IEmu: 从隐藏在固件中的逻辑进行中断建模

IF 3.7 2区 计算机科学 Q1 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE Journal of Systems Architecture Pub Date : 2024-07-16 DOI:10.1016/j.sysarc.2024.103237
Yuan Wei, Yongjun Wang, Lei Zhou, Xu Zhou, Zhiyuan Jiang
{"title":"IEmu: 从隐藏在固件中的逻辑进行中断建模","authors":"Yuan Wei,&nbsp;Yongjun Wang,&nbsp;Lei Zhou,&nbsp;Xu Zhou,&nbsp;Zhiyuan Jiang","doi":"10.1016/j.sysarc.2024.103237","DOIUrl":null,"url":null,"abstract":"<div><p>The security of embedded firmware has become a critical issue in light of the rapid development of the Internet of Things. Current security analysis approaches, such as dynamic analysis, still face bottlenecks and difficulties due to the wide variety of devices and systems. Recent dynamic analysis approaches for embedded firmware have attempted to provide a general solution but heavily rely on detailed device manuals. Meanwhile, approaches that do not rely on manuals have randomness in interrupt triggering, which weakens emulation fidelity and dynamic analysis efficiency. In this paper, we propose a redundant-check-based embedded firmware interrupt modeling and security analysis method that does not rely on commercial manuals. This method involves reverse engineering the control flow of firmware binary and accurately extracting the correct interrupt triggering rules to emulate embedded firmware. We have implemented functional prototypes on QEMU, called <span>IEmu</span>, and evaluated it with 26 firmware in different MCUs. Our results demonstrate significant advantages compared to the recent state-of-the-art approach. On average, <span>IEmu</span> has improved interrupt path exploration efficiency by 2.4 times and fuzz testing coverage by 19%. <span>IEmu</span> restored the interrupt triggering logic in the manual, and emulated three firmware where the state-of-the-art emulator have limitations and found vulnerabilities.</p></div>","PeriodicalId":50027,"journal":{"name":"Journal of Systems Architecture","volume":"154 ","pages":"Article 103237"},"PeriodicalIF":3.7000,"publicationDate":"2024-07-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"IEmu: Interrupt modeling from the logic hidden in the firmware\",\"authors\":\"Yuan Wei,&nbsp;Yongjun Wang,&nbsp;Lei Zhou,&nbsp;Xu Zhou,&nbsp;Zhiyuan Jiang\",\"doi\":\"10.1016/j.sysarc.2024.103237\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><p>The security of embedded firmware has become a critical issue in light of the rapid development of the Internet of Things. Current security analysis approaches, such as dynamic analysis, still face bottlenecks and difficulties due to the wide variety of devices and systems. Recent dynamic analysis approaches for embedded firmware have attempted to provide a general solution but heavily rely on detailed device manuals. Meanwhile, approaches that do not rely on manuals have randomness in interrupt triggering, which weakens emulation fidelity and dynamic analysis efficiency. In this paper, we propose a redundant-check-based embedded firmware interrupt modeling and security analysis method that does not rely on commercial manuals. This method involves reverse engineering the control flow of firmware binary and accurately extracting the correct interrupt triggering rules to emulate embedded firmware. We have implemented functional prototypes on QEMU, called <span>IEmu</span>, and evaluated it with 26 firmware in different MCUs. Our results demonstrate significant advantages compared to the recent state-of-the-art approach. On average, <span>IEmu</span> has improved interrupt path exploration efficiency by 2.4 times and fuzz testing coverage by 19%. <span>IEmu</span> restored the interrupt triggering logic in the manual, and emulated three firmware where the state-of-the-art emulator have limitations and found vulnerabilities.</p></div>\",\"PeriodicalId\":50027,\"journal\":{\"name\":\"Journal of Systems Architecture\",\"volume\":\"154 \",\"pages\":\"Article 103237\"},\"PeriodicalIF\":3.7000,\"publicationDate\":\"2024-07-16\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Journal of Systems Architecture\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S1383762124001747\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Systems Architecture","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S1383762124001747","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}
引用次数: 0

