
Research on Memory Vulnerability Mining for Lightweight IoT Device Firmware

Posted on: 2020-09-04
Degree: Master
Type: Thesis
Country: China
Candidate: L P Zhu
Full Text: PDF
GTID: 2428330602452249
Subject: Engineering

Abstract/Summary:
With the rapid development of the IoT industry, the security of IoT devices is receiving more and more attention from security researchers. However, current approaches based on firmware emulation or symbolic execution are hampered when applied to lightweight IoT devices, for the following reasons: (1) it is challenging to acquire the firmware images or source code of lightweight devices; (2) the file formats and loading rules of lightweight IoT device firmware are not uniform; (3) lightweight IoT device firmware images lack symbol information; (4) it is hard to emulate the firmware images because the custom and proprietary hardware components cannot be accessed. To address these four problems in the research field of lightweight IoT device firmware, we propose a novel approach and implement a detection tool for memory corruption in lightweight IoT device firmware images. Specifically, the contributions and work are as follows:

We propose a novel approach for firmware acquisition. The key idea is to construct software that simulates the IoT device in its interaction with the cloud and tricks the cloud into sending the firmware images by reporting an outdated firmware version. Firstly, we review the code provided by the IoT solution company and its cooperating hardware vendors; from it we obtain the communication protocol between the cloud, the device and the app. Then we construct a software simulator, called the phantom device, that can be authenticated and authorized by the cloud. Through it we report a modified device configuration to trick the cloud into sending the firmware download link, and the firmware images are acquired through that link. Finally, we collected 193 firmware images from 3 platforms. Combined with web crawlers and extraction from apps, we collected 318 firmware images in total.

We propose a novel memory corruption detection framework for lightweight IoT device firmware. In order to reduce interference from the binary file, we leverage a partition information and loading address determination approach based on character feature matching. Meanwhile, we recompile the device SDK according to the chip information in the firmware and perform library function identification to complete the missing symbol information, such as function names. After that, we generate the complete CFG of the firmware and leverage a backward code slicing method based on the CFG to obtain code snippets that contain a full path from the attacker-controlled data source to the vulnerability trigger point. Lastly, we perform dynamic symbolic execution on the code snippets to emulate the firmware. During the execution, fuzzing is carried out to detect memory corruption vulnerabilities.

We implement a detection tool named FIoT. We systematically evaluate this tool on the reliability of firmware acquisition, the accuracy of library function identification, and the effectiveness of vulnerability detection. The library function identification experiment on 40 firmware images reports that, compared to existing tools, the library function identification rate of FIoT has been increased to 31.8%, and the accuracy reaches 100% by manual verification. We also evaluate it with 115 firmware images: it successfully detected stack overflow vulnerabilities in 35 firmware images, with a false positive rate of 0%. We conduct an experiment to validate the time cost of FIoT. The experiment reports that FIoT is able to complete memory corruption detection on a single firmware image within 210 seconds on average, so the performance overhead of FIoT is reasonable and acceptable.
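As an added illustration of the loading address determination step for a raw, symbol-less image (example code written for this page, not part of the thesis or the FIoT tool): one common reading of "character feature matching" is to correlate 32-bit words that look like absolute pointers with the offsets of NUL-terminated strings and pick the candidate base address with the most hits. The firmware blob below is a constructed sample and the candidate base list is an assumption.

```python
import re
import struct

def string_offsets(blob: bytes, min_len: int = 4) -> set:
    """Offsets where printable, NUL-terminated ASCII strings start in the image."""
    pattern = rb"[\x20-\x7e]{%d,}\x00" % min_len
    return {m.start() for m in re.finditer(pattern, blob)}

def score_base(blob: bytes, base: int, strings: set) -> int:
    """Count aligned little-endian words that, read as absolute pointers under
    `base`, land exactly on the start of a string. A correct base yields many
    such hits; a wrong base yields almost none."""
    hits = 0
    for off in range(0, len(blob) - 3, 4):
        word = struct.unpack_from("<I", blob, off)[0]
        if base <= word < base + len(blob) and (word - base) in strings:
            hits += 1
    return hits

def find_load_address(blob: bytes, candidates) -> tuple:
    """Return (best_base, hit_count) over the candidate base addresses."""
    strings = string_offsets(blob)
    scored = [(score_base(blob, b, strings), b) for b in candidates]
    best_score, best_base = max(scored)
    return best_base, best_score

def build_sample_image(base: int) -> bytes:
    """Constructed sample: a string table followed by an aligned pointer table
    whose entries are absolute addresses of those strings under `base`."""
    table = [b"WIFI_CONNECT\x00", b"OTA update failed\x00", b"cmd=%s\x00"]
    str_blob = b"".join(table)
    offsets, pos = [], 0
    for s in table:
        offsets.append(pos)
        pos += len(s)
    pad = (-len(str_blob)) % 4  # keep the pointer table 4-byte aligned
    ptrs = b"".join(struct.pack("<I", base + o) for o in offsets)
    return str_blob + b"\x00" * pad + ptrs

if __name__ == "__main__":
    image = build_sample_image(0x08000000)
    # Assumed candidate bases, e.g. flash and RAM windows of a Cortex-M class chip
    print(find_load_address(image, [0x0, 0x08000000, 0x08004000, 0x20000000]))
```

On real images the candidate set is usually derived from the chip's memory map, and a clear winner among the candidates is the signal that the base is right.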
Keywords/Search Tags: Internet of Things, Firmware Analysis, Memory Corruption, Symbolic Execution, Fuzzing