Vulnerability analysis method for Internet of Things device firmware based on guided fuzzing


Authors: PAN Zulie (潘祖烈), WANG Taiyan (王泰彦), ZHOU Hang (周航), GUO Hui (郭徽) (College of Electronic Engineering, National University of Defense Technology, Hefei 230037, China; Anhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation, Hefei 230037, China)

Affiliations: [1] College of Electronic Engineering, National University of Defense Technology, Hefei, Anhui 230037, China; [2] Anhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation, Hefei, Anhui 230037, China

Source: Information Countermeasures Technology (《信息对抗技术》), 2023, No. 1, pp. 38-54 (17 pages)

Funding: National Key Research and Development Program of China (2017YFB0802900).

Abstract: To improve the accuracy of vulnerability analysis for Internet of Things (IoT) device firmware, this paper builds on an in-depth analysis of more than 50 firmware vulnerabilities in MIPS-architecture IoT devices and proposes a combined static and dynamic firmware vulnerability analysis method based on guided fuzzing. All function information in the firmware program is collected, and dangerous code regions are located from the function call graph that links data-introducing functions to vulnerability-trigger functions. Using the detailed control flow graph of each dangerous code region, the distance from every basic block on an execution path to the vulnerability-trigger function is computed, and seed energy is adjusted dynamically at run time, yielding fuzzing that is directed toward the vulnerability-trigger function. DirFirmFuzz, a firmware vulnerability analysis system for MIPS-based IoT devices, was designed and implemented. Experimental results show that, compared with existing tools, the false-positive rate of vulnerability analysis is reduced by 73.31% on average, and the vulnerability-trigger function is reached 1.1 to 7 times faster on average. During real-world testing, 12 0-day vulnerabilities in products from multiple vendors, including D-Link and Cisco, were discovered; all of them have been reported to the vendors concerned for patching.

Keywords: MIPS architecture; IoT devices; firmware vulnerability analysis; fuzzing; lightweight emulation

Classification code: TP311 [Automation and Computer Technology: Computer Software and Theory]
