CN112905233B - Peripheral transplanting method of embedded firmware based on Linux kernel - Google Patents

Peripheral transplanting method of embedded firmware based on Linux kernel Download PDF

Info

Publication number
CN112905233B
CN112905233B CN202110097929.0A CN202110097929A CN112905233B CN 112905233 B CN112905233 B CN 112905233B CN 202110097929 A CN202110097929 A CN 202110097929A CN 112905233 B CN112905233 B CN 112905233B
Authority
CN
China
Prior art keywords
linux kernel
transplanting
transplanted
peripheral
embedded firmware
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110097929.0A
Other languages
Chinese (zh)
Other versions
CN112905233A (en
Inventor
周亚金
姜木慧
马麟
刘强
吴磊
罗夏朴
任奎
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang University ZJU
Original Assignee
Zhejiang University ZJU
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang University ZJU filed Critical Zhejiang University ZJU
Priority to CN202110097929.0A priority Critical patent/CN112905233B/en
Publication of CN112905233A publication Critical patent/CN112905233A/en
Application granted granted Critical
Publication of CN112905233B publication Critical patent/CN112905233B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/70Software maintenance or management
    • G06F8/76Adapting program code to run in a different environment; Porting
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a peripheral transplanting method of embedded firmware based on Linux kernel, which takes the embedded firmware as input, automatically decompresses the embedded firmware and extracts the needed kernel. And simultaneously, transplanting the peripheral appointed by the developer into the decompressed and extracted Linux kernel through peripheral transplanting, so as to successfully simulate and start the Linux kernel and perform corresponding security analysis. The method can transplant the appointed peripheral equipment into the Linux kernel of the embedded firmware to be analyzed, thereby reducing the dependence required by dynamically analyzing the Linux kernel. According to the invention, a developer can simulate and run the Linux kernel in the embedded firmware, so that an embedded firmware analysis platform based on the Linux kernel is constructed.

