research-article

Automatic Vulnerability Detection in Embedded Devices and Firmware: Survey and Layered Taxonomies

Authors:

Abdullah Qasem,

Mourad Debbabi,

Basile L. AgbaAuthors Info & Claims

ACM Computing Surveys (CSUR), Volume 54, Issue 2

Article No.: 25, Pages 1 - 42

https://doi.org/10.1145/3432893

Published: 05 March 2021 Publication History

Abstract

In the era of the internet of things (IoT), software-enabled inter-connected devices are of paramount importance. The embedded systems are very frequently used in both security and privacy-sensitive applications. However, the underlying software (a.k.a. firmware) very often suffers from a wide range of security vulnerabilities, mainly due to their outdated systems or reusing existing vulnerable libraries; which is evident by the surprising rise in the number of attacks against embedded systems. Therefore, to protect those embedded systems, detecting the presence of vulnerabilities in the large pool of embedded devices and their firmware plays a vital role. To this end, there exist several approaches to identify and trigger potential vulnerabilities within deployed embedded systems firmware. In this survey, we provide a comprehensive review of the state-of-the-art proposals, which detect vulnerabilities in embedded systems and firmware images by employing various analysis techniques, including static analysis, dynamic analysis, symbolic execution, and hybrid approaches. Furthermore, we perform both quantitative and qualitative comparisons among the surveyed approaches. Moreover, we devise taxonomies based on the applications of those approaches, the features used in the literature, and the type of the analysis. Finally, we identify the unresolved challenges and discuss possible future directions in this field of research.

References

[1]

Mohsen Ahmadvand, Alexander Pretschner, and Florian Kelbert. 2019. A taxonomy of software integrity protection techniques. Advances in Computers 112 (2019), 413--486.

[2]

Chengwei Ai, Weiyu Dong, and Zicong Gao. 2020. A novel concolic execution approach on embedded device. In Proceedings of the 4th International Conference on Cryptography, Security and Privacy (CSP’20). 47--52.

Digital Library

[3]

Vincent Alimi, Sylvain Vernois, and Christophe Rosenberger. 2014. Analysis of embedded applications by evolutionary fuzzing. In Proceedings of the International Conference on High Performance Computing & Simulation (HPCS’14). IEEE, 551--557.

[4]

Magnus Almgren, Davide Balzarotti, Jan Stijohann, and Emmanuele Zambon. 2014. D5.3 report on automated vulnerability discovery techniques. CRISALIS EU Project. https://docplayer.net/53692826-D5-3-report-on-automated-vulnerability-discovery-techniques.html.

[5]

Saed Alrabaee, Paria Shirani, Lingyu Wang, and Mourad Debbabi. 2015. SIGMA: A semantic integrated graph matching approach for identifying reused functions in binary code. Dig. Investig. 12 (2015), S61--S71.

Digital Library

[6]

Saed Alrabaee, Paria Shirani, Lingyu Wang, and Mourad Debbabi. 2018. FOSSIL: A resilient and efficient system for identifying FOSS functions in malware binaries. ACM Trans. Priv. Secur. 21, 2 (2018), 8.

Digital Library

[7]

Saed Alrabaee, Paria Shirani, Lingyu Wang, Mourad Debbabi, and Aiman Hanna. 2018. On leveraging coding habits for effective binary authorship attribution. In Proceedings of the European Symposium on Research in Computer Security (ESORICS’18). Springer, 26--47.

[8]

Rajeev Alur and Parthasarathy Madhusudan. 2009. Adding nesting structure to words. J. ACM 56, 3 (2009), 1--43.

Digital Library

[9]

Amazon. 2018. Amazon elastic compute cloud. Retrieved from https://aws.amazon.com/ec2/.

[10]

Manos Antonakakis, Tim April, Michael Bailey, Matt Bernhard, Elie Bursztein, Jaime Cochran, Zakir Durumeric, J. Alex Halderman, Luca Invernizzi, Michalis Kallitsis, et al. 2017. Understanding the Mirai botnet. In Proceedings of the 26th USENIX Security Symposium (USENIX Security’17). 1093--1110.

[11]

Relja Arandjelovic and Andrew Zisserman. 2013. All about VLAD. In Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR’13). 1578--1585.

Digital Library

[12]

Martin Arjovsky, Soumith Chintala, and Léon Bottou. 2017. Wasserstein gan. Arxiv Preprint Arxiv:1701.07875 (2017).

[13]

Domagoj Babić, Lorenzo Martignoni, Stephen McCamant, and Dawn Song. 2011. Statically-directed dynamic automated test generation. In Proceedings of the International Symposium on Software Testing and Analysis (ISSTA’11). ACM, 12--22.

[14]

Gogul Balakrishnan and Thomas Reps. 2004. Analyzing memory accesses in x86 executables. In Proceedings of the International Conference on Compiler Construction (CC’04). Springer, 5--23.

[15]

Roberto Baldoni, Emilio Coppa, Daniele Cono D’elia, Camil Demetrescu, and Irene Finocchi. 2018. A survey of symbolic execution techniques. ACM Comput. Surv. 51, 3 (2018), 1--39.

Digital Library

[16]

Tiffany Bao, Jonathan Burket, Maverick Woo, Rafael Turner, and David Brumley. 2014. BYTEWEIGHT: Learning to recognize functions in binary code. In 23rd USENIX Security Symposium (USENIX Security’14). 845--860.

[17]

Clark Barrett, Daniel Kroening, and Thomas Melham. 2014. Problem solving for the 21st century: Efficient solver for satisfiability modulo theories. London Mathematical Society and Smith Institute for Industrial Mathematics and System Engineering.

[18]

Daniel Bilar. 2007. Opcodes as predictor for malware. Int. J. Electron. Secur. Dig. Forens. 1, 2 (2007), 156--168.

