基于污点分析与文本语义的固件程序交互关系智能逆向分析方法

doi:10.3969/j.issn.1671-1122.2025.09.007

摘要/Abstract

摘要：

针对嵌入式设备固件程序间交互关系逆向分析自动化程度低、准确率不高、分析效率低等问题，文章提出一种基于污点分析与文本语义的固件程序交互关系智能逆向分析方法。该方法构建了基于污点分析的关联函数代码切片算法，结合大语言模型的语义理解能力，实现了二进制程序中交互信息的精准提取和关联代码片段的智能定位，此外，还设计了面向脚本文件和配置文件的专用交互信息提取方法，有效提升了方法处理非结构化文本数据的能力。实验结果表明，程序间交互关系逆向分析方法的检测准确率达93.2%，研究成果可为理解程序功能、实现通信控制、发现潜在漏洞等应用提供有效支撑。

关键词: 污点分析, 大语言模型, 逆向分析, 程序交互

Abstract:

To address the challenges of low automation, limited accuracy and inefficiency in reverse-engineering interaction relationships among embedded firmware programs, this paper proposed an intelligent reverse analysis method based on taint analysis and textual semantics. The approach introduced a taint-analysis-based associated function code slicing algorithm, which combined with the semantic comprehension capabilities of large language models, enabled precise extraction of interaction-related information from binary programs and intelligent localization of relevant code segments. Furthermore, a dedicated interaction extraction method was designed for script and configuration files, significantly enhancing the ability of method to process unstructured textual data. The experimental results demonstrate that the proposed method achieves an interaction detection accuracy of 93.2%. The findings provide robust support for program functionality comprehension, communication control, and vulnerability discovery in practical applications.

Key words: taint analysis, large language models, reverse analysis, program interaction

中图分类号:

TP309

王磊, 陈炯峄, 王剑, 冯袁. 基于污点分析与文本语义的固件程序交互关系智能逆向分析方法[J]. 信息网络安全, 2025, 25(9): 1385-1396.

WANG Lei, CHEN Jiongyi, WANG Jian, FENG Yuan. Intelligent Reverse Analysis Method of Firmware Program Interaction Relationships Based on Taint Analysis and Textual Semantics[J]. Netinfo Security, 2025, 25(9): 1385-1396.

