一种面向异构固件的高效靶向分析技术

doi:10.19678/j.issn.1000-3428.0069914

摘要/Abstract

摘要：

嵌入式设备的快速增长和广泛应用, 带来便利的同时也引入了巨大的安全风险, 其中, 固件安全是关键风险点之一。嵌入式设备固件数量多、格式复杂, 且很多经过加密、混淆, 使安全分析人员难以快速有效地解析固件并发现隐藏脆弱点。针对以上问题, 提出一种面向异构固件的高效靶向分析技术。首先, 研究多粒度分析方法、文件自动分类、关键信息输出和靶向提取等技术, 实现深度可控的固件靶向解析; 然后, 建立文件系统特征库, 研究基于特征值匹配的靶向识别技术, 增强混淆固件的识别能力, 扩展文件系统识别范围; 最后, 设计爬虫提取不同厂商固件并构建万级固件库作为基础支撑, 实现基于邻近版本的固件靶向解密。设计实现了FTA自动化固件解析系统并进行测试, 实验结果表明, 与主流固件分析工具Binwalk相比, FTA实现的多粒度分析方法对固件的解析速度平均提升42.59%, 优化输出模式实现固件中目标文件的靶向提取, 扩展了对多种文件系统特征值的识别能力, 为嵌入式系统安全领域中的固件解析工作提供了有力支持。

关键词: 嵌入式设备安全, 固件自动解析, 固件加密解密, 固件靶向分析, 大规模固件分析

Abstract:

The widespread use and diversification of embedded devices have introduced unparalleled convenience and formidable security vulnerabilities, particularly in firmware security. The intricate nature of embedded device firmware, coupled with its sheer volume and the adoption of encryption and obfuscation techniques, presents a formidable challenge for security analysts seeking to uncover hidden vulnerabilities efficiently. In response to this challenge, this study proposes an innovative targeting analysis technique customized to heterogeneous firmware. First, the study explores multi-granularity analysis methods, automatic document categorization, key information extraction, and target delineation techniques to enable nuanced and depth-controllable firmware analysis. Next, it establishes a comprehensive file system feature library and introduces a novel target recognition approach based on eigenvalue matching, enhancing the discernment capabilities for obscure firmware and expanding the breadth of file system identification. Furthermore, the study develops a specialized crawler to procure firmware from diverse vendors, leading to the construction of a 10 000-level firmware library that is crucial for targeted decryption based on neighboring versions. An FTA automated firmware parsing system is conceptualized and empirically validated, showing significant enhancements over mainstream firmware analysis tools such as Binwalk. Specifically, FTA's multi-granular analysis method elevates the firmware parsing speed by an average of 42.59%, whereas the optimized output mode facilitates targeted file extraction and extends recognition capabilities across multiple file system feature values. FTA provides robust support for firmware parsing within the domain of embedded system security.

Key words: embedded device security, firmware automation parsing, firmware encryption and decryption, firmware targeting analysis, large-scale firmware analysis

江子锐, 梁辰, 张子龙, 王奕森. 一种面向异构固件的高效靶向分析技术[J]. 计算机工程, 2025, 51(11): 171-185.

JIANG Zirui, LIANG Chen, ZHANG Zilong, WANG Yisen. An Efficient Targeting Analysis Technique for Heterogeneous Firmware[J]. Computer Engineering, 2025, 51(11): 171-185.

