基于语义冲突的硬编码后门检测方法

doi:10.11959/j.issn.2096-109x.2023015

网络与信息安全学报 ›› 2023, Vol. 9 ›› Issue (1): 150-157.doi: 10.11959/j.issn.2096-109x.2023015

基于语义冲突的硬编码后门检测方法

胡安祥¹, 肖达², 郭世臣¹, 刘胜利¹

¹ 数学工程与先进计算国家重点实验室，河南郑州 450001
² 郑州工业应用技术学院信息工程学院，河南郑州 451100

修回日期:2022-05-11 出版日期:2023-02-25 发布日期:2023-02-01
作者简介:胡安祥（1996- ），男，江西景德镇人，数学工程与先进计算国家重点实验室硕士生，主要研究方向为网络空间安全和逆向工程
肖达（1981- ），男，江西吉安人，博士，郑州工业应用技术学院副教授，主要研究方向为网络空间安全和漏洞挖掘
郭世臣（1998- ），男，河南辉县人，数学工程与先进计算国家重点实验室硕士生，主要研究方向为网络空间安全和逆向工程
刘胜利（1973- ），男，河南周口人，博士，数学工程与先进计算国家重点实验室教授、博士生导师，主要研究方向为网络空间安全
基金资助:
科技委基础加强项目(2019-JCJQ-ZD-113)

Hard-coded backdoor detection method based on semantic conflict

Anxiang HU¹, Da XIAO², Shichen GUO¹, Shengli LIU¹

¹ State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China
² School of Information Engineering, Zhengzhou University of Industry Technology, Zhengzhou 451100, China

Revised:2022-05-11 Online:2023-02-25 Published:2023-02-01
Supported by:
Science＆Technology Commission Foundation Strengthening Project(2019-JCJQ-ZD-113)

摘要/Abstract

摘要：

路由器安全问题主要聚焦于内存型漏洞的挖掘与利用，对后门的检测与发现的研究较少。硬编码后门是较常见的后门之一，设置简单方便，仅仅需要少量代码就能实现，然而却难以被发现，往往造成严重的危害和损失。硬编码后门的触发过程离不开字符串比较函数，因此硬编码后门的检测借助于字符串比较函数，主要分为静态分析方法和符号执行方法。前者自动化程度较高，但存在较高的误报率，检测效果不佳；后者准确率高，但无法自动化大规模检测固件，面临着路径爆炸甚至无法约束求解的问题。针对上述问题，在静态分析的基础上，结合污点分析的思想，提出了基于语义冲突的硬编码后门检测方法——Stect。Stect从常用的字符串比较函数出发，结合MIPS和ARM体系结构的特点，利用函数调用关系、控制流图和分支选择依赖的字符串，提取出具有相同起点和终点的路径集合，如果验证成功的路径集合中的字符串具有语义冲突，则判定路由器固件中存在硬编码后门。为了评估 Stect 对路由器硬编码后门的检测效果，对收集的1 074个设备固件进行了测试，并与其他的后门检测方法进行了对比。实验结果表明，相比现有的后门检测方法Costin和Stringer，Stect具有更好的检测效果：从数据集中成功检测出8个固件后门口令，召回率达到88.89%。

关键词: 路由器固件, 硬编码后门, 字符串比较函数, 语义冲突

Abstract:

The current router security issues focus on the mining and utilization of memory-type vulnerabilities, but there is low interest in detecting backdoors.Hard-coded backdoor is one of the most common backdoors, which is simple and convenient to set up and can be implemented with only a small amount of code.However, it is difficult to be discovered and often causes serious safety hazard and economic loss.The triggering process of hard-coded backdoor is inseparable from string comparison functions.Therefore, the detection of hard-coded backdoors relies on string comparison functions, which are mainly divided into static analysis method and symbolic execution method.The former has a high degree of automation, but has a high false positive rate and poor detection results.The latter has a high accuracy rate, but cannot automate large-scale detection of firmware, and faces the problem of path explosion or even unable to constrain solution.Aiming at the above problems, a hard-coded backdoor detection algorithm based on string text semantic conflict (Stect) was proposed since static analysis and the think of stain analysis.Stect started from the commonly used string comparison functions, combined with the characteristics of MIPS and ARM architectures, and extracted a set of paths with the same start and end nodes using function call relationships, control flow graphs, and branching selection dependent strings.If the strings in the successfully verified set of paths have semantic conflict, it means that there is a hard-coded backdoor in the router firmware.In order to evaluate the detection effect of Stect, 1 074 collected device images were tested and compared with other backdoor detection methods.Experimental results show that Stect has a better detection effect compared with existing backdoor detection methods including Costin and Stringer: 8 hard-coded backdoor images detected from image data set, and the recall rate reached 88.89%.

