Real-Time Operating Systems (RTOS) are widely used in the firmware of smart devices in many fields, such as aerospace, defense, smart cities and smart cars, because of their streamlined structure and strong real-time performance. Meanwhile, with the rapid development and application of the Internet of Things, many RTOS devices are connected to public networks, and because they lack effective security mechanisms these devices are highly vulnerable to a variety of attacks; many of these attacks succeed because of security vulnerabilities in the RTOS firmware of the devices. Therefore, security analysis of RTOS firmware and early detection of security issues are important for improving the security of RTOS devices. An RTOS uses a monolithic design that combines the various tasks and services into a single firmware image, which largely hinders the application of traditional firmware analysis techniques to RTOS. To address this problem, this thesis focuses on automated security analysis techniques for ARM-architecture RTOS firmware. The main work and results are as follows:

1. For the problems that task code and system code are mixed together in RTOS firmware and that the firmware contains no symbol information to assist analysis, an automatic identification method for RTOS firmware task code is proposed. An RTOS usually divides complex firmware into many single, independent tasks, each of which completes a specific function. These task codes are written by developers according to actual requirements and contain numerous data-sensitive functions, such as functions that read and process external input, which attackers can use to trigger various security vulnerabilities. The first step in analyzing RTOS firmware is therefore to find the code locations of these tasks. Since the system service code and the user task code of an RTOS are generally mixed together with no obvious boundary between them, accurately finding the code of each task in RTOS firmware is quite tedious. To solve this problem, this thesis proposes an automatic RTOS firmware task code identification method. The method uses disassembly and binary code similarity matching to recover the function symbols in the firmware, then uses SDK function signatures to identify the parameter structure of the task creation functions in the firmware, and then uses backward slicing to extract the generation paths of the parameters and simulated execution to produce the corresponding parameter values, so that task entry function pointers and task name pointers are identified quickly and accurately. To verify the effectiveness of this method, 275 RTOS firmware images of five common types (FreeRTOS, LiteOS, RT-Thread, μC/OS-II and μC/OS-III) are used for testing. The average accuracy of identifying task entry function pointers is 96.5%, and the average accuracy of identifying task name pointers is 92.9%. In addition, the analysis of real firmware examples also verifies the effectiveness and practicality of the method.

2. For the problem of the low accuracy of existing base address identification methods on RTOS firmware, a base address identification method for RTOS firmware based on task pointer content constraints is proposed. Generally, most task entry function pointers and task name pointers in RTOS firmware are absolute pointers, and if the base address is wrong during firmware analysis, the targets of these absolute pointers are wrong as well. Common base address identification methods usually need to search the entire firmware space, which may amplify the interference of incorrect data and thus lower the identification accuracy. To solve this problem, this thesis designs an RTOS firmware base address identification method based on task pointer content constraints: the content that the generated task entry function pointer and task name pointer should point to is used to constrain the value of the base address, i.e., a candidate base address is constrained by whether the task entry function pointer points to a function preamble (e.g., PUSH) and whether the task name pointer points to a string, and the number of times the same candidate address satisfies the constraints of different tasks is recorded. To verify the effectiveness of the method, this thesis uses the firmware dataset above for testing; the experimental results show that the method can accurately identify most of the base addresses in RTOS firmware, with an average accuracy of 95.6%. In addition, the analysis of real firmware examples also verifies the effectiveness and practicality of the method.

3. This thesis implements a prototype system, RTOSExtracter, based on the above methods. It consists of four core modules: firmware preprocessing, parameter structure identification, parameter value analysis and base address identification. Testing shows that the system has high execution efficiency while maintaining the same recognition accuracy. In addition, a test dataset for evaluating static analysis methods for RTOS-based firmware is constructed to provide data support for related research work.
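The base address constraint of contribution 2, as an added example written for this page (it is not the thesis's code nor part of RTOSExtracter): it assumes a raw little-endian Thumb (Cortex-M) image, already-recovered (entry, name) pointer pairs, and a simplified preamble check that only recognises the 16-bit PUSH encoding; the firmware bytes, pointers and the true base 0x08000000 are constructed.

```python
# Added example, not the thesis's code: score candidate base addresses by the
# content the recovered task pointers should reference (assumes Thumb code).

def is_function_preamble(fw, off):
    # 16-bit Thumb PUSH encodes as 0xB4xx/0xB5xx; high byte sits at off + 1.
    # The 32-bit PUSH.W form is not handled in this simplified check.
    if off < 0 or off % 2 or off + 2 > len(fw):
        return False
    return fw[off + 1] in (0xB4, 0xB5)

def is_string(fw, off, min_len=2):
    # Task name: NUL-terminated run of printable ASCII inside the image.
    if off < 0 or off >= len(fw):
        return False
    end = fw.find(b"\x00", off)
    return end >= 0 and end - off >= min_len and all(0x20 <= c < 0x7F for c in fw[off:end])

def score_bases(fw, tasks, align=0x100):
    # Only bases that could map the pointers into the image are tried, instead of
    # scanning the whole space; a base is credited once per task satisfying both checks.
    ptrs = [p for pair in tasks for p in pair]
    lo = max(0, min(ptrs) - len(fw)) & ~(align - 1)
    scores = {}
    for base in range(lo, max(ptrs) + 1, align):
        hits = sum(1 for entry, name in tasks
                   if is_function_preamble(fw, (entry & ~1) - base)  # clear Thumb bit
                   and is_string(fw, name - base))
        if hits:
            scores[base] = hits
    return scores

def identify_base(fw, tasks, align=0x100):
    # The candidate satisfied by the most tasks wins; None if nothing fits.
    scores = score_bases(fw, tasks, align)
    return max(scores, key=scores.get) if scores else None

def build_sample_firmware():
    # Constructed 256-byte image: two Thumb task functions, their names, and a
    # stray 0xB5 byte at 0x80 that a preamble-only search could mistake.
    fw = bytearray(b"\xff" * 0x100)
    fw[0x00:0x02] = b"\x10\xb5"    # task_a: PUSH {r4, lr}
    fw[0x20:0x22] = b"\xf0\xb5"    # task_b: PUSH {r4-r7, lr}
    fw[0x40:0x47] = b"sensor\x00"  # name of task_a
    fw[0x50:0x54] = b"net\x00"     # name of task_b
    fw[0x80:0x82] = b"\x00\xb5"    # decoy data that looks like a PUSH
    return bytes(fw)

SAMPLE_BASE = 0x08000000  # true load address, unknown to the analysis
SAMPLE_TASKS = [(SAMPLE_BASE + 0x01, SAMPLE_BASE + 0x40),  # entry has Thumb bit set
                (SAMPLE_BASE + 0x21, SAMPLE_BASE + 0x50)]
```

With `align=0x10` the decoy at 0x80 satisfies the preamble check for one candidate base, but that base fails the name-string constraint, so only the true base is credited by both tasks.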