Authors: LIN Xin-Kang (林欣康); GU Kuang-Yu (顾匡愚); ZHAO Lei (赵磊) [1,2] (Key Laboratory of Aerospace Information Security and Trusted Computing (Wuhan University), Ministry of Education, Wuhan 430072, China; School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, China)
Affiliations: [1] Key Laboratory of Aerospace Information Security and Trusted Computing (Wuhan University), Ministry of Education, Wuhan 430072, Hubei, China; [2] School of Cyber Science and Engineering, Wuhan University, Wuhan 430072, Hubei, China
Source: Journal of Software (软件学报), 2024, No. 8, pp. 3577-3590 (14 pages)
Funding: National Natural Science Foundation of China (62172305).
Abstract: As a next-generation firmware interface standard, the Unified Extensible Firmware Interface (UEFI) is widely used in modern computer systems, but vulnerabilities in it can pose serious security threats. Reducing the security problems caused by UEFI vulnerabilities requires vulnerability detection, and in third-party security testing scenarios fuzzing is the main detection technique. However, the absence of symbol information limits testing efficiency. This study proposes a heuristic UEFI reverse-analysis method that recovers symbol information in the firmware, uses it to improve fuzzing, and implements a prototype system, ReUEFuzzer. Tests on 525 EFI files from four manufacturers demonstrate the effectiveness of the reverse-analysis method. ReUEFuzzer increases function test coverage and, during testing, identified a previously unknown (zero-day) vulnerability, which has been reported to the China National Vulnerability Database (CNVD) and the Common Vulnerabilities and Exposures (CVE) system. The experiments show that the method is effective for UEFI vulnerability detection and can provide a certain degree of security assurance for UEFI.
Keywords: unified extensible firmware interface; reverse engineering; fuzzing; static program analysis; firmware security
Classification: TP311 [Automation and Computer Technology: Computer Software and Theory]