基于语义冲突的硬编码后门检测方法

doi:10.11959/j.issn.2096-109x.2023015

Abstract

Abstract:

The current router security issues focus on the mining and utilization of memory-type vulnerabilities, but there is low interest in detecting backdoors.Hard-coded backdoor is one of the most common backdoors, which is simple and convenient to set up and can be implemented with only a small amount of code.However, it is difficult to be discovered and often causes serious safety hazard and economic loss.The triggering process of hard-coded backdoor is inseparable from string comparison functions.Therefore, the detection of hard-coded backdoors relies on string comparison functions, which are mainly divided into static analysis method and symbolic execution method.The former has a high degree of automation, but has a high false positive rate and poor detection results.The latter has a high accuracy rate, but cannot automate large-scale detection of firmware, and faces the problem of path explosion or even unable to constrain solution.Aiming at the above problems, a hard-coded backdoor detection algorithm based on string text semantic conflict (Stect) was proposed since static analysis and the think of stain analysis.Stect started from the commonly used string comparison functions, combined with the characteristics of MIPS and ARM architectures, and extracted a set of paths with the same start and end nodes using function call relationships, control flow graphs, and branching selection dependent strings.If the strings in the successfully verified set of paths have semantic conflict, it means that there is a hard-coded backdoor in the router firmware.In order to evaluate the detection effect of Stect, 1 074 collected device images were tested and compared with other backdoor detection methods.Experimental results show that Stect has a better detection effect compared with existing backdoor detection methods including Costin and Stringer: 8 hard-coded backdoor images detected from image data set, and the recall rate reached 88.89%.

Key words: router firmware, hard-coded backdoor, string comparison functions, semantic conflict

CLC Number:

TP393

Anxiang HU, Da XIAO, Shichen GUO, Shengli LIU. Hard-coded backdoor detection method based on semantic conflict[J]. Chinese Journal of Network and Information Security, 2023, 9(1): 150-157.

Figures/Tables 8

References 15

[1]	PAGANINI P . Netgear,Linksys and many other wireless routers have a backdoor security affairs[EB].
[2]	张雄, 李舟军 . 模糊测试技术研究综述[J]. 计算机科学, 2016,43(5): 1-26.
	ZHANG X , LI Z J . Survey of fuzz testing technology[J]. Computer Science, 2016,43(5): 1-26.
[3]	SZOR P . The art of computer virus research and defense[J]. Choice Reviews Online, 2005,43(3): 15-16.
[4]	HEFFNER C . Reverse engineering a d-link backdoor[EB].
[5]	忽朝俭, 薛一波, 赵粮 ,等. 无文件系统嵌入式固件后门检测[J]. 通信学报, 2013,34(8): 140-145.
	HU C J , XUE Y B , ZHAO L ,et al. Backdoor detection in embedded system firmware without file system[J]. Journal on Communications, 2013,34(8): 140-145.
[6]	COSTIN A , ZADDACH J , FRANCILLON A ,et al. A large scale analysis of the security of embedded firmwares[C]// Proceedings of the 23rd USENIX Security Symposium. 2014: 95-110.
[7]	THOMAS S L , CHOTHIA T , GARCIA F D . Stringer:measuring the importance of static data comparisons to detect backdoors and undocumented functionality[M]// Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). 2017.
[8]	SHOSHITAISHVILI Y , WANG R , HAUSER C ,et al. Firmaliceautomatic detection of authentication bypass vulnerabilities in binary firmware[C]// Proceedings 2015 Network and Distributed System Security Symposium. 2015: 8-11.
[9]	ZYXEL NETWORKS . Zyxel security advisory for hardcoded credential vulnerability \| Zyxel[EB].
[10]	MUENCH M , STIJOHANN J , KARGL F ,et al. What you corrupt is not what you crash:Challenges in fuzzing embedded devices[C]// Network and Distributed System Security Symposium. 2018.
[11]	CHEN D D , EGELE M , WOO M ,et al. Towards automated dynamic analysis for Linux-based embedded firmware[C]// Proceedings of Network and Distributed System Security Sumposium. 2016.
[12]	HEFFNER C . Binwalk:Firmware analysis tool[R]. 2010.
[13]	HEMEL A , KALLEBERG K T , VERMAAS R ,et al. Finding software license violations through binary code clone detection[J]. Proceedings-International Conference on Software Engineering, 2011: 63-72.
[14]	EAGLE C . IDA Pro[R]. 2012.
[15]	SHOSHITAISHVILI Y , WANG R , SALLS C ,et al. SOK:(state of) the art of war:Offensive techniques in binary analysis[C]// 2016 IEEE Symposium on Security and Privacy (SP). 2016: 138-157.

