编码风格很重要：在单片固件中可扩展和有效地识别内存管理功能

IF 3.7 2区计算机科学 Q1 COMPUTER SCIENCE, SOFTWARE ENGINEERING

Journal of Systems and Software Pub Date : 2025-05-05 DOI:10.1016/j.jss.2025.112472

Ruijie Cai , Zhaowei Zhang , Xiaoya Zhu , Yongguang Zhang , Xiaokang Yin , Shengli Liu

{"title":"编码风格很重要：在单片固件中可扩展和有效地识别内存管理功能","authors":"Ruijie Cai , Zhaowei Zhang , Xiaoya Zhu , Yongguang Zhang , Xiaokang Yin , Shengli Liu","doi":"10.1016/j.jss.2025.112472","DOIUrl":null,"url":null,"abstract":"<div><div>The occurrence of memory corruption vulnerabilities is often closely associated with improper use or implementation of memory management functions. Monolithic firmware typically uses custom memory management functions and lacks information such as function names, which poses significant challenges for vulnerability detection. Therefore, it is crucial for the identification of memory management functions. Existing methods are rendered ineffective due to the absence of metadata, and the diversity in implementation across different firmware images further complicates the identification process. To address the above problem, we introduce MemIdent, a new method leveraging the coding style inherent in identifying memory management functions. MemIdent is engineered to be scalable and efficient, capable of discerning consistent call features across various compiler optimizations and instruction architectures. It leverages three key observations derived from an in-depth analysis of monolithic firmware: the regularity in memory allocation calls, the co-occurrence of allocation and deallocation functions, and the statistical prominence of these features. MemIdent extracts features of call site such as function parameter types and return values using data flow analysis, which are then analyzed through statistical patterns to identify memory allocation and deallocation functions. We evaluate MemIdent’s performance using 44 firmware images covering 6 vendors (i.e., Tenda, Cisco, SonicWall, D-Link, TP-Link, and Comtech) across 3 architectures (MIPS, ARM, and PPC). The experimental results demonstrate that MemIdent has higher accuracy, greater efficiency, and better generality than state-of-the-art (SOTA) approaches, including Heapster, IDA Lumina, and MLM, which offers a significant advancement in memory management function identification methods for monolithic firmware.</div></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":"228 ","pages":"Article 112472"},"PeriodicalIF":3.7000,"publicationDate":"2025-05-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Coding style matters: Scalable and efficient identification of memory management functions in monolithic firmware\",\"authors\":\"Ruijie Cai , Zhaowei Zhang , Xiaoya Zhu , Yongguang Zhang , Xiaokang Yin , Shengli Liu\",\"doi\":\"10.1016/j.jss.2025.112472\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><div>The occurrence of memory corruption vulnerabilities is often closely associated with improper use or implementation of memory management functions. Monolithic firmware typically uses custom memory management functions and lacks information such as function names, which poses significant challenges for vulnerability detection. Therefore, it is crucial for the identification of memory management functions. Existing methods are rendered ineffective due to the absence of metadata, and the diversity in implementation across different firmware images further complicates the identification process. To address the above problem, we introduce MemIdent, a new method leveraging the coding style inherent in identifying memory management functions. MemIdent is engineered to be scalable and efficient, capable of discerning consistent call features across various compiler optimizations and instruction architectures. It leverages three key observations derived from an in-depth analysis of monolithic firmware: the regularity in memory allocation calls, the co-occurrence of allocation and deallocation functions, and the statistical prominence of these features. MemIdent extracts features of call site such as function parameter types and return values using data flow analysis, which are then analyzed through statistical patterns to identify memory allocation and deallocation functions. We evaluate MemIdent’s performance using 44 firmware images covering 6 vendors (i.e., Tenda, Cisco, SonicWall, D-Link, TP-Link, and Comtech) across 3 architectures (MIPS, ARM, and PPC). The experimental results demonstrate that MemIdent has higher accuracy, greater efficiency, and better generality than state-of-the-art (SOTA) approaches, including Heapster, IDA Lumina, and MLM, which offers a significant advancement in memory management function identification methods for monolithic firmware.</div></div>\",\"PeriodicalId\":51099,\"journal\":{\"name\":\"Journal of Systems and Software\",\"volume\":\"228 \",\"pages\":\"Article 112472\"},\"PeriodicalIF\":3.7000,\"publicationDate\":\"2025-05-05\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Journal of Systems and Software\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S0164121225001402\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, SOFTWARE ENGINEERING\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Systems and Software","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0164121225001402","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, SOFTWARE ENGINEERING","Score":null,"Total":0}

