面向物联网设备固件的硬编码漏洞检测方法

doi:10.11959/j.issn.2096-109x.2022070

网络与信息安全学报 ›› 2022, Vol. 8 ›› Issue (5): 98-110.doi: 10.11959/j.issn.2096-109x.2022070

面向物联网设备固件的硬编码漏洞检测方法

穆超¹, 王鑫¹, 杨明¹, 张恒², 陈振娅¹, 吴晓明¹

¹ 齐鲁工业大学（山东省科学院）山东省计算中心（国家超级计算济南中心）山东省计算机网络重点实验室，山东济南 250014
² 江苏海洋大学计算机工程学院，江苏连云港 222005

修回日期:2022-09-02 出版日期:2022-10-15 发布日期:2022-10-01
作者简介:穆超（1990- ），男，山东济南人，齐鲁工业大学（山东省科学院）助理研究员，主要研究方向为物联网安全与数据安全
王鑫（1992- ），男，山东邹平人，博士，齐鲁工业大学（山东省科学院）副研究员，主要研究方向为工业互联网安全与数据隐私保护
杨明（1981- ），男，山东东营人，博士，齐鲁工业大学（山东省科学院）研究员，主要研究方向为密码学、云安全、大数据安全、物联网安全
张恒（1981- ），男，江苏连云港人，博士，江苏海洋大学教授，主要研究方向为系统安全与控制和人工智能算法安全
陈振娅（1983- ），女，山东菏泽人，齐鲁工业大学（山东省科学院）副研究员，主要研究方向为数据安全与隐私保护
吴晓明（1981- ），男，山东滨州人，博士，齐鲁工业大学（山东省科学院）研究员、博士生导师，主要研究方向为物联网安全与信息安全
基金资助:
国家重点研发计划(2021YFF0901301-02);山东省自然科学基金(ZR2021QF057);国家自然科学基金(61873106);江苏省杰出青年科学基金(BK20200049);齐鲁工业大学（山东省科学院）计算机科学与技术学科基础研究加强计划(2021JC02023);工业控制技术国家重点实验室（浙江大学）开放课题(ICT2022B36)

Hardcoded vulnerability detection approach for IoT device firmware

Chao MU¹, Xin WANG¹, Ming YANG¹, Heng ZHANG², Zhenya CHEN¹, Xiaoming WU¹

¹ Shandong Provincial Key Laboratory of Computer Networks, Shandong Computer Science Center (National Supercomputer Center in Jinan),Qilu University of Technology (Shandong Academy of Sciences), Jinan 250014, China
² School of Computer Engineering, Jiangsu Ocean University, Lianyungang 222005, China

Revised:2022-09-02 Online:2022-10-15 Published:2022-10-01
Supported by:
The National Key R＆D Program of China(2021YFF0901301-02);Shandong Provincial Natural Science Foundation(ZR2021QF057);The National Natural Science Foundation of China(61873106);The Natural Science Foundation of Jiangsu Province for Distinguished Young Scholars(BK20200049);QLU/SDAS Computer Science and Technology Fundamental Research Enhancement Program(2021JC02023);Open Research Project of the State Key Laboratory of Industrial Control Technology, Zhejiang University, China(ICT2022B36)

摘要/Abstract

摘要：

随着物联网设备的普及，越来越多有价值的数据产生，依托物联网设备进行大数据分析和挖掘是近年来学术界和工业界关注的热点问题。然而，由于缺乏必要的检测和防护手段，很多物联网设备存在严重的信息安全隐患。特别地，设备硬编码信息与系统加解密、身份认证等功能密切相关，可为核心数据提供机密性保障，一旦被恶意攻击者利用，会产生敏感信息泄露、后门攻击、非授权登录等严重后果。针对该问题，在研究物联网设备中硬编码漏洞表现特征的基础上，提出了一种可执行文件中多类型字符识别定位和硬编码漏洞检测方法。首先，提取固件内容并筛选所有可执行文件作为待分析源，提出特殊格式字符、外部文件引用、密码实现3类硬编码字符的识别与定位；然后，根据函数调用关系对硬编码字符所在函数进行可达性分析，采用中间表示 IR 模型消除指令异构性，并利用数据流分析方法确定字符型和参数型硬编码值；最后，设计符号执行方法确定硬编码漏洞的触发条件，最终输出漏洞检测结果。一方面，所提方法在利用中间表示模型的基础上引入了符号执行的方法，消除了指令架构依赖性，减少了漏洞误报率；另一方面，该方法可融合字符、文件、密码实现 3 类硬编码字符的不同特征表现，增加了漏洞检测的覆盖范围，提升了检测方法的通用性。实验结果表明，所提方法可有效检测多种物联网设备中的字符、文件、密码3类硬编码漏洞，具有较好的检测精度，可为后续安全防护技术的部署提供一定指导。