https://www.ecice06.com/CN/Y2025/V51/I11/171

图/表 22

图1 FTA自动化固件解析系统框架

Fig.1 FTA automated firmware parsing system framework

图2 固件组成结构

Fig.2 Firmware composition structure

图3 浅度匹配解析实现流程

Fig.3 Shallow matching parsing implementation flow

图4 深度递归解析实现流程

Fig.4 Deep recursive parsing implementation flow

图5 可扩展文件系统提取方法流程

Fig.5 Extensible file system extraction method flow

图6 Magic值转换识别原理

Fig.6 Magic value conversion recognition principle

图7 固件库构建方法

Fig.7 Firmware library building methodology

图8 固件库基本结构

Fig.8 Firmware library basic structure

图9 常用的固件加密流程

Fig.9 Commonly used firmware encryption flow

图10 基于相邻版本的固件靶向解密方法

Fig.10 Firmware targeted decryption method based on neighboring versions

图11 靶向提取模块测试结果

Fig.11 Targeted extraction module test results

图12 文件自动分类模块测试结果

Fig.12 Automatic document categorization module test results

图13 批量固件解析速度

Fig.13 The speed of batch firmware parsing

参考文献 31

1	中国通信标准化协会. 物联网操作系统安全白皮书[EB/OL]. (2022-09-19)[2024-03-11]. https://blog.nsfocus.net/wp-content/uploads/2022/09/iot-whitepaper.pdf.
	China Communications Standards Association. IoT operating system security white paper[EB/OL]. (2022-09-19)[2024-03-11]. https://blog.nsfocus.net/wp-content/uploads/2022/09/iot-whitepaper.pdf. (in Chinese)
2	MUENCH M, STIJOHANN J, KARGL F, et al. What you corrupt is not what you crash: challenges in fuzzing embedded devices[C]//Proceedings of the Network and Distributed System Security Symposium. Washington D. C., USA: IEEE Press, 2018: 1-10.
3	周诚远, 张慧翔, 李晓辉, 等. 浅析物联网设备固件保护与漏洞分析技术. 保密科学技术, 2022 (2): 45- 50.
	ZHOU C Y , ZHANG H X , LI X H , et al. Analysis on firmware protection and vulnerability analysis technology of Internet of Things equipment. Secrecy Science and Technology, 2022 (2): 45- 50.
4	ANDREI C, JONAS Z, AURELIEN F, et al. A large-scale analysis of the security of embedded firmwares[C]//Proceedings of the 23th USENIX Security Symposium. Berkeley, USA: USENIX, 2014: 95-110.
5	POOJA G , PRIYANKA G , GAYATRI C , et al. Steganography using bin-walk tool & its overview. International Journal of Computer Science and Mobile Computing, 2021, 10 (6): 90- 96.
6	DAVID B, IVAN J, THANASSIS A, et al. BAP: a binary analysis platform[C]//Proceedings of CAV 2011. Berlin, Germany: Springer, 2011: 463-469.
7	HEITMAN C, ARCE I. BARF: a multiplatform open source binary analysis and reverse engineering framework[EB/OL]. (2021-05-26)[2024-03-11]. https://raw.githubusercontent.com/programa-stic/barf-project/master/doc/papers/barf.pdf.
8	HAIDER A , MUHAMMAD S , MALIHA S , et al. DUDE: decryption, unpacking, deobfuscation, and endian conversion framework for embedded devices firmware. IEEE Transactions on Dependable and Secure Computing, 2024, 21 (4): 99- 101.
9	REDINI N, MACHIRY A, WANG R Y. Karonte: detecting insecure multi-binary interactions in embedded firmware[C]//Proceedings of 2020 IEEE Symposium on Security and Privacy. San Francisco, USA: IEEE Press, 2020: 1544-1561.
10	Mitre. Cve-2019-5137[EB/OL]. (2020-03-22)[2024-03-11]. https://nvd.nist.gov/vuln/detail/CVE-2019-5137.
11	TIEN C W, TSAI T T, CHEN I Y, et al. UFO-hidden backdoor discovery and security verification in IoT device firmware[C]//Proceedings of the IEEE International Symposium on Software Reliability Engineering. Memphis, USA: IEEE Press, 2018: 18-23.
12	SHWARTZ O , MATHOV Y , BOHADANA M , et al. Reverse engineering iot devices: effective techniques and methods. IEEE Internet of Things Journal, 2018, 5 (6): 4965- 4976. doi: 10.1109/JIOT.2018.2875240
13	GAMBLIN J. Mirai-Source-Code: leaked mirai source code for research/ioc development purposes[EB/OL]. (2020-02-27)[2024-03-11]. https://github.com/jgamblin/Mirai-Source-Code.
