Stringer: measuring the importance of static data comparisons to detect backdoors and undocumented functionality

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Finding undocumented functionality in commercial off-the-shelf (COTS) device firmware is an important and challenging task. This paper proposes a new static analysis method that measures the influence individual pieces of static data (such as strings) have upon the control flow of binaries in firmware. Our method automatically identifies static data comparison functions within binaries, then labels each function's basic blocks with the set of sequences of static data that must be matched against to reach them. Then, using these sets, it assigns a score to each function, which measures the extent to which the function's branching is influenced by static data. Special keywords triggering backdoor functionality will have a large impact on the program flow. This allows us to identify three authentication backdoors, two of which were previously undocumented. Moreover, we show our method is effective in aiding the recovery of both previously known and proprietary text-based protocols. We have developed a tool, Stringer, which implements our technique; we demonstrate the effectiveness of our approach as well as its applicability to lightweight analysis by running it on a data set of 2,451,532 binaries from 30 different COTS device vendors.

Bibliographic note

Part of the Lecture Notes in Computer Science book series (LNCS, volume 10493)

Details

Original language: English
Title of host publication: Computer Security - ESORICS 2017
Subtitle of host publication: 22nd European Symposium on Research in Computer Security, Oslo, Norway, September 11-15, 2017, Proceedings, Part II
Editors: Simon N. Foley, Dieter Gollmann, Einar Snekkenes
Publication status: E-pub ahead of print - 12 Aug 2017
Event: 22nd European Symposium on Research in Computer Security (ESORICS 2017) - Oslo, Norway
Duration: 11 Sep 2017 to 15 Sep 2017

Publication series

Name: Lecture Notes in Computer Science
Publisher: Springer
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 22nd European Symposium on Research in Computer Security (ESORICS 2017)
Country: Norway
City: Oslo
Period: 11/09/17 to 15/09/17