Security Analysis of Baseband Firmware Function Based on Dynamic Execution
Abstract: The baseband firmware in mobile communication devices runs in an independent computing environment. Its vulnerabilities can endanger the security of the device, yet they cannot be mitigated by the security mechanisms of the device's main operating system, so its security has attracted the attention of both offensive and defensive researchers. In our experiments we found that, because functions in the obtained baseband firmware have been rewritten and debugging information has been stripped, existing comparison tools have difficulty accurately identifying its dangerous functions, which blocks subsequent vulnerability discovery work. This paper proposes DEx, a function security analysis method based on dynamic execution. Using the function information and segment contents of the baseband firmware obtained during preprocessing, the baseband firmware functions are dynamically executed in a cross-compilation and virtual machine environment. Based on the semantic features generated at run time, a priority ranking is designed to analyze the security of the functions and identify memory copy functions. A tool called dyndiff is built on the DEx method. Compared with BinDiff, a mainstream tool based on binary code similarity, the dangerous-function recognition rate of dyndiff is 5.5 times that of BinDiff. Finally, the application of this work to follow-up vulnerability discovery is explained.
Authors: Qu Haipeng; Yu Rui; Sun Lei; Lv Wenjie (College of Information Science and Engineering, Ocean University of China, Qingdao 266100, China)
Source: Periodical of Ocean University of China (Natural Science Edition), indexed in CAS, CSCD and the Peking University Core Journals list; 2022, No. 1, pp. 65-70 (6 pages)
Funding: Supported by the National Natural Science Foundation of China (61827810).
Keywords: baseband firmware; dynamic execution; semantic feature; security analysis; dangerous functions