引用次数: 0

摘要

内存损坏漏洞的发生通常与内存管理功能的不当使用或实现密切相关。单片固件通常使用自定义内存管理功能，缺乏功能名称等信息，这给漏洞检测带来了重大挑战。因此，识别内存管理功能是至关重要的。由于缺乏元数据，现有方法变得无效，并且不同固件映像之间实现的多样性进一步使识别过程复杂化。为了解决上述问题，我们引入MemIdent，这是一种利用识别内存管理功能固有的编码风格的新方法。MemIdent被设计成可扩展和高效的，能够在各种编译器优化和指令架构中识别一致的调用特征。它利用了从对单片固件的深入分析中得出的三个关键观察结果：内存分配调用的规律性、分配和释放函数的共同出现，以及这些特征的统计显著性。MemIdent通过数据流分析提取调用站点的函数参数类型和返回值等特征，然后通过统计模式进行分析，识别内存分配和释放函数。我们使用涵盖6家供应商（即，Tenda, Cisco, SonicWall, D-Link， TP-Link和Comtech）的44个固件映像评估MemIdent的性能，涉及3种架构（MIPS， ARM和PPC）。实验结果表明，与Heapster、IDA Lumina和MLM等最先进的（SOTA）方法相比，MemIdent具有更高的准确性、更高的效率和更好的通用性，在单片固件的内存管理功能识别方法方面取得了重大进展。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Coding style matters: Scalable and efficient identification of memory management functions in monolithic firmware

The occurrence of memory corruption vulnerabilities is often closely associated with improper use or implementation of memory management functions. Monolithic firmware typically uses custom memory management functions and lacks information such as function names, which poses significant challenges for vulnerability detection. Therefore, it is crucial for the identification of memory management functions. Existing methods are rendered ineffective due to the absence of metadata, and the diversity in implementation across different firmware images further complicates the identification process. To address the above problem, we introduce MemIdent, a new method leveraging the coding style inherent in identifying memory management functions. MemIdent is engineered to be scalable and efficient, capable of discerning consistent call features across various compiler optimizations and instruction architectures. It leverages three key observations derived from an in-depth analysis of monolithic firmware: the regularity in memory allocation calls, the co-occurrence of allocation and deallocation functions, and the statistical prominence of these features. MemIdent extracts features of call site such as function parameter types and return values using data flow analysis, which are then analyzed through statistical patterns to identify memory allocation and deallocation functions. We evaluate MemIdent’s performance using 44 firmware images covering 6 vendors (i.e., Tenda, Cisco, SonicWall, D-Link, TP-Link, and Comtech) across 3 architectures (MIPS, ARM, and PPC). The experimental results demonstrate that MemIdent has higher accuracy, greater efficiency, and better generality than state-of-the-art (SOTA) approaches, including Heapster, IDA Lumina, and MLM, which offers a significant advancement in memory management function identification methods for monolithic firmware.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Journal of Systems and Software 工程技术-计算机：理论方法

CiteScore

8.60

自引率

5.70%

发文量

193

审稿时长

16 weeks

期刊介绍： The Journal of Systems and Software publishes papers covering all aspects of software engineering and related hardware-software-systems issues. All articles should include a validation of the idea presented, e.g. through case studies, experiments, or systematic comparisons with other approaches already in practice. Topics of interest include, but are not limited to: •Methods and tools for, and empirical studies on, software requirements, design, architecture, verification and validation, maintenance and evolution •Agile, model-driven, service-oriented, open source and global software development •Approaches for mobile, multiprocessing, real-time, distributed, cloud-based, dependable and virtualized systems •Human factors and management concerns of software development •Data management and big data issues of software systems •Metrics and evaluation, data mining of software development resources •Business and economic aspects of software development processes The journal welcomes state-of-the-art surveys and reports of practical experience for all of these topics.