High-Confidence Vulnerability Detection in IoT Firmware Based on Taint Flow Analysis

doi:10.3969/j.issn.1671-1122.2026.02.012

Abstract

Abstract:

The proliferation of Internet of Things (IoT) devices has led to increasingly severe security challenges posed by embedded firmware vulnerabilities. Current mainstream taint analysis schemes are plagued by significant limitations, including path explosion and high false positive rates. To overcome the limitations of existing solutions, this paper proposed Laptaint, a high-accuracy firmware vulnerability detection scheme based on taint analysis. First, for keyword matching, Laptaint integrated lightweight model and fuzzy matching to enhance keyword identification. This approach precisely recognized input sources, thereby reducing false negatives caused by missing source points. Second, in terms of data flow analysis, a fine-grained taint semantics model was constructed. This model utilized definitional reachability analysis to iteratively trace backward from hazardous function call sites, reaching the taint sources. Finally, for function sanitization, an integrated sanitization verification module validated tainted inputs through four distinct checking logics. Experiments conduct on 30 real-world device firmwares demonstrat Laptaint’s ability to identify vulnerabilities with an 82.02% accuracy rate, outperforming comparable schemes.

Key words: firmware security, vulnerability detection, taint analysis, sanitization validation

CLC Number:

TP309

ZHANG Guanghua, LI Guoyu, WANG He, LI Heng, WU Shaoguang. High-Confidence Vulnerability Detection in IoT Firmware Based on Taint Flow Analysis[J]. Netinfo Security, 2026, 26(2): 325-337.

