CN113987517A - Vulnerability mining method, device, equipment and storage medium based on Internet of things firmware - Google Patents


Info

Publication number: CN113987517A
Authority: CN (China)
Prior art keywords: function, reference function, address, vulnerability, things
Legal status: Pending
Application number: CN202111294302.0A
Other languages: Chinese (zh)
Inventor: 黄晓
Current Assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Original Assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd; priority to CN202111294302.0A; published as CN113987517A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y 30/00 IoT infrastructure
    • G16Y 30/10 Security thereof
    • G PHYSICS
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS
    • G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y 40/00 IoT characterised by the purpose of the information processing
    • G16Y 40/50 Safety; Security of things, users, data or systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F 2221/033 Test or assess software

Abstract

The application provides a vulnerability discovery method, device, equipment and storage medium based on Internet of things firmware. The vulnerability discovery method based on Internet of things firmware comprises the following steps: acquiring a binary file of a target Internet of things device; extracting the firmware of the target Internet of things device from the binary file; analyzing the firmware, obtaining the symbol information of the firmware, searching for a system function and determining the function address of the system function; searching for a reference function based on a vulnerability search script and the function address of the system function, and determining the code information of the reference function according to the function address of the reference function; and judging whether the reference function has a command injection risk according to its code information, and if it does, outputting target vulnerability information based on the reference function. With the method and device, the accuracy and efficiency of vulnerability mining for the Internet of things can be improved while vulnerability mining of Internet of things firmware is realized.

Description

Vulnerability mining method, device, equipment and storage medium based on Internet of things firmware
Technical Field
The application relates to the field of computers, in particular to a vulnerability discovery method, device, equipment and storage medium based on Internet of things firmware.
Background
With the development of Internet of things technology, Internet of things devices have been widely applied in fields such as administration, commerce and finance. Devices such as smart cameras, routers and smart door locks play an increasingly important role in daily life. However, recent attack events show that while Internet of things devices bring convenience to our lives, they also bring security hazards, and the current security situation of the Internet of things ecosystem is worrying. Because there is no effective method for monitoring Internet of things devices with weak security, people face security threats in daily life: attackers can exploit the vulnerabilities of Internet of things devices to remotely control self-driving cars, steal smart camera footage, steal users' private data from smart storage devices, and so on.
Disclosure of Invention
An object of the embodiment of the application is to provide a vulnerability discovery method, device, equipment and storage medium based on internet of things firmware, which are used for carrying out vulnerability discovery on the internet of things firmware and improving the accuracy and efficiency of vulnerability discovery of the internet of things.
Therefore, the application discloses a vulnerability mining method based on Internet of things firmware, and the method comprises the following steps:
acquiring a binary file of target Internet of things equipment;
extracting the firmware of the target Internet of things according to the binary file of the target Internet of things equipment;
analyzing the firmware of the target Internet of things and obtaining symbolic information of the firmware;
searching a system function based on the vulnerability search script, the symbol information, the function offset and the function assembly code and determining a function address of the system function;
searching a reference function of the system function based on the vulnerability searching script and the function address of the system function, and obtaining the function address of the reference function;
determining code information of the reference function according to the function address of the reference function;
and judging whether the reference function has a command injection risk or not according to the code information of the reference function, and if the reference function has the command injection risk, outputting target vulnerability information based on the reference function.
According to the method, on the one hand, the address of the system function is obtained by having the vulnerability search script search automatically based on the symbol information, the function offset and the function assembly code, so the method has the advantages of high system function search efficiency and accurate search; the vulnerability search script replaces a human searching for the system function and so overcomes the low efficiency and low accuracy of manual search. On the other hand, because the vulnerability search script is used, and a script can complete a large number of searches in a short time, the search for the reference functions (the functions that reference the system function) in the firmware of the Internet of things device is completed quickly, which improves the search efficiency for reference functions. Furthermore, because the vulnerability search script consists of machine instructions, once the script has been determined in advance, using it to search for reference functions, particularly a large number of them, avoids the inaccurate search results and low efficiency caused by manual errors. On the other hand, because other programs can control the execution process and the execution result of the firmware of the Internet of things device by modifying the parameters of a reference function, which causes a vulnerability, whether a reference function has a command injection risk is judged from its code information, and vulnerability investigation is thereby carried out on the firmware of the Internet of things device, so that the security of the Internet of things firmware is guaranteed.
In the first aspect of the present application, as an optional implementation manner, the determining, according to the code information of the reference function, whether the reference function has a command injection risk includes:
converting the code information of the reference function into a target intermediate code based on an intermediate code encoding format;
judging whether the parameters of the reference function belong to a transparent predicate in the target intermediate code after conversion, if so, determining that the reference function has no command injection risk, otherwise, determining that the reference function has the command injection risk.
In this optional embodiment, the code information of the reference function is converted into the target intermediate code based on the intermediate code coding format so that different types of Internet of things devices can be supported. Different types of Internet of things devices use different processor architectures and machine code representations; this difference makes the code information of the reference function extracted from the binary file non-uniform, so that the judgment applied to the code information of one type of Internet of things device cannot be applied to the code information of another type, and a mining method would otherwise need to be set up separately for each type of Internet of things device. By converting the code information of the reference function into the intermediate code in the process of judging whether the reference function has a command injection risk, the target intermediate code unifies the code information of Internet of things devices with different processor architectures and machine code representations and shields the differences, so that device and platform compatibility is better, that is, a better cross-platform effect is achieved.
In the first aspect of the present application, as an optional implementation manner, the converting the code information of the reference function into the target intermediate code based on the intermediate code encoding format includes:
when the storage pointer of the reference function points to a constant string address or the storage pointer of the reference function is empty, converting the parameter of the reference function into a transparent predicate;
and when the storage pointer of the reference function points to an address pointer or an offset address, converting the parameter of the reference function into a non-transparent predicate.
In this optional embodiment, when the storage pointer of the reference function points to a constant string address or is null, the parameter of the reference function can be converted into a transparent predicate based on the intermediate code, and on the other hand, when the storage pointer of the reference function points to an address pointer or an offset address, the parameter of the reference function can be converted into a non-transparent predicate based on the intermediate code.
In the first aspect of the present application, as an optional implementation, the method further includes:
and when the parameter of the reference function belongs to the transparent predicate, searching, in a recursive search mode and according to the function address of the reference function, the function address of the lower-level function referenced by the reference function, until a searched lower-level function has a command injection risk.
In this optional embodiment, by searching the function addresses of the lower-level functions referenced by the reference functions in a recursive search mode, all the reference functions related to the system function can be completely checked, and on this basis the optional embodiment has better intelligence and vulnerability scanning comprehensiveness.
In the first aspect of the present application, as an optional implementation manner, after determining whether the reference function has a command injection risk according to the code information of the reference function and before outputting the target vulnerability information based on the reference function, the method further includes:
when the parameters of the reference function do not belong to the transparent predicates, judging whether the function address of the reference function is a termination address or not, and if so, executing the target vulnerability output based on the reference function;
if the function address of the reference function is not the termination address, based on the vulnerability search script and the function address of the searched system function, recursively searching the reference function referenced by the system function and judging whether the reference function obtained by current search has a command injection risk or not until the function address of the reference function obtained by current search is the termination address.
In this optional embodiment, by judging whether the function address of the reference function is the termination address, it can be decided whether to continue vulnerability discovery on the reference functions used by the system function, so that the optional embodiment has better intelligence and vulnerability scanning comprehensiveness.
A second aspect of the present application discloses a vulnerability discovery device based on Internet of things firmware, the device including:
the acquisition module is used for acquiring a binary file of the target Internet of things equipment;
the extraction module is used for extracting the firmware of the target Internet of things according to the binary file of the target Internet of things equipment;
the analysis module is used for analyzing the firmware of the target Internet of things and obtaining symbolic information of the firmware;
the first searching module is used for searching a system function based on a vulnerability searching script, the symbol information, the function offset and the function assembly code and determining a function address of the system function;
the second searching module is used for searching a reference function of the system function based on the vulnerability searching script and the function address of the system function and obtaining the function address of the reference function;
the determining module is used for determining the code information of the reference function according to the function address of the reference function;
and the judging module is used for judging whether the reference function has a command injection risk according to the code information of the reference function, and outputting target vulnerability information based on the reference function if the reference function has the command injection risk.
In the present application, by acquiring the binary file of the target Internet of things device, the firmware of the target Internet of things device can be extracted from that binary file; the firmware can then be analyzed to obtain its symbol information; based on the vulnerability search script and the symbol information, the system function can be searched and its function address determined; the search script can then be run with the function address of the system function as the starting address, thereby acquiring the function address of a reference function that references the system function, and the code information of the reference function can be acquired based on its function address; and, on the other hand, whether the reference function has a command injection risk can be judged from its code information, and if it does, the target vulnerability information is output based on the reference function.
Compared with the prior-art approach of manually checking whether IoT equipment has a command injection vulnerability, using the search script to search for the system function and the reference functions that reference it greatly reduces the vulnerability search time and improves the search efficiency, whereas manual checking of IoT equipment requires manually recording and tracking the function call stack. On the other hand, where the calling relationship between the system function and the reference functions is complex, particularly where the function call stack is very deep or there are many call stacks, manual checking easily loses track of functions, so the accuracy of vulnerability mining is not high.
In the second aspect of the present application, as an optional implementation manner, the determining module includes:
the conversion submodule is used for converting the code information of the reference function into a target intermediate code based on an intermediate code coding format;
and the judging submodule is used for judging whether the parameters of the reference function belong to the transparent predicates in the target intermediate code after conversion, if so, determining that the reference function has no command injection risk, and otherwise, determining that the reference function has the command injection risk.
Converting the code information of the reference function into the target intermediate code based on the intermediate code coding format makes different types of Internet of things equipment compatible. Different types of Internet of things equipment use different processor architectures and machine code representations; this difference makes the code information of the reference function extracted from the binary file inconsistent, so that the judgment applied to the code information of one type of Internet of things equipment cannot be applied to the code information of another type, and a mining method would otherwise need to be set up independently for each type of Internet of things equipment. By converting the code information of the reference function into the intermediate code in the process of judging whether the reference function has a command injection risk, the target intermediate code unifies the code information of Internet of things equipment with different processor architectures and machine code representations and shields the differences, so that device and platform compatibility is better, that is, a better cross-platform effect is achieved.
In the second aspect of the present application, as an optional implementation manner, the conversion sub-module is specifically configured to:
when the storage pointer of the reference function points to a constant string address or the storage pointer of the reference function is empty, converting the parameter of the reference function into a transparent predicate;
and when the storage pointer of the reference function points to an address pointer or an offset address, converting the parameter of the reference function into a non-transparent predicate.
In this optional embodiment, when the storage pointer of the reference function points to a constant string address or is null, the parameter of the reference function can be converted into a transparent predicate based on the intermediate code, and on the other hand, when the storage pointer of the reference function points to an address pointer or an offset address, the parameter of the reference function can be converted into a non-transparent predicate based on the intermediate code.
A third aspect of the present application discloses vulnerability discovery equipment based on Internet of things firmware, the vulnerability discovery equipment including:
a memory storing executable program code;
a processor coupled with the memory;
the processor calls the executable program code stored in the memory to execute the vulnerability discovery method based on the firmware of the internet of things according to the first aspect of the application.
According to the vulnerability mining equipment based on the Internet of things firmware, the vulnerability mining method based on the Internet of things firmware is executed, so that the accuracy and efficiency of the vulnerability mining of the Internet of things can be improved while the vulnerability mining of the Internet of things firmware is realized.
A fourth aspect of the present application discloses a storage medium, where the storage medium stores computer instructions, and the computer instructions are used to execute the vulnerability discovery method based on the firmware of the internet of things according to the first aspect of the present application when being called.
By executing the vulnerability mining method based on the Internet of things firmware, the storage medium can improve the accuracy and efficiency of vulnerability mining of the Internet of things while realizing vulnerability mining of the Internet of things firmware.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic flowchart of a vulnerability discovery method based on Internet of things firmware disclosed in an embodiment of the present application;
Fig. 2 is a schematic diagram illustrating the printing of target vulnerability information disclosed in an embodiment of the present application;
Fig. 3 is a schematic diagram of another example of target vulnerability information printing disclosed in an embodiment of the present application;
Fig. 4 is a schematic structural diagram of a vulnerability discovery apparatus based on Internet of things firmware disclosed in an embodiment of the present application;
Fig. 5 is a schematic structural diagram of vulnerability discovery equipment based on Internet of things firmware disclosed in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
Example one
Referring to fig. 1, fig. 1 is a schematic flowchart of a vulnerability discovery method based on an internet of things firmware according to an embodiment of the present application. As shown in fig. 1, the method of the embodiment of the present application includes the following steps:
101. acquiring a binary file of target Internet of things equipment;
102. extracting firmware of the target Internet of things according to the binary file of the target Internet of things equipment;
103. analyzing the firmware of the target Internet of things and obtaining symbol information of the firmware;
104. searching a system function based on a vulnerability searching script and symbol information and determining a function address of the system function;
105. searching a reference function of the system function based on the vulnerability search script and the function address of the system function, and obtaining the function address of the reference function;
106. determining code information of the reference function according to the function address of the reference function;
107. and judging whether the reference function has a command injection risk or not according to the code information of the reference function, and if the reference function has the command injection risk, outputting target vulnerability information based on the reference function.
In the embodiment of the application, the target internet of things device includes, but is not limited to, one or more of an intelligent camera, a router and an intelligent door lock.
Further, in the embodiment of the present application, the firmware of the Internet of things device refers to the software tied to the underlying hardware of the device, such as the driver for the network card and the driver for the camera; such programs are called firmware rather than software because they are updated less frequently than the programs (software) in the application layer and are usually not rewritten by third-party developers.
In this embodiment of the application, the firmware of the target internet of things device is stored in a binary file in hardware of the internet of things device, for example, stored on a hard disk of the internet of things device.
In this embodiment of the application, the binary file of the target Internet of things device includes the binary file compiled from the firmware of the target Internet of things device. Generally, the firmware is written in assembly language or a high-level language and then compiled into a binary file by a compiler, so that the hardware of the target Internet of things device executes the firmware as binary machine code. On this basis, in order to judge whether the reference function has a command injection risk from its code information, the binary file of the firmware can be extracted from the binary file of the target Internet of things device.
In this embodiment of the application, as an optional implementation manner, regarding step 102, a specific implementation manner of extracting the firmware of the target internet of things according to the binary file of the target internet of things device is as follows:
and extracting the firmware of the target Internet of things from the binary file of the target Internet of things device by using the binwalk tool. Here, binwalk is a tool that searches a given binary image file for embedded files and code. Specifically, it is designed to identify the files and code embedded within a firmware image, so in the present embodiment the code and files of the firmware part of the binary file of the target Internet of things device can be identified using binwalk, and the firmware of the target Internet of things device can then be extracted based on the identification result.
In this embodiment, as an optional implementation manner, regarding step 103, a specific implementation manner of analyzing the firmware of the target internet of things and obtaining symbolic information of the firmware is as follows:
and analyzing the firmware of the target Internet of things by using the Ghidra decompilation tool and obtaining the symbol information of the firmware. Ghidra is a decompilation tool. Generally speaking, the source code of the firmware of the target Internet of things device is compiled into an executable file, namely a binary file, and in some cases the compilation process also obfuscates and encrypts the firmware source code to make it harder to crack; the firmware extracted from the binary file of the target Internet of things device therefore usually has poor readability and does not clearly identify the information in the code, so the firmware needs to be decompiled to recover the source code of the firmware of the target Internet of things device.
Further, the symbol information refers to a function name in the firmware.
In the embodiment of the present application, as an optional implementation manner, a specific implementation manner of step 104 is:
and loading the vulnerability search script by the Ghidra decompiling tool, searching the system function through the vulnerability search script and the symbol information, and determining the function address of the system function.
In this optional embodiment, specifically, the symbolic information includes a plurality of function names in the target internet of things device firmware, so that information that matches the search keyword can be queried in the plurality of function names by inputting the function search keyword in the vulnerability search script, for example, by inputting the function name of the system function, the name of the system function can be queried in the symbolic information, and then the address of the system function can be queried by the name of the system function.
Further, in this optional embodiment, the vulnerability search script is preset with code for searching the system function, and when this code is triggered to execute, the address of the system function can be found.
In the embodiment of the application, specifically, the code information of the reference function includes the parameter of the reference function, and this parameter is used to judge whether the reference function has a command injection risk by judging whether the parameter can be modified. Accordingly, in step 107, if the code information of the reference function indicates that its parameter cannot be changed by a new parameter injected while the program runs, the reference function has no command injection risk; if the code information indicates that the parameter can be changed by a new parameter injected while the program runs, the reference function has a command injection risk.
Specifically, the parameter of the reference function is stored at the storage address pointed to by the storage pointer, and the value of the storage pointer differs according to the value of the parameter. For example, when the value of the parameter of the reference function is null, that is, the reference function does not need to receive an externally injected parameter value, the storage pointer is null; when the value of the parameter of the reference function is a constant, the storage pointer points to a constant string address; and when the value of the parameter of the reference function is an indeterminate value (for example, a value that is only determined during the dynamic run phase of the program is treated as an indeterminate value), the storage pointer is an address pointer or an offset address.
In summary, the storage content of the storage pointer can be judged from the code information of the reference function; from the storage content of the pointer the type of the parameter of the reference function can be judged; and from the type of the parameter it can be judged whether the reference function has a command injection risk.
According to the method, on the one hand, the address of the system function is obtained by automatic searching with the vulnerability search script based on the character information, the function offset and the function assembly code, so the method searches for system functions efficiently and accurately; the vulnerability search script replaces manual searching and so overcomes the low efficiency and low accuracy of a manual search. On the other hand, because the vulnerability search script can complete a large number of searches in a short time, the search for reference functions (functions that reference the system function) in the firmware of the internet of things device is completed quickly, which improves the search efficiency for reference functions. Furthermore, because the vulnerability search script consists of machine instructions that are fixed in advance, using it to search for reference functions, particularly a large number of them, avoids the inaccurate results and low efficiency caused by manual error. Finally, other programs can control the execution process and the execution result of the firmware of the internet of things device by modifying the parameters of the reference function, which is what causes the vulnerability; judging from the code information of the reference function whether it carries a command injection risk, and then investigating the firmware of the internet of things device for vulnerabilities, therefore protects the security of the internet of things firmware.
For example, when the call stack of a reference function is very deep and there are multiple call stacks, tracking the reference function manually makes it easy to lose track of it.
In the embodiment of the present application, as an optional implementation manner, after analyzing the firmware of the target internet of things, the Ghidra decompilation tool can further obtain a function offset address and function assembly code, where the function offset address is as described in the prior art, and the function assembly code is the implementation of the function presented in the form of pseudo assembly code.
In this embodiment, as an optional implementation manner, the Ghidra decompiling tool is provided with an analysis interface, where the analysis interface may be used to display the symbol information, the function offset address, and the function assembly code obtained through analysis, so that a user can view related information at any time.
For example, as shown in fig. 2 and fig. 3, by clicking the reference function, it is possible to jump to a key point to obtain the complete data of the reference function.
In the embodiment of the present application, as an optional implementation manner, step 107, judging whether the reference function has a command injection risk according to the code information of the reference function, comprises the following sub-steps:
converting the code information of the reference function into a target intermediate code based on an intermediate code encoding format;
and judging whether the parameter of the reference function belongs to the transparent predicates in the converted target intermediate code; if so, determining that the reference function has no command injection risk, and otherwise determining that the reference function has a command injection risk.
In this optional embodiment, the processors of different internet of things devices have different architectures, or the machine code may be represented differently: for example, the processor of some internet of things devices is of x86 architecture while others are of other architectures, and in the machine code representation some processors employ the x86 instruction set while others employ the AVX instruction set. These differences can make it inaccurate to judge whether the reference function is at risk of command injection directly from its code information. Therefore, to mask the differences, the embodiment of the application converts the code information of the reference function into the target intermediate code based on the intermediate code encoding format. The intermediate code, IR for short, is an intermediate representation converted from the machine code, so that machine code with the same meaning on different internet of things devices is represented uniformly. Further, the result of converting the code information of the reference function is that a parameter of the reference function whose value is determined is described as a transparent predicate and a parameter whose value is undetermined is described as a non-transparent predicate, so whether the parameter of the reference function has a command injection vulnerability can be judged by judging whether it is described as a transparent predicate after the conversion.
Based on this, it should be noted that in the embodiment of the present application the transparent predicate is the intermediate code descriptor into which a parameter with a definite value is converted, and the non-transparent predicate is the intermediate code descriptor into which a parameter with an indefinite value is converted.
It should be noted that the Ghidra decompilation tool provides a p-code library that can be used to convert the code information of the reference function into the target intermediate code.
In this optional embodiment, converting the code information of the reference function into the target intermediate code based on the intermediate code coding format makes different types of internet of things devices compatible. Different types of internet of things devices adopt different processor architectures and different machine code expression forms; this difference makes the code information of the reference function extracted from the binary file non-uniform, so that a judgment made on the code information of one type of internet of things device cannot be applied to the code information of another type, and a mining method would have to be set up separately for each type of internet of things device. By converting the code information of the reference function into the intermediate code in the course of judging whether the reference function has a command injection risk, the code information of internet of things devices with different processor architectures and machine code expression forms is unified and the difference is masked, so that device and platform compatibility is better, that is, a better cross-platform effect is achieved.
In the embodiment of the present application, as an optional implementation manner, the steps of: converting code information of the reference function into a target intermediate code based on an intermediate code encoding format, including:
when the saved pointer of the reference function points to a constant string address or the saved pointer of the reference function is null, converting the parameter of the reference function into a transparent predicate;
and when the saved pointer of the reference function points to an address pointer or an offset address, converting the parameter of the reference function into a non-transparent predicate.
In this optional embodiment, when the saved pointer of the reference function points to a constant string address or is null, the parameter of the reference function is converted into the transparent predicate based on the intermediate code; when the saved pointer points to an address pointer or an offset address, the parameter of the reference function is converted into the non-transparent predicate based on the intermediate code.
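The classification of the reference function's parameter described under step 107 and in the conversion rule just given, as an added example that is not part of the patent and not Ghidra's own code. It models a call-site argument as a varnode in the way Ghidra's P-Code does (address space, offset, size) and applies the page's rule: a null pointer or a pointer to a constant string is a transparent predicate, anything else (register, stack slot, writable memory) is a non-transparent predicate. The address-space names, the `Varnode` and `CallSite` types, the read-only string table `RODATA` and the sample call sites are constructed assumptions for the example:

```python
"""Transparent / non-transparent predicate classification over a constructed
p-code-like representation (assumption: not Ghidra's real API)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Varnode:
    space: str    # "const", "ram", "register" or "stack" (constructed names)
    offset: int   # constant value, memory address, register id or stack offset
    size: int     # size in bytes


@dataclass(frozen=True)
class CallSite:
    arch: str                 # e.g. "x86", "arm32", "mips"; ignored by the classifier
    caller: str               # reference function
    callee: str               # system function being referenced
    arg: Optional[Varnode]    # None when the callee takes no parameter


# Constructed read-only string table of the firmware image: address -> bytes.
RODATA = {
    0x00401000: b"/sbin/ifconfig eth0\x00",
    0x00401010: b"reboot\x00",
}


def is_constant_string(addr: int) -> bool:
    """True if addr is the start of a string in the read-only section."""
    return addr in RODATA


def predicate_kind(site: CallSite) -> str:
    """Apply the page's rule to the argument varnode of one call site."""
    v = site.arg
    if v is None:
        return "transparent"            # no parameter to inject into
    if v.space == "const" and v.offset == 0:
        return "transparent"            # NULL argument (saved pointer is null)
    if v.space == "ram" and is_constant_string(v.offset):
        return "transparent"            # pointer to a constant string address
    return "non-transparent"            # register, stack offset or writable RAM


def has_command_injection_risk(site: CallSite) -> bool:
    return predicate_kind(site) == "non-transparent"


# Constructed call sites. The same situation on two architectures produces the
# same varnode shape once lifted to the IR, which is why the classifier can
# ignore the architecture field.
SAMPLE_SITES = [
    CallSite("arm32", "do_reboot",   "system", Varnode("ram", 0x00401010, 4)),
    CallSite("mips",  "do_reboot",   "system", Varnode("ram", 0x00401010, 4)),
    CallSite("x86",   "run_ping",    "system", Varnode("stack", -0x40, 4)),
    CallSite("arm32", "check_shell", "system", Varnode("const", 0, 4)),
    CallSite("mips",  "ping_host",   "system", Varnode("register", 4, 4)),
    CallSite("x86",   "run_cmd",     "system", Varnode("ram", 0x00802000, 4)),  # writable buffer
]


def report(sites=SAMPLE_SITES) -> dict:
    """(arch, reference function) -> predicate kind for every sample site."""
    return {(s.arch, s.caller): predicate_kind(s) for s in sites}


if __name__ == "__main__":
    for key, kind in report().items():
        print(key, kind)
```

The last sample site shows the check a practitioner should keep in mind: a `ram` pointer is only transparent when it resolves into the read-only string section of the image; a pointer into a writable buffer (for example one filled by `snprintf` from request data) looks like a fixed address in the assembly but is classified as non-transparent here.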
In the embodiment of the present application, as an optional implementation manner, the method of the embodiment of the present application further includes the following steps:
and when the parameter of the reference function belongs to the transparent predicates, searching, in a recursive search mode and according to the function address of the reference function, for the function addresses of the lower functions referenced by the reference function until a searched lower function has a command injection risk.
In this optional embodiment, by searching for the function addresses of the lower-level functions referenced by the reference functions in a recursive search mode, all reference functions related to the system function can be screened completely; on this basis, the optional embodiment has better intelligence and more comprehensive vulnerability scanning.
Illustratively, the reference function a may reference the subordinate functions a1 and a2, while a1 references the function a11. Two search paths are then generated, one being a-a1-a11 and the other a-a2, and they are followed until the search of all subordinate functions is complete. It should be noted that the function a11 can also be regarded as a subordinate function of the reference function a.
In this alternative embodiment, the reference function a1 may reference the functions a11, a12 and a12 by strong reference, or may reference the function a11 by weak reference, in which case the function address of the function a11 may be associated with more than two addresses; a1 is then considered to reference a plurality of lower-level functions, and the search traverses them in turn.
In this optional embodiment, in order to save the search result, when a reference function has no command injection risk, that is, its parameter is a transparent predicate, the reference function is set to the reserved state, so that the next search is performed only on the lower functions of the reference functions in the reserved state. On the other hand, if a lower function of a subsequent reference function is determined to have a command injection risk, the states of that lower function and of its upper functions are all set to discarded, indicating that an injection risk has been determined in that reference chain and no further downward search is needed.
In this optional embodiment, if the system function S has the reference functions A and B, the reference functions A and B are both traversed until all reference functions of the system function S have been searched.
In this embodiment of the present application, as an optional manner, after determining whether there is a risk of command injection in the reference function according to the code information of the reference function, before outputting the target vulnerability information based on the reference function, the method further includes:
when the parameters of the reference function do not belong to the transparent predicates, judging whether the function address of the reference function is a termination address or not, and if so, outputting target vulnerability information based on the reference function;
if the function address of the reference function is not the termination address, based on the vulnerability search script and the function address of the searched system function, recursively searching the reference function referenced by the system function and judging whether the reference function obtained by current search has a command injection risk or not until the function address of the reference function obtained by current search is the termination address.
In this optional embodiment, by judging whether the function address of the reference function is the termination address, it can be decided whether vulnerability discovery still needs to be performed on the reference functions used by the system function, so that the optional embodiment has better intelligence and more comprehensive vulnerability scanning.
Example two
Referring to fig. 4, fig. 4 is a schematic structural diagram illustrating a vulnerability discovery apparatus based on an internet of things firmware according to an embodiment of the present application. As shown in fig. 4, the apparatus of the embodiment of the present application includes the following functional modules:
an obtaining module 201, configured to obtain a binary file of a target internet of things device;
the extracting module 202 is configured to extract the firmware of the target internet of things according to the binary file of the target internet of things device;
the analysis module 203 is used for analyzing the firmware of the target internet of things and obtaining symbolic information of the firmware;
the first search module 204 is configured to search a system function based on a vulnerability search script and symbolic information and determine a function address of the system function;
the second searching module 205 is configured to search a reference function of the system function based on the vulnerability searching script and the function address of the system function, and obtain a function address of the reference function;
a determining module 206, configured to determine code information of the reference function according to the function address of the reference function;
and the judging module 207 is configured to judge whether the reference function has a command injection risk according to the code information of the reference function, and output target vulnerability information based on the reference function if the reference function has the command injection risk.
According to the device, on the one hand, the address of the system function is obtained by automatic searching with the vulnerability search script based on the character information, the function offset and the function assembly code, so the device searches for system functions efficiently and accurately; the vulnerability search script replaces manual searching and so overcomes the low efficiency and low accuracy of a manual search. On the other hand, because the vulnerability search script can complete a large number of searches in a short time, the search for reference functions (functions that reference the system function) in the firmware of the internet of things device is completed quickly, which improves the search efficiency for reference functions. Furthermore, because the vulnerability search script consists of machine instructions that are fixed in advance, using it to search for reference functions, particularly a large number of them, avoids the inaccurate results and low efficiency caused by manual error. Finally, other programs can control the execution process and the execution result of the firmware of the internet of things device by modifying the parameters of the reference function, which is what causes the vulnerability; judging from the code information of the reference function whether it carries a command injection risk, and then investigating the firmware of the internet of things device for vulnerabilities, therefore protects the security of the internet of things firmware.
For example, when the call stack of a reference function is very deep and there are multiple call stacks, tracking the reference function manually makes it easy to lose track of it.
In the second aspect of the present application, as an optional implementation manner, the determining module includes:
the conversion submodule is used for converting the code information of the reference function into a target intermediate code based on the intermediate code coding format;
and the judging submodule is used for judging whether the parameter of the reference function belongs to the transparent predicates in the converted target intermediate code; if the parameter of the reference function belongs to the transparent predicates, the reference function is determined to have no command injection risk, and otherwise the reference function is determined to have a command injection risk.
Converting the code information of the reference function into the target intermediate code based on the intermediate code coding format makes different types of Internet of things equipment compatible. Different types of Internet of things equipment adopt different processor architectures and machine code expression forms; this difference makes the code information of the reference function extracted from the binary file inconsistent, so that a judgment made on the code information of one type of Internet of things equipment is not applicable to the code information of another type, and a mining method would have to be set up independently for each type of Internet of things equipment. By converting the code information of the reference function into the intermediate code in the process of judging whether the reference function has a command injection risk according to its code information, the code information of Internet of things equipment with different processor architectures and machine code expression forms is unified and the difference is masked, so that better equipment and platform compatibility, that is, a better cross-platform effect, is achieved.
In the second aspect of the present application, as an optional implementation manner, the conversion sub-module is specifically configured to:
when the saved pointer of the reference function points to a constant string address or the saved pointer of the reference function is null, converting the parameter of the reference function into a transparent predicate;
and when the saved pointer of the reference function points to an address pointer or an offset address, converting the parameter of the reference function into a non-transparent predicate.
In this optional embodiment, when the saved pointer of the reference function points to a constant string address or is null, the parameter of the reference function is converted into the transparent predicate based on the intermediate code; when the saved pointer points to an address pointer or an offset address, the parameter of the reference function is converted into the non-transparent predicate based on the intermediate code.
Example three
Referring to fig. 5, fig. 5 is a schematic structural diagram illustrating vulnerability discovery equipment based on firmware of the internet of things according to an embodiment of the present application. As shown in fig. 5, the vulnerability discovery device based on the internet of things firmware includes:
a memory 301 storing executable program code;
a processor 302 coupled to the memory;
the processor 302 calls the executable program code stored in the memory 301 to execute the vulnerability discovery method based on the internet of things firmware according to the first embodiment of the present application.
By the vulnerability mining equipment based on the Internet of things firmware, the vulnerability mining method based on the Internet of things firmware is executed, so that the accuracy and efficiency of vulnerability mining of the Internet of things can be improved while vulnerability mining of the Internet of things firmware is realized.
Example four
The embodiment of the application discloses a storage medium, wherein a computer instruction is stored in the storage medium, and when the computer instruction is called, the computer instruction is used for executing the vulnerability discovery method based on the firmware of the internet of things.
By executing the vulnerability mining method based on the Internet of things firmware, the storage medium provided by the embodiment of the application can improve the accuracy and efficiency of vulnerability mining of the Internet of things while realizing vulnerability mining of the Internet of things firmware.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one logical division, and there may be other divisions when actually implemented, and for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some communication interfaces, and may be in an electrical, mechanical or other form.
In addition, units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
Furthermore, the functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.
It should be noted that the functions, if implemented in the form of software functional modules and sold or used as independent products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
In this document, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions.
The above description is only an example of the present application and is not intended to limit the scope of the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application.

Claims (10)

1. A vulnerability discovery method based on Internet of things firmware is characterized by comprising the following steps:
acquiring a binary file of target Internet of things equipment;
extracting the firmware of the target Internet of things according to the binary file of the target Internet of things equipment;
analyzing the firmware of the target Internet of things and obtaining symbolic information of the firmware;
searching a system function based on the vulnerability searching script and the symbol information and determining a function address of the system function;
searching a reference function of the system function based on the vulnerability searching script and the function address of the system function, and obtaining the function address of the reference function;
determining code information of the reference function according to the function address of the reference function;
and judging whether the reference function has a command injection risk or not according to the code information of the reference function, and if the reference function has the command injection risk, outputting target vulnerability information based on the reference function.
2. The method of claim 1, wherein judging whether the reference function has a command injection risk according to the code information of the reference function comprises:
converting the code information of the reference function into a target intermediate code based on an intermediate code encoding format;
judging whether the parameters of the reference function belong to a transparent predicate in the target intermediate code after conversion, if so, determining that the reference function has no command injection risk, otherwise, determining that the reference function has the command injection risk.
3. The method of claim 2, wherein the converting the code information of the reference function to the target intermediate code based on the intermediate code encoding format comprises:
when the saved pointer of the reference function points to a constant string address or the saved pointer of the reference function is null, converting the parameter of the reference function into a transparent predicate;
and when the saved pointer of the reference function points to an address pointer or an offset address, converting the parameter of the reference function into a non-transparent predicate.
4. The method of claim 2, wherein the method further comprises:
and when the parameter of the reference function belongs to the transparent predicate, searching the function address of the lower function referenced by the reference function in a recursive search mode according to the function address of the reference function until the searched lower function has a command injection risk.
5. The method of claim 4, wherein after judging whether the reference function has a command injection risk according to the code information of the reference function and before outputting the target vulnerability information based on the reference function, the method further comprises:
when the parameters of the reference function do not belong to the transparent predicates, judging whether the function address of the reference function is a termination address or not, and if so, executing the target vulnerability output based on the reference function;
if the function address of the reference function is not the termination address, based on the vulnerability search script and the function address of the searched system function, recursively searching the reference function referenced by the system function and judging whether the reference function obtained by current search has a command injection risk or not until the function address of the reference function obtained by current search is the termination address.
6. A vulnerability discovery apparatus based on Internet of things firmware, characterized in that the apparatus comprises:
the acquisition module is used for acquiring a binary file of the target Internet of things equipment;
the extraction module is used for extracting the firmware of the target Internet of things according to the binary file of the target Internet of things equipment;
the analysis module is used for analyzing the firmware of the target Internet of things and obtaining symbolic information of the firmware;
the first searching module is used for searching a system function based on the vulnerability searching script and the symbol information and determining a function address of the system function;
the second searching module is used for searching a reference function of the system function based on the vulnerability searching script and the function address of the system function and obtaining the function address of the reference function;
the determining module is used for determining the code information of the reference function according to the function address of the reference function;
and the judging module is used for judging whether the reference function has a command injection risk according to the code information of the reference function, and outputting target vulnerability information based on the reference function if the reference function has the command injection risk.
7. The apparatus of claim 6, wherein the means for determining comprises:
the conversion submodule is used for converting the code information of the reference function into a target intermediate code based on an intermediate code coding format;
and the judging submodule is used for judging whether the parameters of the reference function belong to the transparent predicates in the target intermediate code after conversion, if so, determining that the reference function has no command injection risk, and otherwise, determining that the reference function has the command injection risk.
8. The apparatus of claim 7, wherein the conversion submodule is specifically configured to:
when the saved pointer of the reference function points to a constant string address or the saved pointer of the reference function is null, converting the parameter of the reference function into a transparent predicate;
and when the saved pointer of the reference function points to an address pointer or an offset address, converting the parameter of the reference function into a non-transparent predicate.
9. Vulnerability discovery equipment based on Internet of things firmware, characterized in that the vulnerability discovery equipment based on Internet of things firmware comprises:
a memory storing executable program code;
a processor coupled with the memory;
the processor calls the executable program code stored in the memory to execute the vulnerability mining method based on the firmware of the internet of things according to any one of claims 1-5.
10. A storage medium storing computer instructions which, when invoked, perform the method of vulnerability discovery based on internet of things firmware of any of claims 1-5.
CN202111294302.0A 2021-11-03 2021-11-03 Vulnerability mining method, device, equipment and storage medium based on Internet of things firmware Pending CN113987517A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111294302.0A CN113987517A (en) 2021-11-03 2021-11-03 Vulnerability mining method, device, equipment and storage medium based on Internet of things firmware

Publications (1)

Publication Number Publication Date
CN113987517A true CN113987517A (en) 2022-01-28

Family

ID=79746163

Country Status (1)

Country Link
CN (1) CN113987517A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114969765A (en) * 2022-07-27 2022-08-30 Hangzhou Hikvision Digital Technology Co., Ltd. Internet of things equipment non-inductive security vulnerability repairing method, device and equipment
CN114969765B (en) * 2022-07-27 2022-11-01 Hangzhou Hikvision Digital Technology Co., Ltd. Internet of things equipment non-inductive security vulnerability repairing method, device and equipment
CN115587364A (en) * 2022-10-10 2023-01-10 National University of Defense Technology, Chinese People's Liberation Army Firmware vulnerability input point positioning method and device based on front-end and back-end correlation analysis
CN115587364B (en) * 2022-10-10 2023-07-14 National University of Defense Technology, Chinese People's Liberation Army Firmware vulnerability input point positioning method and device based on front-end and back-end correlation analysis
CN116910770A (en) * 2023-09-13 2023-10-20 Ocean University of China Firmware base address recognition system and method based on density
CN116910770B (en) * 2023-09-13 2023-12-19 Ocean University of China Firmware base address recognition system and method based on density

Similar Documents

Publication Publication Date Title
CN113987517A (en) Vulnerability mining method, device, equipment and storage medium based on Internet of things firmware
Madsen et al. Practical static analysis of JavaScript applications in the presence of frameworks and libraries
US20210149788A1 (en) Software diagnosis using transparent decompilation
CN114041117A (en) Persistent annotation of grammars for code optimization
US8464207B2 (en) System and method for tracking software changes
Yu et al. Deescvhunter: A deep learning-based framework for smart contract vulnerability detection
US20110196891A1 (en) Class loading using java data cartridges
US9098627B2 (en) Providing a core dump-level stack trace
US10942718B2 (en) Systems and/or methods for type inference from machine code
CN105550594A (en) Security detection method for android application file
CN110096433B (en) Method for acquiring encrypted data on iOS platform
US20210173760A1 (en) Software diagnostic context selection and use
Lewis et al. Memory forensics and the windows subsystem for linux
CN102867144A (en) Method and device for detecting and removing computer viruses
Iannone et al. Refactoring android-specific energy smells: A plugin for android studio
CN114462044A (en) UEFI (unified extensible firmware interface) firmware vulnerability static detection method and device based on taint analysis
Alrabaee A stratified approach to function fingerprinting in program binaries using diverse features
Yang et al. FSAFlow: Lightweight and fast dynamic path tracking and control for privacy protection on Android using hybrid analysis with state-reduction strategy
Baset et al. Identifying android library dependencies in the presence of code obfuscation and minimization
Kuznetsov et al. What do all these buttons do? statically mining android user interfaces at scale
CN113536316B (en) Method and device for detecting component dependency information
CN114417347A (en) Vulnerability detection method, device, equipment, storage medium and program of application program
CN107341403B (en) File conversion method and device
Hu et al. Elix: Path-selective taint analysis for extracting mobile app links
CN116049823B (en) Memory horse detection method and device, computer equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination