FirmDep: Embedded Application Rehosting Assisted with Dynamic Analysis
(original title: FirmDep: 利用动态分析的嵌入式应用托管方案)

Authors: Wu Huamao, Jiang Muhui, Zhou Yajin, Li Jinku

About the authors:

Wu Huamao (born 1995), male, Ph.D., CCF student member; research interests: embedded device software, system security. Zhou Yajin (born 1982), male, Ph.D., research professor, doctoral supervisor, CCF professional member; research interests: blockchain security systems, software security. Jiang Muhui (born 1994), male, Ph.D.; research interests: network security, system security. Li Jinku (born 1976), male, Ph.D., professor, doctoral supervisor, CCF professional member; research interests: system and network security, mobile security, cloud computing and its security, big data applications and their security.

Corresponding author: Zhou Yajin, E-mail: yajin_zhou@zju.edu.cn

Funding: National Key R&D Program of China (2022YFE0113200); National Natural Science Foundation of China, Key Program (U21A20464)
Abstract:

Firmware rehosting models and emulates the hardware and software of an embedded device and runs the device's software inside that emulated environment so that it can be dynamically analyzed. Existing rehosting schemes based on full-system emulation can only preventively patch hardware and software dependency problems that are known in advance; they cannot resolve dependencies that first surface during rehosting. To address this, this paper proposes FirmDep, a firmware rehosting scheme assisted by dynamic analysis. During rehosting, FirmDep records the execution trace and system state of the application under analysis. If the target application cannot be rehosted successfully, FirmDep extracts information from the execution trace, reconstructs the missing system state, and applies several trace analysis methods to identify and arbitrate the application's environment dependency problems. A prototype of FirmDep was implemented on top of PANDA and angr and evaluated on 217 embedded Web applications taken from real-world device firmware. The results show that FirmDep effectively identifies the environment dependency problems of embedded device applications and improves the success rate of firmware rehosting.
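The abstract describes the failure path: record what the application touched, then mine the trace for the environment dependencies that were never satisfied before it died. The following script is an added illustration of that kind of trace analysis and is not FirmDep's own code; the strace-like trace format, the sample trace, and the ranking heuristic (unresolved accesses closest to the fault first, accesses the program later recovered from dropped) are all assumptions made here, not the paper's algorithms.

```python
"""Trace-driven environment-dependency arbitration, toy version.

Added illustration, not FirmDep's own code.  The trace format below is a
constructed strace-like text; FirmDep records richer traces with PANDA.
The ranking heuristic (unresolved accesses closest to the fault first,
accesses the program later recovered from ignored) is an assumption made
here to show the kind of analysis the abstract describes.
"""
import re
from dataclasses import dataclass

# Constructed sample trace of an embedded CGI-style Web application that
# crashes after several failed lookups.  Each line is one recorded call.
SAMPLE_TRACE = """\
open("/etc/httpd.conf", O_RDONLY) = -1 ENOENT
open("/etc/passwd", O_RDONLY) = 3
getenv("QUERY_STRING") = NULL
nvram_get("lan_ipaddr") = NULL
open("/tmp/session.db", O_RDWR) = -1 ENOENT
open("/tmp/session.db", O_RDWR|O_CREAT) = 4
nvram_get("wan_proto") = "dhcp"
fault SIGSEGV pc=0x00401234
"""

CALL_RE = re.compile(r'^(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>.*)$')
FAULT_RE = re.compile(r'^fault\s+(?P<sig>\w+)\s+pc=(?P<pc>0x[0-9a-fA-F]+)$')

# Which recorded calls express an environment dependency, and of what kind.
KIND_BY_CALL = {"open": "file", "getenv": "env", "nvram_get": "nvram"}

FIX_TEMPLATE = {
    "file": "create {key} in the rehosted root filesystem",
    "env": "export {key} before launching the application",
    "nvram": "seed NVRAM key {key} in the emulated NVRAM store",
}


@dataclass
class Event:
    index: int      # position in the trace
    kind: str       # "file", "env" or "nvram"
    key: str        # path, variable name or NVRAM key
    failed: bool    # the access did not find what it asked for


@dataclass
class Dependency:
    kind: str
    key: str
    distance: int   # events between the last failed access and the fault
    fix: str


def parse_trace(text):
    """Turn the textual trace into dependency events plus the fault position."""
    events, fault_index = [], None
    for i, line in enumerate(l for l in text.splitlines() if l.strip()):
        if FAULT_RE.match(line):
            fault_index = i
            continue
        m = CALL_RE.match(line)
        if not m or m.group("call") not in KIND_BY_CALL:
            continue            # not a dependency-bearing call
        key = m.group("args").split(",")[0].strip().strip('"')
        ret = m.group("ret").strip()
        failed = ret == "NULL" or ret.startswith("-1")
        events.append(Event(i, KIND_BY_CALL[m.group("call")], key, failed))
    return events, fault_index


def arbitrate(events, fault_index):
    """Rank unresolved dependencies by how close their last failure is to the fault."""
    last_failed, last_success = {}, {}
    for ev in events:
        target = last_failed if ev.failed else last_success
        target[(ev.kind, ev.key)] = ev.index
    # Without a recorded fault, measure distance from the end of the trace.
    end = fault_index if fault_index is not None else (events[-1].index + 1 if events else 0)
    deps = []
    for (kind, key), idx in last_failed.items():
        if last_success.get((kind, key), -1) > idx:
            continue            # the application recovered (e.g. retried with O_CREAT)
        deps.append(Dependency(kind, key, end - idx, FIX_TEMPLATE[kind].format(key=key)))
    deps.sort(key=lambda d: d.distance)
    return deps


if __name__ == "__main__":
    evs, fault = parse_trace(SAMPLE_TRACE)
    for dep in arbitrate(evs, fault):
        print(f"{dep.kind:5} {dep.key:<18} distance={dep.distance}  fix: {dep.fix}")
```

On the sample trace the `/tmp/session.db` miss is discarded because the application immediately recreated the file, while the missing NVRAM key, the unset CGI variable and the absent config file are reported in order of proximity to the crash; a rehosting loop would apply the suggested fix for the top candidate, re-run, and repeat until the application survives.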

References
[1] Yu R, Nin F, Zhang Y, et al. Building embedded systems like it's 1996. In: Proc. of the 2022 Network and Distributed System Security Symp. San Diego: Internet Society, 2022. 1-18. [doi: 10.14722/ndss.2022.24031]
[2] Yu YC, Chen ZN, Gan ST, et al. Research on security analysis technologies for embedded device firmware. Chinese Journal of Computers, 2021, 44(5): 859-881 (in Chinese with English abstract). [doi: 10.11897/SP.J.1016.2021.00859]
[3] Chen DD, Egele M, Woo M, et al. Towards automated dynamic analysis for Linux-based embedded firmware. In: Proc. of the 2016 Network and Distributed System Security Symp. San Diego: Internet Society, 2016. 1-16. [doi: 10.14722/ndss.2016.23415]
[4] Kim M, Kim D, Kim E, et al. FirmAE: Towards large-scale emulation of IoT firmware for dynamic analysis. In: Proc. of the 36th Annual Computer Security Applications Conf. Austin: ACM, 2020. 733-745. [doi: 10.1145/3427228.3427294]
[5] Zaddach J, Bruno L, Francillon A, et al. Avatar: A framework to support dynamic security analysis of embedded systems' firmwares. In: Proc. of the 2014 Network and Distributed System Security Symp. San Diego: Internet Society, 2014. 1-16. [doi: 10.14722/ndss.2014.23229]
[6] Gui ZJ, Shu H, Kang F, et al. FIRMCORN: Vulnerability-oriented fuzzing of IoT firmware via optimized virtual execution. IEEE Access, 2020, 8: 29826-29841. [doi: 10.1109/ACCESS.2020.2973043]
[7] Muench M, Stijohann J, Kargl F, et al. What you corrupt is not what you crash: Challenges in fuzzing embedded devices. In: Proc. of the 2018 Network and Distributed System Security Symp. San Diego: Internet Society, 2018. 1-15. [doi: 10.14722/ndss.2018.23166]
[8] Costin A, Zarras A, Francillon A. Automated dynamic firmware analysis at scale: A case study on embedded web interfaces. In: Proc. of the 11th ACM Asia Conf. on Computer and Comm. Security. Xi'an: ACM, 2016. 437-448. [doi: 10.1145/2897845.2897900]
[9] Zheng Y, Davanian A, Yin H, et al. FIRM-AFL: High-throughput greybox fuzzing of IoT firmware via augmented process emulation. In: Proc. of the 28th USENIX Security Symp. USENIX Association, 2019. 1099-1114.
[10] Srivastava P, Peng H, Li J, et al. FirmFuzz: Automated IoT firmware introspection and analysis. In: Proc. of the 2nd Int'l ACM Workshop on Security and Privacy for the Internet of Things. London: ACM, 2019. 15-21. [doi: 10.1145/3338507.3358616]
[11] Clements AA, Gustafson E, Scharnowski T, et al. HALucinator: Firmware re-hosting through abstraction layer emulation. In: Proc. of the 29th USENIX Security Symp. USENIX Association, 2020. 1201-1218.
[12] Feng B, Mera A, Lu L. P2IM: Scalable and hardware-independent firmware testing via automatic peripheral interface modeling. In: Proc. of the 29th USENIX Security Symp. USENIX Association, 2020. 1237-1254.
[13] Liu Q, Zhang C, Ma L, et al. FirmGuide: Boosting the capability of rehosting embedded Linux kernels through model-guided kernel execution. In: Proc. of the 36th IEEE/ACM Int'l Conf. on Automated Software Engineering. Melbourne: IEEE, 2021. 792-804. [doi: 10.1109/ASE51524.2021.9678653]
[14] Jiang M, Ma L, Zhou Y, et al. ECMO: Peripheral transplantation to rehost embedded Linux kernels. In: Proc. of the 2021 ACM SIGSAC Conf. on Computer and Comm. Security. ACM, 2021. 734-748. [doi: 10.1145/3460120.3484753]
[15] Zhou W, Guan L, Liu P, et al. Automatic firmware emulation through invalidity-guided knowledge inference. In: Proc. of the 30th USENIX Security Symp. USENIX Association, 2021. 2007-2024.
[16] Dolan-Gavitt B, Hodosh J, Hulin P, et al. Repeatable reverse engineering with PANDA. In: Proc. of the 5th Program Protection and Reverse Engineering Workshop. New York: ACM, 2015. 1-11. [doi: 10.1145/2843859.2843867]
[17] Bellard F. QEMU, a fast and portable dynamic translator. In: Proc. of the 2005 USENIX Annual Technical Conf. USENIX Association, 2005. 41-46.
[18] O'Callahan R, Jones C, Froyd N, et al. Engineering record and replay for deployability. In: Proc. of the 2017 USENIX Annual Technical Conf. USENIX Association, 2017. 377-389.
[19] Shoshitaishvili Y, Wang R, Salls C, et al. SoK: (State of) the art of war: Offensive techniques in binary analysis. In: Proc. of the 2016 IEEE Symp. on Security and Privacy. San Jose: IEEE, 2016. 138-157. [doi: 10.1109/SP.2016.17]
[20] Intermediate representation. angr documentation. 2023. https://docs.angr.io/advanced-topics/ir
[21] FirmDep artifacts. 2023. https://gitlab.com/firmdep/firmdep_artifacts
[22] Buildroot: Making embedded Linux easy. 2023. https://buildroot.org/
[23] Binwalk. GitHub. 2023. https://github.com/ReFirmLabs/binwalk/wiki/Usage
[24] W3af: Open source Web application security scanner. 2023. http://w3af.org/
[25] RouterSploit: Exploitation framework for embedded devices. 2023. https://github.com/threat9/routersploit
Cite this article:

Wu HM, Jiang MH, Zhou YJ, Li JK. FirmDep: Embedded application rehosting assisted with dynamic analysis. Journal of Software (软件学报), 2024, 35(8): 3591-3609 (in Chinese with English abstract).

History
  • Received: 2023-09-10
  • Revised: 2023-10-30
  • Published online: 2024-01-05
  • Published in print: 2024-08-06