Figures/Tables 9

References 27

[1]	LIU Lingxiang, PAN Zulie, LI Yang, et al. A Static Localization Method for Firmware Vulnerabilities Based on Front-End and Back-End Correlation Analysis[J]. Netinfo Security, 2022, 22(8): 44-54.
	刘翎翔, 潘祖烈, 李阳, 等. 基于前后端关联性分析的固件漏洞静态定位方法[J]. 信息网络安全, 2022, 22(8):44-54.
[2]	VAILSHERY L S. Topic: Internet of Things (IoT)[EB/OL]. (2024-06-11)[2025-05-13]. https://www.statista.com/topics/2637/internet-of-things/.
[3]	ZHANG Guanghua, CHEN Fang, CHANG Jiyou, et al. Accelerating Firmware Vulnerability Discovery via Precise Intermediate Taint Source and Dangerous Function Localization[J]. Computer Science, 2025, 52(7): 1-12. doi: 10.1063/1.31803 URL
	张光华, 陈放, 常继友, 等. 利用精确中间污点源和危险函数定位加速固件漏洞挖掘[J]. 计算机科学, 2025, 52(7):1-12.
[4]	THREAT I T. 150000 Verkada Security Cameras Hacked—to Make a Point[EB/OL]. (2021-03-12)[2025-05-14]. https://www.threatdown.com/blog/150000-verkada-security-cameras-hacked-to-make-a-point/.
[5]	ANTONAKAKIS M, APRIL T, BAILEY M, et al. Understanding the Mirai Botnet[C]// USENIX. The 26th USENIX Conference on Security Symposium. Berkeley: USENIX, 2017: 1093-1110.
[6]	LANGNER R. Stuxnet: Dissecting a Cyberwarfare Weapon[J]. IEEE Security & Privacy, 2011, 9(3): 49-51.
[7]	WANG Ningchao, CHEN Zuoning, GAN Shuitao, et al. Research on the Technologies of Security Analysis Technologies on the Embedded Device Firmware[EB/OL]. (2023-02-22)[2025-05-14]. https://jglobal.jst.go.jp/en/detail?JGLOBAL_ID=202102221104018110.
[8]	CHEN Libo, WANG Yanhao, CAI Quanpu, et al. Sharing More and Checking Less: Leveraging Common Input Keywords to Detect Bugs in Embedded Systems[C]// USENIX. The 30th USENIX Security Symposium. Berkeley: USENIX, 2021: 303-319.
[9]	SRIVASTAVA P, PENG Hui, LI Jiahao, et al. FirmFuzz: Automated IoT Firmware Introspection and Analysis[C]// ACM. The 2nd International ACM Workshop on Security and Privacy for the Internet-of-Things. New York: ACM, 2019: 15-21.
[10]	GUO Jundong. Research on Automated Vulnerability Discovery Technology for Routers Based on Static Analysis[D]. Beijing: Beijing Jiaotong University, 2024.
	郭俊东. 基于静态分析的路由器自动化漏洞挖掘技术研究[D]. 北京: 北京交通大学, 2024.
[11]	ZHANG Guanghua, CHANG Jiyou, CHEN Fang, et al. Firmware Simulation Scheme of IoT Devices Based on Dynamic Substitution of Library Functions[J]. Netinfo Security, 2025, 25(7): 1053-1062.
	张光华, 常继友, 陈放, 等. 基于库函数动态替换的物联网设备固件仿真方案[J]. 信息网络安全, 2025, 25(7):1053-1062.
[12]	SHOSHITAISHVILI Y, WANG Ruoyu, SALLS C, et al. (State of ) The Art of War: Offensive Techniques in Binary Analysis[C]// IEEE. 2016 IEEE Symposium on Security and Privacy. New York: IEEE, 2016: 138-157.
[13]	ZADDACH J, BRUNO L, BALZAROTTI D, et al. Avatar: A Framework to Support Dynamic Security Analysis of Embedded Systems’ Firmwares[C]// NDSS. Network and Distributed System Security (NDSS) Symposium. San Diego: NDSS, 2014: 157-173.
[14]	CHEN Jiongyi, DIAO Wenrui, ZHAO Qingchuan, et al. IoTFuzzer: Discovering Memory Corruptions in IoT Through App-Based Fuzzing[C]// NDSS. Network and Distributed System Security Symposium 2018. San Diego: NDSS, 2018: 187-202.
[15]	WEI Zhou, ZHANG Lan, LE Guan, et al. What Your Firmware Tells You is not How You Should Emulate It: A Specification-Guided Approach for Firmware Emulation[C]// ACM. The 2022 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2022: 3269-3283.
[16]	ZHENG Yaowen, DAVANIAN A, ZHU Hongsong, et al. FIRM-AFL: High-Throughput Greybox Fuzzing of IoT Firmware via Augmented Process Emulation[C]// USENIX. The 28th USENIX Conference on Security Symposium (SEC’19). Berkeley: USENIX, 2019: 1099-1114.
[17]	SHE Dongdong, CHEN Yizheng, ABHISHEK S, et al. Neutaint: Efficient Dynamic Taint Analysis with Neural Networks[C]// IEEE. The 41th IEEE Symposium on Security and Privacy. New York: IEEE, 2020: 1527-1543.
[18]	QIAN Sang, WANG Yanhao, LIU Yuwei, et al. AirTaint: Making Dynamic Taint Analysis Faster and Easier[C]// IEEE. 2024 IEEE Symposium on Security and Privacy (SP). New York: IEEE, 2024: 3998-4014.
[19]	ZHU Yuming, DONG Weiyu. nnTaint: An Optimized Dynamic Taint Analysis Method Based on Neural Network[C]// IEEE. 2022 IEEE 10th International Conference on Information, Communication and Networks (ICICN). New York: IEEE, 2022: 63-70.
[20]	KIM M, KIM D, KIM E, et al. FirmAE: Towards Large-Scale Emulation of IoT Firmware for Dynamic Analysis[C]// ACM. The 36th Annual Computer Security Applications Conference. New York: ACM, 2020: 733-745.
[21]	GAO Zicong, ZHANG Chao, LIU Hangtian, et al. Faster and Better: Detecting Vulnerabilities in Linux-Based IoT Firmware with Optimized Reaching Definition Analysis[C]// NDSS. Network and Distributed System Security Symposium 2024. San Diego: NDSS, 2024: 564-571.
[22]	REDINI N, MACHIRY A, WANG Ruoyu, et al. Karonte: Detecting Insecure Multi-Binary Interactions in Embedded Firmware[C]// IEEE. 2020 IEEE Symposium on Security and Privacy (SP). New York: IEEE, 2020: 1544-1561.
[23]	GIBBS W, RAJ A S, VADAYATH J M, et al. Operation Mango: Scalable Discovery of Taint-Style Vulnerabilities in Binary Firmware Services[C]// USENIX. The 33rd USENIX Conference on Security Symposium. Berkeley: USENIX, 2024: 7123-7139.
[24]	CHENG Kai, ZHENG Yangwen, LIU Tao, et al. Detecting Vulnerabilities in Linux-Based Embedded Firmware with SSE-Based on-Demand Alias Analysis[C]// ACM. The 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis. New York: ACM, 2023: 360-372.
[25]	LIU Puzhuo, ZHENG Yaowen, SUN Chengnian, et al. FITS: Inferring Intermediate Taint Sources for Effective Vulnerability Analysis of IoT Device Firmware[C]// ACM. The 28th ACM International Conference on Architectural Support for Programming Languages and Operating Systems. New York: ACM, 2024: 138-152.
[26]	CHENG Kai, LI Qiang, WANG Lei, et al. DTaint: Detecting the Taint-Style Vulnerability in Embedded Device Firmware[C]// IEEE. 2018 48th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). New York: IEEE, 2018: 430-441.
[27]	EACMEN P. ReFirmLabs/Binwalk: Firmware Analysis Tool[EB/OL]. [2025-05-17]. https://github.com/ReFirmLabs/binwalk.

