{"title":"利用静态回溯分析加速嵌入式固件命令注入漏洞发现","authors":"Xiaokang Yin, Ruijie Cai, Yizheng Zhang, Lukai Li, Qichao Yang, Shengli Liu","doi":"10.1145/3567445.3567458","DOIUrl":null,"url":null,"abstract":"Command injection vulnerability is a severe threat to the embedded device. Most methods detect command injection vulnerability with taint analysis and symbolic execution and achieve promising results. However, they waste too much time analyzing secure sink call-sites, resulting in less efficient vulnerability detection. To tackle the above problem, we propose a novel sink call-site classification method named CINDY to accelerate the command injection vulnerability discovery in embedded firmware with static backtracking analysis. CINDY first performs sink call-sites detection in the binary executables and constructs the data flow for function call parameters. Then, CINDY analyzes whether the parameters passed to sink functions are derived from constant string or not and labels them “secure\" or “risky\". According to the labels, CINDY classifies the sink call-sites into risky and secure sink call-sites. Finally, CINDY performs taint analysis with symbolic execution to check whether a risky sink call-site is vulnerable. To demonstrate the efficacy of CINDY, we compare CINDY with the state-of-the-art method SaTC, using the dataset published by SaTC. Compared with SaTC, CINDY can filter out more of the secure sink call-sites, with a 35% decrease, and the efficiency is improved by 17% than SaTC.","PeriodicalId":152960,"journal":{"name":"Proceedings of the 12th International Conference on the Internet of Things","volume":"106 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2022-11-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Accelerating Command Injection Vulnerability Discovery in Embedded Firmware with Static Backtracking Analysis\",\"authors\":\"Xiaokang Yin, Ruijie Cai, Yizheng Zhang, Lukai Li, Qichao Yang, Shengli Liu\",\"doi\":\"10.1145/3567445.3567458\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Command injection vulnerability is a severe threat to the embedded device. Most methods detect command injection vulnerability with taint analysis and symbolic execution and achieve promising results. However, they waste too much time analyzing secure sink call-sites, resulting in less efficient vulnerability detection. To tackle the above problem, we propose a novel sink call-site classification method named CINDY to accelerate the command injection vulnerability discovery in embedded firmware with static backtracking analysis. CINDY first performs sink call-sites detection in the binary executables and constructs the data flow for function call parameters. Then, CINDY analyzes whether the parameters passed to sink functions are derived from constant string or not and labels them “secure\\\" or “risky\\\". According to the labels, CINDY classifies the sink call-sites into risky and secure sink call-sites. Finally, CINDY performs taint analysis with symbolic execution to check whether a risky sink call-site is vulnerable. To demonstrate the efficacy of CINDY, we compare CINDY with the state-of-the-art method SaTC, using the dataset published by SaTC. Compared with SaTC, CINDY can filter out more of the secure sink call-sites, with a 35% decrease, and the efficiency is improved by 17% than SaTC.\",\"PeriodicalId\":152960,\"journal\":{\"name\":\"Proceedings of the 12th International Conference on the Internet of Things\",\"volume\":\"106 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2022-11-07\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Proceedings of the 12th International Conference on the Internet of Things\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/3567445.3567458\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 12th International Conference on the Internet of Things","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3567445.3567458","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Accelerating Command Injection Vulnerability Discovery in Embedded Firmware with Static Backtracking Analysis
Command injection vulnerability is a severe threat to the embedded device. Most methods detect command injection vulnerability with taint analysis and symbolic execution and achieve promising results. However, they waste too much time analyzing secure sink call-sites, resulting in less efficient vulnerability detection. To tackle the above problem, we propose a novel sink call-site classification method named CINDY to accelerate the command injection vulnerability discovery in embedded firmware with static backtracking analysis. CINDY first performs sink call-sites detection in the binary executables and constructs the data flow for function call parameters. Then, CINDY analyzes whether the parameters passed to sink functions are derived from constant string or not and labels them “secure" or “risky". According to the labels, CINDY classifies the sink call-sites into risky and secure sink call-sites. Finally, CINDY performs taint analysis with symbolic execution to check whether a risky sink call-site is vulnerable. To demonstrate the efficacy of CINDY, we compare CINDY with the state-of-the-art method SaTC, using the dataset published by SaTC. Compared with SaTC, CINDY can filter out more of the secure sink call-sites, with a 35% decrease, and the efficiency is improved by 17% than SaTC.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
