| Internet of Things(IoT)devices have been widely used in various application scenarios such as smart grid,smart home,smart medical and smart transportation,and have become an important part of life,production and smart cities.However,with the rapid development of the IoT,IoT network security incidents also emerge endlessly,and IoT devices have suffered network attacks and illegal controls,which seriously affect the safety and privacy of enterprises and users.The IoT firmware carries the core functions of the IoT devices.The vulnerability analysis of the IoT firmware is an effective method to study and explore the security issues of the IoT device.Due to the fact that instruction sets,operating systems,and application components are heterogeneous and diverse in existing IoT devices,the known sandbox and fuzzing methods of common platforms cannot be directly applied to the vulnerability analysis of IoT firmware.Therefore,manual analysis of the firmware is implemented by security researchers themselves,which makes the vulnerability analysis of IoT firmware slowly and incompletely.Meanwhile,there is no systematic assessment for the vulnerability status of individual firmware.Aiming at the above problems,this thesis specifically studies the vulnerability analysis of IoT firmware.The main contributions are as follows:1.The thesis analyzes the instances of vulnerability in the IoT firmware,and constructs a system that based on fuzzy analytic hierarchy process for evaluating firmware vulnerability.From the perspective of firmware system level,component level and service level,the firmware vulnerability assessment standards are established from 38 dimensions,including passwords,credentials,key system information,firmware updates,vulnerable services and components,etc.Furthermore,we establish a firmware vulnerability evaluation system and grade the assessment for the vulnerability status of firmware by utilizing fuzzy analytic hierarchy process evaluation method.The feasibility and effectiveness of the evaluation method is verified by static analysis of the firmware instances.2.Based on the IoT firmware vulnerability assessment standard,an automated analysis process for firmware vulnerability is proposed.Aiming at the differences in compression formats and file systems of different firmware,this thesis determines the firmware vulnerability information at all levels,where the information can be automatically extracted.And this thesis also designs an architecture and function modules of the firmware vulnerability analysis system.Which supports functions including automatic identification of firmware format,automatic decompression of firmware,file system-level vulnerability analysis,component-level vulnerability analysis,and automatic report generation.3.The thesis develops an IoT firmware vulnerability analysis system,which is based on a browser-server architecture.After users upload the analyzed firmware files through the Web interface,the back end of the system generates the firmware analysis report by extracting firmware metadata,automatically decompressing firmware,firmware vulnerability analysis and formatting vulnerability information,which is available for users to download on the front page.Finally,the thesis uses the developed system to analyze a large number of firmware files,and analyzes the hidden safety issues of homologically different components in different firmware files. |
PDF Full Text Request