基于软硬件协同形式验证的固件漏洞分析技术

doi:10.11959/j.issn.2096-109x.2016.00071

网络与信息安全学报 ›› 2016, Vol. 2 ›› Issue (7): 59-68.doi: 10.11959/j.issn.2096-109x.2016.00071

基于软硬件协同形式验证的固件漏洞分析技术

张朋辉(),田曦,楼康威

国防科学技术大学电子科学与工程学院，湖南长沙 410003

修回日期:2016-06-27 出版日期:2016-07-15 发布日期:2020-03-26
作者简介:张朋辉（1989-），男，河南安阳人，国防科学技术大学硕士生，主要研究方向为专用集成电路可信性设计、硬件安全性分析。|田曦（1971-），男，湖南长沙人，博士，国防科学技术大学副教授、硕士生导师，主要研究方向为信息安全、可信性设计。|楼康威（1992-），男，浙江金华人，国防科学技术大学硕士生，主要研究方向为专用集成电路可信性设计、电子信息系统信号安全分析。
基金资助:
国家高技术研究发展计划基金资助项目(2015AA2557)

Firmware vulnerability analysis based on formal verification of software and hardware

Peng-hui ZHANG(),Xi TIAN,Kang-wei LOU

School of Electronic Science and Engineering,National University of Defense Technology,Changsha 410003,China

Revised:2016-06-27 Online:2016-07-15 Published:2020-03-26
Supported by:
The National High Technology Research and Development Program(2015AA2557)

摘要/Abstract

摘要：

为了系统高效地分析固件中潜在的安全隐患，提出了一种基于行为时序逻辑 TLA 的软硬件协同形式验证方法。通过对固件工作过程中的软硬件交互机制进行形式建模分析，在动态调整攻击模型的基础上，发现了固件更新过程中存在的安全漏洞，并通过实验证实了该漏洞的存在，从而证明了形式验证方法的可靠性。

关键词: 固件安全, TLA, 形式验证, 漏洞分析, 软硬件协同

Abstract:

In order to analyze the potential vulnerabilities in the firmware systematically and effectively,a formal verification method based on TLA,in a collaborated form of software and hardware was proposed.With this method,the interaction mechanism of software and hardware in the computer boot process was modeled and analyzed.By adjusting the attack model,a secure vulnerability in the update process of the firmware was found,and its existence by an experiment,which proved the reliability of formal verification was demonstrated.

Key words: firmware security, TLA, formal verification, vulnerability analysis, software and hardware collaboration

中图分类号:

TP309

张朋辉,田曦,楼康威. 基于软硬件协同形式验证的固件漏洞分析技术[J]. 网络与信息安全学报, 2016, 2(7): 59-68.

Peng-hui ZHANG,Xi TIAN,Kang-wei LOU. Firmware vulnerability analysis based on formal verification of software and hardware[J]. Chinese Journal of Network and Information Security, 2016, 2(7): 59-68.

