Abstract
Finding undocumented functionality in commercial off-the-shelf (COTS) device firmware is an important and challenging task. This paper proposes a new static analysis method that measures the influence individual pieces of static data (such as strings) have upon the control flow of binaries in firmware. Our method automatically identifies static data comparison functions within binaries, then labels each function's basic blocks with the set of sequences of static data that must be matched against to reach them. Then, using these sets, it assigns a score to each function, which measures the extent to which the function's branching is influenced by static data. Special keywords triggering backdoor functionality will have a large impact on the program flow. This allows us to identify three authentication backdoors, two of which were previously undocumented. Moreover, we show our method is effective in aiding the recovery of both previously known and proprietary text-based protocols. We have developed a tool, Stringer, which implements our technique; we demonstrate the effectiveness of our approach as well as its applicability to lightweight analysis by running it on a data set of 2,451,532 binaries from 30 different COTS device vendors.
Original language | English |
---|---|
Title of host publication | Computer Security - ESORICS 2017 |
Subtitle of host publication | 22nd European Symposium on Research in Computer Security, Oslo, Norway, September 11-15, 2017, Proceedings, Part II |
Editors | Simon N. Foley, Dieter Gollmann, Einar Snekkenes |
Publisher | Springer |
Pages | 513-531 |
Number of pages | 18 |
ISBN (Electronic) | 978-3-319-66399-9 |
ISBN (Print) | 978-3-319-66398-2 |
DOIs | |
Publication status | E-pub ahead of print - 12 Aug 2017 |
Event | 22nd European Symposium on Research in Computer Security (ESORICS 2017) - Oslo, Norway Duration: 11 Sept 2017 → 15 Sept 2017 |
Publication series
Name | Lecture Notes in Computer Science |
---|---|
Publisher | Springer |
ISSN (Print) | 0302-9743 |
ISSN (Electronic) | 1611-3349 |
Conference
Conference | 22nd European Symposium on Research in Computer Security (ESORICS 2017) |
---|---|
Country/Territory | Norway |
City | Oslo |
Period | 11/09/17 → 15/09/17 |