论文信息 - Determining image base of firmware for ARM devices by matching literal pools

Determining image base of firmware for ARM devices by matching literal pools

Abstract In the field of reverse engineering, the correct image base of firmware has very important significance for the reverse engineers to understand the firmware by building accurate cross references. Furthermore, patching firmware needs to insert some instructions that references absolute addresses depending on the correct image base. However, for a large number of embedded system firmwares, the format is nonstandard and the image base is unknown. In this paper, we present a two-step method to determine the image base of firmwares for ARM-based devices. First, based on the storage characteristic of string in the firmware files and the encoding feature of literal pools that contain string addresses, we propose an algorithm called FIND-LP to recognize all possible literal pools in firmware. Second, we propose an algorithm called Determining image Base by Matching Literal Pools (DBMLP) to determine the image base. DBMLP can obtain the relationship between absolute addresses of strings and their corresponding offsets in a firmware file, thereby a candidate list for image base value is obtained. If the number of matched literal pools corresponding to a certain candidate image base is far greater than the others, this candidate is considered as the correct image base of the firmware. The experimental result indicates that the proposed method can effectively determine image base for a lot of firmwares that use the literal pools to store the string addresses.

[1] Stephen Dunlap,et al. An evaluation of modification attacks on programmable logic controllers , 2014, Int. J. Crit. Infrastructure Prot..

[2] Huy Kang Kim,et al. Case study of the vulnerability of OTP implemented in internet banking systems of South Korea , 2014, Multimedia Tools and Applications.

[3] Yuanzhang Li,et al. Descrambling data on solid-state disks by reverse-engineering the firmware , 2015 .

[4] Aurélien Francillon,et al. A Large-Scale Analysis of the Security of Embedded Firmwares , 2014, USENIX Security Symposium.

[5] Luca Bruno,et al. AVATAR: A Framework to Support Dynamic Security Analysis of Embedded Systems' Firmwares , 2014, NDSS.

[6] Salvatore J. Stolfo,et al. When Firmware Modifications Attack: A Case Study of Embedded Exploitation , 2013, NDSS.

[7] Christof Paar,et al. Don't Trust Satellite Phones: A Security Analysis of Two Satphone Standards , 2012, 2012 IEEE Symposium on Security and Privacy.

[8] Juan Lopez,et al. Firmware modification attacks on programmable logic controllers , 2013, Int. J. Crit. Infrastructure Prot..

[9] Jonas Zaddach. Embedded devices security and firmware reverse engineering , 2013 .

[10] Carl D Schuett. Programmable Logic Controller Modification Attacks for use in Detection Analysis , 2014 .