Accelerating Command Injection Vulnerability Discovery in Embedded Firmware with Static Backtracking Analysis
Authors: Xiaokang Yin, Ruijie Cai, Yizheng Zhang, Lukai Li, Qichao Yang, Shengli Liu
DOI: 10.1145/3567445.3567458 (https://doi.org/10.1145/3567445.3567458)
Published in: Proceedings of the 12th International Conference on the Internet of Things, 2022-11-07
Record source: Semantic Scholar
Command injection vulnerabilities are a severe threat to embedded devices. Most methods detect command injection vulnerabilities with taint analysis and symbolic execution and achieve promising results. However, they spend too much time analyzing secure sink call-sites, resulting in less efficient vulnerability detection. To tackle this problem, we propose a novel sink call-site classification method named CINDY that accelerates command injection vulnerability discovery in embedded firmware with static backtracking analysis. CINDY first detects sink call-sites in the binary executables and constructs the data flow for function call parameters. Then, CINDY analyzes whether the parameters passed to sink functions are derived from a constant string and labels them "secure" or "risky". According to these labels, CINDY classifies the sink call-sites into risky and secure sink call-sites. Finally, CINDY performs taint analysis with symbolic execution to check whether a risky sink call-site is vulnerable. To demonstrate the efficacy of CINDY, we compare it with the state-of-the-art method SaTC, using the dataset published by SaTC. Compared with SaTC, CINDY filters out more of the secure sink call-sites, a 35% decrease, and improves efficiency by 17%.