Firmware Simulation Scheme of IoT Devices Based on Dynamic Substitution of Library Functions

doi:10.3969/j.issn.1671-1122.2025.07.005

Abstract

Abstract:

The limited resources of IoT devices make it difficult for traditional vulnerability detection technologies to be effectively applied to these devices. Firmware simulation technology provides a way to solve this problem, but the existing firmware simulation solutions have problems such as strong hardware dependence, high operating costs, and poor portability. In view of the shortcomings of existing simulation solutions, this paper proposed a firmware simulation scheme of IoT devices based on dynamic substitution of library functions. Firstly, a firmware simulation method based on human-computer collaboration was designed. The simulation environment was built through firmware analysis and firmware hosting, and expert experience in the process of firmware file acquisition was introduced. Then, a library function replacement technology based on symbolic execution was designed to extract key information from the previous stage, symbolic execution was used to analyze and guide library function generation, and finally compiled the library function into a dynamic link library to complete the library function replacement. The experimental results show that the simulation speed of the proposed scheme in the article has increased by an average of 80.50% compared to FIRMADYNE, and the optimized symbol execution speed has increased by more than 100% compared to before optimization. At the same time, through vulnerability replication and vulnerability mining verification, the simulation fidelity of this scheme can meet the requirements of vulnerability detection and mining.

Key words: Internet of things, firmware simulation, library function replacement, cross-compilation, vulnerability mining

CLC Number:

TP309

ZHANG Guanghua, CHANG Jiyou, CHEN Fang, MAO Bomin, WANG He, ZHANG Jianyan. Firmware Simulation Scheme of IoT Devices Based on Dynamic Substitution of Library Functions[J]. Netinfo Security, 2025, 25(7): 1053-1062.

Figures/Tables 7

References 24

[1]	KUANG Boyu, FU Anmin, GAO Yansong, et al. FeSA: Automatic Federated Swarm Attestation on Dynamic Large-Scale IoT Devices[J]. IEEE Transactions on Dependable and Secure Computing, 2023, 20(4): 2954-2969.
[2]	ARTENSTEIN N. Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom’s Wi-Fi Chipsets[EB/OL]. (2017-07-27) [2024-05-29]. https://blog.exodusintel.com/2017/07/26/broadpwn/.
[3]	MARGOLIS J, OH T T, JADHAV S, et al. An In-Depth Analysis of the Mirai Botnet[C]// IEEE. 2017 International Conference on Software Security and Assurance (ICSSA). New York: IEEE, 2017: 6-12.
[4]	ZHANG Hao, SHEN Shandian, LIU Peng, et al. Review of Firmware Emulators in Embedded Devices[J]. Journal of Computer Research and Development, 2023, 60(10): 2255-2270.
	张浩, 申珊靛, 刘鹏, 等. 嵌入式设备固件仿真器综述[J]. 计算机研究与发展, 2023, 60(10): 2255-2270.
[5]	FENG Xiaotao, ZHU Xiaogang, HAN Qinglong, et al. Detecting Vulnerability on IoT Device Firmware: A Survey[J]. IEEE/CAA Journal of Automatica Sinica, 2022, 10(1): 25-41.
[6]	YU Yingchao, CHEN Zuoning, GAN Shuitao, et al. Research on the Technologies of Security Analysis Technologies on the Embedded Device Firmware[J]. Chinese Journal of Computers, 2021, 44(5): 859-881.
	于颖超, 陈左宁, 甘水滔, 等. 嵌入式设备固件安全分析技术研究[J]. 计算机学报, 2021, 44(5): 859-881.
[7]	TANASACHE F D, SORELLA M, BONOMI S, et al. Building an Emulation Environment for Cyber Security Analyses of Complex Networked Systems[EB/OL]. (2018-10-23) [2024-05-29]. https://doi.org/10.48550/arXiv.1810.09752.
[8]	WRIGHT C, MOEGLEIN W A, BAGCHI S, et al. Challenges in Firmware Re-Hosting, Emulation, and Analysis[J]. ACM Computing Surveys (CSUR), 2022, 54(1): 1-36.
[9]	SCHWARTZ E J, AVGERINOS T, BRUMLEY D. All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (But Might Have Been Afraid to Ask)[C]// IEEE. 2010 IEEE Symposium on Security and Privacy. New York: IEEE, 2010: 317-331.
[10]	FASANO A, BALLO T, MUENCH M, et al. SoK: Enabling Security Analyses of Embedded Systems via Rehosting[C]// ACM. The 2021 ACM Asia Conference on Computer and Communications Security. New York: ACM, 2021: 687-701.
[11]	ZADDACH J, BRUNO L, FRANCILLON A, et al. Avatar: A Framework to Support Dynamic Security Analysis of Embedded Systems’ Firmwares[C]// IEEE. 2014 Network and Distributed System Security Symposium. New York: IEEE, 2014: 1-16.
[12]	KAMMERSTETTER M, PLATZER C, KASTNER W. Prospect: Peripheral Proxying Supported Embedded Code Testing[C]// ACM. The 9th ACM Symposium on Information, Computer and Communications Security. New York: ACM, 2014: 329-340.
[13]	BELLARD F. QEMU, a Fast and Portable Dynamic Translator[C]// USENIX. The Annual Conference on USENIX Annual Technical Conference. Berkley: USENIX, 2005: 41-46.
[14]	CHEN D D, EGELE M, WOO M, et al. Towards Automated Dynamic Analysis for Linux-Based Embedded Firmware[C]// IEEE. 2016 Network and Distributed System Security Symposium. New York: IEEE, 2016: 1-16.
[15]	KIM M, KIM D, KIM E, et al. FirmAE: Towards Large-Scale Emulation of IoT Firmware for Dynamic Analysis[C]// ACM. Annual Computer Security Applications Conference. New York: ACM, 2020: 733-745.
[16]	GUSTAFSON E, MUENCH M, SPENSKY C, et al. Toward the Analysis of Embedded Firmware through Automated Re-Hosting[C]// USENIX. 22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2019). Berkley: USENIX, 2019: 135-150.
[17]	FENG Bo, MERA A, LU Long. {P²IM}: Scalable and Hardware-Independent Firmware Testing via Automatic Peripheral Interface Modeling[C]// USENIX. 29th USENIX Security Symposium. Berkley: USENIX, 2020: 1237-1254.
[18]	CLEMENTS A A, GUSTAFSON E, SCHARNOWSKI T, et al. {HALucinator}: Firmware Re-Hosting through Abstraction Layer Emulation[C]// USENIX. 29th USENIX Security Symposium. Berkley: USENIX, 2020: 1201-1218.
[19]	LI Wenqiang, GUAN Le, LIN Jingqiang, et al. From Library Portability to Para-Rehosting: Natively Executing Microcontroller Software on Commodity Hardware[EB/OL]. (2021-07-04) [2024-05-29]. https://arxiv.org/abs/2107.12867.
[20]	ZHOU Wei, ZHANG Lan, GUAN Le, et al. What Your Firmware Tells You is Not How You Should Emulate It: A Specification-Guided Approach for Firmware Emulation[C]// ACM. The 2022 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2022: 3269-3283.
[21]	CAO Chen, GUAN Le, MING Jiang, et al. Device-Agnostic Firmware Execution is Possible: A Concolic Execution Approach for Peripheral Emulation[C]// ACM. Annual Computer Security Applications Conference. New York: ACM, 2020: 746-759.
[22]	ZHOU Wei, GUAN Le, LIU Peng, et al. Automatic Firmware Emulation through Invalidity-Guided Knowledge Inference[C]// USENIX. 30th USENIX Security Symposium. Berkley: USENIX, 2021: 2007-2024.
[23]	SHOSHITAISHVILI Y, WANG Ruoyu, SALLS C, et al. SOK: (State of ) The Art of War: Offensive Techniques in Binary Analysis[C]// IEEE. 2016 IEEE Symposium on Security and Privacy (SP). New York: IEEE, 2016: 138-157.
[24]	SCHARNOWSKI T, BARS N, SCHLOEGEL M, et al. Fuzzware: Using Precise {MMIO} Modeling for Effective Firmware Fuzzing[C]// USENIX. 31st USENIX Security Symposium. Berkley: USENIX, 2022: 1239-1256.