Key words: router firmware, hard-coded backdoor, string comparison functions, semantic conflict

中图分类号:

TP393

胡安祥, 肖达, 郭世臣, 刘胜利. 基于语义冲突的硬编码后门检测方法[J]. 网络与信息安全学报, 2023, 9(1): 150-157.

Anxiang HU, Da XIAO, Shichen GUO, Shengli LIU. Hard-coded backdoor detection method based on semantic conflict[J]. Chinese Journal of Network and Information Security, 2023, 9(1): 150-157.

图/表 8

图1

图2

图3

图4

表1

表2

表3

表4

参考文献 15

[1]	PAGANINI P . Netgear,Linksys and many other wireless routers have a backdoor security affairs[EB].
[2]	张雄, 李舟军 . 模糊测试技术研究综述[J]. 计算机科学, 2016,43(5): 1-26.
	ZHANG X , LI Z J . Survey of fuzz testing technology[J]. Computer Science, 2016,43(5): 1-26.
[3]	SZOR P . The art of computer virus research and defense[J]. Choice Reviews Online, 2005,43(3): 15-16.
[4]	HEFFNER C . Reverse engineering a d-link backdoor[EB].
[5]	忽朝俭, 薛一波, 赵粮 ,等. 无文件系统嵌入式固件后门检测[J]. 通信学报, 2013,34(8): 140-145.
	HU C J , XUE Y B , ZHAO L ,et al. Backdoor detection in embedded system firmware without file system[J]. Journal on Communications, 2013,34(8): 140-145.
[6]	COSTIN A , ZADDACH J , FRANCILLON A ,et al. A large scale analysis of the security of embedded firmwares[C]// Proceedings of the 23rd USENIX Security Symposium. 2014: 95-110.
[7]	THOMAS S L , CHOTHIA T , GARCIA F D . Stringer:measuring the importance of static data comparisons to detect backdoors and undocumented functionality[M]// Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). 2017.
[8]	SHOSHITAISHVILI Y , WANG R , HAUSER C ,et al. Firmaliceautomatic detection of authentication bypass vulnerabilities in binary firmware[C]// Proceedings 2015 Network and Distributed System Security Symposium. 2015: 8-11.
[9]	ZYXEL NETWORKS . Zyxel security advisory for hardcoded credential vulnerability \| Zyxel[EB].
[10]	MUENCH M , STIJOHANN J , KARGL F ,et al. What you corrupt is not what you crash:Challenges in fuzzing embedded devices[C]// Network and Distributed System Security Symposium. 2018.
[11]	CHEN D D , EGELE M , WOO M ,et al. Towards automated dynamic analysis for Linux-based embedded firmware[C]// Proceedings of Network and Distributed System Security Sumposium. 2016.
[12]	HEFFNER C . Binwalk:Firmware analysis tool[R]. 2010.
[13]	HEMEL A , KALLEBERG K T , VERMAAS R ,et al. Finding software license violations through binary code clone detection[J]. Proceedings-International Conference on Software Engineering, 2011: 63-72.
[14]	EAGLE C . IDA Pro[R]. 2012.
[15]	SHOSHITAISHVILI Y , WANG R , SALLS C ,et al. SOK:(state of) the art of war:Offensive techniques in binary analysis[C]// 2016 IEEE Symposium on Security and Privacy (SP). 2016: 138-157.