Description

Peripheral transplanting method of embedded firmware based on Linux kernel
Technical Field
The invention belongs to the technical field of information security, and particularly relates to a peripheral transplanting method of embedded firmware based on a Linux kernel.
Background
In recent years, embedded devices have become increasingly popular. Many of them run in Linux-based operating systems. The kernel of Linux has hundreds of holes mined each year. Thus, once the embedded firmware based on the Linux operating system is broken, an attacker can control the whole machine, causing a huge loss. Therefore, the kernel security problem of embedded firmware is worth studying.
Research into the kernel of embedded firmware requires either static or dynamic analysis methods. Static methods are not accurate enough and dynamic methods require corresponding simulators. Because of the large number of peripherals in embedded devices, the most popular Simulators (QEMUs) currently have no way to support all peripherals. In order to perform dynamic analysis, the Linux kernel in the embedded device must be successfully started, and here, the problem of dependence of numerous peripherals needs to be solved.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a peripheral transplanting method of embedded firmware based on a Linux kernel, which solves the problem of peripheral dependence in the process of simulating and executing embedded equipment. The specific technical scheme is as follows:
the peripheral transplanting method of the embedded firmware based on the Linux kernel comprises hardware model transplanting and software driving transplanting;
the hardware model is transplanted to be specifically described through a fixed interface provided by the QEMU;
the software driven transplanting comprises the following steps:
(1) Analyzing the provided embedded firmware based on the Linux kernel, and extracting the Linux kernel from the embedded firmware;
(2) Decompressing the pre-extracted Linux kernel through simulation operation to obtain a decompressed Linux kernel;
(3) Static analyzing the decompressed Linux kernel to identify a forward function pointer and a backward function pointer;
(4) Generating a software driver which is adapted to a hardware model to be transplanted according to version information provided by the decompressed Linux kernel; rewriting the backward function pointer into a software driver adapted to a hardware model to be transplanted to obtain the software driver to be transplanted, and placing the software driver to be transplanted into an opaque memory of a Linux kernel; the Linux kernel indirectly calls a driving function stored in the opaque memory by utilizing a forward function pointer, and a software driver to be transplanted indirectly calls a specific function stored in the kernel by utilizing a backward function pointer; the opaque memory is a memory space which cannot be known by a Linux kernel;
(5) The transplanting operation is carried out, specifically: the Linux kernel initializes the software driver, in the initialization process, the forward function pointer initializes the software driver to be transplanted stored in the opaque memory, and the software driver to be transplanted calls a peripheral related interface through the backward function pointer to communicate with the hardware model to be transplanted, so that the software driver is transplanted;
and when the hardware model transplanting and the software driving transplanting are finished at the same time, successfully simulating and executing the embedded firmware to obtain a starting interface.
Further, in the whole transplanting operation process of the step (5), when the QEMU translates the virtual address into the physical address through the page table translation module, detecting whether the virtual address belongs to an opaque memory, if so, translating by using a page table modified by a user; if not, translating by using the original page table of the kernel; so as not to affect the memory allocation mechanism of the Linux kernel itself.
Further, in the step (3), the decompressed Linux kernel is statically analyzed, a corresponding instruction set and a function boundary are generated, and a forward function pointer and a backward function pointer are identified through three different strategies; the three strategies are specifically as follows:
strategy one: when the function contains specific character strings or warning information, the function is uniquely determined;
strategy II: indirectly determining a function pointer through a relation between functions;
strategy III: for functions which cannot be determined according to the first strategy and the second strategy, the range is further narrowed by the characteristics of the functions.
The beneficial effects of the invention are as follows:
the peripheral migration method of the embedded firmware based on the Linux kernel is independent of specific equipment model, peripheral model and system architecture, is independent of whether the target embedded firmware provides source codes or not, is widely applicable to the embedded firmware based on the Linux kernel, various types of peripheral and Linux kernels of various system architectures, and can effectively act on the embedded firmware without source codes. And after the transplanting, the functionality and the stability of the Linux kernel are not affected.
Drawings
FIG. 1 is an overall architecture diagram of a peripheral migration method of the present invention;
FIG. 2 is a schematic diagram of the present invention operating for an opaque memory.
Detailed Description
The objects and effects of the present invention will become more apparent from the following detailed description of the preferred embodiments and the accompanying drawings, it being understood that the specific embodiments described herein are merely illustrative of the invention and not limiting thereof.
The invention relates to a peripheral transplanting method of embedded firmware based on Linux kernel, wherein the peripheral transplanting comprises hardware model transplanting and software driving transplanting;
wherein, the hardware model is transplanted to make specific description through a fixed interface (API) provided by the QEMU;
the software driver transplanting is suitable for the corresponding hardware model transplanting, and the software driver is transplanted into the opaque memory of the Linux kernel without affecting the memory allocation mechanism of the Linux kernel.
As shown in fig. 1, the software driven migration includes the following steps:
step (1): analyzing the provided embedded firmware based on the Linux kernel, using a general binary format scanning tool binwalk, adding a supported header file format, and extracting the Linux kernel from the embedded firmware according to the characteristics of the header file;
step (2): decompressing the pre-extracted Linux kernel through simulation operation to obtain a decompressed Linux kernel; the method comprises the following steps:
the extracted Linux kernel is put into QEMU for simulation execution, and in the simulation execution process, the firmware kernel cannot be successfully simulated and executed due to peripheral dependency. However, the Linux kernel performs self-decompression through the decompression code inside the Linux kernel, the decompression code is consistent for different versions of the kernel, and the Linux kernel is positioned to a specific position of the decompression code by comparing an execution path with the section of the decompression code. By implanting the breakpoint, after the decompressed code execution is completed, the simulator reads out the decompressed binary file of the Linux kernel and stores the binary file locally.
