Finding Taint-Style Vulnerabilities in Linux-based Embedded Firmware with SSE-based Alias Analysis

Although the importance of using static analysis to detect taint-style vulnerabilities in Linux-based embedded firmware is widely recognized, existing approaches are plagued by three major limitations. (a) Approaches based on symbolic execution may miss alias information and therefore suffer from a high false-negative rate. (b) Approaches based on VSA (value set analysis) often provide an over-approximate pointer range; as a result, many false positives can be produced. (c) Existing work for detecting taint-style vulnerabilities does not consider indirect call resolution, whereas indirect calls are frequently used in Internet-facing embedded devices; as a result, many false negatives can be produced. In this work, we propose a precise demand-driven flow-, context- and field-sensitive alias analysis approach. Based on this new approach, we also design a novel indirect call resolution scheme. Combined with sanitization rule checking, our solution discovers taint-style vulnerabilities by static taint analysis. We implemented our idea in a prototype called EmTaint and evaluated it against 35 real-world embedded firmware samples from six popular vendors. EmTaint discovered at least 192 bugs, including 41 n-day bugs and 151 0-day bugs. At least 115 CVE/PSV numbers had been allocated from a subset of the reported vulnerabilities at the time of writing. Compared to state-of-the-art tools such as KARONTE and SaTC, EmTaint found significantly more bugs on the same dataset in less time.
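The three limitations above, illustrated by an added toy taint checker that is not part of the paper or of EmTaint: over a constructed three-address IR (statement forms, the sample program and all variable names are assumptions), dropping alias facts or indirect-call targets hides a real tainted flow, while an over-approximate pointer set flags a flow that cannot occur.

```python
from typing import Dict, List, Set, Tuple
# Constructed three-address IR (not EmTaint's). Forms: ("src", x) x gets attacker
# input; ("copy", dst, src); ("addr", p, *vars) p may point to any of vars;
# ("store", p, v) *p = v; ("sink", x) x reaches a dangerous API;
# ("icall", fp, x) fp(x) with fp resolved through a caller-supplied target map.
Stmt = Tuple[str, ...]

def analyze(prog: List[Stmt], icall_targets: Dict[str, Set[str]],
            track_alias: bool = True) -> List[Tuple[int, str]]:
    # Forward taint pass; returns (statement index, kind) for each tainted sink.
    tainted: Set[str] = set()
    points_to: Dict[str, Set[str]] = {}
    alerts: List[Tuple[int, str]] = []
    for i, st in enumerate(prog):
        op = st[0]
        if op == "src":
            tainted.add(st[1])
        elif op == "copy":
            tainted.add(st[1]) if st[2] in tainted else tainted.discard(st[1])
        elif op == "addr":
            points_to[st[1]] = set(st[2:])
        elif op == "store":
            targets = points_to.get(st[1], set()) if track_alias else set()
            if st[2] in tainted:
                tainted |= targets          # every possible pointee becomes tainted
            elif len(targets) == 1:
                tainted -= targets          # strong update only when unambiguous
        elif op == "sink":
            if st[1] in tainted:
                alerts.append((i, "sink"))
        elif op == "icall":
            if "sink" in icall_targets.get(st[1], set()) and st[2] in tainted:
                alerts.append((i, "icall->sink"))
    return alerts

# Input is written through pointer p into buf; buf then reaches a sink directly
# and again through function pointer fp (constructed sample program).
PROG: List[Stmt] = [("src", "input"), ("addr", "p", "buf"),
                    ("store", "p", "input"), ("sink", "buf"), ("icall", "fp", "buf")]
# Same write, but p's pointer set is over-approximated to {buf, cfg}.
OVER: List[Stmt] = [("src", "input"), ("addr", "p", "buf", "cfg"),
                    ("store", "p", "input"), ("sink", "cfg")]

def demo() -> Dict[str, List[Tuple[int, str]]]:
    return {
        "precise": analyze(PROG, {"fp": {"sink"}}),                      # both flows found
        "no_alias": analyze(PROG, {"fp": {"sink"}}, track_alias=False),  # (a) both missed
        "no_icall": analyze(PROG, {}),                                   # (c) icall flow missed
        "overapprox": analyze(OVER, {}),                                 # (b) cfg flagged, cannot happen
    }
```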
