CN113312220A - Firmware hidden danger detection method and device and electronic equipment - Google Patents

Publication number
CN113312220A
Authority
CN
China
Prior art keywords
firmware
stored
data
paradigm
sequence
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110577220.0A
Other languages
Chinese (zh)
Other versions
CN113312220B (en)
Inventor
邢燕祯
李东宏
张家琦
马良
刘中金
何跃鹰
陈杰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
National Computer Network and Information Security Management Center
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Original Assignee
National Computer Network and Information Security Management Center
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Application filed by National Computer Network and Information Security Management Center, Nsfocus Technologies Inc, Nsfocus Technologies Group Co Ltd
Priority to CN202110577220.0A
Publication of CN113312220A
Application granted
Publication of CN113312220B
Legal status: Active

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00: Error detection; Error correction; Monitoring
    • G06F11/22: Detection or location of defective computer hardware by testing during standby operation or during idle time, e.g. start-up testing
    • G06F11/2273: Test methods

Abstract

According to the method, after firmware information is acquired, it is disassembled, and the disassembled data are then matched against a pre-stored character sequence paradigm and a pre-stored instruction sequence paradigm that indicate hidden dangers in firmware, so that a result of whether the firmware has hidden dangers is output. This removes the dependence on the device, reduces the cost of detecting firmware hidden dangers, avoids the inaccuracy of manual analysis, improves detection accuracy, and shortens the time needed to analyze hidden dangers.

Description

Firmware hidden danger detection method and device and electronic equipment
Technical Field
The application relates to the technical field of the Internet of Things, and in particular to a firmware hidden danger detection method and device and electronic equipment.
Background
At present, Internet of Things devices have gradually penetrated every aspect of production and daily life, making it convenient for people to learn about their surroundings in time and assisting their daily work.
During the development of Internet of Things device software, open-source project content, shared third-party components, or agreed coding conventions are introduced, which facilitates product development but also widens the ways in which risk is introduced.
At present, the most commonly used method for analyzing hidden dangers in Internet of Things devices is manual analysis: devices purchased from various manufacturers are tested with proof-of-concept code to evaluate hidden dangers in the product firmware. This method requires purchasing the devices, which raises the cost of detecting firmware hidden dangers, and manual analysis yields lower accuracy.
Disclosure of Invention
The application provides a firmware hidden danger detection method and device and electronic equipment, which are used for avoiding the dependence on the equipment in firmware hidden danger detection and the problem of inaccurate hidden danger detection caused by manual analysis.
In a first aspect, the present application provides a method for detecting hidden firmware danger, where the method includes:
disassembling the acquired firmware information to obtain a first data unit meeting a preset condition;
judging whether a pre-stored character sequence paradigm and/or a pre-stored instruction sequence paradigm exists in the first data unit, wherein the pre-stored character sequence paradigm and the pre-stored instruction sequence paradigm are obtained based on information about firmware hidden dangers;
if the pre-stored character sequence paradigm and/or the pre-stored instruction sequence paradigm exist, outputting a first result that hidden danger exists in firmware corresponding to the firmware information;
and if the pre-stored character sequence paradigm and/or the pre-stored instruction sequence paradigm do not exist, outputting a second result that hidden danger does not exist in the firmware corresponding to the firmware information.
Based on the method, the obtained firmware information is matched against a pre-stored character sequence paradigm and a pre-stored instruction sequence paradigm that indicate hidden dangers in firmware, so that a result of whether the firmware has hidden dangers is output. This removes the dependence on the device, reduces the cost of detecting firmware hidden dangers, avoids the inaccuracy of manual analysis, improves detection accuracy, and shortens the time needed to analyze hidden dangers.
In a possible design, the disassembling the acquired firmware information to obtain a first data unit meeting a preset condition includes:
disassembling the acquired firmware information to obtain first disassembly data;
judging whether the first disassembled data has compressed format data and encrypted format data;
if the compressed format data and/or the encrypted format data exist, continuing to disassemble the first disassembled data;
and if the compressed format data and the encrypted format data do not exist, taking the first disassembled data as the first data unit.
Through the mode, the acquired firmware information is disassembled into the minimum unit, and the minimum unit is ensured not to have compressed data and encrypted data, so that the accuracy of subsequent matching of the character sequence paradigm and the instruction sequence paradigm is ensured.
In one possible design, before determining whether a pre-stored character sequence paradigm and/or a pre-stored instruction sequence paradigm exists in the first data unit, the method further includes:
extracting a key character sequence from the uploaded firmware information with hidden danger;
and generating a character sequence paradigm containing the key character sequence according to the key character sequence, and storing the character sequence paradigm in a feature database.
Through the mode, the character sequence paradigm corresponding to the firmware with the hidden danger can be stored in the database in advance, so that the follow-up matching of the character sequence paradigm can be accurately carried out.
In one possible design, before determining whether a pre-stored character sequence paradigm and/or a pre-stored instruction sequence paradigm exists in the first data unit, the method further includes:
acquiring instruction sequence information corresponding to the firmware information, character string information called in the executed instructions, and function call names;
and generating the instruction sequence paradigm according to the instruction sequence information, the character string information and the function call names, and storing the instruction sequence paradigm in a feature database.
Through the mode, the instruction sequence paradigm corresponding to the firmware with the hidden danger can be stored in the database in advance, so that the follow-up matching of the instruction sequence paradigm can be accurately carried out.
In one possible design, the determining whether a pre-stored character sequence paradigm and/or a pre-stored instruction sequence paradigm exists in the first data unit includes:
determining a data and code starting position and a data and code ending position in the first data unit;
determining whether a pre-stored character sequence paradigm and/or a pre-stored instruction sequence paradigm exists in data between the data and code start position and the data and code end position.
By the method, on the basis of accurately determining the initial position of the data and the code and the end position of the data and the code, the character sequence paradigm and the instruction sequence paradigm can be accurately matched subsequently.
In a second aspect, an embodiment of the present application provides a device for detecting a hidden firmware hazard, where the device includes:
the data processing module is used for disassembling the acquired firmware information to obtain a first data unit meeting a preset condition;
the control module is used for judging whether a pre-stored character sequence paradigm and/or a pre-stored instruction sequence paradigm exist in the first data unit, and if the pre-stored character sequence paradigm and/or the pre-stored instruction sequence paradigm exist, outputting a first result that hidden danger exists in firmware corresponding to the firmware information; and if the pre-stored character sequence paradigm and/or the pre-stored instruction sequence paradigm do not exist, outputting a second result that hidden danger does not exist in the firmware corresponding to the firmware information, wherein the pre-stored character sequence paradigm and the pre-stored instruction sequence paradigm are obtained based on information of the hidden danger of the firmware.
In one possible design, the control module is further configured to extract a key character sequence from the uploaded firmware information with hidden danger, generate a character sequence paradigm containing the key character sequence according to the key character sequence, and store the character sequence paradigm in a feature database.
In one possible design, the control module is further configured to obtain instruction sequence information corresponding to the firmware information, character string information called in the executed instructions, and function call names, generate the instruction sequence paradigm according to the instruction sequence information, the character string information and the function call names, and store the instruction sequence paradigm in a feature database.
In a third aspect, an embodiment of the present application provides an electronic device, including:
a memory for storing a computer program;
and the processor is used for realizing the steps of the firmware hidden danger detection method when executing the computer program stored in the memory.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium, where a computer program is stored in the computer-readable storage medium, and when the computer program is executed by a processor, the steps of the firmware hidden danger detection method are implemented.
For each of the second to fourth aspects and possible technical effects of each aspect, please refer to the above description of the first aspect or the possible technical effects of each of the possible solutions in the first aspect, and no repeated description is given here.
Drawings
Fig. 1 is a flowchart of a firmware hidden danger detection method provided in the present application;
Fig. 2 is a schematic diagram illustrating a firmware disassembly process provided in the present application;
Fig. 3 is a schematic diagram of the start position of data and code and the end position of data and code provided in the present application;
Fig. 4 is a schematic structural diagram of a firmware hidden danger detection apparatus provided in the present application;
Fig. 5 is a schematic structural diagram of an electronic device provided in the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application clearer, the present application is described in further detail below with reference to the accompanying drawings. The particular methods of operation in the method embodiments may also be applied to apparatus embodiments or system embodiments. It should be noted that "a plurality" is understood as "at least two" in the description of the present application. "And/or" describes the association relationship of the associated objects and means that three relationships are possible; for example, A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone. "A is connected with B" can mean: A and B are directly connected, or A and B are connected through C. In addition, in the description of the present application, the terms "first," "second," and the like are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or order.
Firmware is typically stored in an Electrically Erasable Programmable Read-Only Memory (EEPROM) or FLASH chip in the device, and is typically a program that the user can upgrade through a specific flashing program. Generally, the most basic, lowest-level software of a digital product can be called firmware, so detecting hidden dangers in device firmware is extremely important. Current detection requires purchasing the device and is completed by manual analysis, which is costly and has low detection accuracy.
Based on the above problems, the method for detecting hidden danger of firmware provided in the embodiments of the present application is used to detect hidden danger of firmware through uploaded firmware information, thereby avoiding high cost caused by purchasing equipment and inaccurate hidden danger detection caused by manual analysis.
The embodiments of the present application will be described in detail below with reference to the accompanying drawings.
Fig. 1 is a flowchart of a firmware hidden danger detection method in an embodiment of the present application, where the method includes:
S11, performing disassembly processing on the acquired firmware information to obtain a first data unit meeting preset conditions;
Since the firmware hidden danger needs to be detected in the embodiment of the application, the firmware needs to be collected first; that is, the firmware to be detected is uploaded to the system, or the latest firmware is periodically downloaded from each platform or server by other programs and input into the system. To ensure the uniqueness of each firmware, each firmware name follows a unique identification format, and the firmware name and the firmware information are then saved in a firmware information database.
The unique identification format of the firmware can be obtained based on a firmware check code, a firmware version number, a device type and a manufacturer number, and can also be a hash value of a file corresponding to the firmware.
In addition to the unique identifier format of the firmware needing to be obtained in advance and stored in the database, in the embodiment of the present application, a character sequence paradigm and an instruction sequence paradigm also need to be stored in the database. The following specifically describes the generation process of the character sequence paradigm and the instruction sequence paradigm:
First, character sequence paradigm
A corresponding character sequence paradigm is generated according to the uploaded firmware hidden danger and its brief information, and is stored in the feature database.
Specifically, in the embodiment of the application, based on the uploaded firmware hidden danger and the corresponding firmware information, a key character sequence is extracted from the firmware information, a character sequence paradigm containing the key character sequence is generated from it, and the character sequence paradigm is stored in the feature database.
For example, a device has a telnet service that can be turned on remotely: a user must supply the web user name, the password, and the Media Access Control (MAC) address of the device to turn the telnet service on remotely. The corresponding executed command is: "utelnetd -d -i br0".
The key character sequence of the running program can be obtained with the strings tool, as follows:
>/dev/console
utelnetd
-d
-i
br0
telnetInit0:already initialized.
After the key character sequence is obtained, a character sequence paradigm can be generated from it, specifically: "telnetd\s-d\s-i\sbr".
Second, instruction sequence paradigm
The location of the binary code that triggers the uploaded firmware hidden danger is identified, a decompiler is used to produce high-level language code, a cross-compilation tool is used to generate instruction sequence paradigms for the various CPU platforms, and the resulting instruction sequence paradigms are entered into the feature database.
Specifically, the instruction sequence information corresponding to the uploaded firmware information, the character string information called in the executed instructions, and the function call names are acquired first; a corresponding instruction sequence paradigm is generated from them and stored in the feature database.
For example, for a device whose telnet service can be opened remotely, the program must start the telnet program, so it calls functions such as system, eval, and exec, where exec is a family of functions. The file command shows that the program is built for the ARM architecture, as follows:
$ file telnetenabled
telnetenabled: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 3.2.0, stripped
Based on the above architecture, the program code location is found using a disassembler.
It should be noted that a developer may compile the same code base for different CPU architecture platforms, such as X86, X64, ARM64, and PPC, and that different CPUs use different byte orders, such as big-endian and little-endian, in order to meet the requirements of different service scenarios, such as cameras, routers, and Android-based devices.
To determine whether firmware has a hidden danger, programs for the different CPU architecture platforms must be covered. The located binary code containing the hidden danger is decompiled into C by a high-level decompiler and then recompiled by a compiler into target programs for the different CPU architectures, or the target programs are generated by translation through the instruction mapping between CPU platforms; the instruction sequence paradigm is then generated from the instruction data.
According to the assembly language descriptions of the different CPU instructions, the original hexadecimal instructions are retained following a string-and-call principle, and the corresponding instruction sequence paradigms are generated using the character strings referenced and the function call names in the instructions as the matching criteria.
Based on the process, the character sequence paradigm and the instruction sequence paradigm are imported into the feature database, so that whether hidden danger exists in the firmware can be accurately positioned subsequently.
After the preparation is complete, the acquired firmware information is first sliced, decompressed, and decrypted to obtain first disassembled data, and it is judged whether compressed format data or encrypted format data exists in the first disassembled data. If compressed format data and/or encrypted format data exists, slicing, decompression, and decryption continue on the first disassembled data; if neither compressed format data nor encrypted format data exists, the first disassembled data is used as the first data unit.
For example, Fig. 2 is a schematic diagram of the firmware disassembly process, and the flow includes:
S21, collecting firmware;
S22, firmware slicing processing;
S23, judging whether a compression format exists;
If yes, go to step S24; if not, go to step S25.
S24, data decompression;
After the decompression is completed, execution returns to step S22.
S25, judging whether an encryption format exists;
If yes, go to step S26; if not, go to step S27.
S26, decrypting the data;
After the data decryption is completed, execution returns to step S22.
S27, determining the data as a minimum unit.
Based on the mode, the minimum unit can be accurately disassembled by slicing the firmware, and the minimum unit is ensured not to have the conditions of encryption and data compression, so that the follow-up judgment on the hidden danger of the firmware is ensured to be more accurate.
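The S21 to S27 loop above, sketched in Python as an added example that is not part of the patent text: it slices a blob at gzip members, inflates them recursively, and returns the minimum units. It assumes gzip is the only compression layer and performs no decryption, labelling high-entropy units it cannot open instead; the sample firmware, the limits and the 7.5 bits/byte threshold are constructed for the illustration.

```python
import gzip
import hashlib
import math
import zlib
from collections import Counter

GZIP_MAGIC = b"\x1f\x8b\x08"        # gzip member header, deflate method
MAX_DEPTH = 8                       # assumed limit on nested layers
MAX_OUTPUT = 32 * 1024 * 1024       # assumed cap against decompression bombs


def entropy(data):
    """Shannon entropy in bits per byte; values near 8 look random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def try_gunzip(blob, offset):
    """Inflate one gzip member at offset. Return (payload, consumed) or None."""
    d = zlib.decompressobj(31)                  # wbits=31 selects gzip framing
    try:
        payload = d.decompress(blob[offset:], MAX_OUTPUT)
    except zlib.error:
        return None                             # the magic bytes were a coincidence
    if not d.eof:
        return None                             # truncated, or larger than the cap
    return payload, len(blob) - offset - len(d.unused_data)


def leaf(path, data):
    """A unit with no gzip layer left (S27), labelled if it still looks opaque."""
    note = "plain"
    if len(data) >= 256 and entropy(data) > 7.5:
        note = "opaque: possibly encrypted or an unsupported compression format"
    return (path, data, note)


def disassemble(blob, depth=0, path="fw"):
    """Return [(path, data, note)] for every minimum unit inside blob."""
    if depth >= MAX_DEPTH:
        return [(path, blob, "depth limit reached: not fully disassembled")]
    units, pos, start = [], 0, 0
    while True:
        hit = blob.find(GZIP_MAGIC, pos)        # S22/S23: slice at a compressed member
        if hit < 0:
            break
        result = try_gunzip(blob, hit)
        if result is None:
            pos = hit + 1
            continue
        payload, consumed = result
        if hit > start:                         # bytes in front of the member
            units.append(leaf(f"{path}/raw@{start:#x}", blob[start:hit]))
        # S24, then back to S22 on the inflated payload
        units += disassemble(payload, depth + 1, f"{path}/gz@{hit:#x}")
        pos = start = hit + consumed
    if start < len(blob):
        units.append(leaf(f"{path}/raw@{start:#x}", blob[start:]))
    return units


def _noise(n):
    """Deterministic high-entropy bytes standing in for an encrypted region."""
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed sample: header, a doubly gzipped script, then an opaque region.
_SCRIPT = b"#!/bin/sh\nutelnetd -d -i br0 >/dev/console\n"
SAMPLE_FIRMWARE = b"FWHDR\x00v1" + gzip.compress(gzip.compress(_SCRIPT)) + _noise(4096)

if __name__ == "__main__":
    for unit_path, unit_data, unit_note in disassemble(SAMPLE_FIRMWARE):
        print(f"{unit_path:28} {len(unit_data):5} bytes  {unit_note}")
```

A unit labelled opaque was never actually searched, so a report built on these units should treat it as "not inspected" rather than as evidence that no hidden danger exists.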
S12, judging whether a pre-stored character sequence paradigm and/or a pre-stored instruction sequence paradigm exists in the first data unit;
If yes, go to step S13; if not, go to step S14.
S13, outputting a first result that hidden danger exists in the firmware corresponding to the firmware information;
S14, outputting a second result that the firmware corresponding to the firmware information has no hidden danger.
In the embodiment of the present application, after the first data unit is obtained, the data and code start position and the data and code end position of the first data unit are determined first. It is then judged whether a pre-stored character sequence paradigm and/or instruction sequence paradigm exists in the data between the data and code start position and the data and code end position.
For example, for the first data unit, offset 0 of the data unit can be set as the data and code start position and the end of the data unit as the data and code end position, as shown in Fig. 3. During the judgment, the data from the data and code start position to the data and code end position is matched against the pre-stored character sequence paradigm. When the pre-stored character sequence paradigm exists, the first result is output. When it does not exist, the instruction sequence paradigm is matched.
To perform instruction sequence paradigm matching, it is further determined whether the first data unit is in an executable file format, such as the PE format on Microsoft Windows or the ELF format on Linux. If it is, the start and end positions of the data and code can be determined from the inherent structure of the file: the end position of the code is the start position of the code plus the number of bytes of code. If the first data unit is not in an executable file format, it is handled as ordinary data: offset 0 is set as the data and code start position and the end of the file as the data and code end position.
During the judgment, the data from the data and code start position to the data and code end position is matched against the pre-stored instruction sequence paradigm. When a pre-stored instruction sequence paradigm exists, the first result is output. When it does not exist, the second result is output.
In the present application, the order of matching the character sequence paradigm and the instruction sequence paradigm is not limited: the character sequence paradigm may be matched first, or the instruction sequence paradigm may be matched first. In the embodiment of the application, the number of hidden dangers detected at a time is also not limited: one hidden danger can be detected, or a plurality of hidden dangers can be detected.
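The matching step described above, as an added Python example that is not code from the patent: the character sequence paradigm quoted earlier is searched over the whole unit, and an instruction sequence paradigm is searched only between the code start and end positions read from the ELF program headers. The hex-with-wildcards paradigm format, the paradigm names, the ELF32-only parsing and the sample binaries are assumptions constructed for the illustration.

```python
import re
import struct

# Character sequence paradigm quoted on this page, as a bytes regex.
CHAR_PARADIGMS = {"telnet-remote-enable": re.compile(rb"telnetd\s-d\s-i\sbr")}

# Hypothetical instruction paradigm format (an assumption, not the patent's):
# hex bytes with "??" wildcards, plus strings / call names that must also occur.
# Bytes are little-endian ARM: ldr r0, [pc, #imm] followed by bl <target>.
INSN_PARADIGMS = {
    "arm-le-load-then-call": ("?? ?? 9f e5 ?? ?? ?? eb", [b"utelnetd", b"system"]),
}


def compile_hex(pattern):
    """Turn 'aa ?? bb' into a bytes regex where ?? matches any single byte."""
    parts = [b"." if t == "??" else re.escape(bytes.fromhex(t)) for t in pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def code_range(unit):
    """Return (start, end) of the code. ELF32: first executable PT_LOAD segment.
    Anything else, or a malformed header, falls back to offset 0 .. end of unit."""
    whole = (0, len(unit))
    if len(unit) < 52 or unit[:4] != b"\x7fELF" or unit[4] != 1 or unit[5] not in (1, 2):
        return whole
    order = "<" if unit[5] == 1 else ">"        # EI_DATA: 1 = little, 2 = big endian
    hdr = struct.unpack_from(order + "16sHHIIIIIHHHHHH", unit, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    if phentsize < 32:
        return whole
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 32 > len(unit):
            return whole
        p_type, p_offset, _, _, p_filesz, _, p_flags, _ = struct.unpack_from(
            order + "8I", unit, off)
        if p_type == 1 and p_flags & 1:         # PT_LOAD with PF_X
            end = p_offset + p_filesz           # end = start + number of code bytes
            return (p_offset, end) if end <= len(unit) else whole
    return whole


def find_insn(unit, rx, start, end, align=4):
    """First instruction-aligned match of rx inside [start, end), or -1."""
    pos = start
    while (m := rx.search(unit, pos, end)) is not None:
        if (m.start() - start) % align == 0:
            return m.start()
        pos = m.start() + 1
    return -1


def detect(unit):
    """Return matched paradigms; an empty list is the page's 'second result'."""
    findings = [("character", n) for n, rx in CHAR_PARADIGMS.items() if rx.search(unit)]
    start, end = code_range(unit)
    for name, (hexpat, required) in INSN_PARADIGMS.items():
        if (all(s in unit for s in required)
                and find_insn(unit, compile_hex(hexpat), start, end) >= 0):
            findings.append(("instruction", name))
    return findings


def build_elf(code, data):
    """Constructed minimal ELF32 little-endian ARM image: header, one phdr, code, data."""
    ident = b"\x7fELF\x01\x01\x01" + bytes(9)
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident, 2, 40, 1, 0x8054, 52, 0, 0,
                       52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", 1, 84, 0x8054, 0x8054, len(code), len(code), 5, 4)
    return ehdr + phdr + code + data


# Constructed samples.
CALL = bytes.fromhex("04009fe5" "010000eb" "1eff2fe1")   # ldr r0,[pc,#4]; bl; bx lr
NOPS = bytes.fromhex("00f020e3") * 3
SAMPLE_HIT = build_elf(CALL, b"utelnetd -d -i br0\x00system\x00")
SAMPLE_DATA_ONLY = build_elf(NOPS, CALL + b"utelnetd\x00system\x00")  # same bytes, in data
SAMPLE_SCRIPT = b"#!/bin/sh\nutelnetd -d -i br0 >/dev/console\n"     # not an executable

if __name__ == "__main__":
    for label, unit in [("hit", SAMPLE_HIT), ("data-only", SAMPLE_DATA_ONLY),
                        ("script", SAMPLE_SCRIPT)]:
        print(label, code_range(unit), detect(unit))
```

Restricting the instruction search to the code range is what keeps the second sample from matching: the same bytes appear there only as data.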
Based on the method, after the firmware information is acquired, it is disassembled, and the disassembled data is then matched against a pre-stored character sequence paradigm and a pre-stored instruction sequence paradigm that indicate hidden dangers in firmware, so that a result of whether the firmware has hidden dangers is output. This removes the dependence on the device, reduces the cost of detecting firmware hidden dangers, avoids the inaccuracy of manual analysis, improves detection accuracy, and shortens the time needed to analyze hidden dangers.
In addition, the method provided by the application is completed based on local data analysis, and remote whole-network detection is avoided, so that influence on entity services is avoided.
Further, in the embodiment of the present application, to determine the scope of impact, when it is determined that the firmware has a hidden danger, the product name and/or manufacturer corresponding to the firmware can be determined from the unique identification format of the firmware name. Finally, the firmware hidden danger and its scope of impact can be output.
Based on the same inventive concept, an embodiment of the present application further provides a device for detecting hidden danger in firmware, where the device for detecting hidden danger in firmware is used to implement the method for detecting hidden danger in firmware shown in fig. 1, and as shown in fig. 4, the device for detecting hidden danger in firmware includes:
the data processing module 401 is configured to disassemble the acquired firmware information to obtain a first data unit meeting a preset condition;
a control module 402, configured to determine whether a pre-stored character sequence paradigm and/or a pre-stored instruction sequence paradigm exist in the first data unit, and if the pre-stored character sequence paradigm and/or the pre-stored instruction sequence paradigm exist, output a first result that hidden danger exists in firmware corresponding to the firmware information; and if the pre-stored character sequence paradigm and/or the pre-stored instruction sequence paradigm do not exist, outputting a second result that hidden danger does not exist in the firmware corresponding to the firmware information, wherein the pre-stored character sequence paradigm is obtained based on information of the hidden danger of the firmware, and the instruction sequence paradigm is obtained based on the information of the hidden danger of the firmware.
In a possible design, the control module 402 is further configured to extract a key character sequence from the uploaded firmware information with hidden danger, generate a character sequence paradigm containing the key character sequence according to the key character sequence, and store the character sequence paradigm in a feature database.
In a possible design, the control module 402 is further configured to obtain instruction sequence information corresponding to the firmware information, character string information called in the executed instructions, and function call names, generate the instruction sequence paradigm according to the instruction sequence information, the character string information and the function call names, and store the instruction sequence paradigm in a feature database.
Based on the device, the firmware information is disassembled into minimum data units, and the disassembled data is then matched against the pre-stored character sequence paradigm and the pre-stored instruction sequence paradigm that indicate hidden dangers in firmware, so that a result of whether the firmware has hidden dangers is output. This removes the dependence on the device under test, reduces the cost of detecting firmware hidden dangers, avoids the inaccuracy of manual analysis, improves detection accuracy, and shortens the time needed to analyze hidden dangers.
It should be noted that, in the embodiment of the present application, the division of the module is schematic, and is only one logic function division, and there may be another division manner in actual implementation. Each functional module in the embodiments of the present application may be integrated into one processing module, or each module may exist alone physically, or two or more modules are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode.
Based on the same inventive concept, an embodiment of the present application further provides an electronic device, and with reference to fig. 5, the electronic device includes:
at least one processor 501 and a memory 502 connected to the at least one processor 501. The specific connection medium between the processor 501 and the memory 502 is not limited in this application, and Fig. 5 illustrates an example in which the processor 501 and the memory 502 are connected through a bus 500. The bus 500 is shown in Fig. 5 by a thick line, and the connection manner between other components is merely illustrative and not limiting. The bus 500 may be divided into an address bus, a data bus, a control bus, etc.; it is shown with only one thick line in Fig. 5 for ease of illustration, but this does not mean there is only one bus or one type of bus. Alternatively, the processor 501 may also be referred to as a controller; the name is not limiting.
In the embodiment of the present application, the memory 502 stores instructions executable by the at least one processor 501, and the at least one processor 501 may execute the firmware hazard detection method discussed above by executing the instructions stored in the memory 502. The processor 501 may implement the functions of the respective modules in the firmware hazard detection apparatus shown in fig. 4.
The processor 501 is a control center of the device for detecting hidden danger in firmware, and can connect various parts of the entire control apparatus by using various interfaces and lines, and by running or executing instructions stored in the memory 502 and calling data stored in the memory 502, various functions and processing data of the control apparatus are performed, so as to perform overall monitoring on the device for detecting hidden danger in firmware.
In one possible design, processor 501 may include one or more processing units and processor 501 may integrate an application processor that handles primarily operating systems, user interfaces, application programs, and the like, and a modem processor that handles primarily wireless communications. It will be appreciated that the modem processor described above may not be integrated into the processor 501. In some embodiments, processor 501 and memory 502 may be implemented on the same chip, or in some embodiments, they may be implemented separately on separate chips.
The processor 501 may be a general-purpose processor, such as a Central Processing Unit (CPU), digital signal processor, application specific integrated circuit, field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof, that may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present application. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the firmware hidden danger detection method disclosed in the embodiments of the present application may be directly implemented by a hardware processor, or implemented by a combination of hardware and software modules in the processor.
Memory 502, which is a non-volatile computer-readable storage medium, may be used to store non-volatile software programs, non-volatile computer-executable programs, and modules. The memory 502 may include at least one type of storage medium, for example a flash memory, a hard disk, a multimedia card, a card-type memory, a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Programmable Read Only Memory (PROM), a Read Only Memory (ROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a magnetic memory, a magnetic disk, an optical disk, and so on. The memory 502 may also be any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto. The memory 502 in the embodiments of the present application may also be circuitry or any other device capable of performing a storage function, for storing program instructions and/or data.
By programming the processor 501, the code corresponding to the firmware hidden danger detection method described in the foregoing embodiment may be solidified into a chip, so that the chip can execute the steps of the firmware hidden danger detection method in the embodiment shown in fig. 1 when running. How to program the processor 501 is well known to those skilled in the art and will not be described in detail herein.
Based on the same inventive concept, embodiments of the present application further provide a storage medium storing computer instructions, which when executed on a computer, cause the computer to perform the firmware hidden danger detection method discussed above.
In some possible embodiments, the aspects of the firmware hidden danger detection method provided by the present application may also be implemented in the form of a program product including program code which, when the program product is run on a device, causes the control apparatus to perform the steps of the firmware hidden danger detection method according to the various exemplary embodiments of the present application described above in this specification.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (10)

1. A firmware hidden danger detection method is characterized by comprising the following steps:
disassembling the acquired firmware information to obtain a first data unit meeting a preset condition;
judging whether a pre-stored character sequence paradigm and/or a pre-stored instruction sequence paradigm exist in the first data unit, wherein the pre-stored character sequence paradigm and the instruction sequence paradigm are obtained based on information of firmware hidden danger;
if the pre-stored character sequence paradigm and/or the pre-stored instruction sequence paradigm exist, outputting a first result that hidden danger exists in firmware corresponding to the firmware information;
and if the pre-stored character sequence paradigm and/or the pre-stored instruction sequence paradigm do not exist, outputting a second result that hidden danger does not exist in the firmware corresponding to the firmware information.
2. The method according to claim 1, wherein the disassembling the acquired firmware information to obtain the first data unit satisfying a preset condition includes:
disassembling the acquired firmware information to obtain first disassembled data;
judging whether the first disassembled data has compressed format data and encrypted format data;
if the compressed format data and/or the encrypted format data exist, continuing to disassemble the first disassembled data;
and if the compressed format data and the encrypted format data do not exist, taking the first disassembled data as the first data unit.
3. The method of claim 1, further comprising, prior to determining whether a pre-stored character sequence paradigm and/or a pre-stored instruction sequence paradigm is present in the first data unit:
extracting a key character sequence from the uploaded firmware information with hidden danger;
and generating a character sequence paradigm containing the key character sequence according to the key character sequence, and storing the character sequence paradigm into a characteristic database.
4. The method of claim 1, further comprising, prior to determining whether a pre-stored character sequence paradigm and/or a pre-stored instruction sequence paradigm is present in the first data unit:
acquiring instruction sequence information corresponding to the firmware information, character string information called in the execution instruction, and a function call name;
and generating the instruction sequence paradigm according to the instruction sequence information, the character string information and the function call name, and storing the instruction sequence paradigm into a characteristic database.
5. The method of claim 1, wherein said determining whether a pre-stored character sequence paradigm and/or a pre-stored instruction sequence paradigm exists in the first data unit comprises:
determining a data and code starting position and a data and code ending position in the first data unit;
determining whether a pre-stored character sequence paradigm and/or a pre-stored instruction sequence paradigm exists in data between the data and code start position and the data and code end position.
6. A firmware hidden danger detection device is characterized by comprising:
the data processing module is used for disassembling the acquired firmware information to obtain a first data unit meeting a preset condition;
the control module is used for judging whether a pre-stored character sequence paradigm and/or a pre-stored instruction sequence paradigm exist in the first data unit, and if the pre-stored character sequence paradigm and/or the pre-stored instruction sequence paradigm exist, outputting a first result that hidden danger exists in firmware corresponding to the firmware information; and if the pre-stored character sequence paradigm and/or the pre-stored instruction sequence paradigm do not exist, outputting a second result that hidden danger does not exist in the firmware corresponding to the firmware information, wherein the pre-stored character sequence paradigm and the instruction sequence paradigm are obtained based on information of the hidden danger of the firmware.
7. The apparatus of claim 6, wherein the control module is further configured to extract a key character sequence from the uploaded firmware information with hidden danger; and generate a character sequence paradigm containing the key character sequence according to the key character sequence, and store the character sequence paradigm into a characteristic database.
8. The apparatus of claim 6, wherein the control module is further configured to obtain instruction sequence information corresponding to the firmware information, character string information called in the execution instruction, and a function call name; and generate the instruction sequence paradigm according to the instruction sequence information, the character string information and the function call name, and store the instruction sequence paradigm into a characteristic database.
9. An electronic device, comprising:
a memory for storing a computer program;
a processor for implementing the method steps of any one of claims 1-5 when executing the computer program stored on the memory.
10. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, which computer program, when being executed by a processor, carries out the method steps of any one of claims 1-5.
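The flow of claims 1 to 5, sketched in Python as an added example (not code from the patent or its applicants). It assumes gzip is the only container format, that 0xFF padding delimits the data and code region, and that an instruction sequence paradigm is a byte pattern with wildcard operands; the feature names, opcode bytes and firmware images are constructed, and encrypted layers are not handled.

```python
import gzip
import re
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"
MAX_OUT = 16 * 1024 * 1024  # cap per-stream output so a decompression bomb is skipped

def unpack(blob, depth=0, max_depth=8):
    """Claim 2: keep unpacking while compressed data is present; yield leaf data units."""
    pos, found = 0, False
    while depth < max_depth and (i := blob.find(GZIP_MAGIC, pos)) != -1:
        d = zlib.decompressobj(wbits=31)  # 31 = gzip container only
        try:
            inner = d.decompress(blob[i:], MAX_OUT)
        except zlib.error:
            inner = None  # magic bytes occurred by chance
        if inner is None or not d.eof:  # corrupt, truncated or oversized stream
            pos = i + 1
            continue
        found = True
        pos = len(blob) - len(d.unused_data)  # resume after this stream
        yield from unpack(inner, depth + 1, max_depth)
    if not found:
        yield blob

def code_region(unit):
    """Claim 5 bounds. Assumption: 0xFF flash padding lies outside data and code."""
    start = len(unit) - len(unit.lstrip(b"\xff"))
    return start, max(start, len(unit.rstrip(b"\xff")))

def char_paradigm(key):
    """Claim 3: generalise a key character sequence so whitespace runs may vary."""
    rx = re.compile(rb"\s+".join(re.escape(p) for p in key.split()))
    return lambda data: bool(rx.search(data))

def instr_paradigm(ops, strings=(), calls=()):
    """Claim 4, simplified: fixed opcode bytes, wildcard operands (None), plus the
    referenced strings and called function names, all of which must be present."""
    rx = re.compile(b"".join(b"." if o is None else re.escape(bytes([o])) for o in ops), re.S)
    needles = tuple(strings) + tuple(calls)
    return lambda data: bool(rx.search(data)) and all(n in data for n in needles)

def detect(firmware, feature_db):
    """Claim 1: first result if any stored paradigm matches a unit, else second result."""
    hits = set()
    for unit in unpack(firmware):
        start, end = code_region(unit)
        hits |= {name for name, match in feature_db.items() if match(unit[start:end])}
    return ("hidden danger found", sorted(hits)) if hits else ("no hidden danger found", [])

# Constructed feature database and firmware images; opcode bytes are placeholders, not a real ISA.
FEATURE_DB = {
    "char:debug-credential": char_paradigm(b"debug_passwd = factory"),
    "instr:unchecked-copy": instr_paradigm([0xA1, None, None, 0xB2], [b"%s"], [b"strcpy"]),
}
_payload = (b"\xff" * 16 + b"cfg debug_passwd   =\tfactory\x00"
            + b"\xa1\x10\x20\xb2 strcpy %s" + b"\xff" * 16)
SAMPLE_FW = b"HDR0" + gzip.compress(gzip.compress(_payload, mtime=0), mtime=0) + b"\xff" * 8
CLEAN_FW = b"HDR0" + gzip.compress(b"\xff" * 8 + b"hello world", mtime=0)
```

A stream that is truncated, corrupt or larger than `MAX_OUT` is left packed and scanned as-is, so it should be reported separately rather than read as a clean result.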
CN202110577220.0A 2021-05-26 2021-05-26 Firmware hidden danger detection method and device and electronic equipment Active CN113312220B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110577220.0A CN113312220B (en) 2021-05-26 2021-05-26 Firmware hidden danger detection method and device and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110577220.0A CN113312220B (en) 2021-05-26 2021-05-26 Firmware hidden danger detection method and device and electronic equipment

Publications (2)

Publication Number Publication Date
CN113312220A (en) 2021-08-27
CN113312220B (en) 2023-03-21

Family

ID=77374756

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110577220.0A Active CN113312220B (en) 2021-05-26 2021-05-26 Firmware hidden danger detection method and device and electronic equipment

Country Status (1)

Country Link
CN (1) CN113312220B (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111475324A (en) * 2020-04-03 2020-07-31 西安广和通无线软件有限公司 Log information analysis method and device, computer equipment and storage medium
CN111611591A (en) * 2020-05-22 2020-09-01 中国电力科学研究院有限公司 Firmware vulnerability detection method and device, storage medium and electronic equipment
US10762214B1 (en) * 2018-11-05 2020-09-01 Harbor Labs Llc System and method for extracting information from binary files for vulnerability database queries
CN111881455A (en) * 2020-07-27 2020-11-03 绿盟科技集团股份有限公司 Firmware security analysis method and device
CN112134761A (en) * 2020-09-23 2020-12-25 国网四川省电力公司电力科学研究院 Electric power Internet of things terminal vulnerability detection method and system based on firmware analysis
CN112149136A (en) * 2020-09-23 2020-12-29 北京顶象技术有限公司 loT device firmware vulnerability detection method and system and electronic device
CN112733151A (en) * 2021-01-14 2021-04-30 广东银基信息安全技术有限公司 Embedded equipment firmware analysis method, device, medium and electronic equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李登 et al.: "Embedded device firmware vulnerability detection based on homology analysis", 《计算机工程》 (Computer Engineering) *

Also Published As

Publication number Publication date
CN113312220B (en) 2023-03-21

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant