基于语义冲突的硬编码后门检测方法  

作　　者：胡安祥 肖达 郭世臣 刘胜利 HU Anxiang;XIAO Da;GUO Shichen;LIU Shengli(State Key Laboratory of Mathematical Engineering and Advanced Computing,Zhengzhou 450001,China;School of Information Engineering,Zhengzhou University of Industry Technology,Zhengzhou 451100,China)

机构地区：[1]数学工程与先进计算国家重点实验室,河南郑州450001 [2]郑州工业应用技术学院信息工程学院,河南郑州451100

出　　处：《网络与信息安全学报》2023年第1期150-157,共8页Chinese Journal of Network and Information Security

基　　金：科技委基础加强项目(2019-JCJQ-ZD-113)。

摘　　要：路由器安全问题主要聚焦于内存型漏洞的挖掘与利用,对后门的检测与发现的研究较少。硬编码后门是较常见的后门之一,设置简单方便,仅仅需要少量代码就能实现,然而却难以被发现,往往造成严重的危害和损失。硬编码后门的触发过程离不开字符串比较函数,因此硬编码后门的检测借助于字符串比较函数,主要分为静态分析方法和符号执行方法。前者自动化程度较高,但存在较高的误报率,检测效果不佳;后者准确率高,但无法自动化大规模检测固件,面临着路径爆炸甚至无法约束求解的问题。针对上述问题,在静态分析的基础上,结合污点分析的思想,提出了基于语义冲突的硬编码后门检测方法——Stect。Stect从常用的字符串比较函数出发,结合MIPS和ARM体系结构的特点,利用函数调用关系、控制流图和分支选择依赖的字符串,提取出具有相同起点和终点的路径集合,如果验证成功的路径集合中的字符串具有语义冲突,则判定路由器固件中存在硬编码后门。为了评估Stect对路由器硬编码后门的检测效果,对收集的1074个设备固件进行了测试,并与其他的后门检测方法进行了对比。实验结果表明,相比现有的后门检测方法Costin和Stringer,Stect具有更好的检测效果:从数据集中成功检测出8个固件后门口令,召回率达到88.89%。The current router security issues focus on the mining and utilization of memory-type vulnerabilities,but there is low interest in detecting backdoors.Hard-coded backdoor is one of the most common backdoors,which is simple and convenient to set up and can be implemented with only a small amount of code.However,it is difficult to be discovered and often causes serious safety hazard and economic loss.The triggering process of hard-coded backdoor is inseparable from string comparison functions.Therefore,the detection of hard-coded backdoors relies on string comparison functions,which are mainly divided into static analysis method and symbolic execution method.The former has a high degree of automation,but has a high false positive rate and poor detection results.The latter has a high accuracy rate,but cannot automate large-scale detection of firmware,and faces the problem of path explosion or even unable to constrain solution.Aiming at the above problems,a hard-coded backdoor detection algorithm based on string text semantic conflict(Stect)was proposed since static analysis and the think of stain analysis.Stect started from the commonly used string comparison functions,combined with the characteristics of MIPS and ARM architectures,and extracted a set of paths with the same start and end nodes using function call relationships,control flow graphs,and branching selection dependent strings.If the strings in the successfully verified set of paths have semantic conflict,it means that there is a hard-coded backdoor in the router firmware.In order to evaluate the detection effect of Stect,1074 collected device images were tested and compared with other backdoor detection methods.Experimental results show that Stect has a better detection effect compared with existing backdoor detection methods including Costin and Stringer:8 hard-coded backdoor images detected from image data set,and the recall rate reached 88.89%.

关 键 词：路由器固件 硬编码后门 字符串比较函数 语义冲突 

分 类 号：TP393[自动化与计算机技术—计算机应用技术]