Abstract
Cyberattacks against SOHO (small office and home office) routers have attracted much attention in recent years. Most of the vulnerabilities exploited by attackers occur in the web servers of router firmware. For vulnerability detection, static taint analysis can quickly cover all code without depending on the runtime environment, unlike dynamic analysis (e.g., fuzzing). However, existing static analysis techniques suffer from a high false-negative rate because they do not resolve indirect calls, which makes it hard to track tainted data from a common source (e.g., recv) to a sink. In this work, we propose a new heuristic approach to address this challenge. Instead of resolving the indirect calls, we automatically infer taint sources by identifying functions with key-value features. With the inferred taint sources we can bypass the indirect calls and track the taint to detect vulnerabilities by static taint analysis. We implement a prototype system and evaluate it on 10 popular routers across 5 vendors. The proposed system discovered 245 vulnerabilities, including 41 1-day vulnerabilities and 204 vulnerabilities never exposed before. The experimental results show that our system finds more bugs than a state-of-the-art fuzzing tool.
Acknowledgement
This work was supported by the National Key R&D Program of China (Grant No. Y950201104), and Key Program of National Natural Science Foundation of China (Grant No. U1766215).
Copyright information
© 2021 IFIP International Federation for Information Processing
Cite this paper
Cheng, K. et al. (2021). Automatic Inference of Taint Sources to Discover Vulnerabilities in SOHO Router Firmware. In: Jøsang, A., Futcher, L., Hagen, J. (eds) ICT Systems Security and Privacy Protection. SEC 2021. IFIP Advances in Information and Communication Technology, vol 625. Springer, Cham. https://doi.org/10.1007/978-3-030-78120-0_6
DOI: https://doi.org/10.1007/978-3-030-78120-0_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-78119-4
Online ISBN: 978-3-030-78120-0
eBook Packages: Computer Science, Computer Science (R0)