Digital Library

[19]

Hristo Bojinov, Elie Bursztein, Eric Lovett, and Dan Boneh. 2009. Embedded management interfaces: Emerging massive insecurity. BlackHat USA 1, 8 (2009), 14.

[20]

Boofuzz. 2019. 2Binwalk: firmware analysis tool. Retrieved from https://boofuzz.readthedocs.io/en/latest.

[21]

Konstantin Böttinger and Claudia Eckert. 2016. DeepFuzz: Triggering vulnerabilities deeply hidden in binaries. In Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA’16). Springer, 25--34.

Digital Library

[22]

Jane Bromley, Isabelle Guyon, Yann LeCun, Eduard Säckinger, and Roopak Shah. 1994. Signature verification using a “siamese” time delay neural network. In Proceedings of the International Conference on Advances in Neural Information Processing Systems (NeurIPS). 737--744.

[23]

Teresa Nicole Brooks. 2018. Survey of automated vulnerability detection and exploit generation techniques in cyber reasoning systems. In Proceedings of the Science and Information (SAI’18) Conference. Springer, 1083--1102.

[24]

Cristian Cadar, Daniel Dunbar, Dawson R. Engler, et al. 2008. KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs. In Proceedings of the Symposium on Operating Systems Design and Implementation (OSDI’08). 209--224.

[25]

Sang Kil Cha, Thanassis Avgerinos, Alexandre Rebert, and David Brumley. 2012. Unleashing mayhem on binary code. In Proceedings of the IEEE Symposium on Security and Privacy (SP’12). IEEE, 380--394.

Digital Library

[26]

Sang Kil Cha, Maverick Woo, and David Brumley. 2015. Program-adaptive mutational fuzzing. In Proceedings of the IEEE Symposium on Security and Privacy (SP’15). IEEE, 725--741.

Digital Library

[27]

Mahinthan Chandramohan, Yinxing Xue, Zhengzi Xu, Yang Liu, Chia Yuan Cho, and Hee Beng Kuan Tan. 2016. BinGo: Cross-architecture cross-OS binary search. In Proceedings of the 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE’16). ACM, 678--689.

Digital Library

[28]

Daming D. Chen, Maverick Woo, David Brumley, and Manuel Egele. 2016. Towards automated dynamic analysis for Linux-based embedded firmware. In Proceedings of the Network and Distributed System Security Symposium (NDSS’16).

[29]

Jiongyi Chen, Wenrui Diao, Qingchuan Zhao, Chaoshun Zuo, Zhiqiang Lin, XiaoFeng Wang, Wing Cheong Lau, Menghan Sun, Ronghai Yang, and Kehuan Zhang. 2018. IoTFuzzer: Discovering memory corruptions in iot through app-based fuzzing. In Proceedings of the Network and Distributed System Security Symposium (NDSS’18).

[30]

Ting Chen, Xiao-Song Zhang, Xiao-Li Ji, Cong Zhu, Yang Bai, and Yue Wu. 2014. Test generation for embedded executables via concolic execution in a real environment. IEEE Transactions on Reliability 64, 1 (2014), 284--296.

[31]

Long Cheng, Ke Tian, and Danfeng Daphne Yao. 2017. Orpheus: Enforcing cyber-physical execution semantics to defend against data-oriented attacks. In Proceedings of the 33rd Computer Security Applications Conference (ACSAC’17). ACM, 315--326.

Digital Library

[32]

Brian Chess and Jacob West. 2008. Dynamic taint propagation: Finding vulnerabilities without attacking. Information Security Technical Report 13, 1 (2008), 33--39.

[33]

Vitaly Chipounov, Volodymyr Kuznetsov, and George Candea. 2011. S2E: A platform for in-vivo multi-path analysis of software systems. ACM SIGPLAN Notices 46, 3 (2011), 265--278.

Digital Library

[34]

James Clause, Wanchun Li, and Alessandro Orso. 2007. Dytan: A generic dynamic taint analysis framework. In Proceedings of the International Symposium on Software Testing and Analysis (ISSTA’07). ACM, 196--206.

Digital Library

[35]

Christian Collberg, Clark Thomborson, and Douglas Low. 1997. A Taxonomy of Obfuscating Transformations. Technical Report. Department of Computer Science, The University of Auckland, New Zealand.

[36]

Nassim Corteggiani, Giovanni Camurati, and Aurélien Francillon. 2018. Inception: System-wide security testing of real-world embedded systems software. In Proceedings of the 27th USENIX Security Symposium (USENIX Security’18). 309--326.

[37]

Andrei Costin, Apostolis Zarras, and Aurélien Francillon. 2016. Automated dynamic firmware analysis at scale: A case study on embedded web interfaces. In Proceedings of the 11th ACM Asia Conference on Computer and Communications Security (ASIACCS’16). ACM, 437--448.

Digital Library

[38]

Ang Cui, Michael Costello, and Salvatore J. Stolfo. 2013. When firmware modifications attack: A case study of embedded exploitation. In Proceedings of the Network and Distributed System Security Symposium (NDSS’13).

[39]

Ang Cui and Salvatore J. Stolfo. 2010. A quantitative analysis of the insecurity of embedded network devices: Results of a wide-area scan. In Proceedings of the 26th Computer Security Applications Conference (ACSAC’10). ACM, 97--106.

[40]

Padraig Cunningham and Sarah Jane Delany. 2007. k-nearest neighbour classifiers. Mult. Class. Syst. 34, 8 (2007), 1--17.

[41]

Johannes Dahse and Thorsten Holz. 2014. Simulation of built-in PHP features for precise static code analysis. In Proceedings of the Network and Distributed System Security Symposium (NDSS’14). Citeseer.

[42]

Hanjun Dai, Bo Dai, and Le Song. 2016. Discriminative embeddings of latent variable models for structured data. In Proceedings of the International Conference on Machine Learning (ICML’16). 2702--2711.

