Internet of things (IoT) devices make up 30%of all network-connected endpoints,introducing vulnerabilities and novel attacks that make many companies as primary targets for cybercriminals.To address this increasing th...Internet of things (IoT) devices make up 30%of all network-connected endpoints,introducing vulnerabilities and novel attacks that make many companies as primary targets for cybercriminals.To address this increasing threat surface,every organization deploying IoT devices needs to consider security risks to ensure those devices are secure and trusted.Among all the solutions for security risks,firmware security analysis is essential to fix software bugs,patch vulnerabilities,or add new security features to protect users of those vulnerable devices.However,firmware security analysis has never been an easy job due to the diversity of the execution environment and the close source of firmware.These two distinct features complicate the operations to unpack firmware samples for detailed analysis.They also make it difficult to create visual environments to emulate the running of device firmware.Although researchers have developed many novel methods to overcome various challenges in the past decade,critical barriers impede firmware security analysis in practice.Therefore,this survey is motivated to systematically review and analyze the research challenges and their solutions,considering both breadth and depth.Specifically,based on the analysis perspectives,various methods that perform security analysis on IoT devices are introduced and classified into four categories.The challenges in each category are discussed in detail,and potential solutions are proposed subsequently.We then discuss the flaws of these solutions and provide future directions for this research field.This survey can be utilized by a broad range of readers,including software developers,cyber security researchers,and software security engineers,to better understand firmware security analysis.展开更多
Internet of things(IoT)devices are being increasingly used in numerous areas.However,the low priority on security and various IoT types have made these devices vulnerable to attacks.To prevent this,recent studies have...Internet of things(IoT)devices are being increasingly used in numerous areas.However,the low priority on security and various IoT types have made these devices vulnerable to attacks.To prevent this,recent studies have analyzed firmware in an emulation environment that does not require actual devices and is efficient for repeated experiments.However,these studies focused only on major firmware architectures and rarely considered exotic firmware.In addition,because of the diversity of firmware,the emulation success rate is not high in terms of large-scale analyses.In this study,we propose the adaptive emulation framework for multi-architecture(AEMA).In the field of automated emulation frameworks for IoT firmware testing,AEMA considers the following issues:(1)limited compatibility for exotic firmware architectures,(2)emulation instability when configuring an automated environment,and(3)shallow testing range resulting from structured inputs.To tackle these problems,AEMAcan emulate not onlymajor firmware architectures but also exotic firmware architectures not previously considered,such as Xtensa,ColdFire,and reduced instruction set computer(RISC)version five,by implementing a minority emulator.Moreover,we applied the emulation arbitration technique and input keyword extraction technique for emulation stability and efficient test case generation.We compared AEMA with other existing frameworks in terms of emulation success rates and fuzz testing.As a result,AEMA succeeded in emulating 864 out of 1,083 overall experimental firmware and detected vulnerabilities at least twice as fast as the experimental group.Furthermore,AEMAfound a 0-day vulnerability in realworld IoT devices within 24 h.展开更多
The rise of the Internet of Things(IoT)exposes more and more important embedded devices to the network,which poses a serious threat to people’s lives and property.Therefore,ensuring the safety of embedded devices is ...The rise of the Internet of Things(IoT)exposes more and more important embedded devices to the network,which poses a serious threat to people’s lives and property.Therefore,ensuring the safety of embedded devices is a very important task.Fuzzing is currently the most effective technique for discovering vulnerabilities.In this work,we proposed PS-Fuzz(Protocol State Fuzz),a gray-box fuzzing technique based on protocol state orientation.By instrumenting the program that handles protocol fields in the firmware,the problem of lack of guidance information in common protocol fuzzing is solved.By recording and comparing state transition paths,the program can be quickly booted,thereby greatly improving the efficiency of fuzzing.More importantly,the tool utilizes the synchronous execution of the firmware simulator and the firmware program,which can collect and record system information in the event of a crash from multiple dimensions,providing assistance for further research.Our evaluation results show that for the same vulnerability,the efficiency of PS-Fuzz is about 8 times that of boofuzz under ideal conditions.Even rough instrumentation efficiency can reach 2 times that of boofuzz.In addition,PS-Fuzz can provide at least 6 items more information than boofuzz under the same circumstances.展开更多
