Abstract
This paper presents a semi-automated approach to detect hidden functionality (such as backdoors) within binaries from consumer off-the-shelf (COTS) embedded device firmware. We build a classifier using semi-supervised learning to infer what kind of functionality a given binary has. We then use this classifier to identify binaries from firmware, so that they may be compared to an expected functionality profile, which we define by hand for a range of applications. To specify these profiles we have developed a domain-specific language called Binary Functionality Description Language (BFDL), which encodes the static analysis passes used to identify specific functionality traits of a binary. Our tool, HumIDIFy, achieves a classification accuracy of 96.45% with virtually zero false positives for the most common services. We demonstrate the applicability of our techniques to large-scale analysis by measuring performance on a large data set of firmware. From sampling that data set, HumIDIFy identifies a number of binaries containing unexpected functionality, notably a backdoor in router firmware by Tenda. In addition, it is able to identify backdoors in artificial instances constructed to contain such unexpected functionality.
Original language | English |
---|---|
Title of host publication | 14th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA '17), Proceedings |
Publisher | Springer |
Pages | 279-300 |
Number of pages | 22 |
DOIs | |
Publication status | Published - 2017 |
Event | 14th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA '17) - Bonn, Germany Duration: 6 Jul 2017 → 7 Jul 2017 |
Publication series
Name | Lecture Notes in Computer Science |
---|---|
Publisher | Springer |
Volume | 10327 |
ISSN (Print) | 0302-9743 |
ISSN (Electronic) | 1611-3349 |
Conference
Conference | 14th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA '17) |
---|---|
Country/Territory | Germany |
City | Bonn |
Period | 6/07/17 → 7/07/17 |