[43]

DARPA. 2018. Cyber Grand Challenge. Retrieved from http://cybergrandchallenge.com.

[44]

Yaniv David, Nimrod Partush, and Eran Yahav. 2016. Statistical similarity of binaries. ACM SIGPLAN Not. 51, 6 (2016), 266--280.

Digital Library

[45]

Yaniv David, Nimrod Partush, and Eran Yahav. 2017. Similarity of binaries through re-optimization. In Proceedings of the 38th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI’17). ACM, 79--94.

Digital Library

[46]

Yaniv David, Nimrod Partush, and Eran Yahav. 2018. FirmUp: Precise static detection of common vulnerabilities in firmware. In Proceedings of the 23rd International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS’18). ACM, 392--404.

Digital Library

[47]

Yaniv David and Eran Yahav. 2014. Tracelet-based code search in executables. ACM SIGPLAN Not. 49, 6 (2014), 349--360.

Digital Library

[48]

Drew Davidson, Benjamin Moench, Thomas Ristenpart, and Somesh Jha. 2013. FIE on firmware: Finding vulnerabilities in embedded systems using symbolic execution. In Proceedings of the USENIX Security Symposium (USENIX Security’13). 463--478.

[49]

Leonardo De Moura and Nikolaj Bjørner. 2008. Z3: An efficient SMT solver. In Proceedings of the International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’08). Springer, 337--340.

[50]

die.net. 2018. Determine file type. Retrieved from https://linux.die.net/man/1/file.

[51]

Artem Dinaburg and Andrew Ruef. 2014. Mcsema: Static translation of X86 instructions to LLVM. In Proceedings of the ReCon 2014 Conference.

[52]

Brendan Dolan-Gavitt, Patrick Hulin, Engin Kirda, Tim Leek, Andrea Mambretti, Wil Robertson, Frederick Ulrich, and Ryan Whelan. 2016. LAVA: Large-scale automated vulnerability addition. In Proceedings of the IEEE Symposium on Security and Privacy (SP’16). IEEE, 110--121.

[53]

Dominic Rath. 2018. OpenOCD. Retrieved from http://openocd.org.

[54]

Pavel Dovgalyuk. 2012. Deterministic replay of system’s execution with multi-target QEMU simulator for dynamic analysis and reverse debugging. In Proceedings of the European Conference on Software Maintenance and Reengineering (CSMR’12). 553--556.

Digital Library

[55]

Manuel Egele, Maverick Woo, Peter Chapman, and David Brumley. 2014. Blanket execution: Dynamic similarity testing for program binaries and components. In 23rd USENIX Security Symposium (USENIX Security’14). 303--317.

[56]

Andrzej Ehrenfeucht. 1961. An application of games to the completeness problem for formalized theories. Fund. Math 49, 13 (1961), 129--141.

[57]

Sebastian Eschweiler, Khaled Yakdan, and Elmar Gerhards-Padilla. 2016. discovRE: Efficient cross-architecture identification of bugs in binary code. In Proceedings of the Network and Distributed System Security Symposium (NDSS’16).

[58]

ESET. 2018. Vulnerabilities reached a historic peak in 2017. Retrieved from https://bit.ly/2Mgk4x9.

[59]

F-Secure. 2015. Vulnerabilities in Foscam IP cameras enable root and remote control. Retrieved from https://bit.ly/2PONhRW.

[60]

Josselin Feist, Laurent Mounier, Sébastien Bardin, Robin David, and Marie-Laure Potet. 2016. Finding the needle in the heap: Combining static analysis and dynamic symbolic execution to trigger use-after-free. In Proceedings of the 6th Workshop on Software Security, Protection, and Reverse Engineering (SSPREW’16). ACM, 2.

Digital Library

[61]

Josselin Feist, Laurent Mounier, and Marie-Laure Potet. 2014. Statically detecting use after free on binary code. J. Comput. Virol. Hack. Techn. 10, 3 (2014), 211--217.

[62]

Qian Feng, Minghua Wang, Mu Zhang, Rundong Zhou, Andrew Henderson, and Heng Yin. 2017. Extracting conditional formulas for cross-platform bug search. In Proceedings of the ACM Asia Conference on Computer and Communications Security (ASIACCS’17). ACM, 346--359.

Digital Library

[63]

Qian Feng, Rundong Zhou, Chengcheng Xu, Yao Cheng, Brian Testa, and Heng Yin. 2016. Scalable graph-based bug search for firmware images. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS’16). ACM, 480--491.

Digital Library

[64]

Halvar Flake. 2004. Structural comparison of executable objects. In Proceedings of the International GI Workshop on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA’04). Gesellschaft für Informatik eV, 161--174.

[65]

András Frank. 2005. On Kuhn’s Hungarian method—A tribute from Hungary. Naval Res. Logist. 52, 1 (2005), 2--5.

[66]

Debin Gao, Michael K. Reiter, and Dawn Song. 2008. BinHunt: Automatically finding semantic differences in binary programs. In Proceedings of the International Conference on Information and Communications Security (ICICS’08). Springer, 238--255.

Digital Library

[67]

Jian Gao, Xin Yang, Ying Fu, Yu Jiang, and Jiaguang Sun. 2018. VulSeeker: A semantic learning based vulnerability seeker for cross-platform binary. In Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering (ASE’18). ACM, 896--899.

Digital Library

[68]

François Gauthier, Thierry Lavoie, and Ettore Merlo. 2013. Uncovering access control weaknesses and flaws with security-discordant software clones. In Proceedings of the 29th Computer Security Applications Conference (ACSAC’13). ACM, 209--218.

Digital Library

[69]

Patrice Godefroid, Michael Y. Levin, David A. Molnar, et al. 2008. Automated whitebox fuzz testing. In Proceedings of the Network and Distributed System Security Symposium (NDSS’08). 151--166.