In recent years,with the development of the natural language processing(NLP)technologies,security analyst began to use NLP directly on assembly codes which were disassembled from binary executables in order to examine...In recent years,with the development of the natural language processing(NLP)technologies,security analyst began to use NLP directly on assembly codes which were disassembled from binary executables in order to examine binary similarity,achieved great progress.However,we found that the existing frameworks often ignored the complex internal structure of instructions and didn’t fully consider the long-term dependencies of instructions.In this paper,we propose firmVulSeeker—a vulnerability search tool for embedded firmware images,based on BERT and Siamese network.It first builds a BERT MLM task to observe and learn the semantics of different instructions in their context in a very large unlabeled binary corpus.Then,a finetune mode based on Siamese network is constructed to guide training and matching semantically similar functions using the knowledge learned from the first stage.Finally,it will use a function embedding generated from the fine-tuned model to search in the targeted corpus and find the most similar function which will be confirmed whether it’s a real vulnerability manually.We evaluate the accuracy,robustness,scalability and vulnerability search capability of firmVulSeeker.Results show that it can greatly improve the accuracy of matching semantically similar functions,and can successfully find more real vulnerabilities in real-world firmware than other tools.展开更多
全球领先的射频识别(RFID)打印机/编码器生产商斑马技术公司2005年12月26日宣布,为其RFID智能标签打印机/编码器提供可免费下载的EPCglobal Gen 2固性升级。班马公司的客户只需要下载并安装固件即可方便地扩展支持Gen 2智能标签打印...全球领先的射频识别(RFID)打印机/编码器生产商斑马技术公司2005年12月26日宣布,为其RFID智能标签打印机/编码器提供可免费下载的EPCglobal Gen 2固性升级。班马公司的客户只需要下载并安装固件即可方便地扩展支持Gen 2智能标签打印/编码标签,不需要更换硬件,也不需要特殊技术支持。展开更多
文摘Internet of things (IoT) devices make up 30%of all network-connected endpoints,introducing vulnerabilities and novel attacks that make many companies as primary targets for cybercriminals.To address this increasing threat surface,every organization deploying IoT devices needs to consider security risks to ensure those devices are secure and trusted.Among all the solutions for security risks,firmware security analysis is essential to fix software bugs,patch vulnerabilities,or add new security features to protect users of those vulnerable devices.However,firmware security analysis has never been an easy job due to the diversity of the execution environment and the close source of firmware.These two distinct features complicate the operations to unpack firmware samples for detailed analysis.They also make it difficult to create visual environments to emulate the running of device firmware.Although researchers have developed many novel methods to overcome various challenges in the past decade,critical barriers impede firmware security analysis in practice.Therefore,this survey is motivated to systematically review and analyze the research challenges and their solutions,considering both breadth and depth.Specifically,based on the analysis perspectives,various methods that perform security analysis on IoT devices are introduced and classified into four categories.The challenges in each category are discussed in detail,and potential solutions are proposed subsequently.We then discuss the flaws of these solutions and provide future directions for this research field.This survey can be utilized by a broad range of readers,including software developers,cyber security researchers,and software security engineers,to better understand firmware security analysis.
基金This work was supported by the Ministry of Science and ICT(MSIT)Korea,under the Information Technology Research Center(ITRC)support program(IITP-2022-2018-0-01423)+2 种基金supervised by the Institute for Information&Communications Technology Planning&Evaluation(IITP)by MSIT,Korea under the ITRC support program(IITP-2021-2020-0-01602)supervised by the IITP.
