面向LPWAN的受限设备协议漏洞自动化检测框架

doi:10.6040/j.issn.1671-9352.0.2022.660

摘要/Abstract

摘要：

低功耗广域网(low power wide area network, LPWAN)作为一个强调低功耗的协议通常运行在资源受限设备上。一方面, 受限的资源给协议实现的安全性带来了严峻的挑战, 厂商通常难以在安全性与资源消耗上进行取舍。另一方面, 协议栈以裸机固件的形式部署在设备上, 各异的硬件特性使得其自动化分析较为困难。因此, 本文专门针对资源受限设备提出了一种基于符号执行与污点分析的协议栈分析框架ProSE, 能够针对固件中存在的协议漏洞进行检测。本文以LPWAN中最具代表性的LoRaWAN协议作为分析对象, 实现了多种漏洞的自动化检测, 并成功检测出6个厂商LoRaWAN实现中存在的20个潜在安全漏洞。

关键词: 低功耗广域网, 固件分析, 符号执行, 污点分析

Abstract:

LPWAN(low power wide area network)as a protocol that emphasizes low power consumption usually runs on resource-constrained devices. On the one hand, limited resources bring serious challenges to the security of protocol implementation. Manufacturers may have trouble balancing security demands and resource consumption. On the other hand, protocol stacks are deployed on constrained devices as bare-metal firmware. The varying hardware characteristics make automatic analysis difficult. Therefore, a protocol stack analysis framework called ProSE is proposed. Based on symbolic execution and taint analysis, ProSE is specifically designed for protocol vulnerability detection on the firmware of constrained devices. LoRaWAN is chosen for analysis due to its popularity. The framework is capable of detecting various types of vulnerability. ProSE successfully detected 20 potential security vulnerabilities in the implementation of LoRaWAN of 6 manufacturers.

Key words: LPWAN, firmware analysis, symbolic execution, taint analysis

中图分类号:

TP309

李飞序,严飞,程斌林,张立强. 面向LPWAN的受限设备协议漏洞自动化检测框架[J]. 《山东大学学报(理学版)》, 2023, 58(9): 39-50.

Feixu LI,Fei YAN,Binlin CHENG,Liqiang ZHANG. An automatic protocol vulnerability detection framework for resource-constrained devices of LPWAN[J]. JOURNAL OF SHANDONG UNIVERSITY(NATURAL SCIENCE), 2023, 58(9): 39-50.