[70]

Patrice Godefroid, Hila Peleg, and Rishabh Singh. 2017. Learn&Fuzz: Machine learning for input fuzzing. In Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering (ASE’17). IEEE Press, 50--59.

Digital Library

[71]

Andy Greenberg. 2017. The Reaper IoT Botnet Has Already Infected a Million Networks. Retrieved from https://bit.ly/2SiYZpJ.

[72]

C. Griffin. 2012. Graph Theory: Penn State Math 485 Lecture Notes. Retrieved from http://www. personal.psu.edu/cxg286/Math485.pdf.

[73]

Eric Gustafson, Marius Muench, Chad Spensky, Nilo Redini, Aravind Machiry, Yanick Fratantonio, Davide Balzarotti, Aurélien Francillon, Yung Ryn Choe, Christophe Kruegel, et al. 2019. Toward the analysis of embedded firmware through automated re-hosting. In Proceedings of the 22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID’19). 135--150.

[74]

H. Craig. 2019. 2Binwalk: firmware analysis tool. Retrieved from https://github.com/ReFirmLabs/binwalk.

[75]

Istvan Haller, Asia Slowinska, Matthias Neugschwandtner, and Herbert Bos. 2013. Dowsing for overflows: A guided fuzzer to find buffer boundary violations. In Proceedings of the USENIX Security Symposium (USENIX Security’13). 49--64.

[76]

Armijn Hemel, Karl Trygve Kalleberg, Rob Vermaas, and Eelco Dolstra. 2011. Finding software license violations through binary code clone detection. In Proceedings of the 8th Working Conference on Mining Software Repositories (MSR’11). ACM, 63--72.

Digital Library

[77]

Nadia Heninger, Zakir Durumeric, Eric Wustrow, and J. Alex Halderman. 2012. Mining your Ps and Qs: Detection of widespread weak keys in network devices. In Proceedings of the USENIX Security Symposium (USENIX Security’12), Vol. 8. 1.

[78]

Luigi Auriemma. 2018. Signsrch signature identification tool. http://aluigi.altervista.org/mytoolz.htm.

[79]

IT Governance Blog. 2018. 6 reasons why software is becoming more vulnerable to cyber attacks. Retrieved from https://bit.ly/2tJq7nu.

[80]

Jiyong Jang, Abeer Agrawal, and David Brumley. 2012. ReDeBug: Finding unpatched code clones in entire OS distributions. In Proceedings of the IEEE Symposium on Security and Privacy (SP’12). IEEE, 48--62.

Digital Library

[81]

Ranjit Jhala and Rupak Majumdar. 2005. Path slicing. In ACM SIGPLAN Notices, Vol. 40. ACM, 38--47.

Digital Library

[82]

Tiantian Ji, Yue Wu, Chang Wang, Xi Zhang, and Zhongru Wang. 2018. The coming era of alphahacking? A survey of automatic software vulnerability detection, exploitation and patching techniques. In Proceedings of the 3rd International Conference on Data Science in Cyberspace (DSC’18). IEEE, 53--60.

[83]

Lingxiao Jiang, Ghassan Misherghi, Zhendong Su, and Stephane Glondu. 2007. Deckard: Scalable and accurate tree-based detection of code clones. In Proceedings of the 29th International Conference on Software Engineering (ICSE’07). IEEE Computer Society, 96--105.

Digital Library

[84]

Gong Jie, Kuang Xiao-Hui, and Liu Qiang. 2016. Survey on software vulnerability analysis method based on machine learning. In Proceedings of the IEEE International Conference on Data Science in Cyberspace (DSC’16). IEEE, 642--647.

[85]

Wesley Jin, Sagar Chaki, Cory Cohen, Arie Gurfinkel, Jeffrey Havrilla, Charles Hines, and Priya Narasimhan. 2012. Binary function clustering using semantic hashes. In Proceedings of the 11th International Conference on Machine Learning and Applications (ICMLA’12), Vol. 1. IEEE, 386--391.

Digital Library

[86]

Nassima Kamel and Jean-Louis Lanet. 2013. Analysis of HTTP protocol implementation in smart card embedded web server. Int. J. Inf. Netw. Secur. 2, 5 (2013), 417.

[87]

Toshihiro Kamiya, Shinji Kusumoto, and Katsuro Inoue. 2002. CCFinder: A multilinguistic token-based code clone detection system for large scale source code. IEEE Trans. Softw. Eng. 28, 7 (2002), 654--670.

Digital Library

[88]

Markus Kammerstetter, Daniel Burian, and Wolfgang Kastner. 2016. Embedded security testing with peripheral device caching and runtime program state approximation. In Proceedings of the 10th International Conference on Emerging Security Information, Systems and Technologies (SECUWARE’16).

[89]

Markus Kammerstetter, Christian Platzer, and Wolfgang Kastner. 2014. Prospect: Peripheral proxying supported embedded code testing. In Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security (ASIACCS’14). ACM, 329--340.

Digital Library

[90]

Min Gyung Kang, Pongsin Poosankam, and Heng Yin. 2007. Renovo: A hidden code extractor for packed executables. In Proceedings of the ACM Workshop on Recurring Malcode (WORM’07). ACM, 46--53.

Digital Library

[91]

Md Enamul Karim, Andrew Walenstein, Arun Lakhotia, and Laxmi Parida. 2005. Malware phylogeny generation using permutations of code. J. Comput. Virol. 1, 1--2 (2005), 13--23.

[92]

Wei Ming Khoo, Alan Mycroft, and Ross Anderson. 2013. Rendezvous: A search engine for binary code. In Proceedings of the 10th Working Conference on Mining Software Repositories (MSR’13). IEEE Press, 329--338.