关键词: 大数据, 物联网安全, 硬编码, 漏洞检测

Abstract:

With the popularization of IoT devices, more and more valuable data is generated.Analyzing and mining big data based on IoT devices has become a hot topic in the academic and industrial circles in recent years.However, due to the lack of necessary detection and protection methods, many IoT devices have serious information security risks.In particular, device hard-coded information is closely related to system encryption and decryption, identity authentication and other functions, which can provide confidentiality protection for core data.Once this information is exploited by malicious attackers, serious consequences such as sensitive information leakage, backdoor attacks, and unauthorized logins will occur.In response to this problem, a multi-type character recognition and positioning scheme was designed and a hard-coded vulnerability detection method in executable files was proposed based on the study of the characteristics of hard-coded vulnerabilities in IoT devices.The proposed method extracted the firmware of IoT devices and filtered all executable files as the source to be analyzed.Then, a solution to identify and locate three types of hard-coded characters was provided.Further, the reachability of the function, where the hard-coded character was located, was analyzed according to the function call relationship.Meanwhile, the instruction heterogeneity was mitigated by an intermediate representation (IR) model.The character and parameter hard-coded values was obtained through a data flow analysis approach.A symbolic execution method was devised to determine the trigger conditions of the hard-coded vulnerabilities, and then the vulnerability detection result was output.On the one hand, the proposed method introduced the method of symbolic execution based on the use of the intermediate representation model, which eliminated the dependency of instruction architecture and reduces the false positive rate of vulnerabilities; On the other hand, this method can integrate characters, files, and cryptographic implementation to realize the different characteristics of three types of hard-coded characters, which increased the coverage of vulnerability detection and improves the versatility of the detection method.The experimental results show that the proposed method can effectively detect three types of hard-coded vulnerabilities of characters, files and cryptographic implementation in various IoT devices, and has good detection accuracy, which can provide certain guidance for the deployment of subsequent security protection technologies.

Key words: big data, IoT security, hard coding, vulnerability detection

中图分类号:

TP393

穆超, 王鑫, 杨明, 张恒, 陈振娅, 吴晓明. 面向物联网设备固件的硬编码漏洞检测方法[J]. 网络与信息安全学报, 2022, 8(5): 98-110.

Chao MU, Xin WANG, Ming YANG, Heng ZHANG, Zhenya CHEN, Xiaoming WU. Hardcoded vulnerability detection approach for IoT device firmware[J]. Chinese Journal of Network and Information Security, 2022, 8(5): 98-110.

