基于前后端关联性分析的固件漏洞静态定位方法

doi:10.3969/j.issn.1671-1122.2022.08.006

摘要/Abstract

摘要：

目前大多数物联网设备通过Web服务接口进行远程管理,利用Web服务漏洞发起攻击成为当前物联网设备安全面临的主要威胁之一。文章提出一种针对物联网设备Web服务漏洞的静态挖掘方法,首先基于前端脚本文件与边界二进制程序之间的关联性特征,通过对前后端文件进行关联分析,识别固件中的边界二进制程序,确定在边界二进制程序中针对Web输入数据的起始处理位置。然后利用污点分析技术判断输入数据是否会被漏洞触发函数处理,定位程序中的危险函数区域。最后实现固件漏洞静态方法的原型系统FBIR,并对10款固件进行实验,通过定位危险函数的方式验证45个已知漏洞并挖掘出12个零日漏洞。在漏报率只有14.9%的基础上,与传统人工分析的方法对比,文章所提方法将程序函数分析范围平均缩小了86%。

关键词: 固件漏洞分析, 关联性分析, 边界二进制程序

Abstract:

At present, most IoT devices are remotely managed through Web service interfaces, exploiting Web service vulnerabilities to launch attacks is an important threat facing current IoT devices. This paper proposed a static mining method for Web service vulnerabilities in IoT devices. Firstly, based on the presence of certain correlation characteristics between the front-end script file and the boundary binary program (a binary program specifically designed to process Web service data), the boundary binary program in the firmware was identified by the association analysis of the front-end and back-end files, the Web input data corresponded to the processing position of the boundary binary program. Then the taint analysis technique was used to determine whether the input data will be processed by the vulnerability trigger function. Locate the area of the hazard function that existed in the program. Finally, the prototype system FBIR of the method was realized, and 10 firmwares were tested, 45 known vulnerabilities were verified by locating dangerous functions, and 12 zero-day vulnerabilities were excavated. On the basis of the false negative rate of only 14.9%, the analysis range of program was reduced by 86%.

Key words: firmware vulnerability analysis, correlation analysis, border binary program

中图分类号:

TP309

刘翎翔, 潘祖烈, 李阳, 李宗超. 基于前后端关联性分析的固件漏洞静态定位方法[J]. 信息网络安全, 2022, 22(8): 44-54.

LIU Lingxiang, PAN Zulie, LI Yang, LI Zongchao. Firmware Vulnerability Static Localization Method Based on Front-End and Back-End Correlation Analysis[J]. Netinfo Security, 2022, 22(8): 44-54.

图/表 11

图1

图2

图3

图4

表1

表2

表3

图5

表4

表5

表6

参考文献 15

[1]	YU Yingchao, CHEN Zuoning, GAN Shuitao, et al. Research on the Technologies of Security Analysis Technologies on the Embedded Device Firmware[J]. Chinese Journal of Computers, 2021, 44(5): 859-881.
	于颖超, 陈左宁, 甘水滔, 等. 嵌入式设备固件安全分析技术研究[J]. 计算机学报, 2021, 44(5): 859-881.
[2]	CHEN D D, EGELE M, WOO M, et al. Towards Automated Dynamic Analysis for Linux-Based Embedded Firmware[EB/OL]. (2016-01-01)[2022-03-22]. https://www.researchgate.net/publication/316904631_Towards_Automated_Dynamic_Analysis_for_Linux-based_Embedded_Firmware.
[3]	KIM M, KIM D, KIM E, et al. FirmAE: Towards Large-Scale Emulation of IoT Firmware for Dynamic Analysis[C]//ACM. Annual Computer Security Applications Conference (ACSAC’20). New York: ACM, 2020: 733-745.
[4]	ZHENG Yaowen, DAVANIAN A, YIN Heng, et al. FIRM-AFL: High-Throughput Greybox Fuzzing of IoT Firmware via Augmented Process Emulation[C]//USENIX. 28th USENIX Security Symposium. Berkeley: USENIX, 2019: 1099-1114.
[5]	CNCERT/CC, NSFOCUS. 2020 IoT Security Annual Report[EB/OL]. (2021-07-05)[2022-04-08]. https://www.nsfocus.com.cn/html/2021/134_0705/158. html.
	国家互联网应急中心,绿盟科技. 2020物联网安全年报[EB/OL]. (2021- 07-05)[ 2022-04-08]. https://www.nsfocus.com.cn/html/2021/134_0705/158. html.
[6]	CHENG Kai, LI Qiang, WANG Lei, et al. DTaint: Detecting the Taint-Style Vulnerability in Embedded Device Firmware[C]//IEEE. 2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). New York: IEEE, 2018: 430-441.
[7]	SHOSHITAISHVILI Y, WANG Ruoyu, SALLS C, et al. SOK: (State of ) the Art of War: Offensive Techniques in Binary Analysis[C]//IEEE. 2016 IEEE Symposium on Security and Privacy (SP). New York: IEEE, 2016: 138-157.
[8]	ZHU Lipeng, FU Xiaotong, YAO Yao, et al. FIoT: Detecting the Memory Corruption in Lightweight IoT Device Firmware[C]//IEEE. 2019 18th IEEE International Conference on Trust, Security and Privacy in Computing and Communications. New York: IEEE, 2019: 248-255.
[9]	REDINI N, MACHIRY A, WANG Ruoyu, et al. KARONTE: Detecting Insecure Multi-Binary Interactions in Embedded Firmware[C]//IEEE. 2020 IEEE Symposium on Security and Privacy (SP). New York: IEEE, 2020: 1544-1561.
[10]	CHEN Libo, WANG Yanhao, CAI Quanpu, et al. Sharing More and Checking Less: Leveraging Common Input Keywords to Detect Bugs in Embedded Systems[C]//USENIX. 30th USENIX Security Symposium. Berkeley: USENIX, 2021: 303-319.
[11]	WANG Dong, ZHANG Xiaosong, CHEN Ting, et al. Discovering Vulnerabilities in COTS IoT Devices through Blackbox Fuzzing Web Management Interface[EB/OL].(2019-11-04)[2022-03-10]. https://dl.acm.org/doi/10.1155/2019/5076324.
[12]	WANG Lei, LI Feng, LI Lian, et al. Principle and Practice of Taint Analysis[J]. Journal of Software, 2017, 28(4): 860-882.
	王蕾, 李丰, 李炼, 等. 污点分析技术的原理和实践应用[J]. 软件学报, 2017, 28(4): 860-882.
[13]	DAI Zhonghua, FEI Yongkang, ZHAO Bo, et al. Research on the Localization of Firmware Vulnerability Based on Stain Tracking[J]. Journal of Shandong University(Natural Science), 2016, 51(9): 41-46.
	戴忠华, 费永康, 赵波, 等. 基于污点跟踪的固件漏洞定位研究[J]. 山东大学学报(理学版), 2016, 51(9): 41-46.
[14]	ZHAO Jian, WANG Rui, LI Siqi. Research on Smart Home Vulnerability Mining Technology Based on Taint Analysis[J]. Netinfo Security, 2018, 18(6): 36-44.
	赵健, 王瑞, 李思其. 基于污点分析的智能家居漏洞挖掘技术研究[J]. 信息网络安全, 2018, 18(6): 36-44.
[15]	CELIK Z B, BABUN L, SIKDER A K, et al. Sensitive Information Tracking in Commodity IoT[C]//USENIX. 27th USENIX Security Symposium. Berkeley: USENIX, 2018: 1687-1704.

