Stringer: measuring the importance of static data comparisons to detect backdoors and undocumented functionality

Sam L. Thomas; Tom Chothia; Flavio D. Garcia

doi:10.1007/978-3-319-66399-9_28

Stringer: measuring the importance of static data comparisons to detect backdoors and undocumented functionality

Sam L. Thomas, Tom Chothia, Flavio D. Garcia

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

10 Citations (Scopus)

354 Downloads (Pure)

Abstract

Finding undocumented functionality in commercial off-the-shelf (COTS) device firmware is an important and challenging task. This paper proposes a new static analysis method that measures the influence individual pieces of static data (such as strings) have upon the control flow of binaries in firmware. Our method automatically identifies static data comparison functions within binaries, then labels each function's basic blocks with the set of sequences of static data that must be matched against to reach them. Then using these sets, it assigns a score to each function, which measures the extent to which the function's branching is influenced by static data. Special keywords triggering backdoor functionality will have a large impact on the program flow. This allows us
to identify three authentication backdoors - two of which previously un-
documented. Moreover, we show our method is effective in aiding the
recovery of both previously known and proprietary text-based protocols.
We have developed a tool, Stringer which implements our technique; we
demonstrate the effectiveness of our approach as well as its applicability
to lightweight analysis by running it on a data set of 2,451,532 binaries
from 30 different COTS device vendors.

Original language	English
Title of host publication	Computer Security - ESORICS 2017
Subtitle of host publication	22nd European Symposium on Research in Computer Security, Oslo, Norway, September 11-15, 2017, Proceedings, Part II
Editors	Simon N. Foley, Dieter Gollmann, Einar Snekkenes
Publisher	Springer
Pages	513-531
Number of pages	18
ISBN (Electronic)	978-3-319-66399-9
ISBN (Print)	978-3-319-66398-2
DOIs	https://doi.org/10.1007/978-3-319-66399-9_28
Publication status	E-pub ahead of print - 12 Aug 2017
Event	22nd European Symposium on Research in Computer Security (ESORICS 2017) - Oslo, Norway Duration: 11 Sept 2017 → 15 Sept 2017

Publication series

Name	Lecture Notes in Computer Science
Publisher	Springer
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	22nd European Symposium on Research in Computer Security (ESORICS 2017)
Country/Territory	Norway
City	Oslo
Period	11/09/17 → 15/09/17

Bibliographical note

Part of the Lecture Notes in Computer Science book series (LNCS, volume 10493)

Access to Document

10.1007/978-3-319-66399-9_28Licence: None: All rights reserved

Thomas_et_al_Stringer_measuring_the_importance_of_static_Computer_Security_ESORICS_2017
Checked for eligibility: 05/07/2017 The final publication is available at Springer via http://doi.org/10.1007/978-3-319-66399-9_28
Accepted author manuscript, 416 KBLicence: Other (please specify with Rights Statement)

https://link.springer.com/chapter/10.1007/978-3-319-66399-9_28Licence: None: All rights reserved

Cite this

Thomas, S. L., Chothia, T., & Garcia, F. D. (2017). Stringer: measuring the importance of static data comparisons to detect backdoors and undocumented functionality. In S. N. Foley, D. Gollmann, & E. Snekkenes (Eds.), Computer Security - ESORICS 2017: 22nd European Symposium on Research in Computer Security, Oslo, Norway, September 11-15, 2017, Proceedings, Part II (pp. 513-531). (Lecture Notes in Computer Science). Springer. Advance online publication. https://doi.org/10.1007/978-3-319-66399-9_28

Thomas, Sam L. ; Chothia, Tom ; Garcia, Flavio D. / Stringer: measuring the importance of static data comparisons to detect backdoors and undocumented functionality. Computer Security - ESORICS 2017: 22nd European Symposium on Research in Computer Security, Oslo, Norway, September 11-15, 2017, Proceedings, Part II. editor / Simon N. Foley ; Dieter Gollmann ; Einar Snekkenes. Springer, 2017. pp. 513-531 (Lecture Notes in Computer Science).

@inproceedings{f9d238d0cd6945309637d1229a43497b,

title = "Stringer: measuring the importance of static data comparisons to detect backdoors and undocumented functionality",

abstract = "Finding undocumented functionality in commercial off-the-shelf (COTS) device firmware is an important and challenging task. This paper proposes a new static analysis method that measures the influence individual pieces of static data (such as strings) have upon the control flow of binaries in firmware. Our method automatically identifies static data comparison functions within binaries, then labels each function's basic blocks with the set of sequences of static data that must be matched against to reach them. Then using these sets, it assigns a score to each function, which measures the extent to which the function's branching is influenced by static data. Special keywords triggering backdoor functionality will have a large impact on the program flow. This allows usto identify three authentication backdoors - two of which previously un-documented. Moreover, we show our method is effective in aiding therecovery of both previously known and proprietary text-based protocols.We have developed a tool, Stringer which implements our technique; wedemonstrate the effectiveness of our approach as well as its applicabilityto lightweight analysis by running it on a data set of 2,451,532 binariesfrom 30 different COTS device vendors.",

