Research On Dynamic And Static Detection Technology For Firmware Vulnerability

Posted on: 2024-08-31
Degree: Master
Type: Thesis
Country: China
Candidate: X Wang
GTID: 2568307124974739
Subject: Computer application technology

Abstract/Summary:
In recent years, IoT has seen rapid development at home and abroad and has been widely used in many fields such as intelligent logistics, intelligent transportation, intelligent security, intelligent healthcare, intelligent manufacturing and intelligent home. With the increasing demand for large-scale deployment of IoT, its security is also receiving more and more attention. Firmware is the underlying software of IoT, responsible for the initialization of IoT devices and the control of various system functions. Attackers can exploit firmware vulnerabilities to attack IoT devices and achieve remote control of, or damage to, those devices. Therefore, firmware security is the core of IoT security. In this paper, we conduct an in-depth study of detection methods for IoT firmware vulnerabilities, covering both static detection and dynamic detection. Our main research work and contributions are as follows:

(1) We first review the development of firmware vulnerability detection and classify firmware vulnerability detection methods into two categories, static detection and dynamic detection, based on whether the firmware needs to be actually run. We then survey the existing firmware vulnerability detection tools in terms of static and dynamic detection, respectively. For static detection, homology detection tools based on data flow, graph, distance and symbolic execution are analyzed in detail; for dynamic detection, dynamic detection tools based on partial and full simulation are analyzed in detail. The current state of research and the current problems in the firmware vulnerability detection domain are discussed, and future research directions for firmware vulnerability detection are presented. In addition, the principles of the relevant techniques used in this paper are presented in detail.

(2) We propose a dynamic detection tool for firmware vulnerabilities, SAB-FirmAFL, which combines an improved Bidirectional Gate Recurrent Unit (BGRU) with Firm-AFL. We find that, due to limitations in the working mechanism of fuzzers, the fuzzing process of Firm-AFL for firmware has problems such as low rate and poor coverage. Inspired by machine translation, and based on the variable length of the seed input file and the close connection between its preceding and following content, this paper treats the firmware binary program as a language, introduces a BGRU model combining a self-attention mechanism and a sparrow search algorithm, and embeds it into Firm-AFL. First, we enhance the BGRU model's ability to learn the relationship between preceding and following content in the seed file by introducing the attention mechanism. We then optimize the hyperparameters of the model with the sparrow search algorithm to improve its efficiency and accuracy. Finally, we train the model to learn the vulnerability and coverage features of the seed file and to predict the effective mutation locations in the file, and embed it into Firm-AFL to increase Firm-AFL's detection efficiency and mining capability for firmware vulnerabilities.

(3) We propose a static detection method based on semantic information and control flow graph similarity to detect firmware vulnerabilities. Although dynamic detection can detect unknown vulnerabilities in firmware, it is difficult for it to cover all the code of the firmware binary, so it may miss many problematic code regions, leading to problems such as a low recall rate. To address this problem, this paper proposes, while performing dynamic detection of the firmware, to use the structure2vec model to learn semantic features of binary functions based on the firmware Control Flow Graph (CFG) and data dependencies, and to compare them with known vulnerable functions to obtain a function semantic similarity score. A Graph Convolutional Network (GCN) is then used to learn the graph features of the CFG, and a graph structure similarity score is obtained by comparing the graph features of the target binary function and the vulnerable function. Finally, whether the target function contains a vulnerability is judged based on the semantic similarity score and the graph structure similarity score, so as to mine the known vulnerabilities of the firmware in all aspects.
Keywords/Search Tags:Firmware vulnerability detection, Bidirectional Gate Recurrent Unit, Firm-AFL, structure2vec, Graph Convolutional Network