Metrics

Recommended 0

No Suggested Reading articles found!

预处理	MIPS	ARM	其他	总数
收集	862	285	44	1 191
解包	814	260	39	1 113
筛选	814	260	0	1 074
后门固件	7	2	0	9

厂商	体系结构	CVE编号
D-Link	MIPS	CVE-2013-6026
NISUTA	MIPS	CVE-2013-7282
NETGEAR	MIPS	CVE-2016-11059
D-Link	MIPS	CVE-2021-21818
D-Link	MIPS	CVE-2021-21820
TOTOLINK	MIPS	CVE-2021-35324
NETGEAR	MIPS	CVE-2021-35973
Juniper	ARM	CVE-2015-7755
Crestron	ARM	CVE-2019-3932

后门检测方法	代表性文献	P	R	F	t	Cv
Stringer	文献[7]	4.56%	11.11%	88.89%	1.73s	37.71%
Costin	文献[6]	11.11%	11.11%	88.89%	757.89s	—
Stect	—	16.67%	88.89%	11.11%	3.67s	97.87%

CVE编号	Stringer	Costin	Stect
CVE-2013-6026	×	×	√
CVE-2013-7282	×	√	√
CVE-2016-11059	×	×	√
CVE-2021-21818	×	×	√
CVE-2021-21820	×	×	√
CVE-2021-35324	×	×	√
CVE-2021-35973	×	×	√
CVE-2015-7755	×	×	×
CVE-2019-3932	√	×	√
注：√表示硬编码后门检测成功，×表示检测失败

Hard-coded backdoor detection method based on semantic conflict

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 8

References 15

Related Articles 15

Metrics

Recommended 0

[1]	Xianyi CHEN, Jun GU, Kai YAN, Dong JIANG, Linfeng XU, Zhangjie FU. Double adversarial attack against license plate recognition system [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 16-27.
[2]	Tianpeng YE, Xiang LIN, Jianhua LI, Xuankai ZHANG, Liwen XU. Personalized lightweight distributed network intrusion detection system in fog computing [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 28-37.
[3]	Lijun ZU, Yalin CAO, Xiaohua MEN, Zhihui LYU, Jiawei YE, Hongyi LI, Liang ZHANG. Adaptive selection method of desensitization algorithm based on privacy risk assessment [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 49-59.
[4]	Ruiqi XIA, Manman LI, Shaozhen CHEN. Identification on the structures of block ciphers using machine learning [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 79-89.
[5]	Jingyi YUAN, Zichuan LI, Guojun PENG. EN-Bypass: a security assessment method on e-mail user interface notification [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 90-101.
[6]	Feng YU, Qingxin LIN, Hui LIN, Xiaoding WANG. Privacy-enhanced federated learning scheme based on generative adversarial networks [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 113-122.
[7]	Chuntao ZHU, Chengxi YIN, Bolin ZHANG, Qilin YIN, Wei LU. Forgery face detection method based on multi-domain temporal features mining [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 123-134.
[8]	Xiaomeng LI, Daidou GUO, Xunfang ZHUO, Heng YAO, Chuan QIN. Carrier-independent screen-shooting resistant watermarking based on information overlay superimposition [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 135-149.
[9]	Zhao CAI, Tao JING, Shuang REN. Survey on Ethereum phishing detection technology [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 21-32.
[10]	Yan PAN, Wei LIN, Yuefei ZHU. Progressive active inference method of protocol state machine [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 81-93.
[11]	Pan YANG, Fei KANG, Hui SHU, Yuyao HUANG, Xiaoshao LYU. Binary program taint analysis optimization method based on function summary [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 115-131.
[12]	Tian XIAO, Zhihao JIANG, Peng TANG, Zheng HUANG, Jie GUO, Weidong QIU. High-performance directional fuzzing scheme based on deep reinforcement learning [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 132-142.
[13]	Chenghao YUAN, Yong LI, Shuang REN. Dynamic multi-keyword searchable encryption scheme [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 143-153.
[14]	Zezhou HOU, Jiongjiong REN, Shaozhen CHEN. Security evaluation for parameters of SIMON-like cipher based on neural network distinguisher [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 154-163.
[15]	Xuejing GUO, Yixiang FANG, Yi ZHAO, Tianzhu ZHANG, Wenchao ZENG, Junxiang WANG. Traditional guidance mechanism based deep robust watermarking [J]. Chinese Journal of Network and Information Security, 2023, 9(2): 175-183.