Digital Library

[93]

Karl Koscher, Alexei Czeskis, Franziska Roesner, Shwetak Patel, Tadayoshi Kohno, Stephen Checkoway, Damon McCoy, Brian Kantor, Danny Anderson, Hovav Shacham, et al. 2010. Experimental security analysis of a modern automobile. In Proceedings of the IEEE Symposium on Security and Privacy (SP’10). IEEE, 447--462.

Digital Library

[94]

Karl Koscher, Tadayoshi Kohno, and David Molnar. 2015. SURROGATES: Enabling near-real-time dynamic analyses of embedded systems. In Proceedings of the 9th USENIX Workshop on Offensive Technologies (WOOT’15).

[95]

Christopher Kruegel, Engin Kirda, Darren Mutz, William Robertson, and Giovanni Vigna. 2005. Polymorphic worm detection using structural information of executables. In Proceedings of the International Workshop on Recent Advances in Intrusion Detection (RAID’05). Springer, 207--226.

[96]

Christopher Kruegel, William Robertson, Fredrik Valeur, and Giovanni Vigna. 2004. Static disassembly of obfuscated binaries. In Proceedings of the USENIX Security Symposium, Vol. 13. 18--18.

Digital Library

[97]

Hyeryun Lee, Kyunghee Choi, Kihyun Chung, Jaein Kim, and Kangbin Yim. 2015. Fuzzing can packets into automobiles. In Proceedings of the IEEE 29th International Conference on Advanced Information Networking and Applications (AINA’15). IEEE, 817--821.

[98]

Jun Li, Bodong Zhao, and Chao Zhang. 2018. Fuzzing: A survey. Cybersecurity 1, 1 (2018), 6.

[99]

Yuekang Li, Bihuan Chen, Mahinthan Chandramohan, Shang-Wei Lin, Yang Liu, and Alwen Tiu. 2017. Steelix: Program-state based binary fuzzing. In Proceedings of the 11th Joint Meeting on Foundations of Software Engineering (ESEC/FSE’17). ACM, 627--637.

Digital Library

[100]

Bingchang Liu, Wei Huo, Chao Zhang, Wenchao Li, Feng Li, Aihua Piao, and Wei Zou. 2018. αdiff: Cross-version binary code similarity detection with DNN. In Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering (ASE’18). ACM, 667--678.

Digital Library

[101]

Lannan Luo, Jiang Ming, Dinghao Wu, Peng Liu, and Sencun Zhu. 2014. Semantics-based obfuscation-resilient binary code similarity comparison with applications to software plagiarism detection. In Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE’14). ACM, 389--400.

Digital Library

[102]

Lannan Luo, Jiang Ming, Dinghao Wu, Peng Liu, and Sencun Zhu. 2017. Semantics-based obfuscation-resilient binary code similarity comparison with applications to software and algorithm plagiarism detection. IEEE Trans. Softw. Eng. 43, 12 (2017), 1157--1177.

Digital Library

[103]

Chenyang Lv, Shouling Ji, Yuwei Li, Junfeng Zhou, Jianhai Chen, Pan Zhou, and Jing Chen. 2018. SmartSeed: Smart seed generation for efficient fuzzing. Arxiv Preprint Arxiv:1807.02606 (2018).

[104]

Valentin Jean Marie Manès, HyungSeok Han, Choongwoo Han, Sang Kil Cha, Manuel Egele, Edward J. Schwartz, and Maverick Woo. 2019. The art, science, and engineering of fuzzing: A survey. IEEE Trans. Softw. Eng. (2019), 1--1.

[105]

James J. McGregor. 1982. Backtrack search algorithms and the maximal common subgraph problem. Softw.: Pract. Exper. 12, 1 (1982).

[106]

Mitre. 2018. CWE-416: Use after free. Retrieved from https://cwe.mitre.org/data/definitions/416.html.

[107]

Steven S. Muchnick et al. 1997. Advanced Compiler Design Implementation. Morgan Kaufmann.

[108]

Marius Muench, Dario Nisi, Aurélien Francillon, and Davide Balzarotti. 2018. Avatar2: A multi-target orchestration platform. In Proceedings of the Workshop on Binary Analysis Research (Colocated with the Network and Distributed System Security Symposium), Vol. 18. 1--11.

[109]

Marius Muench, Jan Stijohann, Frank Kargl, Aurélien Francillon, and Davide Balzarotti. 2018. What you corrupt is not what you crash: Challenges in fuzzing embedded devices. In Proceedings of the Network and Distributed System Security Symposium (NDSS’18).

[110]

Collin Mulliner, Nico Golde, and Jean-Pierre Seifert. 2011. SMS of death: From analyzing to attacking mobile phones on a large scale. In Proceedings of the USENIX Security Symposium (USENIX Security’11). 99.

[111]

Marius Munch. 2019. Dynamic Binary Firmware Analysis: Challenges and Solutions. Ph.D. Dissertation. Sorbonne Université.

[112]

Ginger Myles and Christian Collberg. 2005. K-gram based software birthmarks. In Proceedings of the ACM Symposium on Applied Computing (SAC’05). ACM, 314--318.

Digital Library

[113]

Mary Natrella. 2010. NIST/SEMATECH e-handbook of statistical methods. (2010). Retrieved from http://www.itl.nist.gov/div898/handbook/.

[114]

Jose Nazario. 2007. BlackEnergy DDoS Bot Analysis. Arbor Networks. http://pds15.egloos.com/pds/201001/01/66/BlackEnergy_DDoS_Bot_Analysis.pdf.

[115]

Nicholas Nethercote and Julian Seward. 2007. Valgrind: A framework for heavyweight dynamic binary instrumentation. In ACM SIGPLAN Notices, Vol. 42. ACM, 89--100.

Digital Library

[116]

Mark Newman. 2010. Networks: An Introduction. Oxford University Press.