图/表 11

图1

图2

图3

图4

图5

图6

图7

图8

表1

图9

表2

参考文献 41

1	白若琛, 庞成鑫, 贾佳, 等. 多协议融合LPWAN能源物联网云平台的设计[J]. 计算机科学, 2019, 46 (B06): 589- 592.
	BAI Ruoshen , PANG Chengxin , JIA Jia , et al. Design of cloud platform for energy internet of things based on LPWAN multi protocol[J]. Computer Science, 2019, 46 (B06): 589- 592.
2	PASQUA E. LPWAN emerging as fastest growing IoT communication technology-1.1 billion IoT connections expected by 2023, LoRa and NB-IoT the current market leaders-IoT Analytics[R]. IoT Analytics, 2018 September: 27.
3	吴进, 赵新亮, 赵隽. LoRa物联网技术的调制解调[J]. 计算机工程与设计, 2019, 40 (3): 617- 622.
	WU Jin , ZHAO Xinliang , ZHAO Jun . Modulation and demodulation of LoRa Internet of Things technology[J]. Computer Engineering and Design, 2019, 40 (3): 617- 622.
4	于颖超, 陈左宁, 甘水滔, 等. 嵌入式设备固件安全分析技术研究[J]. 计算机学报, 2021, 44 (5): 859- 881.
	YU Yingchao , CHEN Zuoning , GAN Shuitao , et al. Research on the technologies of security analysis technologies on the embedded device firmware[J]. Chinese Journal of Computers, 2021, 44 (5): 859- 881.
5	ZHENG Y W, DAVANIAN A, YIN H, et al. FIRM-AFL: high-throughput greybox fuzzing of IoT firmware via augmented process emulation[C]//Proceedings of the 28th USENIX Conference on Security Symposium. New York: ACM, 2019: 1099-1114.
6	CHEN Jiongyi, DIAO Wenrui, ZHAO Qingchuan, et al. IoT fuzzer: discovering memory corruptions in IoT through app-based fuzzing[C]//Proceedings 2018 Network and Distributed System Security Symposium. Reston: Internet Society, 2018: 18-21.
7	SCHARNOWSKI T, BARS N, SCHLOEGEL M, et al. Fuzzware: using precise MMIO modeling for effective firmware fuzzing[C]//31st USENIX Security Symposium (USENIX Security 22). Boston: USENIX Association. 2022: 1239-1256.
8	ZHOU Wei, GUAN Le, LIU Peng, et al. Automatic firmware emulation through invalidity-guided knowledge inference (extended version)[EB/OL]. 2021: arXiv: 2107.07759. https://arxiv.org/abs/2107.07759.
9	FENG Bo, MERA A, LU Long. P2IM: scalable and hardware-independent firmware testing via automatic peripheral interface modeling[C]//Proceedings of the 29th USENIX Conference on Security Symposium, New York: ACM, 2020: 1237-1254.
10	REDINI N, MACHIRY A, WANG R Y, et al. Karonte: detecting insecure multi-binary interactions in embedded firmware[C]//2020 IEEE Symposium on Security and Privacy (SP). San Francisco: IEEE, 2020: 1544-1561.
11	REDINI N, MACHIRY A, DAS D, et al. BootStomp: on the security of bootloaders in mobile devices[C]//Proceedings of the 26th USENIX Conference on Security Symposium. New York: ACM, 2017: 781-798.
12	DAVIDSON D, MOENCH B, RISTENPART T, et al. FIE on firmware: finding vulnerabilities in embedded systems using symbolic execution[C]//22nd USENIX Security Symposium (USENIX Security 13), Boston: USENIX Association. 2013: 463-478.
13	SHOSHITAISHVILI Y, WANG R Y, SALLS C, et al. SOK: (state of) the art of war: offensive techniques in binary analysis[C]//2016 IEEE Symposium on Security and Privacy (SP). San Jose: IEEE, 2016: 138-157.
14	SILVA J, RODRIGUES J, ALBERTI A, et al. LoRaWAN—a low power WAN protocol for Internet of Things: a review and opportunities[C]//2017 2nd International Multidisciplinary Conference on Computer and Energy Science (SpliTech), Split, Croatia: IEEE, 2017: 1-6.
15	CHEN D D, EGELE M, WOO M, et al. Towards automated dynamic analysis for linux-based embedded firmware[C]//Proceedings 2016 Network and Distributed System Security Symposium. San Diego: Internet Society, 2016: 1-16.
16	KIM M, KIM D, KIM E, et al. FirmAE: towards large-scale emulation of IoT firmware for dynamic analysis[C]//Annual Computer Security Applications Conference. New York: ACM, 2020: 733-745.
17	于颖超, 甘水滔, 邱俊洋, 等. 二进制代码相似度分析及在嵌入式设备固件漏洞搜索中的应用[J]. 软件学报, 2022, 33 (11): 4137- 4172.
	YU Yingchao , GAN Shuitao , QIU Junyang , et al. Binary code similarity analysis and its applications on embedded device firmware vulnerability search[J]. Journal of Software, 2022, 33 (11): 4137- 4172.
18	杨毅宇, 周威, 赵尚儒, 等. 物联网安全研究综述: 威胁、检测与防御[J]. 通信学报, 2021, 42 (8): 188- 205.
	YANG Y Y , ZHOU W , ZHAO S R , et al. Survey of IoT security research: threats, detection and defense[J]. Journal on Communications, 2021, 42 (8): 188- 205.