图/表 10

图1

表1

图2

图3

图4

表2

表3

表4

图5

表5

参考文献 23

[1]	IOT Business News. 5 Game-Changing IoT Trends to Watch in 2025[EB/OL]. (2025-03-12)[2025-05-06]. https://iotbusinessnews.com/2025/03/12/16089-5-game-changing-iot-trends-to-watch-in-2025/.
[2]	360 Digital Security Group·Vulnerability Intelligence Service. (2025). 2024 Annual Cybersecurity Vulnerability Analysis Report[EB/OL]. (2025-02-10)[2025-05-06]. https://cdn.isc.360.com/isc-cxo/2024_Vulnerability_Report.pdf.
	360数字安全集团·漏洞情报服务. (2025). 2024年度网络安全漏洞分报告[EB/OL]. (2025-02-10)[2025-05-06]. https://cdn.isc.360.com/isc-cxo/2024_Vulnerability_Report.pdf.
[3]	JIAO Yongsheng, SHU Hui. Reversing of Interprocess Communication Based on TEMU[J]. Application Research of Computers, 2013, 30(7): 5-10.
	焦永生, 舒辉. 基于TEMU的进程间通信过程逆向[J]. 计算机应用研究, 2013, 30(7): 5-10.
[4]	HENDERSON A, YAN L K, HU X, et al. DECAF: A Platform-Neutral Whole-System Dynamic Binary Analysis Platform[J]. IEEE Transactions on Software Engineering, 2017, 43(2): 164-184.
[5]	LIWY7Z. Taint Aalysis Technology[EB/OL]. (2022-03-03)[2025-05-06]. https://blog.csdn.net/weixin_44442186/article/details/123263226.
	LIWY7Z. 污点分析技术[EB/OL]. (2022-03-03)[2025-05-06]. https://blog.csdn.net/weixin_44442186/article/details/123263226.
[6]	REDINI N, MACHIRY A, WANG R, et al. Karonte: Detecting Insecure Multi-Binary Interactions in Embedded Firmware[C]// IEEE. 2020 IEEE Symposium on Security and Privacy. New York: IEEE, 2020: 1544-1561.
[7]	WU Yuhao, WANG Jinwen, WANG Yujie, et al. Your Firmware Has Arrived: A Study of Firmware Update Vulnerabilities[C]// USENIX. 33rd USENIX Security Symposium. Berkeley: USENIX, 2024: 5627-5644.
[8]	LI Wen, JIANG Ming, LUO Xiapu, et al. POLYCRUISE: A Cross-Language Dynamic Information Flow Analysis[C]// USENIX. 31st USENIX Security Symposium. Berkeley: USENIX, 2022: 2513-2530.
[9]	CHEN Libo, WANG Yanhao, LINGHU Jiaqi, et al. SaTC: Shared-Keyword Aware Taint Checking for Detecting Bugs in Embedded Systems[J]. IEEE Transactions on Dependable and Secure Computing, 2024, 21(4): 2421-2433.
[10]	CHEN Libo, WANG Yanhao, CAI Quanpu, et al. Sharing More and Checking Less: Leveraging Common Input Keywords to Detect Bugs in Embedded Systems[C]// USENIX. 30th USENIX Security Symposium. Berkeley: USENIX, 2021: 303-319.
[11]	ALHANAHNAH M, STEVENS C, CHEN B, et al. IoTCom: Dissecting Interaction Threats in IoT Systems[J]. IEEE Transactions on Software Engineering, 2023, 49(4): 1523-1539.
[12]	WANG Rui, WANG Xiaofeng, ZHANG Kehuan, et al. Towards Automatic Reverse Engineering of Software Security Configurations[C]// ACM. The 15th ACM Conference on Computer and Communications Security. New York: ACM, 2008: 245-256.
[13]	XIAO Yuting, CHEN Jiongyi, HU Yupeng, et al. FIRMRES: Exposing Broken Device-Cloud Access Control in IoT through Static Firmware Analysis[C]// IEEE. The 2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks. New York: IEEE, 2024: 495-506.
[14]	LI Xixing, WEI Qiang, WU Zehui, et al. Finding Taint-Style Vulnerabilities in Lua Application of IoT Firmware with Progressive Static Analysis[EB/OL]. (2023-08-28) [2025-05-06]. https://www.mdpi.com/2076-3417/13/17/9710.
[15]	LIU Puzhuo, SUN Chengnian, ZHENG Yaowen, et al. LLM-Powered Static Binary Taint Analysis[J]. ACM Transactions on Software Engineering and Methodology, 2025, 34(3): 1-36.
[16]	LIU Hangtian, ZHENG Lei, GAN Shuitao, et al. EAGLEYE: Exposing Hidden Web Interfaces in IoT Devices via Routing Analysis[EB/OL]. (2025-02-24)[2025-05-06]. https://dx.doi.org/10.14722/ndss.2025.240399.
[17]	CHEN Yi, YAO Yepeng, WANG Xiaofeng, et al. Bookworm Game: Automatic Discovery of LTE Vulnerabilities through Documentation Analysis[C]// IEEE. The 2021 IEEE Symposium on Security and Privacy. New York: IEEE, 2021: 1770-1787.
[18]	TIAN Junfeng, XING Wenjing, LI Zhen. BVDetector: A Program Slice-Based Binary Code Vulnerability Intelligent Detection System[EB/OL]. (2020-02-20)[2025-05-06]. https://www.sciencedirect.com/science/article/pii/S0950584920300392.
[19]	LEMOS R, HEINRICH T, MAZIERO C A, et al. Is It Safe? Identifying Malicious Apps through the Use of Metadata and Inter-Process Communication[C]// IEEE. The 2022 IEEE International Systems Conference SysCon. New York: IEEE, 2022: 1-8.
[20]	LI Meijian, WANG Yongjun, XIE Peidai, et al. Reverse Analysis of Secure Communication Protocol Based on Taint Analysis[EB/OL]. (2014-05-22)[2025-05-06]. https://ieeexplore.ieee.org/document/6992222.
[21]	JI Yang, LEE S, DOWING E, et al. RAIN: Refinable Attack Investigation with On-demand Inter-Process Information Flow Tracking[C]// ACM. The 2017 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2017: 311-326.
[22]	COLE E. Static Taint Analysis of Binary Executables Using Architecture-Neutral Intermediate Representation[R]. St. Louis: Washington University in St. Louis, WUCSE-2019-1177, 2019.
[23]	LIU N F, LIN K, HEWITT J, et al. Lost in the Middle: How Language Models Use Long Contexts[J]. Transactions of the Association for Computational Linguistics, 2024, 12: 157-173.

交互类型	关键API函数	其他关联API函数	数据关联
套接字	bind、connect	sendto、send、sendmsg、 recvfrom、recv、recvmsg	IP地址和端口，或文件路径
共享内存	shmat、shm_open	shmget、mmap	共享内存段标识、文件路径
文件读写	open、fopen	read、fread、fgets、 write、fwrite、fprintf	文件路径
环境变量获取与设置	getenv、setenv、putenv	—	环境变量名
NVRAM	nvram_get、acosNvramConfig_get、nvram_set、acosNvramConfig_set	—	NVRAM存储键
命名管道	mkfifo	open、fopen、read、 write、fread、fwrite	文件路径
命令行参数传递	—	—	命令行参数

测试部分	平均用时/min	平均交互信息数量/条	平均准确率
基于关联函数代码切片的程序交互关系智能提取	63	81	94.1%
基于配置文件与脚本文件的程序交互关系智能提取	47	147	92.7%
完整系统	732	228	93.2%

交互类型系统	套接字	共享内存	文件读写	环境变量获取与设置	NVRAM	命名管道	命令行参数传递
KARONTE	√	—	√	√	—	—	—
ChkUp	√	√	√	√	√	—	—
SaTC	—	—	—	√	√	—	—
FIRMRES	√	—	—	—	—	—	—
LATTE	√	—	√	√	—	—	—
ProtocolFormat	√	—	—	—	—	—	—
TEMU	√	√	√	—	—	√	—
本文系统	√	√	√	√	√	√	√

模型	第一次测试				第二次测试
模型	原始条目/条	筛选后条目 /条	条目可用率	模型分析时间 /min	原始条目/条	筛选后条目 /条	条目可用率	模型分析时间/min
DeepSeek-V3	567	256	45.1%	40.3	567	257	45.3%	40.7
Qwen3-235B- A22B	576	301	52.3%	71.9	644	340	52.8%	68.6
Hunyuan-A13B-Instruct	280	49	17.5%	33.6	374	92	24.5%	39.8

字段	值
发送端	lighttpd
接收端	prog.fcgi
数据关联	/var/prog.fcgi.socket-0
交互类型	socket
交互内容	文件中未体现交互内容