基于软硬件协同形式验证的固件漏洞分析技术

doi:10.11959/j.issn.2096-109x.2016.00071

Abstract

Abstract:

In order to analyze the potential vulnerabilities in the firmware systematically and effectively,a formal verification method based on TLA,in a collaborated form of software and hardware was proposed.With this method,the interaction mechanism of software and hardware in the computer boot process was modeled and analyzed.By adjusting the attack model,a secure vulnerability in the update process of the firmware was found,and its existence by an experiment,which proved the reliability of formal verification was demonstrated.

Key words: firmware security, TLA, formal verification, vulnerability analysis, software and hardware collaboration

CLC Number:

TP309

Peng-hui ZHANG,Xi TIAN,Kang-wei LOU. Firmware vulnerability analysis based on formal verification of software and hardware[J]. Chinese Journal of Network and Information Security, 2016, 2(7): 59-68.

Figures/Tables 9

References 21

[1]	ZIMMER V , ROTHMAN M , MARISETTY S . Beyond BIOS:developing with the unified extensible firmware interface[M]. Intel Press, 2010.
[2]	BROSSARD J , DEMETRESCU F . Hardware backdooring is prac-tical[J]. BlackHat,Las Vegas,USA, 2009,58(1).
[3]	RONTTI T , JUUSO A M , TAKANEN A . Preventing DoS attacks in NGN networks with proactive specification-based fuzzing[J]. IEEE Communications Magazine, 2012,50(9): 164-170.
[4]	RUI MA , DAGUANG WANG , CHANGZHEN HU , et al. Test data generation for stateful network protocol fuzzing using a rule-based state machine[J]. Tsinghua Science and Technology, 2016,21.
[5]	周仕钧 . 基于二进制补丁比对技术的漏洞特征分析与研究[D]. 昆明：云南大学， 2013.
	ZHOU S J . Holes characteristics analysis and research based on binary patch[D]. Kunming: Yunnan University, 2013.
[6]	KIM S , KIM R Y C , PARK Y B . Software vulnerability detection methodology combined with static and dynamic analysis[J]. Wire-less Personal Communications, 2015:1-17.
[7]	郑宇军，张蓓，薛锦云 . 软件形式化开发关键部件选取的水波优化方法[J]. 软件学报， 2016(4): 933-942.
	ZHENG Y J , ZHANG B , XUE J Y . Water ware optimization method of Software for multination development key components selection[J]. Journal of Software, 2016(4): 933-942.
[8]	CALINESCU R , GHEZZI C , JOHNSON K , et al. Formal verifica-tion with confidence intervals to establish quality of service proper-ties of software systems[J]. IEEE Transactions on Reliability, 2016,65(1):107-125.
[9]	KUMAR S , CHANDRA G , YADAV D . Formal verification of security protocol with B method[C]//IEEE International Confer-ence on Computer and Communication Technology. c2014:161-167.
[10]	LACH J , BINGHAM S , ELKS C , et al. Accessible formal verifica-tion for safety-critical hardware design[C]//Reliability and Main-tainability Symposium,IEEE Computer Society. c2006:29-32.
[11]	CHOI H , YIM M K , LEE J Y , et al. Formal verification of an in-dustrial system-on-a-chip[C]//IEEE International Conference on Computer Design. c2000:453-458.
[12]	LAMPORT L . Specifying systems,the TLA+ language and tools for hardware and software engineers[J]. Software Quality Profes-sional, 2002(4):43.
[13]	CHAUDHURI K , DOLIGEZ D , LAMPORT L , et al. Verifying safety properties with the TLA+ proof system[M]//Automated Reasoning. Berlin Heidelberg:Springer 2010:142-148.
[14]	LU T , MERZ S , WEIDENBACH C . Towards verification of the pastry protocol using TLA+[C]//Formal Techniques for Distrib-uted Systems Proceedings. c2011:244-258.
[15]	KALLENBERG C , BUTTERWORTH J , KOVAH X , et al. Defeat-ing signed BIOS enforcement[J]. EkoParty,Buenos Aires, 2013.
[16]	ZHANG H , MERZ S , GU M . Specifying and verifying PLC sys-tems with TLA+:a case study[J]. Computers ＆ Mathematics with Applications, 2010,60(3):695-705.
[17]	NARAYANA P , CHEN R , ZHAO Y , et al. Automatic vulnerability checking of IEEE 802.16 WiMAX Protocols through TLA+[C]//IEEE Workshop on Secure Network Protocols. c2006:44-49.
[18]	HEASMAN J . Implementing and detecting a PCI rootkit[J]. Re-trieved February, 2006,20:3.
[19]	BUDRUK R , ANDERSON D , SOLARI E . PCI express system architecture[J]. Addison Wesley, 2003.
[20]	YIN Y . Implementation of PCI expansion ROM mechanism[J]. Computer Engineering＆Applications, 2005.
[21]	WOJTCZUK R , RUTKOWSKA J . Attacking SMM memory via Intel CPU cache poisoning[J]. Invisible Things Lab, 2009.

Metrics

Recommended 0

No Suggested Reading articles found!

偏移	长度	数值	功能描述
0h	1	55h	ROM文件签名第1个字节
1h	1	AAh	ROM文件签名第2个字节
2h	1	xx	代码文件大小，单位是512 byte
3h	3	xx	INIT函数的入口，固件执行一个FAR CALL跳转到这里
6h～17h	12	xx	保留
18h～19h	2	xx	指向PCI数据结构

Firmware vulnerability analysis based on formal verification of software and hardware

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 9

References 21

Related Articles 2

Metrics

Recommended 0

[1]	Yan CAO, Long LIU, Yu WANG, Qingxian WANG. Software patch comparison technology through semantic analysis on function [J]. Chinese Journal of Network and Information Security, 2019, 5(5): 56-63.
[2]	De-guang LE,Liang ZHANG,Sheng-rong GONG,Li-xin ZHENG,Shao-gang WU. Research on OLE object vulnerability analysis for RTF file [J]. Chinese Journal of Network and Information Security, 2016, 2(1): 34-45.