
Journal of Shandong University (Natural Science) ›› 2016, Vol. 51 ›› Issue (9): 41-46. doi: 10.6040/j.issn.1671-9352.2.2015.245


Research on firmware vulnerability localization based on taint tracking

DAI Zhong-hua1,2,3, FEI Yong-kang1,2, ZHAO Bo1,2*, WANG Ting3

  1. Computer School, Wuhan University, Wuhan 430072, Hubei, China; 2. Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, Wuhan University, Wuhan 430072, Hubei, China; 3. China Information Technology Security Evaluation Center, Beijing 100085, China
  • Received: 2015-08-17  Online: 2016-09-20  Published: 2016-09-23
  • Corresponding author: ZHAO Bo (1972— ), male, professor; research interests: information system security, embedded systems. E-mail: zhaobowhu@163.com E-mail: zhonghuadai@itsec.gov.cn
  • About the author: DAI Zhong-hua (1978— ), male, M.Sc., associate research fellow; research interest: information system security. E-mail: zhonghuadai@itsec.gov.cn
  • Funding:
    National Basic Research Program of China (973 Program) (2014CB340600); Key Program of the National Natural Science Foundation of China (61332019); National Natural Science Foundation of China (61173138, 61272452); National High Technology Research and Development Program of China (863 Program) (2015AA016002)

Research on the localization of firmware vulnerability based on stain tracking

DAI Zhong-hua1,2,3, FEI Yong-kang1,2, ZHAO Bo1,2*, WANG Ting3   

  1. Computer School, Wuhan University, Wuhan 430072, Hubei, China;
    2. Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, Wuhan University, Wuhan 430072, Hubei, China;
    3. China Information Technology Security Evaluation Center, Beijing 100085, China
  • Received: 2015-08-17  Online: 2016-09-20  Published: 2016-09-23

Abstract (translated from the Chinese): In vulnerability discovery on embedded devices, the limited resources of the physical device and its closed runtime environment mean that anomalies found by fuzzing cannot be confirmed and exploited promptly. Taking embedded firmware as the research object, this paper proposes a firmware vulnerability localization method based on taint tracking. The method performs dynamic analysis in an emulation environment and can rapidly locate the position of an anomaly, determine its underlying cause, and evaluate how it can be exploited. Using this method, experiments were carried out on several embedded devices, including routers and IP cameras, and multiple 0day vulnerabilities on the ARM and MIPS architectures were successfully exploited; the method offers a useful reference for vulnerability discovery on embedded devices.

Keywords: device emulation, taint tracking, vulnerability localization, dynamic debugging

Abstract: In the process of vulnerability detection on embedded devices, the limited resources of the physical device and its closed operating environment mean that bugs discovered by fuzzing cannot be confirmed and exploited in time. This paper therefore concentrates on embedded firmware and proposes a firmware vulnerability analysis and exploitation method based on taint tracking. The method applies dynamic analysis in an emulation environment. With its help, the exception position can be located rapidly and traced back to its origin, after which the corresponding exploitation approach can be assessed quickly. Furthermore, experiments were carried out on several devices, such as routers and IP cameras, and several 0day bugs on the ARM and MIPS architectures were successfully exploited. The results show that this analysis and exploitation method based on device emulation and debugging is a useful reference for vulnerability localization and exploitation in embedded firmware.

Key words: device emulation, vulnerability localization, dynamic analysis, taint tracking
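As an added, constructed illustration of the idea the abstract describes (not the paper's own code or tooling): a toy dynamic taint tracker over a minimal register machine that labels each fuzz-input byte with its offset and, at the first out-of-bounds access, reports which input offsets controlled the faulting address. The machine, its instruction set, the memory layout and the parser trace are all assumptions made for this example.

```python
"""Toy dynamic taint tracker for crash localization (constructed example).
Input bytes are labelled with their offsets; labels propagate through a tiny
register machine standing in for an emulated firmware trace, and the first
out-of-bounds access reports which input offsets controlled its address."""

MEM_SIZE, INPUT_BASE = 64, 16   # emulated memory size / request buffer (constructed)

class TaintedFault(Exception):
    def __init__(self, pc, instr, addr, taint):
        super().__init__(f"pc={pc} {instr} addr={addr} tainted_by={sorted(taint)}")
        self.pc, self.addr, self.taint = pc, addr, taint

def run(trace, data):
    """Execute `trace` with `data` placed at INPUT_BASE, propagating taint."""
    mem, mem_taint = bytearray(MEM_SIZE), {}   # mem_taint: addr -> input offsets
    regs, reg_taint = {}, {}                   # reg -> value / input offsets
    for i, b in enumerate(data):               # label each input byte by offset
        mem[INPUT_BASE + i], mem_taint[INPUT_BASE + i] = b, {i}
    for pc, (op, a, *rest) in enumerate(trace):
        if op == "mov":                        # a = immediate, untainted
            regs[a], reg_taint[a] = rest[0], set()
        elif op == "add":                      # a = b + c, taint is the union
            regs[a] = regs[rest[0]] + regs[rest[1]]
            reg_taint[a] = reg_taint[rest[0]] | reg_taint[rest[1]]
        else:                                  # ldb a,[b]  /  stb [a],b
            addr_reg = rest[0] if op == "ldb" else a
            addr = regs[addr_reg]
            if not 0 <= addr < MEM_SIZE:       # the exception being localized
                raise TaintedFault(pc, (op, a, *rest), addr, set(reg_taint[addr_reg]))
            if op == "ldb":
                regs[a], reg_taint[a] = mem[addr], set(mem_taint.get(addr, ()))
            else:
                mem[addr], mem_taint[addr] = regs[rest[0]] & 0xFF, set(reg_taint[rest[0]])

# Constructed trace: a length byte read from the request is used as a write offset.
PARSER_TRACE = [
    ("mov", "r0", INPUT_BASE),   # r0 = request buffer
    ("ldb", "r1", "r0"),         # r1 = length byte (input offset 0)
    ("mov", "r3", 0x41),
    ("add", "r2", "r0", "r1"),   # r2 = buffer + length
    ("stb", "r2", "r3"),         # write at buffer + length
]

def localize(data):
    """Return (pc, input offsets controlling the faulting address) or None."""
    try:
        run(PARSER_TRACE, data)
    except TaintedFault as f:
        return f.pc, f.taint
    return None
```

A crashing input such as `b"\xf0AA"` is attributed to input offset 0 at the store instruction, while a well-formed length byte produces no fault; on a real firmware trace the same bookkeeping is done per instruction of the emulated CPU.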

CLC number: TP309