[117]

James Newsome and Dawn Song. 2005. Dynamic taint analysis: Automatic detection, analysis, and signature generation of exploit attacks on commodity software. In Proceedings of the 12th Network and Distributed Systems Security Symposium (NDSS’05). Citeseer.

[118]

Andrew Y. Ng, Michael I. Jordan, and Yair Weiss. 2002. On spectral clustering: Analysis and an algorithm. In Proceedings of the International Conference on Advances in Neural Information Processing Systems (NIPS’02). 849--856.

[119]

Beng Heng Ng and Atul Prakash. 2013. Expose: Discovering potential binary code re-use. In Proceedings of the IEEE 37th Computer Software and Applications Conference (COMPSAC’13). IEEE, 492--501.

Digital Library

[120]

Saahil Ognawala, Martín Ochoa, Alexander Pretschner, and Tobias Limmer. 2016. MACKE: Compositional analysis of low-level vulnerabilities with symbolic execution. In Proceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering (ASE’16). IEEE, 780--785.

Digital Library

[121]

Jonathan Oliver, Chun Cheng, and Yanggui Chen. 2013. TLSH—A locality sensitive hash. In Proceedings of the 4th Cybercrime and Trustworthy Computing Workshop (CTC’13). IEEE, 7--13.

Digital Library

[122]

Hui Peng, Yan Shoshitaishvili, and Mathias Payer. 2018. T-fuzz: Fuzzing by program transformation. In Proceedings of the IEEE Symposium on Security and Privacy (SP’18). IEEE, 697--710.

[123]

Jannik Pewny, Behrad Garmany, Robert Gawlik, Christian Rossow, and Thorsten Holz. 2015. Cross-architecture bug search in binary executables. In Proceedings of the IEEE Symposium on Security and Privacy (SP’15). IEEE, 709--724.

Digital Library

[124]

Jannik Pewny, Felix Schuster, Lukas Bernhard, Thorsten Holz, and Christian Rossow. 2014. Leveraging semantic signatures for bug search in binary programs. In Proceedings of the 30th Computer Security Applications Conference (ACSAC’14). ACM, 406--415.

Digital Library

[125]

Protean Security. 2018. Next Generation Dynamic Analysis with PANDA. Retrieved from https://bit.ly/2ZfXlq8.

[126]

Jing Qiu, Xiaohong Su, and Peijun Ma. 2016. Using reduced execution flow graph to identify library functions in binary code. IEEE Trans. Softw. Eng. 42, 2 (2016), 187--202.

Digital Library

[127]

Ashkan Rahimian, Paria Shirani, Saed Alrbaee, Lingyu Wang, and Mourad Debbabi. 2015. BinComp: A stratified approach to compiler provenance attribution. Dig. Investig. 14 (2015), S146--S155.

Digital Library

[128]

Sanjay Rawat, Vivek Jain, Ashish Kumar, Lucian Cojocar, Cristiano Giuffrida, and Herbert Bos. 2017. Vuzzer: Application-aware evolutionary fuzzing. In Proceedings of the Network and Distributed System Security Symposium (NDSS’17).

[129]

Sanjay Rawat and Laurent Mounier. 2012. Finding buffer overflow inducing loops in binary executables. In Proceedings of the IEEE 6th International Conference on Software Security and Reliability (SERE’12). IEEE, 177--186.

Digital Library

[130]

Alexandre Rebert, Sang Kil Cha, Thanassis Avgerinos, Jonathan Foote, David Warren, Gustavo Grieco, and David Brumley. 2014. Optimizing seed selection for fuzzing. In Proceedings of the USENIX Security Symposium (USENIX Security’14). 861--875.

[131]

Nathan E. Rosenblum. 2011. The Provenance Hierarchy of Computer Programs. Ph.D. Dissertation. University of Wisconsin--Madison.

Digital Library

[132]

Paria Shirani, Leo Collard, Basile L. Agba, Bernard Lebel, Mourad Debbabi, Lingyu Wang, and Aiman Hanna. 2018. BinARM: Scalable and efficient detection of vulnerabilities in firmware images of intelligent electronic devices. In Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA’18). Springer, 114--138.

[133]

Paria Shirani, Lingyu Wang, and Mourad Debbabi. 2017. BinShape: Scalable and robust binary library function identification using function shape. In Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA’17). Springer, 301--324.

[134]

Yan Shoshitaishvili. 2017. Building a Base for Cyber-autonomy. Ph.D. Dissertation. University of California, Santa Barbara.

[135]

Yan Shoshitaishvili, Ruoyu Wang, Christophe Hauser, Christopher Kruegel, and Giovanni Vigna. 2015. Firmalice—Automatic detection of authentication bypass vulnerabilities in binary firmware. In Proceedings of the Network and Distributed System Security Symposium (NDSS’15).

[136]

Yan Shoshitaishvili, Ruoyu Wang, Christopher Salls, Nick Stephens, Mario Polino, Andrew Dutcher, John Grosen, Siji Feng, Christophe Hauser, Christopher Kruegel, et al. 2016. Sok:(state of) the art of war: Offensive techniques in binary analysis. In Proceedings of the IEEE Symposium on Security and Privacy (SP’16). IEEE, 138--157.

[137]

Maksim Shudrak. 2017. WinHeap explorer: Efficient and transparent heap-based bug detection in machine code. In Proceedings of the IEEE International Conference on Software Quality, Reliability and Security (QRS’17). IEEE, 94--101.

[138]

Steelix. 2020. LAVA-M. Retrieved from https://sites.google.com/site/steelix2017/home/lava.

[139]

Nick Stephens, John Grosen, Christopher Salls, Andrew Dutcher, Ruoyu Wang, Jacopo Corbetta, Yan Shoshitaishvili, Christopher Kruegel, and Giovanni Vigna. 2016. Driller: Augmenting fuzzing through selective symbolic execution. In Proceedings of the Network and Distributed System Security Symposium (NDSS’16). 1--16.

