
Research On Key Technologies Of Automatic Vulnerability Detection For Embedded Devices

Posted on: 2022-03-07
Degree: Doctor
Type: Dissertation
Country: China
Candidate: C Chen
Full Text: PDF
GTID: 1488306326979519
Subject: Information security

Abstract/Summary:
With the development of the Internet of Things and communication technology, embedded devices are increasingly used in daily life, industry, national defense, medicine and other applications. Embedded devices usually interact with the external physical world, which brings considerable security risks: attackers can invade and damage devices through their external communication interfaces. An increasing number of embedded devices have exposed security vulnerabilities. If these vulnerabilities are maliciously exploited, they may cause abnormal operation or illegal control of equipment and property loss, threatening personal safety, public-facility safety and political safety to varying degrees. Therefore, the security of embedded systems deserves more attention, and research on automatic vulnerability detection technology for embedded devices has become particularly important.

Automatic vulnerability detection for embedded devices is mainly based on fuzzing. The goal of fuzzing is to find as many software crashes as possible through continuous testing; the technique applies not only to traditional software but also to embedded devices. To improve test efficiency, researchers use code instrumentation to obtain and analyze runtime information dynamically and guide the testing process, but current instrumentation techniques are difficult to use effectively on resource-limited embedded devices. Additionally, the low efficiency of high-quality sample generation in fuzzing is one of the factors restricting vulnerability detection for embedded devices. This thesis studies code instrumentation and fuzzing. The details are as follows.

1. Firmware dynamic instrumentation based on ptrace and static analysis

Dynamic instrumentation analyzes runtime information by inserting analysis code while the program is running. Applied to embedded devices, it faces two problems: first, traditional dynamic instrumentation relies on many operating system interfaces and powerful hardware resources, which most embedded devices cannot provide because of their limited software and hardware resources; second, traditional dynamic instrumentation causes a large loss of runtime performance because of real-time analysis. This thesis proposes a general dynamic instrumentation technique for embedded devices. It uses the ptrace system call to control the running firmware process, and leverages static analysis to move part of the dynamic analysis work to before execution, reducing the performance loss at runtime. The experimental results show that the performance loss of this technique is lower than that of Pin, Valgrind and DynamoRIO when the number of instrumentation points is less than 400. The technique is simple and universal and can be effectively applied to runtime analysis of embedded devices when the scale of instrumentation is limited.

2. Firmware static instrumentation based on context maintenance code separation

Dynamic instrumentation for embedded devices reduces runtime efficiency because the inserted code and the original code run in different processes. This thesis proposes a static instrumentation method that rearranges the inserted code by separating the context maintenance code, merges the inserted code into the same process space without changing the original program logic, and writes it directly into the binary. The experimental results show that the code expansion caused by this technique is 3.3% to 15.4% of that caused by Dyninst, and the time loss is 0.8% to 63.7% of that caused by DynamoRIO, Valgrind and Dyninst. No obvious time loss from instrumentation was observed on the actual embedded device in the experiment. The method is suitable for real-time analysis on embedded devices, whose hardware and software resources are limited.

3. Coverage-guided fuzzing based on the fireworks algorithm

Traditional fuzzing increases the probability of detecting vulnerabilities by improving edge coverage, but because it lacks edge perception, the quality of the generated test samples is not high. To solve this problem, a coverage-guided fuzzing method is proposed. The method uses model constraint technology and the fireworks algorithm to balance the execution strength across edges: it allocates more computing resources to less frequently executed edges to raise the probability of executing new edges. The experimental results show that the edge coverage achieved by this technique is 2.0% to 67.8% higher than that of Peach, AFL and AFLFast, and the number of triggered vulnerabilities is 1.3 to 4 times that of the three fuzzers. The technique can be effectively applied to vulnerability detection for embedded devices by using the firmware instrumentation tools to obtain real-time information.

4. Target-guided fuzzing based on particle swarm optimization

The sample generation algorithms used in current target-guided fuzzing suffer from weak guidance and poor sample penetration. This thesis proposes a target-guided fuzzing technique based on particle swarm optimization. By quickly learning the features of high-quality samples and passing them on to new samples, combined with model constraint technology, the penetration ability of mutated samples is improved and the testing is automatically guided toward the vulnerable point. The experimental results show that the number of high-quality samples generated by PSOFuzzer is 1.1 to 47.8 times higher than AFLGo and Sidewinder, and the probability of triggering a vulnerability is 79% and 423% higher than AFLGo and Sidewinder, respectively. Combined with the firmware instrumentation technology, this technique can be used for vulnerability detection and verification on embedded devices.
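The edge-balancing idea behind the fireworks-based fuzzing in contribution 3, as an added example that is not the thesis's or PSOFuzzer's code: seeds are treated as fireworks, each seed's fitness is a rarity score over the edges it executed (my assumed mapping, the abstract does not give the thesis's exact model), and the fireworks algorithm's spark-count and amplitude formulas give seeds that reach under-executed edges more mutants and a smaller mutation radius. The seed names, edge tuples and parameter values are constructed.

```python
"""Fireworks-style budget allocation for coverage-guided fuzzing.
Seeds are the fireworks; fitness rewards rarely executed edges; the fireworks
algorithm's spark and amplitude formulas then give seeds that reach such edges
more mutants and a smaller mutation radius."""
import random
from collections import Counter

EPS = 1e-9  # keeps the formulas defined when every seed has equal fitness

def seed_fitness(seed_edges):
    """Fitness per seed: sum over its edges of 1/(seeds executing that edge).
    This rarity scoring is an assumption of the example, not the thesis's model."""
    counts = Counter()
    for edges in seed_edges.values():
        counts.update(set(edges))
    return {s: sum(1.0 / counts[e] for e in set(edges))
            for s, edges in seed_edges.items()}

def spark_budget(fit, m=100, a=0.04, b=0.8):
    """Mutants per seed: FWA spark count m*(f_i - y_min + eps)/sum_j(f_j - y_min),
    clamped to [round(a*m), round(b*m)] so no seed starves or takes the whole run."""
    y_min = min(fit.values())
    denom = sum(f - y_min for f in fit.values()) + EPS
    lo, hi = round(a * m), round(b * m)
    return {s: int(min(max(round(m * (f - y_min + EPS) / denom), lo), hi))
            for s, f in fit.items()}

def mutation_amplitude(fit, a_hat=16):
    """Bytes changed per mutant: FWA amplitude, smaller for fitter seeds (min 1)."""
    y_max = max(fit.values())
    denom = sum(y_max - f for f in fit.values()) + EPS
    return {s: max(1, round(a_hat * (y_max - f + EPS) / denom))
            for s, f in fit.items()}

def make_sparks(data, n, amplitude, rng_seed=0):
    """Generate n mutants of data, each with `amplitude` random bytes replaced."""
    rng, sparks = random.Random(rng_seed), []
    for _ in range(n):
        buf = bytearray(data)
        for pos in rng.sample(range(len(buf)), min(amplitude, len(buf))):
            buf[pos] = rng.randrange(256)
        sparks.append(bytes(buf))
    return sparks

# Constructed sample corpus: the (src, dst) edges each seed covered when run.
SAMPLE_EDGES = {
    "seed_a": [(1, 2), (2, 3), (3, 4)],
    "seed_b": [(1, 2), (2, 3), (3, 5)],
    "seed_c": [(1, 2), (2, 6), (6, 7), (7, 8)],  # mostly edges no other seed hits
    "seed_d": [(1, 2), (2, 3), (3, 4)],          # same coverage as seed_a
}
```

With the sample corpus, seed_c (three edges nobody else executes) receives the maximum 80 of 100 sparks with a one-byte radius, while the duplicated seed_a and seed_d get only the 4-spark floor.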
Keywords/Search Tags: Embedded device, dynamic instrumentation, static instrumentation, fuzzing, fireworks algorithm, particle swarm optimization algorithm