author = "Thomas, {Sam L.} and Tom Chothia and Garcia, {Flavio D.}",

note = "Part of the Lecture Notes in Computer Science book series (LNCS, volume 10493); 22nd European Symposium on Research in Computer Security (ESORICS 2017) ; Conference date: 11-09-2017 Through 15-09-2017",

year = "2017",

month = aug,

day = "12",

doi = "10.1007/978-3-319-66399-9_28",

language = "English",

isbn = "978-3-319-66398-2",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "513--531",

editor = "Foley, {Simon N.} and Dieter Gollmann and Einar Snekkenes",

booktitle = "Computer Security - ESORICS 2017",

}

Thomas, SL, Chothia, T & Garcia, FD 2017, Stringer: measuring the importance of static data comparisons to detect backdoors and undocumented functionality. in SN Foley, D Gollmann & E Snekkenes (eds), Computer Security - ESORICS 2017: 22nd European Symposium on Research in Computer Security, Oslo, Norway, September 11-15, 2017, Proceedings, Part II. Lecture Notes in Computer Science, Springer, pp. 513-531, 22nd European Symposium on Research in Computer Security (ESORICS 2017), Oslo, Norway, 11/09/17. https://doi.org/10.1007/978-3-319-66399-9_28

Stringer: measuring the importance of static data comparisons to detect backdoors and undocumented functionality. / Thomas, Sam L.; Chothia, Tom ; Garcia, Flavio D.
Computer Security - ESORICS 2017: 22nd European Symposium on Research in Computer Security, Oslo, Norway, September 11-15, 2017, Proceedings, Part II. ed. / Simon N. Foley; Dieter Gollmann; Einar Snekkenes. Springer, 2017. p. 513-531 (Lecture Notes in Computer Science).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Stringer: measuring the importance of static data comparisons to detect backdoors and undocumented functionality

AU - Thomas, Sam L.

AU - Chothia, Tom

AU - Garcia, Flavio D.

N1 - Part of the Lecture Notes in Computer Science book series (LNCS, volume 10493)

PY - 2017/8/12

Y1 - 2017/8/12

N2 - Finding undocumented functionality in commercial off-the-shelf (COTS) device firmware is an important and challenging task. This paper proposes a new static analysis method that measures the influence individual pieces of static data (such as strings) have upon the control flow of binaries in firmware. Our method automatically identifies static data comparison functions within binaries, then labels each function's basic blocks with the set of sequences of static data that must be matched against to reach them. Then using these sets, it assigns a score to each function, which measures the extent to which the function's branching is influenced by static data. Special keywords triggering backdoor functionality will have a large impact on the program flow. This allows usto identify three authentication backdoors - two of which previously un-documented. Moreover, we show our method is effective in aiding therecovery of both previously known and proprietary text-based protocols.We have developed a tool, Stringer which implements our technique; wedemonstrate the effectiveness of our approach as well as its applicabilityto lightweight analysis by running it on a data set of 2,451,532 binariesfrom 30 different COTS device vendors.

AB - Finding undocumented functionality in commercial off-the-shelf (COTS) device firmware is an important and challenging task. This paper proposes a new static analysis method that measures the influence individual pieces of static data (such as strings) have upon the control flow of binaries in firmware. Our method automatically identifies static data comparison functions within binaries, then labels each function's basic blocks with the set of sequences of static data that must be matched against to reach them. Then using these sets, it assigns a score to each function, which measures the extent to which the function's branching is influenced by static data. Special keywords triggering backdoor functionality will have a large impact on the program flow. This allows usto identify three authentication backdoors - two of which previously un-documented. Moreover, we show our method is effective in aiding therecovery of both previously known and proprietary text-based protocols.We have developed a tool, Stringer which implements our technique; wedemonstrate the effectiveness of our approach as well as its applicabilityto lightweight analysis by running it on a data set of 2,451,532 binariesfrom 30 different COTS device vendors.

U2 - 10.1007/978-3-319-66399-9_28

DO - 10.1007/978-3-319-66399-9_28

M3 - Conference contribution

SN - 978-3-319-66398-2

T3 - Lecture Notes in Computer Science

SP - 513

EP - 531

BT - Computer Security - ESORICS 2017

A2 - Foley, Simon N.

A2 - Gollmann, Dieter

A2 - Snekkenes, Einar

PB - Springer

T2 - 22nd European Symposium on Research in Computer Security (ESORICS 2017)

Y2 - 11 September 2017 through 15 September 2017

ER -

Thomas SL, Chothia T , Garcia FD. Stringer: measuring the importance of static data comparisons to detect backdoors and undocumented functionality. In Foley SN, Gollmann D, Snekkenes E, editors, Computer Security - ESORICS 2017: 22nd European Symposium on Research in Computer Security, Oslo, Norway, September 11-15, 2017, Proceedings, Part II. Springer. 2017. p. 513-531. (Lecture Notes in Computer Science). Epub 2017 Aug 12. doi: 10.1007/978-3-319-66399-9_28

Stringer: measuring the importance of static data comparisons to detect backdoors and undocumented functionality

Abstract

Publication series

Conference

Bibliographical note

Access to Document

Fingerprint

Cite this