无文件系统嵌入式固件后门检测

doi:10.3969/j.issn.1000-436x.2013.08.018

Abstract

Abstract:

Any embedded system firmware without file system will integrate its system code and user application code into a single file.This setting has brought some additional difficulties to analyze them.Aimed at this kind of firmware,the problem of library function identification was analyzed,and several heuristic methods to recognize some important function relevant with manipulating network socket and character string / memory were proposed.Based on this analysis,the backdoor detection problem of some typical types including unauthorized listener,unintended function,hidden function,outward connection request etc.were discussed,and several backdoors (one is critical level) in a real world firmware were found.The result shows this method of identifying library function can be useful for security analysis to this type of firmware.

Key words: embedded system, firmware, file system, library function identification, backdoor detection

Chao-jian HU,Yi-bo XUE,Liang ZHAO,Zhou-jun LI. Backdoor detection in embedded system firmware without file system[J]. Journal on Communications, 2013, 34(8): 140-145.

Figures/Tables 5

References 12

[1]	ZHANG Y , PAXSON V . Detecting backdoors[A]. USENIX Security Symposium[C]. Denver,Canada, 2000.12.
[2]	HORNG S J , SU M Y , TSAI J G . A dynamic backdoor detection system based on dynamic link libraries[J]. International Journal of Business and Systems Research, 2008,2(3): 244-257.
[3]	WYSOPAL C , ENG C , SHIELDOS T . Static detection of application backdoors[J]. Datenschutz und Datenschutz-DuD, 2010,34(3): 149-155.
[4]	DAI S F , WEI T , ZHANG C ,et al. A framework to eliminate backdoors from response computable authentication[A]. IEEE Symposium on Security and Privacy[C]. San Francisco,USA, 2012. 3-17.
[5]	ELHAM S , NARGES A . Backdoor detection system using artificial neural network and genetic algorithm[A]. International Conference on Computational and Information Sciences[C]. Chengdu,China, 2011. 817-820.
[6]	HOMMES S , STATE R , ENGEL T . Detecting stealthy backdoors with association rule mining[A]. International IFIP TC 6 Conference on Networking[C]. 2012. 161-171.
[7]	GUILFANOV I . FLIRT[EB/OL]. .
[8]	SCHWARZ B , DEBRAY S , ANDREWS G . Disassembly of executable code revisited[A]. IEEE Working Conference on Reverse Engineering[C]. Richmond,USA, 2002. 45-54.
[9]	KRUEGEL C , ROBERTSON W , VALEUR F ,et al. Static disassembly of obfuscated binaries[A]. USENIX Security Symposium[C]. San Diego,USA, 2004. 255-270.
[10]	Modbus IDA[EB/OL]. .
[11]	TAKANEN A , DEMOTT J , MILLER C . Fuzzing for Software Security Testing and Quality Assurance[M]. Artech House Inc, 2008. 22-32.
[12]	DURAN J , NTAFOS S . An evaluation of random testing[J]. IEEE Transactions on Software Engineering, 1984,10(4): 438-444.

Metrics

Recommended 0

No Suggested Reading articles found!

启发式规则	#识别的函数	覆盖率/%
IDA Pro	2 804	75.1
序言/结束语	3 627	97.2
优化效果	823	29.4

函数	类型	字符串交叉引用	参数分析	函数关联分析
accept,bind,connect,getsockname,getsockopt,listen,select,setsockopt,socket	网络套接字		√	√
recv,recvfrom,send,sendto	网络套接字	√
malloc,memset,memcmp,memmove,memcpy	内存		√	√
strcat,strchr,strcmp,strcpy,strcspn,strlen,strncat,strncmp,strncpy,strspn,strstr	字符串	√

Backdoor detection in embedded system firmware without file system

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 5

References 12

Related Articles 12

Metrics

Recommended 0

[1]	Rui-zhong DU,Shao-xuan WANG,Jun-feng TIAN. Cloud storage scheme based on closed-box encryption [J]. Journal on Communications, 2017, 38(7): 1-10.
[2]	. Research of cloud disk system construction in campus network [J]. Journal on Communications, 2013, 34(Z2): 25-137.
[3]	Jun LI,Feng-dan LAO,Ren-ming ZOU. Research of cloud disk system construction in campus network [J]. Journal on Communications, 2013, 34(Z2): 133-137.
[4]	. Scheme of node identify authentication in distributed file interaction system [J]. Journal on Communications, 2013, 34(Z1): 3-20.
[5]	Wen-cai HE,Min DU,Zhi-wei CHEN,Pei-he LIU,Yan-yan HAN. Scheme of node identify authentication in distributed file interaction system [J]. Journal on Communications, 2013, 34(Z1): 14-20.
[6]	. Backdoor detection in embedded system firmware without file system [J]. Journal on Communications, 2013, 34(8): 18-145.
[7]	Liang MA,Li LI,Su-bin SHEN. Technique of analyzing device drivers of embedded linux system using UML [J]. Journal on Communications, 2012, 33(Z2): 222-227.
[8]	Huai-liang TAN,Bin YIN. Firmware protocol stack supporting remote boot and storage volumes mapping in IP-SAN [J]. Journal on Communications, 2009, 30(10): 58-67.
[9]	Xiao-nian TONG,Xing-ya AN,Xiao-pang LAN,Jiang-qing WANG. Research and implement of embedded wireless mobile communication system [J]. Journal on Communications, 2008, 29(1): 121-124.
[10]	Yong GAN,Shi-mei SU,Bing ZHOU,De-pei QIAN. Qptimization design of video encoder quantizer for general DSPs [J]. Journal on Communications, 2007, 28(6): 94-98.
[11]	Tao WEN,Ji-yong WANG,Xiao-xia WANG,Xiang ZOU. Model of preemptive embedded systems for optimizing real-time performance [J]. Journal on Communications, 2005, 26(9): 129-134.
[12]	Wen-bo ZHANG,Hai ZHAO,Xiao-ying WANG,Mo GUAN. Research on performance analysis of overloaded EWS based on ARMLinux [J]. Journal on Communications, 2005, 26(8): 88-93.