JOURNAL OF SHANDONG UNIVERSITY (NATURAL SCIENCE) ›› 2023, Vol. 58 ›› Issue (9): 39-50. doi: 10.6040/j.issn.1671-9352.0.2022.660


An automatic protocol vulnerability detection framework for resource-constrained devices of LPWAN

Feixu LI1, Fei YAN1,*, Binlin CHENG2, Liqiang ZHANG1

  1. Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, Hubei, China
  2. School of Cyber Science and Technology, Shandong University, Qingdao 266237, Shandong, China
  • Received: 2022-12-08  Online: 2023-09-20  Published: 2023-09-08
  • Contact: Fei YAN  E-mail: whuisstc@gmail.com; yanfei@whu.edu.cn

Abstract:

LPWAN (low power wide area network), a protocol that emphasizes low power consumption, usually runs on resource-constrained devices. On the one hand, the limited resources pose serious challenges to the security of protocol implementations: manufacturers may struggle to balance security requirements against resource consumption. On the other hand, protocol stacks are deployed on constrained devices as bare-metal firmware, and the varying hardware characteristics make automatic analysis difficult. To address this, a protocol stack analysis framework called ProSE is proposed. Based on symbolic execution and taint analysis, ProSE is specifically designed for protocol vulnerability detection in the firmware of constrained devices. LoRaWAN is chosen as the target protocol due to its popularity. The framework is capable of detecting several types of vulnerability. ProSE successfully detected 20 potential security vulnerabilities in the LoRaWAN implementations of 6 manufacturers.

Key words: LPWAN, firmware analysis, symbolic execution, taint analysis

CLC Number: TP309

Fig.1 Structure of LoRaWAN network

Fig.2 Join procedure of OTAA devices

Fig.3 Frame structure of LoRaWAN

Fig.4 System framework of ProSE

Fig.5 Variable access

Fig.6 Example of LoRaWAN interface

Fig.7 Diagram of slicing

Fig.8 Substituting & backtracking

Table 1 Detection results

Manufacturer  ABP replay  OTAA replay  join-request replay  ACK spoofing  Analysis time/s
Semtech
Lacuna Space × 704.52
MCCI × 691.08
Heltec × × × × 123.38
Ideetron × × × × 101.67
Arduino × × × × 121.56
IntoYun × × × × 120.34

Fig.9 Average time required by different optimization strategies to complete the execution of an extraction path

Table 2 The adoption of optimization strategies represented by A-F

Optimization strategy  Substitute-backtracking  Program slicing  Path control strategy
A BFS
B DFS
C BFS
D DFS
E BFS
F DFS