-Pro:Enhanced semantic learning based binary vulnerability seeker with emulation [C]//Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering.New York:ACM,2018:803-808.
[11]XU X,LIU C,FENG Q,et al.Neural network-based graph embedding for cross-platform binary code similarity detection [C]//Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security.New York:ACM,2017:363-376.
[12]GAO J,YANG X,FU Y,et al.Vulseeker:A semantic learning based vulnerability seeker for cross-platform binary [C]//Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering.New York:ACM/IEEE,2018:896-899.
[13]MASSARELLI L,DI LUNA G A,PETRONI F,et al.Investigating graph embedding neural networks with unsupervised features extraction for binary analysis [C]//Proceedings of the 2nd Workshop on Binary Analysis Research(BAR).New York:IEEE,2019:1-11.
[14]LI Y,GU C,DULLIEN T,et al.Graph matching networks for learning the similarity of graph structured objects [C]//Proceedings of the 36th International Conference on Machine Learning(ICML).PMLR,2019:3835-3845.
[15]HE H,LIN X,WENG Z,et al.Code is not natural language:Unlock the power of semantics-oriented graph representation for binary code similarity detection [C]//Proceedings of the 33rd USENIX Security Symposium(USENIX Security 24).Philadelphia:USENIX Association,2024.
[16]SU Z,XU X,HUANG Z,et al.Source code foundation models are transferable binary analysis knowledge bases [C]//Procee-dings of the Thirty-eighth Annual Conference on Neural Information Processing Systems(NeurIPS).New York:NeurIPS,2024.
[17]SCHÜTZE H,MANNING C D,RAGHAVAN P.Introduction to Information Retrieval [M].Cambridge:Cambridge University Press,2008:234-265.
[18]MASSARELLI L,DI LUNA G A,PETRONI F,et al.SAFE:Self-attentive function embeddings for binary similarity [C]//Proceedings of Detection of Intrusions and Malware,and Vulnerability Assessment(DIMVA 2019).Cham:Springer,2019:309-329.
[19]PEI K,ZHOU X,YANG J,et al.Learning approximate execution semantics from traces for binary function similarity [J].IEEE Transactions on Software Engineering,2023,49(4):2776-2790.
[20]LI Y,GU C,DULLIEN T,et al.Graph matching networks for learning the similarity of graph structured objects [C]//Proceedings of the 36th International Conference on Machine Learning(ICML).PMLR,2019:3835-3845.
[21]ReFirm Labs.Binwalk:Firmware analysis tool [EB/OL].(2025-05-24)[2025-05-24].https://github.com/ReFirmLabs/binwalk.
[22]ZHU R,ZHANG B,MAO J,et al.A methodology for determining the image base of ARM-based industrial control system firmware [J].International Journal of Critical Infrastructure Protection,2017,16:26-35.
[23]National Security Agency.Ghidra:Software reverse engineering(SRE) framework [EB/OL].(2019-03-05)[2025-05-24].https://ghidra-sre.org/.
[24]GNU Project.objdump:Display information from object files[EB/OL].(2025-05-24)[2025-05-24].https://sourceware.org/binutils/docs/binutils/objdump.html.
[1] WEI Youyuan, SONG Jianhua, ZHANG Yan. Survey of Binary Code Similarity Detection Method [J]. Computer Science, 2025, 52(6): 365-380.
[2] ZHANG Feng-Xia (Department of Computer Science, Shangqiu Normal College, Henan Shangqiu 476000). [J]. Computer Science, 2007, 34(8): 281-282.
Viewed
Full text


Abstract

Cited

  Shared   
  Discussed   
No Suggested Reading articles found!