Step (3): the decompressed Linux kernel is statically analyzed, and a forward function pointer and a backward function pointer are identified, wherein the method specifically comprises the following steps:
and statically analyzing the decompressed Linux kernel, disassembling the decompressed Linux kernel, generating a corresponding instruction set and a function boundary, and analyzing the disassembled Linux kernel. Wherein, when generating the function boundary, mainly based on whether the specific starting sequence of the function is satisfied for the corresponding instruction sequence or whether the function is called by the function call instruction (BL). Because the source code of the Linux kernel is an open source, a specific strategy is adopted by establishing a corresponding relation between the open source code and the anti-assembled Linux kernel, and a required function is automatically identified, namely the address of a specific function pointer is obtained.
The specific strategies include the following three types:
strategy one: whether a specific character string or warning information is contained. If a function contains a specific character string, the function can be uniquely determined. If the function contains warning information, the function can be uniquely determined by parameters in the warning information, namely, the file in which the function is located and the line number.
Strategy II: the function pointer is determined indirectly by the relationship between the functions. Here, the relationships between the three functions and the functions are considered in total, that is, the determined function calls the undetermined function, the undetermined function calls the determined function, and the determined function and the undetermined function are simultaneously called by other functions, respectively.
Strategy III: for functions which cannot be determined according to the first strategy and the second strategy, the range is further narrowed by the characteristics of the functions. The characteristics of the function itself include a specific return value, a specific fixed value for performing logic operation, the number of basic blocks of the function, the number of calling functions, and the like.
Step (4): generating a software driver which is adapted to a hardware model to be transplanted according to version information provided by the decompressed Linux kernel; rewriting the backward function pointer into a software driver adapted to a hardware model to be transplanted to obtain the software driver to be transplanted, and placing the software driver to be transplanted into an opaque memory of a Linux kernel; the Linux kernel indirectly calls a driving function stored in the opaque memory by utilizing a forward function pointer, and a software driver to be transplanted indirectly calls a specific function stored in the kernel by utilizing a backward function pointer; the opaque memory is a memory space which cannot be known by the Linux kernel.
When the software driver is generated, different software drivers are adapted to Linux kernels of different versions. And packaging and integrating the driving functions required in the software driver to be transplanted into a single C language file, and completely rewriting the calling sentences from the calling to the kernel functions in the software driver to be transplanted into indirect calling, so that all compiler optimizations are closed, and the compiler does not optimize indirect jump into direct jump, thereby avoiding the limitation of the length of a function calling instruction (BL) when the functions are called.
A typical indirect jump is shown below. Address 0x10000, the value at [ pc, #72] address is stored in register r3, and then jumps to the function address pointed to by r 3.
0x10000:ldr r3,[pc,#72]
0x10004:blx r3
0x10050: "function Address"
Step (5): the transplanting operation is carried out, specifically: and initializing the software driver by the Linux kernel, initializing the software driver to be transplanted stored in the opaque memory by the forward function pointer in the initialization process, calling a peripheral related interface by the software driver to be transplanted through the backward function pointer, and communicating with the hardware model to be transplanted to finish the software driver transplantation. As shown in fig. 1, when peripheral migration is performed, a Linux kernel, a software driver to be migrated, and a function pointer are received as inputs of a QEMU. The Linux kernel is the kernel to be simulated. The function pointer is divided into a forward function pointer and a backward function pointer. In the transplanting process, the Linux kernel is loaded into the system memory, and the Linux kernel performs the initialization operation of the peripheral driver. And when the initialization operation of the peripheral driver is carried out, the initialization of the peripheral driver to be transplanted is guided into the software driver stored in the opaque memory through the forward function pointer, so that the initialization of the software driver to be transplanted is completed. Meanwhile, the software driver to be transplanted calls the related peripheral interfaces to configure the peripheral. The software driver to be transplanted will successfully call the peripheral related interface in the Linux kernel through the backward function pointer, and is used for configuring the hardware model to be transplanted.
In order to ensure that the set opaque memory does not affect the memory allocation mechanism of the Linux kernel itself, as shown in fig. 2, when the QEMU translates a virtual address into a physical address through a page table translation module in the whole operation process of step (5), it is detected whether the virtual address belongs to the opaque memory, if so, the page table modified by the user is used for translation; if not, the original page table of the kernel is used for translation. The algorithm ensures that the Linux kernel does not know the existence of the opaque memory, thereby not affecting the memory allocation mechanism of the Linux kernel itself, ensuring the normal operation of the software driver to be transplanted,
and when the hardware model transplanting and the software driving transplanting are finished at the same time, successfully simulating and executing the embedded firmware to obtain a starting interface.
The invention successfully transfers the specific peripheral equipment to 719 Linux kernels of different firmware, and obtains a starting interface. The 719 Linux kernels cover 17 different Linux versions and are adapted to 24 different firmware vendors, which can prove the feasibility of the invention.
Meanwhile, in order to prove that the peripheral transplanting method is not influenced on the stability and the functionality of the Linux kernel. And running a test suite of the Linux kernel about system call on the Linux kernel which is simulated and started after the peripheral is transplanted. The results show that 94% of the system call tests can run normally, and the cores cannot run, which often have loopholes. The result shows that the Linux kernel is stable and has complete functionality.
It will be appreciated by persons skilled in the art that the foregoing description is a preferred embodiment of the invention, and is not intended to limit the invention, but rather to limit the invention to the specific embodiments described, and that modifications may be made to the technical solutions described in the foregoing embodiments, or equivalents may be substituted for elements thereof, for the purposes of those skilled in the art. Modifications, equivalents, and alternatives falling within the spirit and principles of the invention are intended to be included within the scope of the invention.