19	SHOSHITAISHVILI Y, WANG Ruoyu, HAUSER C, et al. Firmalice-automatic detection of authentication bypass vulnerabilities in binary firmware[C]. NDSS, 2015, 1: 1.1-8.1.
20	HERNANDEZ G, FOWZE F, TIAN D, et al. FirmUSB: vetting USB device firmware using domain informed symbolic execution[C]//Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2017: 2245-2262.
21	WEN Haohuang, LIN Zhiqiang, ZHANG Yinqian. FirmXray: detecting bluetooth link layer vulnerabilities from bare-metal firmware[C]//Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2020: 167-180.
22	FOWZE F , TIAN D , HERNANDEZ G , et al. ProXray: protocol model learning and guided firmware analysis[J]. IEEE Transactions on Software Engineering, 2021, 47 (9): 1907- 1928.
23	CADAR C, DUNBAR D, ENGLER D R. KLEE: unassisted and automatic generation of high-coverage tests for complex systems programs[C]. 8th USENIX Symposium on Operating Systems Design and Implementation. New York: ACM, 2008: 209-224.
24	CADAR C , GANESH V , PAWLOWSKI P M , et al. EXE: automatically generating inputs of death[J]. ACM Transactions on Information and System Security, 2008, 12 (2): 1- 38.
25	CHA S K, AVGERINOS T, REBERT A, et al. Unleashing mayhem on binary code[C]//2012 IEEE Symposium on Security and Privacy. San Francisco: IEEE, 2012: 380-394.
26	CHIPOUNOV V , KUZNETSOV V , CANDEA G . S2E: a platform for in-vivo multi-path analysis of software systems[J]. ACM Sigplan Notices, 2011, 46 (3): 265- 278.
27	GODEFROID P , LEVIN M Y , MOLNAR D . SAGE: whitebox fuzzing for security testing[J]. Communications of the ACM, 2012, 55 (3): 40- 44.
28	STEPHENS N, GROSEN J, SALLS C, et al. Driller: augmenting fuzzing through selective symbolic execution[C]//Proceedings 2016 Network and Distributed System Security Symposium. Reston: Internet Society, 2016: 1-16.
29	BUTUN I , PEREIRA N , GIDLUND M . Security risk analysis of LoRaWAN and future directions[J]. Future Internet, 2018, 11 (1): 3.
30	MILLER R. Lora security building a secure lora solution[R]. MWR Labs Whitepaper, 2016: 1-18.
31	ELDEFRAWY M , BUTUN I , PEREIRA N , et al. Formal security analysis of LoRaWAN[J]. Computer Networks, 2019, 148, 328- 339.
32	BUTUN I, PEREIRA N, GIDLUND M. Analysis of LoRaWAN v1.1 security: research paper[C]//Proceedings of the 4th ACM MobiHoc Workshop on Experiences with the Design and Implementation of Smart Objects. New York: ACM, 2018: 1-6.
33	DÖNMEZ T C M , NIGUSSIE E . Security of LoRaWAN v1.1 in backward compatibility scenarios[J]. Procedia Computer Science, 2018, 134, 51- 58.
34	RAMOS D A, ENGLER D. Under-constrained symbolic execution: correctness checking for real code[C]//Proceedings of the 24th USENIX Conference on Security Symposium. New York: ACM, 2015: 49-64.
35	ENGLER D, DUNBAR D. Under-constrained execution: making automatic code destruction easy and scalable[C]//Proceedings of the 2007 International Symposium on Software Testing and Analysis. New York: ACM, 2007: 1-4.
36	MCCI Catena. MCCI LoRaWAN LMIC Library[EB/OL]. [2022-08-17]. https://github.com/mcci-catena/arduino-lmic.
37	YANG Xueying. LoRaWAN: vulnerability analysis and practical exploitation[D]. Delft: Delft University of Technology, 2017.
38	TOMASIN S, ZULIAN S, VANGELISTA L. Security analysis of LoRaWAN join procedure for Internet of Things networks[C]//2017 IEEE Wireless Communications and Networking Conference Workshops (WCNCW). San Francisco: IEEE, 2017: 1-6.
39	SIMDNE Z. Security threat analysis and countermeasures for lorawan join procedure[EB/OL]. [2022-09-02]. https://thesis.unipd.it/bitstream/20.500.12608/27531/1/zulian_simone_tesi.
40	YEGIN A, DELCLEF J, LE GOURRIEREC M. Technical recommendations for preventing state synchronization issues around LoRaWAN 1.0. x join procedure[EB/OL]. https://resources.lora-alliance.org/home/technical-recommendations-for-preventing-state-synchronization-issues-around-lorawan-1-0-x-join-procedure.
41	YEGIN A, SELLER O. LoRaWAN L2 1.0.4 specification (TS001-1.0.4)[EB/OL]. https://lora-alliance.org/resource_hub/lorawan-104-specification-package/.