[140]

G. Edward Suh, Jae W. Lee, David Zhang, and Srinivas Devadas. 2004. Secure program execution via dynamic information flow tracking. In ACM SIGPLAN Notices, Vol. 39. ACM, 85--96.

Digital Library

[141]

Gaith Taha. 2007. Counterattacking the Packers. McAfee Avert Labs, Aylesbury, UK.

[142]

Randy Torrance and Dick James. 2009. The state-of-the-art in IC reverse engineering. In Proceedings of the International Workshop on Cryptographic Hardware and Embedded Systems (CHES’09). Springer, 363--381.

Digital Library

[143]

Fabian Van Den Broek, Brinio Hond, and Arturo Cedillo Torres. 2014. Security testing of GSM implementations. In Proceedings of the International Symposium on Engineering Secure Software and Systems (ESSoS’14). Springer, 179--195.

Digital Library

[144]

Dong Wang, Xiaosong Zhang, Ting Chen, and Jingwei Li. 2019. Discovering vulnerabilities in COTS IoT devices through blackbox fuzzing web management interface. Secur. Commun. Netw. 2019 (2019).

[145]

Mingzhe Wang, Jie Liang, Yuanliang Chen, Yu Jiang, Xun Jiao, Han Liu, Xibin Zhao, and Jiaguang Sun. 2018. SAFL: Increasing and accelerating testing coverage with symbolic execution and guided fuzzing. In Proceedings of the 40th International Conference on Software Engineering (ICSE’18). ACM, 61--64.

Digital Library

[146]

Tielei Wang, Tao Wei, Guofei Gu, and Wei Zou. 2010. TaintScope: A checksum-aware directed fuzzing tool for automatic software vulnerability detection. In Proceedings of the IEEE Symposium on Security and Privacy (SP’10). IEEE, 497--512.

Digital Library

[147]

Zhiqiang Wang, Yuqing Zhang, and Qixu Liu. 2013. RPFuzzer: A framework for discovering router protocols vulnerabilities based on fuzzing. KSII Trans. Internet Inf. Syst. 7, 8 (2013).

[148]

Mark Weiser. 1981. Program slicing. In Proceedings of the 5th International Conference on Software Engineering (ICSE). IEEE Press, 439--449.

Digital Library

[149]

Dominik Wermke, Nicolas Huaman, Yasemin Acar, Brad Reaves, Patrick Traynor, and Sascha Fahl. 2018. A large scale investigation of obfuscation use in Google Play. Arxiv Preprint Arxiv:1801.02742 (2018).

[150]

Xiaojun Xu, Chang Liu, Qian Feng, Heng Yin, Le Song, and Dawn Song. 2017. Neural network-based graph embedding for cross-platform binary code similarity detection. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS’17). ACM, 363--376.

Digital Library

[151]

Fabian Yamaguchi, Markus Lottmann, and Konrad Rieck. 2012. Generalized vulnerability extrapolation using abstract syntax trees. In Proceedings of the 28th Computer Security Applications Conference (ACSAC’12). ACM, 359--368.

Digital Library

[152]

Bo Yu, Pengfei Wang, Tai Yue, and Yong Tang. 2019. Poster: Fuzzing IoT firmware via multi-stage message generation. In Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS’19). ACM, 2525--2527.

Digital Library

[153]

Insu Yun, Sangho Lee, Meng Xu, Yeongjin Jang, and Taesoo Kim. 2018. QSYM: A practical concolic execution engine tailored for hybrid fuzzing. In Proceedings of the 27th USENIX Security Symposium (USENIX Security’18). USENIX Association, 745--761.

[154]

Jonas Zaddach, Luca Bruno, Aurelien Francillon, and Davide Balzarotti. 2014. AVATAR: A framework to support dynamic security analysis of embedded systems’ firmwares. In Proceedings of the Network and Distributed System Security Symposium (NDSS’14).

[155]

Michal Zalewski. 2010. American fuzzy lop: A security-oriented fuzzer. Retrieved from http://lcamtuf.coredump.cx/afl/ (2010).

[156]

Junyuan Zeng, Yangchun Fu, Kenneth A. Miller, Zhiqiang Lin, Xiangyu Zhang, and Dongyan Xu. 2013. Obfuscation resilient binary code reuse through trace-oriented programming. In Proceedings of the ACM SIGSAC Conference on Computer & Communications Security (CCS’13). ACM, 487--498.

Digital Library

[157]

Mingwei Zhang and R. Sekar. 2013. Control flow integrity for COTS binaries. In Proceedings of the USENIX Security Symposium (USENIX Security’13). 337--352.

[158]

Yaowen Zheng, Ali Davanian, Heng Yin, Chengyu Song, Hongsong Zhu, and Limin Sun. 2019. FIRM-AFL: High-throughput greybox fuzzing of IoT firmware via augmented process emulation. In Proceedings of the 28th USENIX Security Symposium (USENIX Security’19). 1099--1114.

[159]

Fei Zuo, Xiaopeng Li, Zhexin Zhang, Patrick Young, Lannan Luo, and Qiang Zeng. 2018. Neural machine translation inspired binary code similarity comparison beyond function pairs. Arxiv Preprint Arxiv:1808.04706 (2018).