图/表 17

图1

图2

图3

图4

图5

图6

表1

表2

图7

图8

图9

图10

图11

图12

图13

图14

图15

参考文献 30

[1]	王鑫 . 面向分布式计算的隐私保护研究[D]. 浙江:浙江大学, 2020.
	WANG X . Research on privacy protection for distributed compu-ting[D]. Zhejiang:Zhejiang University, 2020.
[2]	BURSZTEIN E , COCHRAN G J , DURUMERIC C Z ,et al. Understanding the Mirai Botnet[C]// USENIX Security Symposium. 2017.
[3]	杨毅宇, 周威, 赵尚儒 ,等. 物联网安全研究综述:威胁,检测与防御[J]. 通信学报, 2021,42(8): 188-205.
	YANG Y Y , ZHOU W , ZHAO S R ,et al. Survey of IoT security re-search:threats,detection and defense[J]. Journal on Communica-tions, 2021,42(8): 188-205.
[4]	张玉清, 周威, 彭安妮 . 物联网安全综述[J]. 计算机研究与发展, 2017,54(10): 2130.
	ZHANG Y , ZHOU W , PENG A N . Survey of internet of things se-curity[J]. Journal of Computer Research and Development, 2017,54(10): 2130-2143.
[5]	郑尧文, 文辉, 程凯 ,等. 物联网设备漏洞挖掘技术研究综述[J]. 信息安全学报, 2019,4(5): 61-75.
	ZHENG Y W , WEN H , CHENG K ,et al. A survey of IoT device vulnerability mining techniques[J]. Journal of Cyber Security, 2019,4(5): 61-75.
[6]	CAO X H , SHILA D M , CHENG Y ,et al. Ghost-in-zigbee:Energy depletion attack on zigbee-based wireless networks[J]. IEEE Internet of Things Journal, 2016,3(5): 816-829.
[7]	WEN H , CHEN Q A , LIN Z . Plug-N-Pwned:comprehensive vulnerability analysis of OBD-II dongles as a new over-the-air attack surface in automotive IoT[C]// USENIX Security Symposium. 2020: 949-965.
[8]	CHEN J Y , ZUO C S , DIAO W R ,et al. Your IoTs are (not) mine:on the remote binding between IoT devices and users[C]// 2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks. 2019: 222-233.
[9]	HE W , GOLLA M , PADHI R ,et al. Rethinking access control and authentication for the home Internet of things (IoT)[C]// USENIX Security Symposium. 2018: 255-272.
[10]	YUAN B , JIA Y , XING L ,et al. Shattered chain of trust:understanding security risks in cross-cloud IoT access delegation[C]// USENIX Security Symposium. 2020: 1183-1200.
[11]	FERNANDES E , RAHMATI A , JUNG J ,et al. Decentralized action integrity for trigger-action IoT platforms[C]// Proceedings 2018 Network and Distributed System Security Symposium. 2018: 1-16.
[12]	ZHANG L , CHEN J , DIAO W ,et al. {CryptoREX}:large-scale analysis of cryptographic misuse in {IoT} Devices[C]// 22nd International Symposium on Research in Attacks,Intrusions and Defenses (RAID 2019). 2019: 151-164.
[13]	ALMAKHDHUB N S , CLEMENTS A A , BAGCHI S ,et al. μRAI:securing embedded systems with return address integrity[C]// Proceedings 2020 Network and Distributed System Security Symposium. 2020: 1-18.
[14]	YAO Y , ZHOU W , JIA Y ,et al. Identifying privilege separation vulnerabilities in IoT firmware with symbolic execution[C]// European Symposium on Research in Computer Security. 2019: 638-657.
[15]	ZHOU J , DU Y , SHEN Z ,et al. Silhouette:efficient protected shadow stacks for embedded systems[C]// USENIX Security Symposium. 2020: 1219-1236.
[16]	MU C , YANG M , CHEN Z ,et al. Research on RSA padding identification method in IoT firmwares[C]// Journal of Physics:Conference Series. 2020:012061.
[17]	Vulnerabilities in foscam IP cameras report[R].
[18]	THOMAS S L , CHOTHIA T , GARCIA F D . Stringer:measuring the importance of static data comparisons to detect backdoors and undocumented functionality[C]// European Symposium on Research in Computer Security. 2017: 513-531.
[19]	SHOSHITAISHVILI Y , WANG R , HAUSER C ,et al. Firmaliceautomatic detection of authentication bypass vulnerabilities in binary firmware[C]// NDSS. 2015: 1-8.
[20]	WANG F , SHOSHITAISHVILI Y . Angr-the next generation of binary analysis[C]// 2017 IEEE Cybersecurity Development (SecDev). 2017: 8-9.
[21]	ZHENG Y , DAVANIAN A , YIN H ,et al. FIRM-AFL:greybox fuzzing of IoT firmware via augmented process emulation[C]// 28th USENIX Security Symposium (USENIX Security 19). 2019: 1099-1114.
[22]	ZADDACH J , BRUNO L , FRANCILLON A ,et al. AVATAR:A framework to support dynamic security analysis of embedded systems' firmwares[C]// NDSS. 2014: 1-16.
[23]	CHEN J Y , DIAO W R , ZHAO Q C ,et al. IoTFuzzer:discovering memory corruptions in IoT through app-based fuzzing[C]// Proceedings 2018 Network and Distributed System Security Symposium. 2018: 1-15.
[24]	REDINI N , MACHIRY A , WANG R ,et al. Karonte:detecting insecure multi-binary interactions in embedded firmware[C]// 2020 IEEE Symposium on Security and Privacy. 2020: 1544-1561.
[25]	CHEN L , WANG Y , CAI Q ,et al. Sharing more and checking less:Leveraging common input keywords to detect bugs in embedded systems[C]// 30th USENIX Security Symposium (USENIX Security 21). 2021: 303-319.
[26]	MU C , WANG X , YANG M ,et al. Vulnerability analysis for iot devices of multi-agent systems:a cryptographic function identification approach[C]// Proceedings of 2021 5th Chinese Conference on Swarm Intelligence and Cooperative Control. 2023: 1510-1519.
[27]	DAVIDSON D , MOENCH B , RISTENPART T ,et al. {FIE} on firmware:Finding vulnerabilities in embedded systems using symbolic execution[C]// 22nd USENIX Security Symposium (USENIX Security 13). 2013: 463-478.
[28]	NETHERCOTE N , SEWARD J . Valgrind:a framework for heavyweight dynamic binary instrumentation[J]. ACM Sigplan Notices, 2007,42(6): 89-100.
[29]	DUONG T , RIZZO J . Here come the⊕ninjas[J]. Unpublished manuscript, 2011,320.
[30]	CHEN D D , EGELE M , WOO M ,et al. Towards automated dynamic analysis for linux-based embedded firmware[C]// Pro- ceedings 2016 Network and Distributed System Security Symposium. 2016: 1-16.

