
Research On Techniques Of Firmware Control Flow Graph Recovery

Posted on: 2013-09-25 | Degree: Master | Type: Thesis
Country: China | Candidate: C Cui | Full Text: PDF
GTID: 2248330395480588 | Subject: Computer software and theory
Abstract/Summary:
Firmware control flow graph recovery is an important component of firmware reverse analysis and underpins firmware analysis as a whole. It is also a key approach for security detection, intellectual property protection, and maintenance of legacy systems. Research on techniques of firmware control flow graph recovery is therefore of great practical significance.

Taking research on National 863 Project 2009AA01Z434 as its background, this thesis is mainly concerned with firmware disassembly, control flow graph recovery and visualization, with firmware in electronic equipment as its object of study. The design and implementation of a control flow graph recovery prototype system is also discussed. The major contributions and innovations of this thesis are as follows:

1. A path-driven technique of firmware control flow graph recovery is proposed. To address the path coverage problem in dynamic control flow graph recovery, this technique runs the analyzed program in a controllable simulated environment with a state saving and restoring mechanism, and forces the program down branches that the current input would not reach by automatically modifying the program counter. The path coverage rate of firmware control flow graph recovery is thereby increased. Compared with dynamic control flow graph recovery techniques that depend on constraint solving, this technique avoids complex constraint solving and is concise, efficient and readily extensible. Experiments demonstrate that the path-driven technique effectively increases the coverage rate of firmware control flow graph recovery.

2. A technique of firmware static control flow graph recovery based on interrupt vector table reconstruction is proposed. Exploiting the characteristics of the interrupt vector table in firmware, this technique acquires the control flow information of the available interrupt subprograms by searching the interrupt vector table for valid interrupt vectors. Experimental results indicate that the precision of firmware static control flow graph recovery is increased by 8.72% on average compared with current algorithms.

3. A prototype system of firmware control flow graph recovery, named fw-CFGRecovery, is designed and implemented. The prototype system performs acquisition of control flow information and construction and visualization of the control flow graph. It has been applied in the National 863 Project. Experiments demonstrate that the firmware control flow graph recovery techniques proposed in this thesis are valid and effective.
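The interrupt vector table step of contribution 2, as an added example that is not code from the thesis or from fw-CFGRecovery: it assumes a Cortex-M style vector table at the start of the image and a constructed flash mapping, and it turns every valid slot into an extra root for static control flow graph recovery, so interrupt handlers that no instruction reachable from the reset vector ever branches to are still disassembled.

```python
import struct

# Assumed memory layout (constructed for this example, not from the thesis):
# the image is mapped at FLASH_BASE and its first words form the vector table.
FLASH_BASE = 0x0800_0000
FLASH_SIZE = 0x1000
UNUSED = {0x0000_0000, 0xFFFF_FFFF}   # erased or never-populated slots


def parse_vector_table(image, num_vectors=8,
                       flash_base=FLASH_BASE, flash_size=FLASH_SIZE):
    """Return (initial_sp, entry_points, skipped).

    entry_points: sorted, de-duplicated handler addresses (Thumb bit cleared)
                  to use as roots for static CFG recovery alongside reset.
    skipped:      (slot, raw_value, reason) for slots that are not valid vectors,
                  so the analyst can see why a slot contributed no root.
    """
    words = struct.unpack_from(f"<{num_vectors}I", image, 0)
    initial_sp = words[0]                 # slot 0 is the initial stack pointer
    entry_points, skipped = set(), []
    for slot, raw in enumerate(words[1:], start=1):
        if raw in UNUSED:
            skipped.append((slot, raw, "unused"))
        elif raw & 1 == 0:                # Cortex-M handlers carry the Thumb bit
            skipped.append((slot, raw, "thumb bit clear"))
        elif not flash_base <= (raw & ~1) < flash_base + flash_size:
            skipped.append((slot, raw, "outside flash"))
        else:
            entry_points.add(raw & ~1)    # several slots may share one handler
    return initial_sp, sorted(entry_points), skipped


def build_sample_image():
    """Constructed image: SP, reset, two slots sharing a default handler,
    an erased slot, a vector outside flash, an even (non-Thumb) address,
    and one more distinct handler. Code bytes after the table are padding."""
    vectors = [0x2000_8000, 0x0800_0041, 0x0800_0101, 0x0800_0101,
               0xFFFF_FFFF, 0x1234_5679, 0x0800_0200, 0x0800_0181]
    return struct.pack("<8I", *vectors) + b"\x00" * 32


if __name__ == "__main__":
    sp, roots, skipped = parse_vector_table(build_sample_image())
    print(f"initial SP: {sp:#010x}")
    print("CFG roots:", [f"{r:#010x}" for r in roots])
    for slot, raw, reason in skipped:
        print(f"slot {slot}: {raw:#010x} skipped ({reason})")
```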
Keywords/Search Tags: Firmware, Reverse Analysis, Control Flow Graph Recovery, Interrupt Vector Table, Path-Driven