Research On Embedded Operating System Identification Technology Oriented Firmware

Reverse analysis of operating systems in firmware of embedded equipment is an importantpart in the reverse anatomizing of embedded equipments. Identify the type of operating systemand the version of kernel the firmware used is a necessary precondition. So it plays an importantsignificance to study on the operation system identification technology of embedded firmware.First of all, this thesis narrates the structure of the embedded operating system firmware, thestorage mechanism and the reverse analysis method of the firmware. On this basis, a frameworkof embedded operating system identification is proposed. The framework is divided into threeparts as the separation and reverse analysis of firmware image, the operating system typeidentification and the kernel version identification. The separation and reverse analysis offirmware image complete the work separating the system code and abstracting the basicfirmware information. It provides the basic data for identification. For the operating system typeidentification, an identification technique based on Multi-attribute Decision Making is proposed.On the basis of abstracting the multi-features of firmware, using a database of the operatingsystem type identification built beforehand, by system filtering and similarity decision to identifythe operating system type of the firmware to be identified. For the kernel version identification,an identification technique based on kernel similarity is proposed. Match the functions of thekernel to be identified and all standard kernels using FLIRT and improved structural comparison,and then calculate the similarity between kernel to be identified and all standard kernelsaccording to the functions count matched. At last, determine the version according to thedistribution of the similarity.On the basis, designs and realizes a prototype system of operating system identification.The system is tested with a group of different types of operating system firmwares. The testingresults show that the system can accurately and effectively accomplish the operating system typeand kernel version identification work.