Claims (3)

1. The peripheral transplanting method of the embedded firmware based on the Linux kernel is characterized in that the peripheral transplanting comprises hardware model transplanting and software driving transplanting;
the hardware model is transplanted to be specifically described through a fixed interface provided by the QEMU;
the software driven transplanting comprises the following steps:
(1) Analyzing the provided embedded firmware based on the Linux kernel, and extracting the Linux kernel from the embedded firmware;
(2) Decompressing the pre-extracted Linux kernel through simulation operation to obtain a decompressed Linux kernel;
(3) Static analyzing the decompressed Linux kernel to identify a forward function pointer and a backward function pointer;
(4) Generating a software driver which is adapted to a hardware model to be transplanted according to version information provided by the decompressed Linux kernel; rewriting the backward function pointer into a software driver adapted to a hardware model to be transplanted to obtain the software driver to be transplanted, and placing the software driver to be transplanted into an opaque memory of a Linux kernel; the Linux kernel indirectly calls a driving function stored in the opaque memory by utilizing a forward function pointer, and a software driver to be transplanted indirectly calls a specific function stored in the kernel by utilizing a backward function pointer; the opaque memory is a memory space which cannot be known by a Linux kernel;
(5) The transplanting operation is carried out, specifically: the Linux kernel initializes the software driver, in the initialization process, the forward function pointer initializes the software driver to be transplanted stored in the opaque memory, and the software driver to be transplanted calls a peripheral related interface through the backward function pointer to communicate with the hardware model to be transplanted, so that the software driver is transplanted;
and when the hardware model transplanting and the software driving transplanting are finished at the same time, successfully simulating and executing the embedded firmware to obtain a starting interface.
2. The method for transplanting the peripheral of the embedded firmware based on the Linux kernel according to claim 1, wherein in the whole transplanting operation process of the step (5), when the QEMU translates the virtual address into the physical address through the page table translation module, it is detected whether the virtual address belongs to the opaque memory, if so, the page table modified by the user is used for translation; if not, translating by using the original page table of the kernel; so as not to affect the memory allocation mechanism of the Linux kernel itself.
3. The method for transplanting the peripheral of the embedded firmware based on the Linux kernel as set forth in claim 1, wherein in the step (3), the decompressed Linux kernel is statically analyzed, a corresponding instruction set and a function boundary are generated, and a forward function pointer and a backward function pointer are identified through three different strategies; the three strategies are specifically as follows:
strategy one: when the function contains specific character strings or warning information, the function is uniquely determined;
strategy II: indirectly determining a function pointer through a relation between functions;
strategy III: for functions which cannot be determined according to the first strategy and the second strategy, the range is further narrowed by the characteristics of the functions.
CN202110097929.0A 2021-01-25 2021-01-25 Peripheral transplanting method of embedded firmware based on Linux kernel Active CN112905233B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110097929.0A CN112905233B (en) 2021-01-25 2021-01-25 Peripheral transplanting method of embedded firmware based on Linux kernel

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110097929.0A CN112905233B (en) 2021-01-25 2021-01-25 Peripheral transplanting method of embedded firmware based on Linux kernel