摘要

随着物联网的快速发展,嵌入式固件的安全性已成为一个关键问题。由于设备和系统种类繁多,目前的安全分析方法(如动态分析)仍面临瓶颈和困难。最近针对嵌入式固件的动态分析方法试图提供通用解决方案,但严重依赖于详细的设备手册。同时,不依赖手册的方法在中断触发方面存在随机性,从而削弱了仿真保真度和动态分析效率。在本文中,我们提出了一种不依赖商业手册的基于冗余校验的嵌入式固件中断建模和安全分析方法。该方法涉及对固件二进制的控制流进行逆向工程,并准确提取正确的中断触发规则来仿真嵌入式固件。我们在 QEMU 上实现了功能原型,称为 ,并用不同 MCU 中的 26 个固件对其进行了评估。我们的结果表明,与最近最先进的方法相比,它具有明显的优势。平均而言,中断路径探索效率提高了 2.4 倍,模糊测试覆盖率提高了 19%。我们还原了手册中的中断触发逻辑,并仿真了三个固件,发现了最先进仿真器的局限性和漏洞。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
IEmu: Interrupt modeling from the logic hidden in the firmware

The security of embedded firmware has become a critical issue in light of the rapid development of the Internet of Things. Current security analysis approaches, such as dynamic analysis, still face bottlenecks and difficulties due to the wide variety of devices and systems. Recent dynamic analysis approaches for embedded firmware have attempted to provide a general solution but heavily rely on detailed device manuals. Meanwhile, approaches that do not rely on manuals have randomness in interrupt triggering, which weakens emulation fidelity and dynamic analysis efficiency. In this paper, we propose a redundant-check-based embedded firmware interrupt modeling and security analysis method that does not rely on commercial manuals. This method involves reverse engineering the control flow of firmware binary and accurately extracting the correct interrupt triggering rules to emulate embedded firmware. We have implemented functional prototypes on QEMU, called IEmu, and evaluated it with 26 firmware in different MCUs. Our results demonstrate significant advantages compared to the recent state-of-the-art approach. On average, IEmu has improved interrupt path exploration efficiency by 2.4 times and fuzz testing coverage by 19%. IEmu restored the interrupt triggering logic in the manual, and emulated three firmware where the state-of-the-art emulator have limitations and found vulnerabilities.

求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
Journal of Systems Architecture
Journal of Systems Architecture 工程技术-计算机:硬件
CiteScore
8.70
自引率
15.60%
发文量
226
审稿时长
46 days
期刊介绍: The Journal of Systems Architecture: Embedded Software Design (JSA) is a journal covering all design and architectural aspects related to embedded systems and software. It ranges from the microarchitecture level via the system software level up to the application-specific architecture level. Aspects such as real-time systems, operating systems, FPGA programming, programming languages, communications (limited to analysis and the software stack), mobile systems, parallel and distributed architectures as well as additional subjects in the computer and system architecture area will fall within the scope of this journal. Technology will not be a main focus, but its use and relevance to particular designs will be. Case studies are welcome but must contribute more than just a design for a particular piece of software. Design automation of such systems including methodologies, techniques and tools for their design as well as novel designs of software components fall within the scope of this journal. Novel applications that use embedded systems are also central in this journal. While hardware is not a part of this journal hardware/software co-design methods that consider interplay between software and hardware components with and emphasis on software are also relevant here.
期刊最新文献
Non-interactive set intersection for privacy-preserving contact tracing NLTSP: A cost model for tensor program tuning using nested loop trees SAMFL: Secure Aggregation Mechanism for Federated Learning with Byzantine-robustness by functional encryption ZNS-Cleaner: Enhancing lifespan by reducing empty erase in ZNS SSDs Using MAST for modeling and response-time analysis of real-time applications with GPUs
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1