A Lightweight Method for Accelerating Discovery of Taint-Style Vulnerabilities in Embedded Systems

Nowadays, embedded systems are widely deployed in numerous applications. The firmware in embedded systems is typically custom-built to provide a set of very specialized functionalities. Such firmware is highly prone to taint-style vulnerabilities, but traditional whole-program analysis is inefficient at discovering them. In this paper, we propose a two-stage mechanism to accelerate the discovery of taint-style vulnerabilities in embedded firmware: first recognizing, from the firmware, the protocol parsers that are prone to taint-style vulnerabilities, and then constructing a program dependence graph for security-sensitive sinks to analyze their input sources. We conduct a real-world experiment to verify the mechanism. The result indicates that the mechanism can help find taint-style vulnerabilities in less time than whole-program analysis.
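The following is an added illustration of the second stage, not code from the paper: on a constructed three-address IR of a hypothetical parser function, it builds data-dependence edges, slices backward from each security-sensitive sink, and reports which taint sources reach it. The IR format, the instruction names and the source/sink sets are assumptions made for the example.

```python
from collections import defaultdict

# Constructed toy IR of a hypothetical protocol-parser function (assumption).
# Each tuple is (destination, operation, operand names).
TOY_PARSER = [
    ("buf", "recv",   ["sock"]),              # source: bytes read from the network
    ("len", "load",   ["buf"]),               # length field taken from the packet
    ("cfg", "const",  []),                    # untainted constant
    ("dst", "alloca", ["cfg"]),               # fixed-size stack buffer
    ("r",   "memcpy", ["dst", "buf", "len"]), # sink: size is derived from input
]
SOURCES = {"recv"}                            # assumed taint-introducing operations
SINKS = {"memcpy", "strcpy", "sprintf"}       # assumed security-sensitive sinks

def build_data_deps(ir):
    """Data-dependence edges: instruction index -> indices defining its operands."""
    defs, deps = {}, defaultdict(set)
    for i, (dest, _op, operands) in enumerate(ir):
        for name in operands:
            if name in defs:          # operands never defined (e.g. parameters) are ignored
                deps[i].add(defs[name])
        defs[dest] = i                # later definitions shadow earlier ones
    return deps

def backward_slice(deps, sink_idx):
    """Transitive closure of data dependences starting at a sink."""
    seen, work = set(), [sink_idx]
    while work:
        i = work.pop()
        if i in seen:
            continue
        seen.add(i)
        work.extend(deps[i])
    return seen

def tainted_sinks(ir):
    """For every sink, list the taint sources found in its backward slice."""
    deps = build_data_deps(ir)
    findings = []
    for i, (_dest, op, _ops) in enumerate(ir):
        if op in SINKS:
            reach = backward_slice(deps, i)
            sources = sorted(ir[j][1] for j in reach if ir[j][1] in SOURCES)
            findings.append((i, op, sources))
    return findings
```

A sink whose slice contains no source (an empty list) is left out of the candidate set, which is what lets the analysis skip code that whole-program taint tracking would still have to visit.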
