NPFTaint: Detecting highly exploitable vulnerabilities in Linux-based IoT firmware with network parsing functions

Abstract

The security issues of IoT firmware have become increasingly prominent, particularly taint-style vulnerabilities arising from untrusted external inputs. Although existing solutions work to detect firmware vulnerabilities automatically, they still encounter limitations regarding the accuracy of taint source identification and the efficiency of vulnerability detection. Research has shown that the network parsing function call chain, a critical path for IoT firmware to process external input data, is a high-risk area for firmware vulnerabilities. Inferring the network parsing function accurately plays a crucial role in firmware vulnerability analysis. In this paper, we propose a static analysis method called NPFTaint, which extracts the structural, behavioral, and semantic features of network parsing functions and combines supervised machine learning methods to achieve the identification of network parsing functions. Additionally, unlike traditional forward/backward analysis methods that start from classical sources or sensitive sinks, NPFTaint takes network parsing functions as the entry points, first identifying sensitive sinks on their call chains, and then using value analysis and data dependency analysis of sink-to-source to achieve the detection of highly exploitable vulnerabilities. Experimental evaluations demonstrate that NPFTaint outperforms FITS in accuracy and efficiency when identifying network parsing functions. Regarding vulnerability detection, compared to Mango, NPFTaint not only identifies taint-style vulnerabilities effectively but also improves analysis efficiency, reducing sink analysis by 40.42% and decreasing alerts by 32.77%. This solution provides a more efficient and precise vulnerability detection method for IoT firmware security, contributing to the overall security of the IoT ecosystem.