图/表 9

图1

图2

图3

图4

图5

表1

图6

图7

图8

参考文献 21

[1]	ZIMMER V , ROTHMAN M , MARISETTY S . Beyond BIOS:developing with the unified extensible firmware interface[M]. Intel Press, 2010.
[2]	BROSSARD J , DEMETRESCU F . Hardware backdooring is prac-tical[J]. BlackHat,Las Vegas,USA, 2009,58(1).
[3]	RONTTI T , JUUSO A M , TAKANEN A . Preventing DoS attacks in NGN networks with proactive specification-based fuzzing[J]. IEEE Communications Magazine, 2012,50(9): 164-170.
[4]	RUI MA , DAGUANG WANG , CHANGZHEN HU , et al. Test data generation for stateful network protocol fuzzing using a rule-based state machine[J]. Tsinghua Science and Technology, 2016,21.
[5]	周仕钧 . 基于二进制补丁比对技术的漏洞特征分析与研究[D]. 昆明：云南大学， 2013.
	ZHOU S J . Holes characteristics analysis and research based on binary patch[D]. Kunming: Yunnan University, 2013.
[6]	KIM S , KIM R Y C , PARK Y B . Software vulnerability detection methodology combined with static and dynamic analysis[J]. Wire-less Personal Communications, 2015:1-17.
[7]	郑宇军，张蓓，薛锦云 . 软件形式化开发关键部件选取的水波优化方法[J]. 软件学报， 2016(4): 933-942.
	ZHENG Y J , ZHANG B , XUE J Y . Water ware optimization method of Software for multination development key components selection[J]. Journal of Software, 2016(4): 933-942.
[8]	CALINESCU R , GHEZZI C , JOHNSON K , et al. Formal verifica-tion with confidence intervals to establish quality of service proper-ties of software systems[J]. IEEE Transactions on Reliability, 2016,65(1):107-125.
[9]	KUMAR S , CHANDRA G , YADAV D . Formal verification of security protocol with B method[C]//IEEE International Confer-ence on Computer and Communication Technology. c2014:161-167.
[10]	LACH J , BINGHAM S , ELKS C , et al. Accessible formal verifica-tion for safety-critical hardware design[C]//Reliability and Main-tainability Symposium,IEEE Computer Society. c2006:29-32.
[11]	CHOI H , YIM M K , LEE J Y , et al. Formal verification of an in-dustrial system-on-a-chip[C]//IEEE International Conference on Computer Design. c2000:453-458.
[12]	LAMPORT L . Specifying systems,the TLA+ language and tools for hardware and software engineers[J]. Software Quality Profes-sional, 2002(4):43.
[13]	CHAUDHURI K , DOLIGEZ D , LAMPORT L , et al. Verifying safety properties with the TLA+ proof system[M]//Automated Reasoning. Berlin Heidelberg:Springer 2010:142-148.
[14]	LU T , MERZ S , WEIDENBACH C . Towards verification of the pastry protocol using TLA+[C]//Formal Techniques for Distrib-uted Systems Proceedings. c2011:244-258.
[15]	KALLENBERG C , BUTTERWORTH J , KOVAH X , et al. Defeat-ing signed BIOS enforcement[J]. EkoParty,Buenos Aires, 2013.
[16]	ZHANG H , MERZ S , GU M . Specifying and verifying PLC sys-tems with TLA+:a case study[J]. Computers ＆ Mathematics with Applications, 2010,60(3):695-705.
[17]	NARAYANA P , CHEN R , ZHAO Y , et al. Automatic vulnerability checking of IEEE 802.16 WiMAX Protocols through TLA+[C]//IEEE Workshop on Secure Network Protocols. c2006:44-49.
[18]	HEASMAN J . Implementing and detecting a PCI rootkit[J]. Re-trieved February, 2006,20:3.
[19]	BUDRUK R , ANDERSON D , SOLARI E . PCI express system architecture[J]. Addison Wesley, 2003.
[20]	YIN Y . Implementation of PCI expansion ROM mechanism[J]. Computer Engineering＆Applications, 2005.
[21]	WOJTCZUK R , RUTKOWSKA J . Attacking SMM memory via Intel CPU cache poisoning[J]. Invisible Things Lab, 2009.

偏移	长度	数值	功能描述
0h	1	55h	ROM文件签名第1个字节
1h	1	AAh	ROM文件签名第2个字节
2h	1	xx	代码文件大小，单位是512 byte
3h	3	xx	INIT函数的入口，固件执行一个FAR CALL跳转到这里
6h～17h	12	xx	保留
18h～19h	2	xx	指向PCI数据结构

基于软硬件协同形式验证的固件漏洞分析技术

Firmware vulnerability analysis based on formal verification of software and hardware

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 9

参考文献 21

相关文章 2

Metrics

推荐阅读 0

[1]	曹琰, 刘龙, 王禹, 王清贤. 基于函数语义分析的软件补丁比对技术[J]. 网络与信息安全学报, 2019, 5(5): 56-63.
[2]	乐德广,章亮,龚声蓉,郑力新,吴少刚. 面向RTF的OLE对象漏洞分析研究[J]. 网络与信息安全学报, 2016, 2(1): 34-45.