RTOSExtracter: Extracting user-defined functions in stripped RTOS-based firmware

Xinguang Xie, Junjian Ye, Lifa Wu, Rong Li
Published in: 2022 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC)
Publication date: 2022-10-01
DOI: 10.1109/CyberC55534.2022.00024 (https://doi.org/10.1109/CyberC55534.2022.00024)

Abstract

In recent years, Real-Time Operating Systems (RTOS) have been widely used in Internet of Things (IoT) devices in many fields. Meanwhile, IoT devices running an RTOS are facing an increasing number of security vulnerabilities, which are caused mainly by user-defined functions. Therefore, researchers usually need to manually identify and analyze user-defined functions in the firmware to detect vulnerabilities. However, stripped RTOS-based firmware does not contain debug symbols such as function names. There is no clear boundary between the system functions and the user-defined functions, making it laborious and inefficient to pick out user-defined functions from among thousands of functions.

In this paper, we design and implement RTOSExtracter, an automated static analysis tool for identifying user-defined functions and their names in stripped RTOS-based firmware, which can be extended to support multiple RTOS types. The tool can disassemble the target firmware, recover the names of the task creation APIs, identify the parameter structure, and generate the parameter values that contain user-defined function addresses and function name addresses. To evaluate RTOSExtracter, we implemented a prototype on IDA Pro with support for five common types of RTOS: FreeRTOS, LiteOS, RT-Thread, μC/OS-II, and μC/OS-III. We compiled 30 open-source projects covering these five RTOS types with 12 different compilers and optimizations and generated 275 firmware images without debug symbols to test RTOSExtracter. The experimental results show that RTOSExtracter identifies user-defined function addresses and function name addresses with high accuracy and low time cost. Furthermore, the case study shows that RTOSExtracter can effectively identify user-defined functions and their names in actual firmware.