CN113515749A - Firmware security evaluation method and system - Google Patents

Publication number
CN113515749A
Authority
CN
China
Legal status
Pending
Application number
CN202110785938.9A
Other languages
Chinese (zh)
Inventor
刘冬兰
刘晗
王睿
张昊
张方哲
马雷
刘新
郭山清
李正浩
陈剑飞
姚洪磊
焦洋
于灏
赵洋
赵晓红
赵勇
吕国栋
Current Assignee
State Grid Corp of China SGCC
Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd
Application filed by State Grid Corp of China SGCC and Electric Power Research Institute of State Grid Shandong Electric Power Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/572 Secure firmware programming, e.g. of basic input output system [BIOS]
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system

Abstract

The invention discloses a firmware security assessment method and system. The method comprises the following steps: parsing the firmware to be tested and extracting its assembly code; comparing the assembly code of the firmware to be tested with the assembly code of known sample firmware to obtain the similarity between the firmware to be tested and the sample firmware; and evaluating the security of the firmware to be tested according to the similarity and the security score of the sample firmware. The invention alleviates the huge consumption of time and resources caused by performing a complete security analysis on every firmware, greatly reduces the workload of firmware security analysis, and improves overall work efficiency.

Description

Firmware security evaluation method and system
Technical Field
The invention relates to the technical field of information security, in particular to a firmware security assessment method and system.
Background
The statements in this section merely provide background information related to the present disclosure and may not necessarily constitute prior art.
With the continuous improvement of China's level of informatization, the informatization and intelligent construction of the power system, a key infrastructure bearing on national security, has developed rapidly. Along with this, a large number of power system Internet of Things devices have been introduced and applied to important tasks such as device control, data acquisition and environmental monitoring of the power grid. This has greatly raised the informatization and intelligence level of the power grid, but it has also introduced a large number of information security vulnerabilities that threaten the secure operation of the power system.
Power Internet of Things devices usually use driver software, known as firmware, to execute their specified tasks. Because firmware generally interacts directly with the underlying hardware, a security vulnerability in it can prevent the device from operating as intended and poses a very serious threat to the safe and stable operation of the power system, so security analysis of the firmware is required. However, performing a complete security analysis on every firmware consumes a huge amount of time and resources; how to provide a more efficient firmware security assessment method is therefore a technical problem to be solved.
Disclosure of Invention
In order to solve the above problems, the present invention provides a firmware security evaluation method and system, which can effectively reduce the workload of firmware security analysis and improve the overall work efficiency.
In order to achieve the above purpose, in some embodiments, the following technical solutions are adopted:
a firmware security assessment method, comprising:
analyzing the firmware to be tested, and extracting an assembly code of the firmware to be tested;
comparing the assembly code of the firmware to be tested with the assembly code of the known sample firmware to obtain the similarity between the firmware to be tested and the sample firmware;
and evaluating the safety of the firmware to be tested according to the similarity and the safety score of the sample firmware.
Comparing the assembly code of the firmware to be tested with the assembly code of the known sample firmware to obtain the similarity between the firmware to be tested and the sample firmware, specifically comprising the following steps:
taking the operation instruction array of the assembly code of the firmware to be tested as a firmware array to be tested, and taking the operation instruction array of the assembly code of the known sample firmware as a sample firmware array;
setting a sliding window of a preset size on each of the firmware array to be tested and the sample firmware array, and counting, over all window positions, the number of times the operation instructions in the two sliding windows are completely identical;
if this count exceeds the maximum sliding distance of the sliding window on the firmware array to be tested, the similarity is taken to be 1; otherwise, the similarity is the ratio of the count to the maximum sliding distance.
In other embodiments, the following technical solutions are adopted:
a firmware security assessment system, comprising:
the data extraction module is used for analyzing the firmware to be detected and extracting the assembly code of the firmware to be detected;
the data comparison module is used for comparing the assembly code of the firmware to be tested with the assembly code of the known sample firmware to obtain the similarity between the firmware to be tested and the sample firmware;
and the data evaluation module is used for evaluating the safety of the firmware to be tested according to the similarity and the safety score of the sample firmware.
In other embodiments, the following technical solutions are adopted:
a terminal device comprising a processor and a memory, the processor being arranged to implement instructions; the memory is used for storing a plurality of instructions which are suitable for being loaded by the processor and executing the firmware safety evaluation method.
In other embodiments, the following technical solutions are adopted:
a computer-readable storage medium having stored therein a plurality of instructions adapted to be loaded by a processor of a terminal device and to execute the above firmware security assessment method.
Compared with the prior art, the invention has the beneficial effects that:
(1) By combining similarity calculation at the assembly code level with information about known sample firmware, the method can make a preliminary evaluation of firmware security and screen out firmware that poses a potential threat, which can then be handed to a professional for further analysis. This alleviates the huge time and resource consumption of performing a complete security analysis on every firmware, greatly reduces the workload of firmware security analysis, and improves overall work efficiency.
Drawings
FIG. 1 is a flowchart of a method for evaluating firmware security according to an embodiment of the present invention;
FIG. 2 is a schematic view of a sliding window in an embodiment of the present invention;
FIG. 3 is a diagram illustrating a system for evaluating firmware security according to an embodiment of the present invention.
Detailed Description
It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the disclosure. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments according to the present application. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, and it should be understood that when the terms "comprises" and/or "comprising" are used in this specification, they specify the presence of stated features, steps, operations, devices, components, and/or combinations thereof, unless the context clearly indicates otherwise.
Embodiment one
In one or more embodiments, a firmware security evaluation method is disclosed. It is based on the observation that if firmware is first screened and only firmware with a large potential threat is selected for further security analysis, the workload of firmware security analysis is greatly reduced and overall work efficiency is improved.
The extracted firmware code is usually binary assembly code composed of operation instructions and their parameters. For example, MOV %EAX, [%ESP+8] indicates that 8 bytes are added to the address in the ESP register to obtain a new address, and the data at that address is then fetched and written into the EAX register; the operation instruction of this assembly code is the MOV instruction. The arrangement of operation instructions reflects the operating logic of the program to a certain extent: the more similar the operation instructions of two pieces of assembly code are, the more similar their functions are, and if one of them has a security vulnerability, the more likely it is that the other has one as well. The present application therefore provides a firmware security evaluation method that makes a preliminary evaluation of the security of the firmware to be tested by comparing its similarity with known firmware, specifically as follows:
Referring to fig. 1, the firmware security evaluation method disclosed in this embodiment specifically includes:
Step 201, a firmware library is constructed, which contains a plurality of known sample firmware and their corresponding security scores. For example, power Internet of Things device firmware is obtained as the original samples. The firmware library holds several known sample firmware; ways of acquiring sample firmware include, but are not limited to, downloading it directly from the manufacturer's official website or having it provided by the device vendor, obtaining it through a disguised firmware upgrade request, obtaining it through a hardware debug interface such as UART or JTAG, or reading the device memory and recovering the firmware contents from it.
In this embodiment, the process of constructing the firmware library specifically includes:
the sample firmware and its security label are obtained,
analyzing the sample firmware, and extracting an assembly code of the sample firmware;
and obtaining a security score of the sample firmware according to the security label.
It can be understood that, when the sample firmware is obtained, the security label of the sample firmware can be obtained by combining information sources such as public vulnerability libraries, manufacturer security bulletins and the like.
It can be understood that, the firmware unpacking engine can be used to analyze the content of the sample firmware and obtain the file system containing the program code in the sample firmware; decompiling software or techniques is used to convert machine language code in the file system into assembly code.
The security labels can be divided into four categories: high-risk, medium-risk, low-risk and secure. Each category is assigned a value: $v_{\text{high}}$ denotes the security score of high-risk samples, $v_{\text{medium}}$ the security score of medium-risk samples, $v_{\text{low}}$ the security score of low-risk samples, and $v_{\text{secure}}$ the security score of secure samples. In the present application, $v_{\text{high}} = 100$, $v_{\text{medium}} = 80$, $v_{\text{low}} = 60$, $v_{\text{secure}} = 0$. The scoring criteria can be set by those skilled in the art according to actual needs; the values above are only examples and are not limiting.
Step 202, obtain the firmware to be tested.
It is understood that to evaluate the security of the firmware to be tested, the firmware to be tested needs to be acquired first.
Step 203, analyzing the firmware to be tested, and extracting the assembly code of the firmware to be tested.
It can be understood that the firmware unpacking engine can be used for analyzing the content of the firmware to be tested to obtain a file system containing the program code in the firmware to be tested; decompiling software or techniques is used to convert machine language code in the file system into assembly code.
Step 204, comparing the assembly code of the firmware to be tested with the assembly code of the known sample firmware to obtain the similarity between the firmware to be tested and the sample firmware.
It should be noted that, in this embodiment, "known sample firmware" means that the assembly code of the sample firmware is also known, so the similarity between the firmware to be tested and the sample firmware can be obtained by comparing the assembly code of the firmware to be tested with the assembly code of the sample firmware.
In this embodiment, a method for comparing assembly codes is provided, which includes:
taking the operation instruction array of the assembly code of the firmware to be tested as a firmware array to be tested, and taking the operation instruction array of the assembly code of the known sample firmware as a sample firmware array;
setting a sliding window of a preset size on each of the firmware array to be tested and the sample firmware array, and counting, over all window positions, the number of times the operation instructions in the two sliding windows are completely identical;
if this count exceeds the maximum sliding distance of the sliding window on the firmware array to be tested, the similarity is taken to be 1; otherwise, the similarity is the ratio of the count to the maximum sliding distance.
Please refer to fig. 2, wherein fig. 2 is a schematic diagram of a sliding window in this embodiment.
① Denote the sample firmware array by $a$ and its length by $N_a$; denote the firmware array to be tested by $b$ and its length by $N_b$. In fig. 2, the sample firmware array is on the left and the firmware array to be tested is on the right.
② Denote the sliding window size (the number of elements in the sliding window; $w = 3$ in fig. 2) by $w$, the sliding window on array $a$ by $w_a$, and the sliding window on array $b$ by $w_b$. Sliding window $w_b$ is placed at the head of array $b$ and sliding window $w_a$ at the head of array $a$;
③ Select the list of operation instructions $List_b$ in the current range of sliding window $w_b$ and the list of operation instructions $List_a$ in the range of sliding window $w_a$. When $List_a = List_b$, the value of the counter
Figure BDA0003158773280000061
is increased by 1 (its initial value is zero); when $List_a \neq List_b$, no operation is performed. Here $w$ denotes the current sliding window size and $i$ denotes the distance sliding window $w_b$ has moved ($i = 0$ in fig. 2);
④ Move sliding window $w_a$ by a step of one element and repeat steps ③ to ④ until sliding window $w_a$ reaches the tail of array $a$;
⑤ Move sliding window $w_b$ by a step of one element, return sliding window $w_a$ to the head of array $a$, and repeat steps ③ to ⑤ until sliding window $w_b$ reaches the tail of array $b$;
⑥ Calculate the similarity of array $a$ and array $b$ from the counter results, using the following formula:
Figure BDA0003158773280000071
That is: if the number of matches exceeds the maximum sliding distance of the sliding window on the firmware array to be tested, the similarity is taken to be 1; otherwise, the similarity is the ratio of the number of matches to the maximum sliding distance.
As an optional embodiment, in order to improve the similarity calculation result, the size of the sliding window may also be changed, specifically:
① Denote the sample firmware array by $a$ and its length by $N_a$; denote the firmware array to be tested by $b$ and its length by $N_b$.
② Denote the sliding window size (the number of elements in the sliding window) by $w$, the sliding window on array $a$ by $w_a$, and the sliding window on array $b$ by $w_b$. Let $w = w_{low}$, where $w_{low}$ is the minimum sliding window size; based on practical tests, $w_{low} = 5$ is preferred in this embodiment;
③ Sliding window $w_b$ is placed at the head of array $b$ and sliding window $w_a$ at the head of array $a$;
④ Select the list of operation instructions $List_b$ in the current range of sliding window $w_b$ and the list of operation instructions $List_a$ in the range of sliding window $w_a$. When $List_a = List_b$, the value of the counter
Figure BDA0003158773280000072
is increased by 1 (its initial value is zero); when $List_a \neq List_b$, no operation is performed. Here $w$ denotes the current sliding window size and $i$ denotes the distance sliding window $w_b$ has moved;
⑤ Move sliding window $w_a$ by a step of one element and repeat steps ④ to ⑤ until sliding window $w_a$ reaches the tail of array $a$;
⑥ Move sliding window $w_b$ by a step of one element, return sliding window $w_a$ to the head of array $a$, and repeat steps ④ to ⑥ until sliding window $w_b$ reaches the tail of array $b$;
⑦ Change the sliding window size, $w = w + 1$, and repeat steps ③ to ⑦ until $w = w_{high}$; in this embodiment, $w_{high} = 10$ is preferred;
⑧ Calculate the similarity of array $a$ and array $b$ from the counter results, using the following formula:
Figure BDA0003158773280000081
In this method, the similarity calculation takes the change in sliding window size into account, which further improves the accuracy of the similarity calculation compared with a method that uses a fixed sliding window size.
Step 205, the similarity between the firmware to be tested and all the sample firmware is multiplied by the security score of the corresponding sample firmware, and then the average value is obtained to obtain the security score of the firmware to be tested.
Specifically, the method for evaluating the security of the firmware to be tested comprises the following steps:
① Denote the number of sample firmware by $N$ and the serial number of a sample firmware by $i$; denote by $S_i$ the similarity between the $i$-th sample firmware and the firmware to be tested, by $V_i$ the security score of the $i$-th sample firmware, and by $V$ the security score of the firmware to be tested;
② The security score $V_i$ of a sample firmware is assigned according to the sample's security label: $v_{\text{high}}$ denotes the security score of high-risk samples, $v_{\text{medium}}$ the security score of medium-risk samples, $v_{\text{low}}$ the security score of low-risk samples, and $v_{\text{secure}}$ the security score of secure samples. In this application, $v_{\text{high}} = 100$, $v_{\text{medium}} = 80$, $v_{\text{low}} = 60$, $v_{\text{secure}} = 0$;
③ Calculate the security score of the firmware to be tested using the following formula:
Figure BDA0003158773280000082
④ Compare the security score $V$ of the firmware to be tested with the security threshold $V_\alpha$. When $V \geq V_\alpha$, the firmware to be tested is marked as potentially unsafe firmware and handed to a professional for further analysis, and its security is labelled according to the professional's analysis result; when $V < V_\alpha$, the firmware to be tested is marked as safe firmware. The security threshold $V_\alpha$ is set by those skilled in the art according to the actual situation.
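The following is an added example, not part of the patent text, that runs steps 203 to 205 on constructed input: the fixed-size sliding-window similarity, the averaged security score, and the threshold decision. The disassembly input format, the function names, the threshold value, and the reading of "maximum sliding distance" as $N_b - w$ are assumptions, since the formula images are not reproduced on this page.

```python
from collections import Counter

# Label scores as given in the patent text (a higher value means higher risk).
LABEL_SCORES = {"high": 100, "medium": 80, "low": 60, "secure": 0}


def opcode_array(disassembly):
    """Return the operation-instruction array: one mnemonic per instruction.

    Assumed input format: one "MNEMONIC operands" per line, optional ';'
    comments, blank lines ignored.
    """
    ops = []
    for line in disassembly.splitlines():
        line = line.split(";", 1)[0].strip()
        if line:
            ops.append(line.split()[0].upper())
    return ops


def window_matches(sample, tested, w):
    """Count identical window pairs over all positions of both windows.

    Gives the same total as the nested slide of w_a and w_b, but hashes the
    sample windows once instead of comparing every pair of positions.
    """
    if w <= 0:
        raise ValueError("window size must be positive")
    sample_windows = Counter(
        tuple(sample[j:j + w]) for j in range(len(sample) - w + 1))
    return sum(sample_windows[tuple(tested[i:i + w])]
               for i in range(len(tested) - w + 1))


def similarity(sample, tested, w=3):
    """1 if matches exceed the maximum sliding distance, else their ratio."""
    max_distance = len(tested) - w  # assumption: head-to-tail travel of w_b
    matches = window_matches(sample, tested, w)
    if max_distance <= 0:
        # The tested array holds at most one window, so the ratio is undefined.
        return 1.0 if matches else 0.0
    return min(1.0, matches / max_distance)


def security_score(tested, library, w=3):
    """Mean of similarity * sample score over all library samples (step 205).

    `library` is a list of (sample_opcode_array, label) pairs.
    """
    if not library:
        raise ValueError("firmware library is empty")
    total = sum(similarity(sample, tested, w) * LABEL_SCORES[label]
                for sample, label in library)
    return total / len(library)


def triage(score, threshold):
    """Threshold comparison: at or above the threshold goes to an analyst."""
    return "potentially unsafe" if score >= threshold else "safe"


# Constructed sample data (not taken from the patent).
VULN_SAMPLE = """\
push ebp
mov ebp, esp
sub esp, 64
lea eax, [ebp-64]
push eax
call strcpy
leave
ret
"""
TESTED = """\
push ebp
mov ebp, esp
sub esp, 128        ; operands differ, operation instructions do not
lea eax, [ebp-128]
push eax
call strcpy
leave
ret
"""
SAFE_SAMPLE = """\
xor eax, eax
inc eax
cmp eax, 10
jne loop
ret
"""

if __name__ == "__main__":
    library = [(opcode_array(VULN_SAMPLE), "high"),
               (opcode_array(SAFE_SAMPLE), "secure")]
    score = security_score(opcode_array(TESTED), library)
    print(score, triage(score, threshold=40))  # threshold is an assumed value
```

Because the score is a mean over the whole library, an exact match with a single high-risk sample is diluted by every dissimilar sample (here 100 becomes 50 with two samples), so the threshold has to be chosen with the library size in mind.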
Step 206, add the firmware to be tested and its security score to the firmware library.
After the security score of the firmware to be tested is obtained, the firmware to be tested can itself serve as sample firmware for later comparisons, which improves the sample library. The firmware library can therefore be updated: the firmware to be tested and its security score are added to the firmware library, and the contents of the firmware library are updated. In addition to updating the firmware library with tested firmware in this way, the firmware in the library and its security labels can be dynamically updated by drawing on information sources such as public vulnerability databases and manufacturer security bulletins.
The firmware safety evaluation method can effectively improve the overall working efficiency of firmware safety analysis, improve the firmware library and improve the evaluation accuracy.
Embodiment two
In one or more embodiments, a firmware security assessment system is disclosed, with reference to fig. 3, comprising:
the data extraction module 301 is configured to parse the firmware to be tested, and extract an assembly code of the firmware to be tested;
a data comparison module 302, configured to compare the assembly code of the firmware to be tested with the assembly code of the known sample firmware, so as to obtain a similarity between the firmware to be tested and the sample firmware;
and the data evaluation module 303 is configured to evaluate the security of the firmware to be tested according to the similarity and the security score of the sample firmware.
It should be noted that, the specific implementation of each module described above has been described in detail in the first embodiment, and is not described in detail here.
Optionally, since the firmware to be tested needs to be compared with sample firmware in a subsequent step, a firmware library may be constructed in advance if none exists, for example by obtaining power Internet of Things device firmware as the original samples. The firmware library holds several known sample firmware; ways of acquiring sample firmware include, but are not limited to, downloading it directly from the manufacturer's official website or having it provided by the device vendor, obtaining it through a disguised firmware upgrade request, obtaining it through a hardware debug interface such as UART or JTAG, or reading the device memory and recovering the firmware contents from it.
Therefore, the firmware security evaluation system of the embodiment further includes:
the building module 305 is configured to build a firmware library, where the firmware library includes a plurality of known sample firmware and corresponding security scores thereof.
The building block 305 specifically includes:
a sample acquiring unit 3051 for acquiring sample firmware and security tags thereof,
the sample analysis unit 3052 is configured to analyze the sample firmware and extract an assembly code of the sample firmware;
and the sample scoring unit 3053 is configured to obtain a security score of the sample firmware according to the security label.
It can be understood that, when the sample firmware is obtained, the security label of the sample firmware can be obtained by combining information sources such as public vulnerability libraries, manufacturer security bulletins and the like.
It can be understood that, the firmware unpacking engine can be used to analyze the content of the sample firmware and obtain the file system containing the program code in the sample firmware; decompiling software or techniques is used to convert machine language code in the file system into assembly code.
Further, the method also comprises the following steps: and an adding module 304, configured to add the firmware to be tested and the security score thereof to the firmware library.
It can be understood that after the security score of the firmware to be tested is obtained, the firmware to be tested can itself serve as sample firmware for later comparisons, which improves the sample library. The firmware library can therefore be updated: the firmware to be tested and its security score are added to the firmware library, and the contents of the firmware library are updated. In addition to updating the firmware library with tested firmware in this way, the firmware in the library and its security labels can be dynamically updated by drawing on information sources such as public vulnerability databases and manufacturer security bulletins.
Embodiment three
In one or more embodiments, a terminal device is disclosed, which includes a server including a memory, a processor, and a computer program stored in the memory and executable on the processor, and the processor implements the firmware security evaluation method in the first embodiment when executing the program. For brevity, no further description is provided herein.
It should be understood that in this embodiment, the processor may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. A general-purpose processor may be a microprocessor or any conventional processor.
The memory may include both read-only memory and random access memory, and may provide instructions and data to the processor, and a portion of the memory may also include non-volatile random access memory. For example, the memory may also store device type information.
In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in a processor or instructions in the form of software.
The firmware security evaluation method in the first embodiment may be implemented directly by a hardware processor, or by a combination of hardware and software modules in the processor. The software modules may be located in RAM, flash memory, ROM, PROM or EPROM, registers, or other storage media well known in the art. The storage medium is located in a memory; the processor reads the information in the memory and completes the steps of the method in combination with its hardware. To avoid repetition, it is not described in detail here.
Those of ordinary skill in the art will appreciate that the various illustrative elements, i.e., algorithm steps, described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
Embodiment four
In one or more embodiments, a computer-readable storage medium is disclosed, in which a plurality of instructions are stored, the instructions being adapted to be loaded by a processor of a terminal device and to perform the firmware security assessment method described in the first embodiment.
Although the embodiments of the present invention have been described with reference to the accompanying drawings, it is not intended to limit the scope of the present invention, and it should be understood by those skilled in the art that various modifications and variations can be made without inventive efforts by those skilled in the art based on the technical solution of the present invention.

Claims (10)

1. A method for firmware security assessment, comprising:
analyzing the firmware to be tested, and extracting an assembly code of the firmware to be tested;
comparing the assembly code of the firmware to be tested with the assembly code of the known sample firmware to obtain the similarity between the firmware to be tested and the sample firmware;
and evaluating the safety of the firmware to be tested according to the similarity and the safety score of the sample firmware.
2. The method for evaluating the security of the firmware as claimed in claim 1, further comprising, before acquiring the firmware to be tested:
and constructing a firmware library, wherein the firmware library comprises a plurality of known sample firmware and their corresponding security scores.
3. The method for evaluating the security of the firmware as claimed in claim 2, wherein the constructing the firmware library specifically comprises:
acquiring sample firmware and a security label thereof;
analyzing the sample firmware and extracting an assembly code of the sample firmware;
and obtaining a security score of the sample firmware according to the security label.
4. The method according to claim 1, wherein the comparing the assembly code of the firmware to be tested with the assembly code of the known sample firmware to obtain the similarity between the firmware to be tested and the sample firmware comprises:
taking the operation instruction array of the assembly code of the firmware to be tested as a firmware array to be tested, and taking the operation instruction array of the assembly code of the known sample firmware as a sample firmware array;
setting a sliding window of a preset size on each of the firmware array to be tested and the sample firmware array, and counting the number of times the operation instructions in the two sliding windows, at any positions, are completely identical (the number of repetitions);
if the number of repetitions exceeds the maximum sliding distance of the sliding window on the firmware array to be tested, the similarity is determined to be 1; otherwise, the similarity is the ratio of the number of repetitions to the maximum sliding distance.
5. The method according to claim 1, wherein the comparing the assembly code of the firmware to be tested with the assembly code of the known sample firmware to obtain the similarity between the firmware to be tested and the sample firmware comprises:
taking the operation instruction array of the assembly code of the firmware to be tested as a firmware array to be tested, and taking the operation instruction array of the assembly code of the known sample firmware as a sample firmware array;
setting a sliding window of a set size on each of the firmware array to be tested and the sample firmware array, and counting the number of times the operation instructions in the two sliding windows, at any positions, are completely identical (the number of repetitions);
changing the size of the sliding window and repeating the above process until the value of the sliding window meets the set threshold requirement;
counting the number of times the operation instructions in the two sliding windows, at any positions, are completely identical;
if the number of repetitions exceeds the maximum sliding distance of the sliding window on the firmware array to be tested, the similarity is determined to be 1; otherwise, the similarity is the sum, over all sliding windows, of the product of the ratio of the number of repetitions to the maximum sliding distance and the ratio of that sliding window's size to the sum of the sizes of all the sliding windows.
6. The method for evaluating the security of the firmware according to claim 1, wherein evaluating the security of the firmware to be tested according to the similarity and the security score of the sample firmware comprises:
and multiplying the similarity of the firmware to be tested and all the sample firmware by the security score of the corresponding sample firmware, and then averaging to obtain the security score of the firmware to be tested.
7. The method as claimed in claim 1, further comprising, after evaluating the security of the firmware to be tested according to the similarity and the security score of the sample firmware:
and adding the firmware to be tested and the security score thereof to the firmware library.
8. A firmware security evaluation system, comprising:
a data extraction module, configured to analyze the firmware to be tested and extract the assembly code of the firmware to be tested;
a data comparison module, configured to compare the assembly code of the firmware to be tested with the assembly code of the known sample firmware to obtain the similarity between the firmware to be tested and the sample firmware;
and a data evaluation module, configured to evaluate the security of the firmware to be tested according to the similarity and the security score of the sample firmware.
9. A terminal device comprising a processor and a memory, the processor being arranged to implement instructions; the memory is configured to store a plurality of instructions, wherein the instructions are adapted to be loaded by the processor and to perform the firmware security assessment method of any one of claims 1-7.
10. A computer-readable storage medium having stored therein a plurality of instructions, wherein the instructions are adapted to be loaded by a processor of a terminal device and to perform the firmware security evaluation method of any one of claims 1-7.
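The scoring arithmetic of claims 4 to 6, worked through as an added example (not code from the patent or its applicants). It assumes that the "maximum sliding distance" is the number of window positions on the array under test, that repetitions are counted over every pair of window positions (the reading under which the count can exceed that distance), and that the cap at 1 applies per window size; all function names, opcode arrays and scores are constructed.

```python
from collections import Counter

def window_ratio(test_ops, sample_ops, w):
    """Claim 4: repetitions / maximum sliding distance, set to 1 when exceeded."""
    # Assumption: maximum sliding distance = number of window positions
    # on the array under test.
    max_dist = len(test_ops) - w + 1
    if max_dist <= 0 or len(sample_ops) < w:
        return 0.0
    sample_windows = Counter(
        tuple(sample_ops[j:j + w]) for j in range(len(sample_ops) - w + 1))
    # Repetitions: every (test position, sample position) pair whose
    # windows hold exactly the same instructions.
    repeats = sum(sample_windows[tuple(test_ops[i:i + w])]
                  for i in range(max_dist))
    return 1.0 if repeats > max_dist else repeats / max_dist

def similarity(test_ops, sample_ops, sizes):
    """Claim 5: per-window ratios weighted by window size / sum of sizes."""
    total = sum(sizes)
    return sum(window_ratio(test_ops, sample_ops, w) * w / total for w in sizes)

def security_score(test_ops, library, sizes):
    """Claim 6: mean over all samples of similarity * sample security score."""
    if not library:
        raise ValueError("firmware library is empty")
    return sum(similarity(test_ops, ops, sizes) * score
               for ops, score in library) / len(library)

# Constructed sample data (not from the patent): operation-instruction
# arrays and security scores on an assumed 0-100 scale.
TEST_OPS = ["push", "mov", "sub", "mov", "call", "add", "pop", "ret"]
LIBRARY = [
    (["push", "mov", "sub", "mov", "call", "add", "pop", "ret"], 90.0),
    (["push", "mov", "sub", "ldr", "str", "add", "pop", "ret"], 40.0),
]
SIZES = (2, 3)

if __name__ == "__main__":
    for ops, score in LIBRARY:
        sim = similarity(TEST_OPS, ops, SIZES)
        print(f"similarity={sim:.4f} sample_score={score}")
    print(f"score={security_score(TEST_OPS, LIBRARY, SIZES):.4f}")
```

Because claim 6 averages over every sample in the library, firmware that resembles none of the samples scores 0 whatever the samples' labels are, so a low score can reflect missing library coverage rather than a property of the firmware itself.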
CN202110785938.9A 2021-07-12 2021-07-12 Firmware security evaluation method and system Pending CN113515749A (en)

Publications (1)

Publication Number Publication Date
CN113515749A (en) 2021-10-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination