An Experimental Study of Four Methods for Homology Analysis of Firmware Vulnerability

In the production of embedded devices, third-party libraries and development kits are reused frequently, so the same vulnerability often appears in many different firmware images. Homology analysis is commonly used to detect vulnerabilities introduced by this kind of code or component reuse, and the methods most widely used for it are binary difference analysis, normalized compression distance, string feature matching and fuzzy hashing. When we applied these methods to homology analysis, however, we found that the detection results were not ideal and that the false positive rate was high. To address this problem, we analyzed the application scenarios and limitations of the four methods by combining different methods with different types of files, and our experiments show that such combinations of methods and file types perform better in homology analysis.
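The following is an added example, not code from the paper or from any of the tools it evaluates. It implements two of the four methods named above, normalized compression distance (NCD, with zlib as the compressor) and string feature matching (Jaccard similarity over extracted printable strings), and combines them conjunctively so that a pair is only reported as homologous when both methods agree. The sample "firmware component" blobs, the thresholds `ncd_max=0.3` and `str_min=0.5`, and all library names and message strings are constructed for illustration; they are assumptions, not data from the paper.

```python
"""NCD and string-feature matching on constructed sample blobs, combined conjunctively.
Added example; the blobs, names and thresholds below are constructed, not from the paper."""
import random
import re
import zlib
from typing import Iterable


def ncd(x: bytes, y: bytes) -> float:
    """Normalized compression distance with zlib as the compressor.
    Close to 0 for identical inputs, close to 1 (may slightly exceed 1) for unrelated ones."""
    cx = len(zlib.compress(x, 9))
    cy = len(zlib.compress(y, 9))
    cxy = len(zlib.compress(x + y, 9))
    return (cxy - min(cx, cy)) / max(cx, cy)


def printable_strings(data: bytes, min_len: int = 6) -> set:
    """Extract maximal runs of printable ASCII, like `strings -n 6`; these are the string features."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.group().decode("ascii") for m in re.finditer(pattern, data)}


def jaccard(a: set, b: set) -> float:
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def string_similarity(x: bytes, y: bytes, min_len: int = 6) -> float:
    return jaccard(printable_strings(x, min_len), printable_strings(y, min_len))


def homologous(x: bytes, y: bytes, ncd_max: float = 0.3, str_min: float = 0.5) -> bool:
    """Conjunctive combination: both the whole-file NCD and the string-table Jaccard must agree.
    Thresholds are assumed values for this example, not tuned figures from the paper."""
    return ncd(x, y) <= ncd_max and string_similarity(x, y) >= str_min


# ---- constructed sample components -------------------------------------------------------
def make_code(seed: int, n: int) -> bytes:
    """Constructed stand-in for compiled code: deterministic pseudo-random bytes restricted
    to 0x80-0xFF so they never form printable strings and cannot pollute the string features."""
    rng = random.Random(seed)
    return bytes(rng.randrange(0x80, 0x100) for _ in range(n))


def make_blob(code: bytes, strings: Iterable[str]) -> bytes:
    """Code followed by a NUL-separated string table, mimicking .text + .rodata."""
    return code + b"\x00" + b"\x00".join(s.encode("ascii") for s in strings) + b"\x00"


LIBX_STRINGS = [
    "libexample.so.1.0.2",
    "EXAMPLE_parse_header: bad length",
    "example_decode_frame",
    "example_checksum_verify",
    "Copyright (C) 2014 Example Project",
    "version 1.0.2",
]
LIBX_V1 = make_blob(make_code(1, 3000), LIBX_STRINGS)

# Same library after a small fix: three code bytes change and one error string is added.
_patched = bytearray(make_code(1, 3000))
for _off in (100, 1000, 1900):
    _patched[_off] ^= 0x01
LIBX_V1_FIXED = make_blob(bytes(_patched), LIBX_STRINGS + ["EXAMPLE_parse_header: length overflow"])

# Unrelated code that carries the same string table (a rewrite that kept the messages):
# string matching alone reports a match here.
OTHER_SAME_STRINGS = make_blob(make_code(2, 3000), LIBX_STRINGS)

# Unrelated component sharing 2700 bytes of "toolchain runtime" code with LIBX_V1 plus
# 300 own bytes and its own strings (the shared share is exaggerated for the example):
# NCD alone reports a match here.
SIBLING = make_blob(
    make_code(1, 3000)[:2700] + make_code(3, 300),
    ["libother.so.2.1", "other_init", "other_handle_request: malformed input",
     "Copyright (C) 2014 Example Project"],
)


def report(x: bytes, y: bytes) -> dict:
    return {"ncd": round(ncd(x, y), 3),
            "string_sim": round(string_similarity(x, y), 3),
            "homologous": homologous(x, y)}


if __name__ == "__main__":
    for name, other in [("fixed build", LIBX_V1_FIXED),
                        ("same strings, other code", OTHER_SAME_STRINGS),
                        ("toolchain sibling", SIBLING)]:
        print(f"{name:28s} {report(LIBX_V1, other)}")
```

Run alone, the script prints one line per pair: the fixed build is accepted by both methods, the blob that only shares the string table is rejected because its NCD is close to 1, and the toolchain sibling is rejected because its string Jaccard is low although its NCD is small. This is the kind of per-method false positive the abstract refers to, and the reason a combination is evaluated; in practice the file type also matters, since NCD over a whole compressed firmware image behaves very differently from NCD over individual unpacked ELF files, and string features disappear from stripped or obfuscated binaries.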
