Journal of Shandong University (Natural Science), 2023, Vol. 58, Issue 9: 39-50. doi: 10.6040/j.issn.1671-9352.0.2022.660

An automatic protocol vulnerability detection framework for resource-constrained devices of LPWAN

Feixu LI 1, Fei YAN 1,*, Binlin CHENG 2, Liqiang ZHANG 1

  1. Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, Hubei, China
  2. School of Cyber Science and Technology, Shandong University, Qingdao 266237, Shandong, China
  • Received: 2022-12-08  Online: 2023-09-20  Published: 2023-09-08
  • Corresponding author: Fei YAN. E-mail: whuisstc@gmail.com; yanfei@whu.edu.cn
  • About the first author: Feixu LI (born 1998), male, master's student; research interest: automated vulnerability discovery. E-mail: whuisstc@gmail.com
  • Funding:
    National Natural Science Foundation of China (61872430, 62172144); Key Research and Development Program of Hubei Province (2020BAA003, 2021BAA027); Natural Science Foundation of Hubei Province (2022CFB510)

Abstract:

LPWAN (low power wide area network) protocols emphasize low power consumption and therefore usually run on resource-constrained devices. On the one hand, limited resources pose serious challenges to the security of protocol implementations, and manufacturers often have trouble balancing security requirements against resource consumption. On the other hand, protocol stacks are deployed on constrained devices as bare-metal firmware, and the varying hardware characteristics make automated analysis difficult. This paper therefore proposes ProSE, a protocol stack analysis framework for resource-constrained devices based on symbolic execution and taint analysis, which detects protocol vulnerabilities in firmware. LoRaWAN, the most representative LPWAN protocol, is chosen as the analysis target; the framework automates the detection of several classes of vulnerability and successfully detected 20 potential security vulnerabilities in the LoRaWAN implementations of 6 manufacturers.

Key words: LPWAN, firmware analysis, symbolic execution, taint analysis

CLC number: TP309

Figure 1  LoRaWAN network architecture

Figure 2  OTAA device join procedure

Figure 3  LoRaWAN frame structure

Figure 4  ProSE system architecture

Figure 5  Access to variables

Figure 6  LoRaWAN interface example

Figure 7  Slicing illustration

Figure 8  Substitute-and-backtrack method
Table 1  Detection results

Vendor        ABP replay  OTAA replay  join-request replay  ACK spoofing  Analysis time/s
Semtech
Lacuna Space  ×  704.52
MCCI          ×  691.08
Heltec        ×  ×  ×  ×  123.38
Ideetron      ×  ×  ×  ×  101.67
Arduino       ×  ×  ×  ×  121.56
IntoYun       ×  ×  ×  ×  120.34

Figure 9  Average time required by each optimization strategy to complete one execution of an extracted path

Table 2  Optimization strategies used

Optimization strategy  Substitute-and-backtrack  Program slicing  Path control strategy
A  BFS
B  DFS
C  BFS
D  DFS
E  BFS
F  DFS