文件类型	代表文件	应用场景	架构组成
可执行	busybox，boa，pppd，	命令操作，Web	MIPS
文件	init，httpd，webs，	服务，初始化，	ARM
（625个）	ucloud，app_default，	授权认证，时间	PowerPC
	cgi，switch等	获取等	X86-64
链接库	libc.so，libcrypto.so，	OpenSSL库，加	MIPS
文件	libgcc.so，libssl.so，	解密操作，协议	ARM
（214个）	libutil.so，libdl.so，	应用，系统语言	PowerPC
	libuClibc.so等	功能等	X86-64

厂商名称	固件架构及数量	特殊格式字符	外部文件引用	密码实现硬编码
360	MIPS(32)	MIPS(13)	MIPS(5)	0
TP-Link	MIPS(52)	MIPS(12)	MIPS(7)	0
	ARM(24)	ARM(8)	ARM(4)
Tenda	MIPS(36)	MIPS(9)	MIPS(3)	MIPS(1)
D-Link	MIPS(7)	MIPS(5)	MIPS(2)	ARM(3)
	ARM(5)	ARM(2)
	ARM(3)	PowerPC(1)	PowerPC(1)	ARM(1)
Western Digital	PowerPC(2)	X86-64(2)	X86-64(1)	X86-64(1)
	X86-64(3)
	MIPS(127)	MIPS(39)	MIPS(17)	MIPS(1)
合计	ARM(32)	ARM(10)	ARM(4)	ARM(4)
	PowerPC(2)	PowerPC(1)	PowerPC(1)	X86-64(1)
	X86-64(3)	X86-64(2)	X86-64(1)

面向物联网设备固件的硬编码漏洞检测方法

Hardcoded vulnerability detection approach for IoT device firmware

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 17

参考文献 30

相关文章 15

Metrics

推荐阅读 0

[1]	胡安祥, 肖达, 郭世臣, 刘胜利. 基于语义冲突的硬编码后门检测方法[J]. 网络与信息安全学报, 2023, 9(1): 150-157.
[2]	李东, 郝艳妮, 彭升辉, 訾瑞杰, 刘西蒙. 国家自然科学基金委员会网络安全现状与展望[J]. 网络与信息安全学报, 2022, 8(6): 92-101.
[3]	单棣斌, 杜学绘, 王文娟, 刘敖迪, 王娜. 基于GNN双源学习的访问控制关系预测方法[J]. 网络与信息安全学报, 2022, 8(5): 40-55.
[4]	李剑, 董廷鲁, 李劼. 基于证据理论物联网安全态势感知方法研究[J]. 网络与信息安全学报, 2022, 8(2): 39-47.
[5]	高振升, 曹利峰, 杜学绘. 基于区块链的访问控制技术研究进展[J]. 网络与信息安全学报, 2021, 7(6): 68-87.
[6]	周家顺, 王娜, 杜学绘. 基于区块链的数据完整性多方高效审计机制[J]. 网络与信息安全学报, 2021, 7(6): 113-125.
[7]	邹德清, 李响, 黄敏桓, 宋翔, 李浩, 李伟明. 基于图结构源代码切片的智能化漏洞检测系统[J]. 网络与信息安全学报, 2021, 7(5): 113-122.
[8]	陈皓, 易平. 基于图神经网络的代码漏洞检测方法[J]. 网络与信息安全学报, 2021, 7(3): 37-45.
[9]	熊钢,葛雨玮,褚衍杰,曹卫权. 基于跨域协同的网络空间威胁预警模式[J]. 网络与信息安全学报, 2020, 6(6): 88-96.
[10]	腾金辉,光焱,舒辉,张冰. 基于流量分析的软件升级漏洞自动检测方法[J]. 网络与信息安全学报, 2020, 6(1): 94-108.
[11]	朱建明,杨鸿瑞. 金融科技中数据安全的挑战与对策[J]. 网络与信息安全学报, 2019, 5(4): 71-79.
[12]	李珍, 邹德清, 王泽丽, 金海. 面向源代码的软件漏洞静态检测综述[J]. 网络与信息安全学报, 2019, 5(1): 1-14.
[13]	苏秋月, 陈兴蜀, 罗永刚. 大数据环境下多源异构数据的访问控制模型[J]. 网络与信息安全学报, 2019, 5(1): 78-86.
[14]	明拓思宇, 陈鸿昶. 文本摘要研究进展与趋势[J]. 网络与信息安全学报, 2018, 4(6): 1-10.
[15]	袁得嵛,王小娟,万建超. “互联网+”对网络空间安全影响及未来发展趋势[J]. 网络与信息安全学报, 2017, 3(5): 1-9.