设备厂商	设备型号	架构
Tenda	AC15	ARMEL
D-Link	DIR-600	MIPSEL
D-Link	DIR-859	MIPS
D-Link	DIR-823G	MIPSEL
D-Link	DIR-619L	MIPS
Cisco	RV160	ARMEB
Huawei	HG532	MIPS
Netgear	R9000	ARMEL
Netgear	R6400	ARMEB
LBT	T310	MIPSEL

设备型号	FIRMADYNE/s	RLEmu/s	提升幅度
AC15	72.0644	8.2368	88.57%
DIR-600	66.7150	9.8483	85.24%
DIR-859	81.0538	10.6115	86.91%
DIR-823G	67.1768	8.5844	87.22%
DIR-619L	69.3207	8.2919	88.04%
RV160	135.1891	87.3373	35.40%
HG532	68.5444	6.6619	90.28%
R9000	97.1509	16.4884	83.03%
R6400	100.3214	11.5311	88.51%
T310	78.9124	22.2200	71.84%
平均	83.6448	18.9811	80.50%

设备型号	漏洞编号	漏洞类型
AC15	CVE-2018-5767	缓存区溢出
DIR-600	CVE-2017-12945	命令注入
DIR-859	CVE-2019-20215	命令注入
DIR-823G	CVE-2023-26612	缓存区溢出
DIR-619L	CVE-2023-43860	缓存区溢出
RV160	CVE-2021-1291	命令注入
HG532	CVE-2017-17215	命令注入
R9000	CVE-2019-20760	未授权绕过
R6400	CVE-2021-27239	缓存区溢出

设备型号	优化前/s	优化后/s
AC15	30.9345	3.0886
DIR-600	11.0636	1.2096
DIR-859	9.3243	2.4153
DIR-823G	3.3545	2.2387
DIR-619L	116.9600	4.3361
RV160	超时	9.0045
HG532	11.0931	3.7199
R9000	超时	4.7995
R6400	超时	0.7975
T310	48.3806	4.1960

设备型号	初次仿真/s	后续仿真/s	提升幅度
AC15	8.2368	5.1482	37.50%
DIR-600	9.8483	8.6387	12.28%
DIR-859	10.6115	8.1962	22.76%
DIR-823G	8.5844	6.3457	26.08%
DIR-619L	8.2919	3.9558	52.29%
RV160	87.3373	78.3328	10.31%
HG532	6.6619	2.9420	55.84%
R9000	16.4884	11.6889	29.11%
R6400	11.5311	10.7336	6.92%
T310	22.2200	18.0240	18.88%
平均	18.9811	15.4005	27.20%