14	COSTIN A, ZARRAS A, FRANCILLON A. Automated dynamic firmware analysis at scale: a case study on embedded web interfaces[C]//Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security. New York, USA: ACM Press, 2016: 437-448.
15	ELSABAGH M, JOHNSON R, STAVROU A, et al. FIRMSCOPE: automatic uncovering of privilege-escalation vulnerabilities in pre-installed apps in android firmware[C]//Proceedings of the 29th USENIX Security Symposium. [S. l. ]: USENIX, 2020: 1-10.
16	OBERMAIER J, HUTLE M. Analyzing the security and privacy of cloud-based video surveillance systems[C]//Proceedings of the 2nd ACM International Workshop on IoT Privacy, Trust, and Security. New York, USA: ACM Press, 2016: 22-28.
17	HEMEL A. Binary analysisng[EB/OL]. (2021-05-25)[2024-03-11]. https://github.com/armijnhemel/binaryanalysisng.
18	DESIGN E. Cryptographic techniques for safer firmware[EB/OL]. (2023-03-05)[2024-03-11]. https://www.electronicdesign.com/technologies/embedded-revolution/article/21163055/neuronicworks-cryptographic-techniques-for-safer-firmware.
19	赵亚新, 郭玉东, 舒辉. 基于JTAG的嵌入式设备固件分析技术. 计算机工程与设计, 2014, 35 (10): 3410- 3415.
	ZHAO Y X , GUO Y D , SHU H . Analysis technology of embedded device firmware based on JTAG. Computer Engineering and Design, 2014, 35 (10): 3410- 3415.
20	PARTNERS P T. How to do firmware analysis. tools, tips, and tricks[EB/OL]. (2021-05-25)[2024-03-11]. https://www.pentestpartners.com/security-blog/how-to-do-firmware-analysis-tools-tips-and-tricks/.
21	于颖超, 陈左宁, 甘水滔, 等. 嵌入式设备固件安全分析技术研究. 计算机学报, 2021, 44 (5): 859- 881.
	YU Y C , CHEN Z N , GAN S T , et al. Research on the technologies of security analysis technologies on the embedded device firmware. Chinese Journal of Computers, 2021, 44 (5): 859- 881.
22	CHEN D D, EGELE M, WOO M, et al. Towards automated dynamic analysis for linux-based embedded firmware[C]//Proceedings of 2016 Network and Distributed System Security Symposium. San Diego, USA: Internet Society, 2016: 1-10.
23	KIM M, KIM D, KIM E, et al. FirmAE: towards large-scale emulation of IoT firmware for dynamic analysis[C]//Proceedings of the Annual Computer Security Applications Conference. New York, USA: ACM Press, 2020: 733-745.
24	朱晓东. 二进制代码相似性分析关键问题研究[D]. 郑州: 战略支援部队信息工程大学, 2021.
	ZHU X D. Research on key problems of binary code similarity analysis[D]. Zhengzhou: Information Engineering University, 2021. (in Chinese)
25	于颖超, 甘水滔, 邱俊洋, 等. 二进制代码相似度分析及在嵌入式设备固件漏洞搜索中的应用. 软件学报, 2022, 33 (11): 4137- 4172.
	YU Y C , GAN S T , QIU J Y , et al. Binary code similarity analysis and its applications on embedded device firmware vulnerability search. Journal of Software, 2022, 33 (11): 4137- 4172.
26	PEWNY J, GARMANY B, GAWLIK R, et al. Cross-architecture bug search in binary executables[C]//Proceedings of the IEEE Symposium on Security and Privacy. San Jose, USA: IEEE Press, 2015: 709-724.
27	PECKOL J K . Embedded systems: a contemporary design tool. [S. l. ]: John Wiley & Sons, Inc., 2019.
28	朱晓东, 尹青, 常瑞, 等. 基于结构化特征库的递进式固件格式解析. 武汉大学学报(理学版), 2017, 63 (2): 125- 132.
	ZHU X D , YIN Q , CHANG R , et al. Structured feature library-based progressive firmware format parsing. Journal of Wuhan University (Natural Science Edition), 2017, 63 (2): 125- 132.
29	CYR B , MAHMOD J , GUIN U . Low-cost and secure firmware obfuscation method for protecting electronic systems from cloning. IEEE Internet of Things Journal, 2019, 6 (2): 3700- 3711. doi: 10.1109/JIOT.2018.2890277
30	ARMIJN H. Introducing the binary analysis tool[EB/OL]. (2013-05-27)[2024-03-11]. http://events.static.linuxfound.org/sites/events/files/als13_hemel_bat.pdf.
31	D-link. D-link series dir-867[EB/OL]. (2022-03-27)[2024-03-11]. https://support.dlink.com/productinfo.aspx?m=DIR-882-US.

选择文件类型/文献管理软件名称

选择包含的内容