类型	函数名
格式化字符串函数	sscanf, sprintf, fprintf CsteSystem, doSystem
非格式化字符串函数	strcpy, memcpy, strcat popen, system

厂商	设备名	架构
Cisco	RV110W	MIPS
Cisco	RV130W	ARM
D-Link	DIR-825	MIPS
D-Link	DIR-816	MIPS
Tenda	AX12	MIPS
Tenda	AX3	ARM
TOTOLINK	A3100R	MIPS
TOTOLINK	X5000R	MIPS
TrendNet	TEW-827DRU	MIPS
ASUS	RT-AC86U	ARM

设备名	数据引入函数	边界二进制程序	漏洞数据引入函数	漏洞程序	漏报情况
RV110W	get_cgi nvram_get	httpd blink_diag_led boot_env	get_cgi	httpd	无
RV130W	sub_1D170 nvram_get	httpd blink_diag_led boot_env	sub_1D170	httpd	无
DIR-825	nvram_safe_get get_cgi	httpd rc	nvram_safe_get get_cgi	httpd	无
DIR-816	websGetVar	goahead	websGetVar nvram_bufget	goahead	有
AX12	sub_4151AC sub_425F70 sub_42B5AC	httpd	sub_4151AC	httpd	无
AX3	websGetVar	httpd	websGetVar GetValue	httpd	有
A3100R	websGetVar	ipv6.so wan.so system.so	websGetVar	system.so	无
X5000R	websGetVar	cstecgi.cgi	websGetVar nvram_safe_get	cstecgi.cgi rc	有
TEW-827DRU	getenv	ssi	getenv query_vars safe_getenv	ssi	有
RT-AC86U	sub_1D0F0 nvram_get_int sub_1BDF4 sub_1BE38 nvram_get	httpd asus_sr asus_tty	sub_1BE38	httpd	无

设备名	程序		覆盖数量	未覆盖	漏报率
RV110W	httpd		1	未知	—
RV130W	httpd		2	未知	—
DIR-825	httpd		5	0	0
DIR-816	goahead		7	4	36.3%
AX12	httpd		5	0	0
AX3	httpd		16	7	30.4%
A3100R		system.so	2	0	0
X5000R		cstecgi.cgi	2	0	0
TEW-827DRU		ssi	5	3	37.5%

设备	漏洞编号
RV110W	CVE-2020-3331
RV130W	CVE-2020-3145、CVE-2020-3146
DIR-825	CVE-2020-10216、CVE-2020-10213、CVE-2020-10214、CVE-2019-9122、CVE-2020-10215
DIR-816	CVE-2021-26810、CVE-2021-27113、CVE-2021-27114、CVE-2018-17068、CVE-2018-17066、CVE-2018-20305、CVE-2019-10039
AX12	CVE-2022-25561、CVE-2022-25560、CVE-2022-25556、CVE-2021-45391、CVE-2021-45392
AX3	CVE-2022-24163、CVE-2022-24162、CVE-2022-24160、CVE-2022-24159、CVE-2022-24157、CVE-2022-24155、CVE-2022-24154、CVE-2022-24153、CVE-2022-24151、CVE-2022-24152、CVE-2022-24144、CVE-2022-24143、CVE-2022-24162、CVE-2022-24145、CVE-2022-24147、CVE-2022-24149
A3100R	CVE-2021-44246、CVE-2021-44247
TEW-827DRU	CVE-2020-14076、CVE-2020-14079、CVE-2020-14080、CVE-2020-14077、CVE-2020-14078
X5000R	CVE-2021-45738、CVE-2021-45733