硬件	配置
CPU	Intel(R) Xeon(R) CPU E5-2686 v4 @2.30 GHz
内存	503 GB
硬盘	3 TB

固件品牌及数量	SaTc				Mango				Laptaint
	警告		漏洞		警告		漏洞		警告		漏洞
	cmdi	bof	cmdi	bof	cmdi	bof	cmdi	bof	cmdi	bof	cmdi	bof
TP-Link(8)	0	2	0	1	11	55	5	35	7	40	5	32
D-Link(8)	0	27	0	11	7	32	3	19	5	24	3	18
NetGear(7)	12	144	8	45	73	694	36	348	47	394	35	327
Tenda(7)	6	117	5	71	78	56	50	25	52	32	48	25
总计	18	290	13	128	169	837	94	427	111	490	91	402

固件品牌及数量	SaTc		Mango		Laptaint
固件品牌及数量	FP	TP	FP	TP	FP	TP
TP-Link(8)	50%	50%	39.40%	60.60%	21.28%	78.72%
D-Link(8)	59.26%	40.74%	43.59%	56.41%	27.59%	72.41%
NetGear(7)	66.03%	33.97%	59.46%	50.06%	17.47%	82.53%
Tenda(7)	38.22%	61.78%	44.03%	55.97%	13.10%	86.90%
平均	54.23%	45.77%	48.22%	51.78%	17.98%	82.02%

固件品牌及数量	SaTc		Mango		Laptaint
	时间		时间		时间
	cmdi	bof	cmdi	bof	cmdi	bof
TP-Link(8)	12h28min	16h49min	19h40min	21h12min	24h10min	22h31min
D-Link(8)	67h14min	71h32min	12h7min	29h40min	11h57min	31h49min
NetGear(7)	58h28min	84h9min	27h19min	35h6min	27h49min	32h22min
Tenda(7)	37h30min	61h38min	18h12min	24h23min	15h30min	25h22min
总计	175h40min	234h8min	77h18min	110h21min	79h26min	112h4min

方案	TOTAL	TP	FP	TPR	FPR	时间
Laptaint(true)	601	493	108	82.02%	17.98%	191h30min
Laptaint(false)	487	343	154	70.43%	29.57%	185h49min