多维度评价

Viewed

Full text

Abstract

Cited

Shared

Discussed

产品厂商	ABP重放	OTAA重放	join-request重放	ACK欺骗	分析耗时/s
Semtech	○	√	√	√
Lacuna Space	○	√	√	×	704.52
MCCI	○	√	√	×	691.08
Heltec	×	×	×	×	123.38
Ideetron	×	×	×	×	101.67
Arduino	×	×	×	×	121.56
IntoYun	×	×	×	×	120.34

优化策略	替换-回溯法	程序切片	路径控制策略
A			BFS
B			DFS
C	√		BFS
D	√		DFS
E	√	√	BFS
F	√	√	DFS

[1]	赵博,秦静,刘晋璐. 支持通配符和模糊搜索的加密方案[J]. 《山东大学学报(理学版)》, 2023, 58(9): 28-38.
[2]	吕娇,张茜,秦静. 时间可控的指定测试者可搜索代理重加密方案[J]. 《山东大学学报(理学版)》, 2023, 58(9): 16-27.
[3]	成秀珍,吕卫锋,徐明辉,潘润宇,于东晓,王晨旭,禹勇,肖雪. 元计算: 零信任下的新型计算范式[J]. 《山东大学学报(理学版)》, 2023, 58(9): 1-15.
[4]	巫朝霞,王弋. 基于Paillier同态的异质频谱安全拍卖算法[J]. 《山东大学学报(理学版)》, 2021, 56(3): 23-27.
[5]	张超,梁英,方浩汕. 支持隐私保护的社交网络信息推荐方法[J]. 《山东大学学报(理学版)》, 2020, 55(3): 9-18.
[6]	李颖,胡俊. 基于分布式消息驱动的分层可信密码服务框架[J]. 《山东大学学报(理学版)》, 2020, 55(3): 19-27.
[7]	胡俊,刁子朋. vTCM:一种基于物理可信计算环境虚拟化的虚拟可信密码模块[J]. 《山东大学学报(理学版)》, 2019, 54(7): 77-88.
[8]	屈娟,冯玉明,李艳平,李丽. 可证明的基于扩展混沌映射的匿名多服务器身份认证协议[J]. 《山东大学学报(理学版)》, 2019, 54(5): 44-51.
[9]	许佳,蒋鹏. 视觉和物体显著性检测方法[J]. 《山东大学学报(理学版)》, 2019, 54(3): 28-37.
[10]	吴福生,张焕国,倪明涛,王俊. 基于密码协议实现的行为安全分析模型[J]. 《山东大学学报(理学版)》, 2019, 54(3): 18-27.
[11]	谢小杰,梁英,董祥祥. 社交网络用户敏感属性迭代识别方法[J]. 《山东大学学报(理学版)》, 2019, 54(3): 10-17, 27.
[12]	常天天,陈兴蜀,罗永刚,兰晓. 面向Hive的基于安全域的数据隔离保护框架[J]. 《山东大学学报(理学版)》, 2019, 54(3): 1-9.
[13]	毋泽南,田立勤,王志刚. 一种结合滑动窗口和推荐信任的用户行为信任评估[J]. 《山东大学学报(理学版)》, 2019, 54(1): 53-59.
[14]	杜瑶瑶,潘平,令狐金花. 基于信息距离的信息系统等级保护评价方法[J]. 《山东大学学报(理学版)》, 2019, 54(1): 47-52.
[15]	巫朝霞,王佳琪. 一种无线单频谱安全拍卖算法[J]. 《山东大学学报(理学版)》, 2018, 53(11): 51-55.