Cited By

Chen MYu YXie GZeng CXu Z(2024)UEFI-based Research on the Inner Operation Mechanism and Characteristics of Firmware Vulnerabilities in Key Devices of Electric Power Monitoring SystemsApplied Mathematics and Nonlinear Sciences10.2478/amns-2024-01369:1Online publication date: 31-Jan-2024
https://doi.org/10.2478/amns-2024-0136
Li S(2024)A Method for Automatic Code Error Detection and Repair Based on Deep Learning2024 International Conference on Integrated Circuits and Communication Systems (ICICACS)10.1109/ICICACS60521.2024.10498527(1-6)Online publication date: 23-Feb-2024
https://doi.org/10.1109/ICICACS60521.2024.10498527
Liu PCao YYan YWang Y(2024)Firmware Vulnerability Detection Algorithm Based on Matching Pattern-Specific Numerical Features With Structural FeaturesIEEE Access10.1109/ACCESS.2024.337853312(42317-42328)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3378533
Show More Cited By

Index Terms

Automatic Vulnerability Detection in Embedded Devices and Firmware: Survey and Layered Taxonomies

Recommendations

A taxonomy of IoT firmware security and principal firmware analysis techniques
Abstract
Internet of Things (IoT) has come a long way since its inception. However, the standardization process in IoT systems for a secure IoT solution is still in its early days. Numerous quality review articles have been contributed by ...
Graphical abstract

Display Omitted
A Lightweight Vulnerability Mitigation Framework for IoT Devices
IoTS&P '17: Proceedings of the 2017 Workshop on Internet of Things Security and Privacy

Many of today's Internet of Things (IoT) devices are vulnerable due to the large amount of overhead incurred when their operating systems are patched against emerging vulnerabilities. In addition, legacy IoT devices are no longer supported by their ...
Firmware Update Attacks and Security for IoT Devices: Survey
ArabWIC 2019: Proceedings of the ArabWIC 6th Annual International Conference Research Track

The increasing vulnerabilities found in Internet of Things (IoT) devices have raised the need for a solid mechanism of securing the firmware update of these connected objects, since firmware updates are one way to patch vulnerabilities and add security ...

Comments

Information & Contributors

Information

Published In

cover image ACM Computing Surveys

ACM Computing Surveys Volume 54, Issue 2

March 2022

800 pages

ISSN:0360-0300

EISSN:1557-7341

DOI:10.1145/3450359

Editor:
Albert Zomaya
University of Sydney, Australia

Issue’s Table of Contents

Copyright © 2021 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 05 March 2021

Accepted: 01 October 2020

Revised: 01 October 2020

Received: 01 March 2019

Published in CSUR Volume 54, Issue 2

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed

Funding Sources

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

29
Total Citations
View Citations
2,487
Total Downloads

Downloads (Last 12 months)479
Downloads (Last 6 weeks)31

Reflects downloads up to 27 Jul 2024

Other Metrics

View Author Metrics

Citations

Cited By

Chen MYu YXie GZeng CXu Z(2024)UEFI-based Research on the Inner Operation Mechanism and Characteristics of Firmware Vulnerabilities in Key Devices of Electric Power Monitoring SystemsApplied Mathematics and Nonlinear Sciences10.2478/amns-2024-01369:1Online publication date: 31-Jan-2024
https://doi.org/10.2478/amns-2024-0136
Li S(2024)A Method for Automatic Code Error Detection and Repair Based on Deep Learning2024 International Conference on Integrated Circuits and Communication Systems (ICICACS)10.1109/ICICACS60521.2024.10498527(1-6)Online publication date: 23-Feb-2024
https://doi.org/10.1109/ICICACS60521.2024.10498527
Liu PCao YYan YWang Y(2024)Firmware Vulnerability Detection Algorithm Based on Matching Pattern-Specific Numerical Features With Structural FeaturesIEEE Access10.1109/ACCESS.2024.337853312(42317-42328)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3378533
Thyagarajan CVijay Bhanu SSuthir S(2024)A secure network path of implantable medical devices for detecting the vulnerabilities using hybrid DBNF networkBiomedical Signal Processing and Control10.1016/j.bspc.2024.10596892(105968)Online publication date: Jun-2024
https://doi.org/10.1016/j.bspc.2024.105968
Bonacci JMartin R(2024)Software Bill of Materials (SBOM) Approach to IoT Security Vulnerability AssessmentITNG 2024: 21st International Conference on Information Technology-New Generations10.1007/978-3-031-56599-1_8(57-62)Online publication date: 9-Jul-2024
https://doi.org/10.1007/978-3-031-56599-1_8
Shirani PBhatt SHailane AJourdan GOnut IShirani POnut IOnut IBranco P(2023)Towards Cross-Architecture Binary Code Vulnerability DetectionProceedings of the 33rd Annual International Conference on Computer Science and Software Engineering10.5555/3615924.3615947(191-196)Online publication date: 11-Sep-2023
https://dl.acm.org/doi/10.5555/3615924.3615947
Kim DKim ECha SSon SKim Y(2023)Revisiting Binary Code Similarity Analysis Using Interpretable Feature Engineering and Lessons LearnedIEEE Transactions on Software Engineering10.1109/TSE.2022.318768949:4(1661-1682)Online publication date: 1-Apr-2023
https://dl.acm.org/doi/10.1109/TSE.2022.3187689
Guri M(2023)AIR-FI: Leaking Data From Air-Gapped Computers Using Wi-Fi FrequenciesIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2022.318662720:3(2547-2564)Online publication date: 1-May-2023
https://dl.acm.org/doi/10.1109/TDSC.2022.3186627
Feng XZhu XHan QZhou WWen SXiang Y(2023)Detecting Vulnerability on IoT Device Firmware: A SurveyIEEE/CAA Journal of Automatica Sinica10.1109/JAS.2022.10586010:1(25-41)Online publication date: Jan-2023
https://doi.org/10.1109/JAS.2022.105860
He HXiong XZhao Y(2023)ALEmu: A Framework for Application-layer Programs Emulation of Embedded Devices2023 4th International Conference on Computer Engineering and Application (ICCEA)10.1109/ICCEA58433.2023.10135383(406-411)Online publication date: 7-Apr-2023
https://doi.org/10.1109/ICCEA58433.2023.10135383
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

HTML Format

View this article in HTML Format.

Media

Figures

Other

Tables

View Issue’s Table of Contents