Accelerating Command Injection Vulnerability Discovery in Embedded Firmware with Static Backtracking Analysis

Published: 05 January 2023
  Abstract

    Command injection vulnerabilities are a severe threat to embedded devices. Most existing methods detect them with taint analysis and symbolic execution and achieve promising results; however, they spend too much time analyzing sink call-sites that are in fact secure, which makes vulnerability detection less efficient.
    To tackle this problem, we propose CINDY, a sink call-site classification method that accelerates command injection vulnerability discovery in embedded firmware with static backtracking analysis. CINDY first detects sink call-sites in the binary executables and constructs the data flow for function call parameters. It then backtracks each parameter passed to a sink function to determine whether it is derived from a constant string, labelling it "secure" if so and "risky" otherwise. Based on these labels, CINDY classifies the sink call-sites into secure and risky ones. Finally, CINDY performs taint analysis with symbolic execution only on the risky sink call-sites to check whether each is vulnerable. To demonstrate the efficacy of CINDY, we compare it with the state-of-the-art method SaTC on the dataset published by SaTC. Compared with SaTC, CINDY filters out more of the secure sink call-sites (a 35% reduction) and improves efficiency by 17%.
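    The secure/risky labelling described in the abstract, as an added illustration that is not CINDY's code and does not come from the paper: a toy intra-procedural backtracking pass over a small invented three-address IR. The sink names (system, popen and a hypothetical vendor wrapper doSystemCmd), the string-builder set, the web-request getter websGetVar and the five sample functions are all constructed for this example. String builders are modelled as returning a fresh value computed from their string inputs, so buffer allocation does not appear in the IR.

```python
# Toy static backtracking classifier for command-execution sink call-sites.
# Constructed for illustration; not CINDY's code. The IR, the names and the
# sample functions below are all invented.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Sinks and the index of the argument that reaches a shell. doSystemCmd is an
# assumed vendor wrapper name, a common pattern in router firmware.
SINKS: Dict[str, Tuple[int, ...]] = {"system": (0,), "popen": (0,), "doSystemCmd": (0,)}
# Calls whose result is a constant string iff every string input is constant.
STRING_BUILDERS = {"sprintf", "snprintf", "strcpy", "strcat", "strncpy", "strdup"}


@dataclass
class Instr:
    op: str                       # const | param | copy | call | phi
    dst: Optional[str] = None     # variable defined here (None for sink calls)
    func: Optional[str] = None    # callee when op == "call"
    args: List[str] = field(default_factory=list)  # input variables
    text: Optional[str] = None    # literal when op == "const"


def const(dst, text): return Instr("const", dst, text=text)
def param(dst, idx): return Instr("param", dst, args=[f"arg{idx}"])
def call(dst, func, *args): return Instr("call", dst, func, list(args))
def phi(dst, *args): return Instr("phi", dst, args=list(args))


def is_constant(var: str, defs: Dict[str, Instr], seen: Set[str]) -> bool:
    """Backtrack from var through its definitions; True iff every reaching
    definition bottoms out in a string literal."""
    if var in seen:            # loop back-edge via phi: adds no new information
        return True
    seen.add(var)
    d = defs.get(var)
    if d is None:              # global / memory we cannot see: be conservative
        return False
    if d.op == "const":
        return True
    if d.op == "param":        # caller-controlled as far as this function knows
        return False
    if d.op in ("copy", "phi"):
        return all(is_constant(a, defs, seen) for a in d.args)
    if d.op == "call":         # builders propagate constness; anything else is a source
        return d.func in STRING_BUILDERS and all(is_constant(a, defs, seen) for a in d.args)
    return False


def classify_sinks(fn: List[Instr]) -> List[Tuple[int, str, str]]:
    """Return (position, sink, 'secure'|'risky') for every sink call in fn."""
    defs = {i.dst: i for i in fn if i.dst is not None}   # SSA: one def per name
    out = []
    for pos, ins in enumerate(fn):
        if ins.op == "call" and ins.func in SINKS:
            cmd = [ins.args[k] for k in SINKS[ins.func] if k < len(ins.args)]
            secure = bool(cmd) and all(is_constant(a, defs, set()) for a in cmd)
            out.append((pos, ins.func, "secure" if secure else "risky"))
    return out


# Constructed sample functions (not taken from any real firmware image).
SAMPLES: Dict[str, List[Instr]] = {
    # system("ifconfig br0 up"): a literal, nothing for taint analysis to do.
    "fixed_cmd": [const("s0", "ifconfig br0 up"), call(None, "system", "s0")],
    # Classic ping CGI: a request parameter is formatted into the command.
    "ping_cgi": [
        param("req", 0),
        const("k", "ip"),
        call("ip", "websGetVar", "req", "k"),   # web-request getter (assumed name)
        const("fmt", "ping -c 1 %s"),
        call("cmd", "sprintf", "fmt", "ip"),
        call(None, "system", "cmd"),
    ],
    # Two branches each pick a literal; the phi merges two constants.
    "two_literals": [const("a", "reboot"), const("b", "halt -f"),
                     phi("c", "a", "b"), call(None, "doSystemCmd", "c")],
    # Command built in a loop: the phi's back-edge refers to the strcat result.
    "loop_build": [
        const("base", "iptables -A INPUT"), const("tail", " -j DROP"),
        phi("acc", "base", "acc2"),
        call("acc2", "strcat", "acc", "tail"),
        call(None, "system", "acc2"),
    ],
    # Wrapper forwarding its own parameter: unknown to an intra-procedural walk.
    "wrapper": [param("p", 0), call("buf", "strcpy", "p"), call(None, "popen", "buf")],
}


def label_all(samples: Dict[str, List[Instr]] = SAMPLES) -> Dict[str, List[str]]:
    """Map each sample function to the labels of its sink call-sites in order."""
    return {name: [lab for _, _, lab in classify_sinks(fn)] for name, fn in samples.items()}


if __name__ == "__main__":
    for name, labels in label_all().items():
        print(f"{name:13s} -> {labels}")
```

    The walk is optimistic on loop back-edges (a variable revisited through a phi contributes no new information), conservative on anything it cannot see (function parameters, globals, results of calls that are not string builders) and stops at the function boundary. The "wrapper" sample therefore comes out "risky" even though the caller may pass a literal; that is the kind of call-site the classification hands on to the heavier taint analysis with symbolic execution, while "fixed_cmd", "two_literals" and "loop_build" are discarded without any symbolic work.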


    Cited By

    • Detecting command injection vulnerabilities in Linux-based embedded firmware with LLM-based taint analysis of library functions. Computers & Security 144 (Sep 2024), 103971. https://doi.org/10.1016/j.cose.2024.103971
    • Facilitating Web Vulnerability Detection on Embedded Devices with Root Path Pruning. In 2023 3rd International Conference on Computer Science, Electronic Information Engineering and Intelligent Control Technology (CEI), 41–46 (15 Dec 2023). https://doi.org/10.1109/CEI60616.2023.10527954

    Published In

    IoT '22: Proceedings of the 12th International Conference on the Internet of Things, November 2022, 259 pages.

    Publisher: Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. Backtracking Analysis
    2. Command Injection Vulnerability
    3. Firmware
    4. Taint Analysis

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference: IoT 2022

    Acceptance rate: 28 of 84 submissions, 33%
