| With the rapid development of information technology,IoT devices are widely used in people’s lives.However,while IoT devices are developing rapidly,their security is also under constant challenge.Firmware is the core part of the software system of IoT devices,and the security threat to firmware is further aggravated,as of now,there are many kinds of firmware and different architectures,there is no common way to represent firmware in the industry,and the related technology about firmware vulnerability mining is fragmented and unsystematic,so it is impossible to conduct comprehensive security testing on firmware,and there is an overall lack of a set of effective,systematic,and universal security analysis theories and methods for firmware security analysis.The overall lack of a set of effective,systematic and universal security analysis theories and methodologies for firmware security analysis,researchers often rely on experience to conduct security analysis of firmware.In this paper,the firmware of IoT devices is used as the research object,and the firmware security attributes and related technologies used in the process of firmware vulnerability mining are comprehensively analyzed.Firstly,this paper analyzes the structure and characteristics of firmware,and proposes a generic representation technique of firmware security attributes based on normalized representation,which extracts the security features of firmware from its attribute information and system architecture,and represents the firmware in the form of firmware security attribute vector.Secondly,this paper researches and analyzes the current mainstream firmware vulnerability mining techniques,and classifies the pre-requisites of using vulnerability mining techniques or tools,output results,technical costs and other factors according to different detection levels.A feasible firmware vulnerability mining technique selection model based on firmware security attribute association modeling is proposed,which can select executable vulnerability mining techniques based on firmware security attributes.Then the EW-AHP-based multidimensional optimization recommendation model for firmware vulnerability mining solution is proposed,which proposes a set of evaluation system to evaluate vulnerability mining techniques,and combines EW-AHP analysis to determine the weights of the multidimensional evaluation system to realize the merit combination from feasible techniques into a comprehensive vulnerability mining solution.Finally,a firmware vulnerability mining scheme generation prototype system is designed and implemented,which can generate the optimal vulnerability mining scheme based on the target firmware characteristics in a targeted manner to guide researchers in firmware vulnerability mining.The system is also tested by selecting the firmware of real devices to prove the feasibility of the model. |
PDF Full Text Request