DFirmSan: A lightweight dynamic memory sanitizer for Linux-based firmware
Shanquan Yang, Yansong Gao, Boyu Kuang, Yixuan Yang, Anmin Fu
Computers & Security, Volume 155, Article 104467 (published 2025-04-12). DOI: 10.1016/j.cose.2025.104467. Publisher page: https://www.sciencedirect.com/science/article/pii/S0167404825001567
Citations: 0
Abstract
Vulnerabilities in Linux-based firmware present a significant risk to IoT security, and memory-safety bugs are especially stealthy and dangerous. Despite substantial efforts to uncover firmware vulnerabilities through fuzzing, these methods often miss memory vulnerabilities, because an input that corrupts memory frequently produces no crash for the fuzzer to observe. To address this, prior research integrates sanitizers into fuzzers. However, applying existing sanitizers to Linux-based firmware poses three significant challenges. First, embedded Linux systems lack robust memory protection and operate under tight performance constraints, making “silent memory corruption” hard to detect. Second, most binary sanitizers focus on executables such as the main program (the core backend service handling requests) and fail to monitor dynamically loaded libraries, which are often assumed to be trustworthy. Third, sanitizers that rely on global memory monitoring techniques, such as shadow memory or redzones, introduce substantial performance overhead; they significantly slow down resource-constrained firmware, rendering fuzz testing impractical for IoT devices. This paper introduces DFirmSan, a lightweight dynamic memory sanitizer for Linux-based firmware. DFirmSan addresses these challenges through a two-step process. First, a pre-analysis phase identifies service programs and vendor-customized libraries and analyzes them for sensitive function calls and their key parameters. Second, at runtime, dynamic memory corruption detection uses this information to perform targeted boundary checks on those parameters, focusing on memory flaws and silent corruptions in particular. To minimize overhead, DFirmSan selectively monitors sensitive function parameters influenced by untrusted data rather than tracking all memory variables, and it reduces false positives by adjusting parameter boundaries dynamically at runtime.
We evaluate DFirmSan on 18 real-world firmware samples. With DFirmSan integrated, two advanced fuzzers detect 117 and 25 additional known CVEs, respectively. It also helps uncover 4 zero-day vulnerabilities, registered with CNVD. Despite this added capability, the impact on fuzzing speed remains small, with throughput reductions of only 16.43% and 2.69%, respectively. Moreover, DFirmSan keeps the false positive rate for memory corruption detection under 0.35%, underscoring its practicality for real-world firmware.
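As an added example (not DFirmSan's code, and not a description of its implementation), the following C program shows on a constructed firmware-style handler the two ideas the abstract describes: a silent intra-object overflow that a crash-driven fuzzer never sees, and a per-call-site boundary check on the length parameter of memcpy, where the bound comes from a static table when the destination size is known ahead of time and from the live heap allocation when it is not. Every name here (tracked_malloc, san_memcpy, struct callsite, struct session, SITE_NAME, SITE_BODY) and the request bytes are constructed for this illustration.

```c
/* Added example of parameter-level boundary checks, not DFirmSan's code. tracked_malloc,
 * san_memcpy, struct callsite, struct session and the wire bytes are constructed here. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Runtime bounds of heap objects, consulted when a call site's destination size is not static. */
#define MAX_OBJS 32
static struct heap_obj { uintptr_t base; size_t size; } heap_objs[MAX_OBJS];
static int n_heap_objs;

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (p && n_heap_objs < MAX_OBJS)
        heap_objs[n_heap_objs++] = (struct heap_obj){ (uintptr_t)p, n };
    return p;
}
static void tracked_free(void *p) {
    for (int i = 0; i < n_heap_objs; i++)
        if (heap_objs[i].base == (uintptr_t)p) { heap_objs[i] = heap_objs[--n_heap_objs]; break; }
    free(p);
}
/* Bytes from p to the end of its tracked heap object; 0 if p is untracked. */
static size_t heap_room(const void *p) {
    uintptr_t a = (uintptr_t)p;
    for (int i = 0; i < n_heap_objs; i++)
        if (a >= heap_objs[i].base && a < heap_objs[i].base + heap_objs[i].size)
            return heap_objs[i].base + heap_objs[i].size - a;
    return 0;
}

/* One entry per sensitive call site, standing in for the pre-analysis output.
 * dst_cap == 0 means the destination size is only known at runtime (see heap_room). */
struct callsite { const char *where; size_t dst_cap; };
static int violations;   /* flagged calls so far */

/* Checked memcpy: compare the length parameter with the destination bound and clamp on
 * violation, so the process survives instead of silently corrupting memory. */
static void *san_memcpy(const struct callsite *cs, void *dst, const void *src, size_t n) {
    size_t bound = cs->dst_cap ? cs->dst_cap : heap_room(dst);
    if (bound && n > bound) {
        violations++;
        fprintf(stderr, "[san] %s: %zu-byte memcpy into %zu-byte destination\n", cs->where, n, bound);
        n = bound;
    }
    return memcpy(dst, src, n);
}

/* Constructed vendor session object: an overrun of name lands in slack and then in
 * is_admin without touching a guard page, so nothing crashes. */
struct session { char name[16]; char slack[48]; int is_admin; };
static const struct callsite SITE_NAME = { "session_set_name", sizeof(((struct session *)0)->name) };
static const struct callsite SITE_BODY = { "session_store_body", 0 };

/* Plain libc memcpy through a volatile pointer, so the compiler's fortified builtin
 * cannot intercept it: this is the unsanitized baseline. */
static void *(*volatile raw_memcpy)(void *, const void *, size_t) = memcpy;

/* Vendor-style handler: name length taken straight from the request, routed through the
 * checked call. Returns the number of flagged copies (0 or 1). */
static int session_set_name(struct session *s, const char *val, size_t len) {
    int before = violations;
    san_memcpy(&SITE_NAME, s->name, val, len);
    return violations - before;
}

/* Runs the name handler on a constructed 68-byte value. Returns 1 if is_admin was silently
 * overwritten (no crash), 2 if the copy was flagged and clamped, 0 if neither happened. */
static int name_handler_outcome(int checked) {
    struct session s;
    char req[sizeof s];
    memset(&s, 0, sizeof s);
    memset(req, 'A', sizeof req);
    if (checked && session_set_name(&s, req, sizeof req) && s.is_admin == 0) return 2;
    if (!checked) raw_memcpy(s.name, req, sizeof req);   /* 68 bytes into a 16-byte field */
    return s.is_admin != 0;
}

/* Heap destination sized from Content-Length at runtime: the table carries no capacity, so
 * the bound is the allocation itself rather than a static guess that would false-positive. */
static int session_store_body(size_t content_length, size_t received) {
    static char wire[4096];              /* constructed body bytes */
    memset(wire, 'B', sizeof wire);
    if (received > sizeof wire) received = sizeof wire;
    char *body = tracked_malloc(content_length);
    if (!body) return -1;
    int before = violations;
    san_memcpy(&SITE_BODY, body, wire, received);
    int flagged = violations - before;
    tracked_free(body);
    return flagged;
}

int main(void) {
    printf("unchecked name copy: outcome %d (1 = silently corrupted)\n", name_handler_outcome(0));
    printf("checked name copy:   outcome %d (2 = flagged and clamped)\n", name_handler_outcome(1));
    printf("body 1000 of 1024 bytes: flagged %d\n", session_store_body(1024, 1000));
    printf("body 2000 of 1024 bytes: flagged %d\n", session_store_body(1024, 2000));
    return 0;
}
```

Build with `cc -O2 -Wall demo.c && ./a.out`. The unchecked copy flips is_admin without any fault because the overrun stays inside the enclosing struct, which is exactly the case a whole-object or guard-page scheme (and a crash-driven fuzzer) does not see; the per-site check catches it because the bound is the 16-byte field, not the 68-byte object. The heap case shows the opposite direction: a fixed static capacity would flag a legitimate 1000-byte body, so the bound is resolved from the allocation at runtime. Clamp-and-continue is a choice made here so the harness keeps running; a sanitizer feeding a fuzzer would instead abort so the fuzzer records a crash.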
About the journal:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.