Publications (2)

Publication Number Publication Date
CN112905233A CN112905233A (en) 2021-06-04
CN112905233B true CN112905233B (en) 2023-09-12

Family

ID=76119588

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110097929.0A Active CN112905233B (en) 2021-01-25 2021-01-25 Peripheral transplanting method of embedded firmware based on Linux kernel

Country Status (1)

Country Link
CN (1) CN112905233B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102073532A (en) * 2010-12-29 2011-05-25 浙大网新科技股份有限公司 Method for realizing Windows system call simulation mechanism in Linux kernel
CN103778368A (en) * 2014-01-23 2014-05-07 重庆邮电大学 Safe progress isolating method based on system virtualization technology
CN106873951A (en) * 2015-12-14 2017-06-20 北京谊安医疗系统股份有限公司 A kind of method that Anesthesia machine upper computer software is transplanted to built-in Linux
CN111722875A (en) * 2020-05-19 2020-09-29 上海中科网威信息技术有限公司 Method for rapidly transplanting and compiling open source program by Shenwei platform

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7571445B2 (en) * 2001-11-29 2009-08-04 Dell Products L.P. System and method for dynamic device driver support in an open source operating system

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102073532A (en) * 2010-12-29 2011-05-25 浙大网新科技股份有限公司 Method for realizing Windows system call simulation mechanism in Linux kernel
CN103778368A (en) * 2014-01-23 2014-05-07 重庆邮电大学 Safe progress isolating method based on system virtualization technology
CN106873951A (en) * 2015-12-14 2017-06-20 北京谊安医疗系统股份有限公司 A kind of method that Anesthesia machine upper computer software is transplanted to built-in Linux
CN111722875A (en) * 2020-05-19 2020-09-29 上海中科网威信息技术有限公司 Method for rapidly transplanting and compiling open source program by Shenwei platform

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
基于S3C2440的嵌入式Linux系统移植的研究与实现;赵敏;杨恢先;汤安平;;电子器件(第06期);1947-1950 *

Also Published As

Publication number Publication date
CN112905233A (en) 2021-06-04

Similar Documents

Publication Publication Date Title
US10339036B2 (en) Test automation using multiple programming languages
US20060155525A1 (en) System and method for improved software simulation using a plurality of simulator checkpoints
US20030131148A1 (en) Cross-platform software development with a software development peripheral
US7895575B2 (en) Apparatus and method for generating test driver
CN111338925A (en) Applet test method, device and system, electronic equipment and storage medium
CN100514298C (en) System for software transplantation between isomerization hardware systems
US6519768B1 (en) Instruction translation method
US7243059B2 (en) Simulation of hardware based on smart buffer objects
CN117215963B (en) Simulator program checkpoint saving and restoring method, system and related equipment
US8276132B1 (en) System and method for representing and managing a multi-architecture co-processor application program
CN112905233B (en) Peripheral transplanting method of embedded firmware based on Linux kernel
CN115421861B (en) General TMS320C55x processor instruction set virtualization simulation method
JP2817786B2 (en) Simulation apparatus and simulation method
US9182990B1 (en) Method and apparatus for detecting execution of unsupported instructions while testing multiversioned code
Casinghino et al. Using binary analysis frameworks: The case for BAP and angr
CN110709823A (en) Emulation of target system using JIT compiler and bypassing translation of selected target code blocks
CN115480871A (en) Universal TMS320C3X processor instruction set virtualization simulation method
CN116340081A (en) RISCV memory access violation detection method and device based on hardware virtualization
US8281294B1 (en) System and method for representing and managing a multi-architecture co-processor application program
CN112380133A (en) Method and device for simulating instruction set simulator by using function library
US8347310B1 (en) System and method for representing and managing a multi-architecure co-processor application program
CN115421860B (en) General SPARC processor instruction set virtualization simulation method
CN118246377B (en) Simulator architecture, simulation method, simulation equipment and medium of tensor processor
CN117270967B (en) Automatic generation method and device of instruction set architecture simulator based on model driving
CN113703920B (en) Hardware simulation method and platform

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant