Funding: Supported in part by the National Natural Science Foundation of China (61272493), the Specialized Research Fund for the Doctoral Program of Higher Education of China (20113402120026), and the Overseas Academic Training Funds of the University of Science and Technology of China.
Abstract: In order to effectively detect and analyze backdoors, this paper introduces a method named Backdoor Analysis based on Sensitive flow tracking and Concolic Execution (BASEC). BASEC uses sensitive flow tracking to effectively discover backdoor behaviors, such as stealing secret information and injecting evil data into the system, with fewer false negatives. With concolic execution on a predetermined path, the backdoor trigger condition can be extracted and analyzed to achieve high accuracy. BASEC has been implemented and experimented on several software backdoor samples widespread on the Internet, and over 90% of them can be detected. Compared with behavior-based and system-call-based detection methods, BASEC relies less on historical sample collections, and is more effective in detecting software backdoors, especially those injected into software by modifying and recompiling source code.
Funding: This work was supported by the Ministry of Science and ICT (MSIT), Korea, under the Information Technology Research Center (ITRC) support program (IITP-2022-2018-0-01423) supervised by the Institute for Information & Communications Technology Planning & Evaluation (IITP), and by MSIT, Korea, under the ITRC support program (IITP-2021-2020-0-01602) supervised by the IITP.
Abstract: Internet of things (IoT) devices are being increasingly used in numerous areas. However, the low priority given to security and the variety of IoT device types have made these devices vulnerable to attacks. To prevent this, recent studies have analyzed firmware in an emulation environment that does not require actual devices and is efficient for repeated experiments. However, these studies focused only on major firmware architectures and rarely considered exotic firmware. In addition, because of the diversity of firmware, the emulation success rate is not high in large-scale analyses. In this study, we propose the adaptive emulation framework for multi-architecture (AEMA). In the field of automated emulation frameworks for IoT firmware testing, AEMA considers the following issues: (1) limited compatibility for exotic firmware architectures, (2) emulation instability when configuring an automated environment, and (3) shallow testing range resulting from structured inputs. To tackle these problems, AEMA can emulate not only major firmware architectures but also exotic firmware architectures not previously considered, such as Xtensa, ColdFire, and reduced instruction set computer (RISC) version five, by implementing a minority emulator. Moreover, we applied the emulation arbitration technique and the input keyword extraction technique for emulation stability and efficient test case generation. We compared AEMA with other existing frameworks in terms of emulation success rates and fuzz testing. As a result, AEMA succeeded in emulating 864 out of 1,083 experimental firmware images overall and detected vulnerabilities at least twice as fast as the experimental group. Furthermore, AEMA found a 0-day vulnerability in real-world IoT devices within 24 h.
Funding: The National Key Research and Development Program of China under Grant No. 2016QY07X1404; the National Natural Science Foundation of China (NSFC) under Grant Nos. 61602035 and 61772078; the Beijing Science and Technology Project under Grant No. Z191100007119010; the CCF-NSFOCUS Kun-Peng Scientific Research Foundation; and the Open Fund of the Key Laboratory of Network Assessment Technology, Institute of Information Engineering, Chinese Academy of Sciences.
Abstract: Fuzzing is an effective technique for finding security bugs in programs by quickly exploring their input space. To further discover vulnerabilities hidden in deep execution paths, hybrid fuzzing combines fuzzing with concolic execution to get through complex branch conditions. In general, we observe that an execution path that passes through more, and more complex, basic blocks may have a higher chance of containing a security bug. Based on this observation, we propose a hybrid fuzzing method assisted by static analysis for binary programs. The basic idea of our method is to prioritize seed inputs according to the complexity of their associated execution paths. For this purpose, we utilize static analysis to evaluate the complexity of each basic block and employ the hardware trace mechanism to dynamically extract the execution path for calculating the seed inputs' weights. The key advantage of our method is that our system can test binary programs efficiently by using the hardware trace together with hybrid fuzzing. To evaluate the effectiveness of our method, we design and implement a prototype system named SHFuzz. The evaluation results show that SHFuzz discovers more unique crashes on several real-world applications and on the LAVA-M dataset when compared to previous solutions.