Computer Science

Computer Science ›› 2025, Vol. 52 ›› Issue (7): 379-387.doi: 10.11896/jsjkx.240800052

• Information Security • Previous Articles     Next Articles

Accelerating Firmware Vulnerability Discovery Through Precise Localization of IntermediateTaint Sources and Dangerous Functions

ZHANG Guanghua1,2, CHEN Fang1, CHANG Jiyou1, HU Boning1, WANG He2   

  1. 1 School of Information Science and Engineering, Hebei University of Science and Technology, Shijiazhuang 050018, China
    2 School of Cyber Engineering, Xidian University, Xi'an 710126, China
  • Received:2024-08-08 Revised:2024-11-07 Published:2025-07-17
  • About author:ZHANG Guanghua,born in 1979,Ph.D,professor,master supervisor,is a member of CCF(No.51334S).His main research interest is network and information security.
    HU Boning,born in 1978,master,lecturer.Her main research interest is communication network security.
  • Supported by:
    National Natural Science Foundation of China(62072239,62372236) and Postgraduate Innovation Fund Project of Hebei Province(CXZZSS2025076).

PDF (PC)

22

Abstract: Existing methods aim to accurately identify the starting points of taint analysis by recognizing intermediate taint sources and filter safe command hijacking points in certain cases to streamline endpoint analysis,thus reducing the paths to be analyzed and shortening vulnerability mining time.However,these methods spend excessive time identifying intermediate taint sources and fail to fully filter safe dangerous function call points,leading to prolonged overall vulnerability mining times.The ALTSDF scheme addresses these issues by accurately identifying intermediate taint sources and dangerous function locations.To quickly and accurately identify intermediate taint source as the starting point for taint analysis,it collects the parameter strings used at different call sites of each function to form its parameter string set.We then calculate the proportion of this set that overlaps with the shared keyword set.Functions are ranked in descending order of this proportion-the higher the proportion,the more likely the function is an intermediate taint source.When filtering safe dangerous function call points,it statically back-traces parameter types to exclude points where the parameter source is a constant,thus avoiding safe command hijacking and buffer overflow points.To reduce the time spent identifying intermediate taint sources,minimize taint propagation paths to dangerous function calls,and shorten the analysis time,thus speeding up vulnerability discovery.Testing on embedded Web programs in 21 real device firmwares show that ALTSDF significantly reduces the time spent on intermediate taint source inference compared to the FITS tool.It also reduces the taint analysis path by 8% compared to CINDY and ultimately reduces vulnerability mining time by 32% compared to the combined solution of SaTC with FITS and CINDY.These results demonstrate that ALTSDF acce- lerates the identification of vulnerabilities in firmware embedded Web programs.

Key words: IoT security, Static detection of firmware vulnerabilities, Taint analysis, Intermediate taint source

CLC Number: 