文摘Internet of things(IoT)devices are being increasingly used in numerous areas.However,the low priority on security and various IoT types have made these devices vulnerable to attacks.To prevent this,recent studies have analyzed firmware in an emulation environment that does not require actual devices and is efficient for repeated experiments.However,these studies focused only on major firmware architectures and rarely considered exotic firmware.In addition,because of the diversity of firmware,the emulation success rate is not high in terms of large-scale analyses.In this study,we propose the adaptive emulation framework for multi-architecture(AEMA).In the field of automated emulation frameworks for IoT firmware testing,AEMA considers the following issues:(1)limited compatibility for exotic firmware architectures,(2)emulation instability when configuring an automated environment,and(3)shallow testing range resulting from structured inputs.To tackle these problems,AEMAcan emulate not onlymajor firmware architectures but also exotic firmware architectures not previously considered,such as Xtensa,ColdFire,and reduced instruction set computer(RISC)version five,by implementing a minority emulator.Moreover,we applied the emulation arbitration technique and input keyword extraction technique for emulation stability and efficient test case generation.We compared AEMA with other existing frameworks in terms of emulation success rates and fuzz testing.As a result,AEMA succeeded in emulating 864 out of 1,083 overall experimental firmware and detected vulnerabilities at least twice as fast as the experimental group.Furthermore,AEMAfound a 0-day vulnerability in realworld IoT devices within 24 h.
基金This work is funded by the National Key Research and Development Plan(Grant No.2018YFB0803504)the National Natural Science Foundation of China(Nos.62072130,61702223,61702220,61871140,61872420,U1636215)+3 种基金the Guangdong Province Key Area R&D Program of China(No.2019B010137004)the Guangdong Basic and Applied Basic Research Foundation(No.2020A1515010450)Guangdong Province Universities and Colleges Pearl River Scholar Funded Scheme(2019)the Opening Project of Shanghai Trusted Industrial Control Platform(TICPSH202003014-ZC).
文摘The rise of the Internet of Things(IoT)exposes more and more important embedded devices to the network,which poses a serious threat to people’s lives and property.Therefore,ensuring the safety of embedded devices is a very important task.Fuzzing is currently the most effective technique for discovering vulnerabilities.In this work,we proposed PS-Fuzz(Protocol State Fuzz),a gray-box fuzzing technique based on protocol state orientation.By instrumenting the program that handles protocol fields in the firmware,the problem of lack of guidance information in common protocol fuzzing is solved.By recording and comparing state transition paths,the program can be quickly booted,thereby greatly improving the efficiency of fuzzing.More importantly,the tool utilizes the synchronous execution of the firmware simulator and the firmware program,which can collect and record system information in the event of a crash from multiple dimensions,providing assistance for further research.Our evaluation results show that for the same vulnerability,the efficiency of PS-Fuzz is about 8 times that of boofuzz under ideal conditions.Even rough instrumentation efficiency can reach 2 times that of boofuzz.In addition,PS-Fuzz can provide at least 6 items more information than boofuzz under the same circumstances.
文摘In recent years,with the development of the natural language processing(NLP)technologies,security analyst began to use NLP directly on assembly codes which were disassembled from binary executables in order to examine binary similarity,achieved great progress.However,we found that the existing frameworks often ignored the complex internal structure of instructions and didn’t fully consider the long-term dependencies of instructions.In this paper,we propose firmVulSeeker—a vulnerability search tool for embedded firmware images,based on BERT and Siamese network.It first builds a BERT MLM task to observe and learn the semantics of different instructions in their context in a very large unlabeled binary corpus.Then,a finetune mode based on Siamese network is constructed to guide training and matching semantically similar functions using the knowledge learned from the first stage.Finally,it will use a function embedding generated from the fine-tuned model to search in the targeted corpus and find the most similar function which will be confirmed whether it’s a real vulnerability manually.We evaluate the accuracy,robustness,scalability and vulnerability search capability of firmVulSeeker.Results show that it can greatly improve the accuracy of matching semantically similar functions,and can successfully find more real vulnerabilities in real-world firmware than other tools.
文摘全球领先的射频识别(RFID)打印机/编码器生产商斑马技术公司2005年12月26日宣布,为其RFID智能标签打印机/编码器提供可免费下载的EPCglobal Gen 2固性升级。班马公司的客户只需要下载并安装固件即可方便地扩展支持Gen 2智能标签打印/编码标签,不需要更换硬件,也不需要特殊技术支持。
