Automatic Inference of Taint Sources to Discover Vulnerabilities in SOHO Router Firmware

Cheng, Kai; Fang, Dufei; Qin, Chuan; Wang, Huizhao; Zheng, Yaowen; Yu, Nan; Sun, Limin

doi:10.1007/978-3-030-78120-0_6

Cited by 3 publications

(6 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…SaTC [12] proposes utilizing shared keyword-aware taint checking to track user input data flow between the front end and back end. Researchers like Liu Lingxiang [13] and Cheng Kai [14] have suggested identifying external data input functions to increase analytical precision. Through our analysis of the associations between the front end and back end, we deduced that boundary binary files, which facilitate data interactions with the front end, exhibit salient HTTP service-related characteristics.…”

Section: Challenges and Methodsmentioning

confidence: 99%

“…Nevertheless, this approach overlooks the fact that user input data are ingested via data import functions, leading to a substantial number of false positives in the analysis. Liu et al [13] and Cheng et al [14] have researched the identification of these external data import functions and have proposed relevant identification techniques.…”

Section: Static Analysis-based Approachesmentioning

confidence: 99%

“…In recent years, considerable work has been carried out on discovering firmware vulnerabilities, including dynamic [2][3][4][5][6][7][8] and static [9][10][11][12][13][14] analyses. Within dynamic analyses, employing emulation techniques for grey-box fuzz testing or conducting black-box fuzz testing on actual physical devices represent mainstream approaches to discovering vulnerability.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

A Vulnerability Scanning Method for Web Services in Embedded Firmware

Ma,

Yan,

Wang

et al. 2024

Applied Sciences

View full text Add to dashboard Cite

As the Internet of Things (IoT) era arrives, the proliferation of IoT devices exposed to the Internet presents a significant challenge to device security. Firmware is software that operates within Internet of Things (IoT) devices, directly governing their behaviors and functionalities. Consequently, the security of firmware is critical to shielding IoT devices from potential threats. In order to enable users to operate a device intuitively, firmware commonly provides a web interface. Consequently, this interface frequently serves as the primary attack goal in Internet of Things (IoT) devices, rendering them susceptible to numerous cyber-attacks. Unfortunately, web services have complex data interactions and implicit dependencies, and it is not easy to balance efficiency and accuracy during the analysis process, leading to heavy overhead. This paper proposes a lightweight vulnerability scanning approach, WFinder, designed explicitly for embedded firmware web services to perform vulnerability checks on backend binary files in firmware. WFinder uses static analysis to focus on identifying vulnerabilities in boundary binary files related to web services in firmware. Initially, the approach identifies boundary binary files and external data entry points based on front-end and back-end associativity features. Subsequently, rules are formulated to filter hazardous functions to narrow the analysis targets. Finally, the method generates sensitive call paths from the external data input points to the hazardous functions and conducts a lightweight taint analysis along these paths to uncover potential vulnerabilities. We implemented a prototype of WFinder and evaluated it on the firmware of ten devices from five well-known manufacturers. We discovered thirteen potential vulnerabilities, eight of which were confirmed by the CNVD, and assigned them CNVD identification numbers. Compared with the most advanced tool, SATC, WFinder was more efficient at discovering more bugs on the test set. These results indicate that WFinder is effective at detecting bugs in embedded web services.

show abstract

Section: Challenges and Methodsmentioning

confidence: 99%

Section: Static Analysis-based Approachesmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A Vulnerability Scanning Method for Web Services in Embedded Firmware

Ma,

Yan,

Wang

et al. 2024

Applied Sciences

View full text Add to dashboard Cite

show abstract

“…In this paper, we focus on taint-style vulnerabilities [5], [11], [4], [3] in Linux-based IoT devices. Figure 1 depicts the scene of taint-style vulnerability: An attacker can access the target device over a local or wide area network and send arbitrary data to the device with no restriction.…”

Section: A Threat Modelmentioning

confidence: 99%

“…In contrast, static analysis has fewer application preconditions that do not depend on a complicated execution environment. Thus, several works utilize static analysis to detect vulnerabilities in firmware [5], [26], [3], [4], [29].…”

Section: Static Analysis In Firmwarementioning

confidence: 99%

Faster and Better: Detecting Vulnerabilities in Linux-based IoT Firmware with Optimized Reaching Definition Analysis

Gao,

Zhang,

Liu

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

IoT devices are often found vulnerable, i.e., untrusted inputs may trigger potential vulnerabilities and flow to sensitive operations in the firmware, which could cause severe damage. As such vulnerabilities are in general taint-style, a promising solution to find them is static taint analysis. However, existing solutions have limited efficiency and effectiveness. In this paper, we propose a new efficient and effective taint analysis solution, namely HermeScan, to discover such vulnerabilities, which utilizes reaching definition analysis (RDA) to conduct taint analysis and gets much fewer false negatives, false positives, and time costs. We have implemented a prototype of HermeScan and conducted a thorough evaluation on two datasets, i.e., one 0-day dataset with 30 latest firmware and one N-day dataset with 98 older firmware, and compared with two state-of-theart (SOTA) solutions, i.e., KARONTE and SaTC. In terms of effectiveness, HermeScan, SaTC, and KARONTE find 163, 32, and 0 vulnerabilities in the 0-day dataset respectively. In terms of accuracy, the true positive rates of HermeScan, SaTC, and KARONTE are 81%, 42%, and 0% in the 0-day dataset. In terms of efficiency, HermeScan is 7.5X and 3.8X faster than SaTC and KARONTE on average in finding 0-day vulnerabilities.

show abstract

Detecting Vulnerabilities in Firmware Via Back-End Differences

Liu,

Wang,

et al. 2024

Preprint

View full text Add to dashboard Cite

Automatic Inference of Taint Sources to Discover Vulnerabilities in SOHO Router Firmware

Cited by 3 publications

References 12 publications

A Vulnerability Scanning Method for Web Services in Embedded Firmware

A Vulnerability Scanning Method for Web Services in Embedded Firmware

Faster and Better: Detecting Vulnerabilities in Linux-based IoT Firmware with Optimized Reaching Definition Analysis

Detecting Vulnerabilities in Firmware Via Back-End Differences

Contact Info

Product

Resources

About