  • TP309
[1]VAILSHERY L S.Internet of Things(IoT) - statistics & facts[EB/OL].(2024-06-04)[2024-08-03].https://www.statista.com/topics/2637/internet-of-things/.
[2]ANTONAKAKIS M,APRIL T,BAILEY M,et al.Understan-ding the mirai botnet[C]//26th USENIX Security Symposium(USENIX Security 17).USENIX Association,2017:1093-1110.
[3]TEAM T I.150 000 Verkada security cameras hacked-tomake a point[EB/OL].(2021-03-12)[2024-06-28].https://www.threatdown.com/blog/150000-verkada-security-cameras-hacked-to-make-a-point/.
[4]LANGNER R.Stuxnet:Dissecting a cyberwarfare weapon[J].IEEE Security & Privacy,2011,9(3):49-51.
[5]LIU P,ZHENG Y,SUN C,et al.FITS:Inferring Intermediate Taint Sources for Effective Vulnerability Analysis of IoT Device Firmware[C]//the 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems.ACM,2023:138-152.
[6]YIN X,CAI R,ZHANG Y,et al.Accelerating Command Injection Vulnerability Discovery in Embedded Firmware with Static Backtracking Analysis[C]//The 12th International Conference on the Internet of Things.IEEE,2022:65-72.
[7]RAMOS D A,ENGLER D.Under-Constrained symbolic execution:Correctness checking for real code[C]//24th USENIX Security Symposium(USENIX Security 15).USENIX Association,2015:49-64.
[8]CHEN L,WANG Y,CAI Q,et al.Sharing more and checking less:Leveraging common input keywords to detect bugs in embedded systems[C]//30th USENIX Security Symposium(USENIX Security 21).USENIX Association,2021:303-319.
[9]QASEM A,SHIRANI P,DEBBABI M,et al.Automatic Vulnerability Detection in Embedded Devices and Firmware:Survey and Layered Taxonomies[J].ACM Computing Surveys,2021,54(2):1-42.
[10]YAO Y,ZHOU W,JIA Y,et al.Identifying Privilege Separation Vulnerabilities in IoT Firmware with Symbolic Execution[C]//Computer Security-ESORICS 2019:24th European Symposium on Research in Computer Security.Springer,2019:638-657.
[11]ZHOU W,ZHANG L,GUAN L,et al.What Your Firmware Tells You Is Not How You Should Emulate It:A Specification-Guided Approach for Firmware Emulation[C]//the ACM Conference on Computer and Communications Security 2022.ACM,2022:3269-3283.
[12]GAO Z,ZHANG C,LIU H,et al.Faster and Better:Detecting Vulnerabilities in Linux-based IoT Firmware with Optimized Reaching Definition Analysis[C]//NDSS2024.ISOC,2024:1-16.
[13]REDINI N,MACHIRY A,WANG R,et al.Karonte:Detecting insecure multi-binary interactions in embedded firmware[C]//2020 IEEE Symposium on Security and Privacy(SP).IEEE,2020:1544-1561.
[14]CHENG K,LI Q,WANG L,et al.DTaint:detecting the taint-style vulnerability in embedded device firmware[C]//2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks(DSN).IEEE,2018:430-441.
[15]REFIRMLAB S.binwalk[EB/OL]. (2023-02-02)[2024-06-20].https://github.com/ReFirmLabs/binwalk.
[16]WIKIPEDI A.Global Offset Table[EB/OL]. (2024-09-25)[2024-06-20].https://en.wikipedia.org/wiki/Global_Offset_Table.
[17]AGENCY N S.Ghidra[EB/OL].(2024-06-14)[2024-06-20].https://github.com/NationalSecurityAgency/ghidra.
[1] ZONG Si-jie, QIN Tian, HE Long-bing. Analysis and Application of Secure Boot Algorithm Based on IOT Chip [J]. Computer Science, 2021, 48(11A): 552-556.
[2] ZHANG Jing, ZHOU An-min, LIU Liang, JIA Peng and LIU Lu-ping. Review of Crash Exploitability Analysis Methods [J]. Computer Science, 2018, 45(5): 5-14.
[3] WANG Yun-chao, WEI Qiang and WU Ze-hui. Approach of Android Applications Intent Injection Vulnerability Detection Based on Static Taint Analysis [J]. Computer Science, 2016, 43(9): 192-196.
[4] ZHU Zheng-xin, ZENG Fan-ping and HUANG Xin-yi. Dynamic Symbolic Taint Analysis of Binary Programs [J]. Computer Science, 2016, 43(2): 155-158.
[5] HUANG Ke-zhen,LIAN Yi-feng,CHEN Kai,ZHANG Ying-jun and KANG Kai. Locating Vulnerable Point for Integer Overflow Based on Flag Bits Differences [J]. Computer Science, 2014, 41(12): 19-23.
[6] CHEN Shu,YE Jun-min and ZHANG Fan. Taint Trace with Noninterference Based Approach for Software Trust Analysis [J]. Computer Science, 2013, 40(5): 184-188.
[7] LI Cheng,WEI Qiang,PENG Jian-shan and WANG Qing-xian. Network Software Test Data Generation Based on Decomposition and Reconstruction [J]. Computer Science, 2013, 40(10): 108-113.
[8] TANG He-ping HUANG Shu-guang ZHANG Liang. Dynamic Information Flow Analysis for Vulnerability Exploits Detection [J]. Computer Science, 2010, 37(7): 148-151.
Viewed
Full text


Abstract

Cited
  Shared   
  Discussed   
No Suggested Reading articles found!
渝ICP备16013121号-4
Add:18# Honghu West Rd., Yubei ,Chongqing,China    Post Code: 401121
Tel: 023-63500828/023-67039612/023-67039623
E-mail: jsjkx12@163.com
Powered by Beijing Magtech Co., Ltd.