预处理	MIPS	ARM	其他	总数
收集	862	285	44	1 191
解包	814	260	39	1 113
筛选	814	260	0	1 074
后门固件	7	2	0	9

厂商	体系结构	CVE编号
D-Link	MIPS	CVE-2013-6026
NISUTA	MIPS	CVE-2013-7282
NETGEAR	MIPS	CVE-2016-11059
D-Link	MIPS	CVE-2021-21818
D-Link	MIPS	CVE-2021-21820
TOTOLINK	MIPS	CVE-2021-35324
NETGEAR	MIPS	CVE-2021-35973
Juniper	ARM	CVE-2015-7755
Crestron	ARM	CVE-2019-3932

后门检测方法	代表性文献	P	R	F	t	Cv
Stringer	文献[7]	4.56%	11.11%	88.89%	1.73s	37.71%
Costin	文献[6]	11.11%	11.11%	88.89%	757.89s	—
Stect	—	16.67%	88.89%	11.11%	3.67s	97.87%

CVE编号	Stringer	Costin	Stect
CVE-2013-6026	×	×	√
CVE-2013-7282	×	√	√
CVE-2016-11059	×	×	√
CVE-2021-21818	×	×	√
CVE-2021-21820	×	×	√
CVE-2021-35324	×	×	√
CVE-2021-35973	×	×	√
CVE-2015-7755	×	×	×
CVE-2019-3932	√	×	√
注：√表示硬编码后门检测成功，×表示检测失败

基于语义冲突的硬编码后门检测方法

Hard-coded backdoor detection method based on semantic conflict

在线阅读

pdf下载

可视化

摘要/Abstract

引用本文

使用本文

图/表 8

参考文献 15

相关文章 15

Metrics

推荐阅读 0

[1]	陈先意, 顾军, 颜凯, 江栋, 许林峰, 付章杰. 针对车牌识别系统的双重对抗攻击[J]. 网络与信息安全学报, 2023, 9(3): 16-27.
[2]	叶天鹏, 林祥, 李建华, 张轩凯, 许力文. 面向雾计算的个性化轻量级分布式网络入侵检测系统[J]. 网络与信息安全学报, 2023, 9(3): 28-37.
[3]	祖立军, 曹雅琳, 门小骅, 吕智慧, 叶家炜, 李泓一, 张亮. 基于隐私风险评估的脱敏算法自适应方法[J]. 网络与信息安全学报, 2023, 9(3): 49-59.
[4]	夏锐琪, 李曼曼, 陈少真. 基于机器学习的分组密码结构识别[J]. 网络与信息安全学报, 2023, 9(3): 79-89.
[5]	袁静怡, 李子川, 彭国军. EN-Bypass：针对邮件代发提醒机制的安全评估方法[J]. 网络与信息安全学报, 2023, 9(3): 90-101.
[6]	余锋, 林庆新, 林晖, 汪晓丁. 基于生成对抗网络的隐私增强联邦学习方案[J]. 网络与信息安全学报, 2023, 9(3): 113-122.
[7]	朱春陶, 尹承禧, 张博林, 殷琪林, 卢伟. 基于多域时序特征挖掘的伪造人脸检测方法[J]. 网络与信息安全学报, 2023, 9(3): 123-134.
[8]	李晓萌, 郭玳豆, 卓训方, 姚恒, 秦川. 载体独立的抗屏摄信息膜叠加水印算法[J]. 网络与信息安全学报, 2023, 9(3): 135-149.
[9]	蔡召, 荆涛, 任爽. 以太坊钓鱼诈骗检测技术综述[J]. 网络与信息安全学报, 2023, 9(2): 21-32.
[10]	潘雁, 林伟, 祝跃飞. 渐进式的协议状态机主动推断方法[J]. 网络与信息安全学报, 2023, 9(2): 81-93.
[11]	杨盼, 康绯, 舒辉, 黄宇垚, 吕小少. 基于函数摘要的二进制程序污点分析优化方法[J]. 网络与信息安全学报, 2023, 9(2): 115-131.
[12]	肖天, 江智昊, 唐鹏, 黄征, 郭捷, 邱卫东. 基于深度强化学习的高性能导向性模糊测试方案[J]. 网络与信息安全学报, 2023, 9(2): 132-142.
[13]	袁承昊, 李勇, 任爽. 多关键词动态可搜索加密方案[J]. 网络与信息安全学报, 2023, 9(2): 143-153.
[14]	侯泽洲, 任炯炯, 陈少真. 基于神经网络区分器的SIMON-like算法参数安全性评估[J]. 网络与信息安全学报, 2023, 9(2): 154-163.
[15]	郭学镜, 方毅翔, 赵怡, 张天助, 曾文超, 王俊祥. 基于传统引导机制的深度鲁棒水印算法[J]. 网络与信息安全学报, 2023, 9(2): 175-183.