HumIDIFy: A Tool for Hidden Functionality Detection in Firmware

Research output: Chapter in Book/Report/Conference proceedingConference contribution

14 Citations (Scopus)
332 Downloads (Pure)

Abstract

This paper presents a semi-automated approach to detect hidden functionality (such as backdoors) within binaries from consumer off-the-shelf (COTS) embedded device firmware. We build a classifier using semi-supervised learning to infer what kind of functionality a given binary has. We then use this classifier to identify binaries from firmware, so that they may then be compared to an expected functionality profile, which we define by hand for a range of applications. To specify these profiles we have developed a domain specific language called Binary Functionality Description Language (BFDL), which encodes the static analysis passes used to identify specific functionality traits of a binary. Our tool, HumIDIFy achieves a classification accuracy of 96:45% with virtually zero false positives for the most common services. We demonstrate
the applicability of our techniques to large-scale analysis by measuring
performance on a large data set of firmware. From sampling that data set, HumIDIFy identifies a number of binaries containing unexpected functionality,
notably a backdoor in router firmware by Tenda. In addition to this, it is also able to identify backdoors in artificial instances known to contain unexpected functionality in the form of backdoors.
Original languageEnglish
Title of host publication14th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA '17), Proceedings
PublisherSpringer
Pages279-300
Number of pages22
DOIs
Publication statusPublished - 2017
Event14th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA '17) - Bonn, Germany
Duration: 6 Jul 20177 Jul 2017

Publication series

NameLecture Notes in Computer Science
PublisherSpringer
Volume10327
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Conference

Conference14th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA '17)
Country/TerritoryGermany
CityBonn
Period6/07/177/07/17

Fingerprint

Dive into the research topics of 'HumIDIFy: A Tool for Hidden Functionality Detection in Firmware'. Together they form a unique fingerprint.

Cite this