CN114386032A - Firmware detection system and method for power Internet of things equipment - Google Patents


Info

Publication number: CN114386032A
Application number: CN202111466269.5A
Authority: CN (China)
Prior art keywords: firmware, information, analysis, file, sensitive
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 张�林, 吕启深, 张繁, 李艳, 田治仁, 余英
Current assignee: Shenzhen Power Supply Bureau Co Ltd
Original assignee: Shenzhen Power Supply Bureau Co Ltd
Application filed by Shenzhen Power Supply Bureau Co Ltd
Priority to CN202111466269.5A
Publication of CN114386032A

Classifications

    • G PHYSICS; G06 COMPUTING; CALCULATING OR COUNTING; G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G16 INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR SPECIFIC APPLICATION FIELDS; G16Y INFORMATION AND COMMUNICATION TECHNOLOGY SPECIALLY ADAPTED FOR THE INTERNET OF THINGS [IoT]
    • G16Y10/00 Economic sectors
    • G16Y10/35 Utilities, e.g. electricity, gas or water
    • G16Y30/00 IoT infrastructure
    • G16Y30/10 Security thereof
    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis


Abstract

The application relates to a firmware detection system and method for power Internet of Things equipment, together with a computer device, a storage medium and a computer program product. The system comprises: a firmware meta-information extraction module, which acquires a firmware file package uploaded by the power Internet of Things equipment and identifies the format information contained in the package; a firmware automatic decompression module, which decompresses the package according to that format information to obtain the firmware files stored in it; and a firmware analysis module, which performs static analysis on the firmware files to generate at least one of a security analysis report and a vulnerability analysis list, and performs dynamic analysis on them to obtain a code analysis result for the firmware code contained in the package. With this method, security vulnerabilities and hidden dangers in the firmware are found automatically and in time, the firmware security analysis process is highly automated, and detection and analysis efficiency is high.

Description

Firmware detection system and method for power Internet of things equipment
Technical Field
The application relates to the technical field of internet of things, in particular to a firmware detection system and method of power internet of things equipment, computer equipment, a storage medium and a computer program product.
Background
With the development of the power Internet of Things, security attacks on, and hidden dangers in, power Internet of Things equipment have become increasingly serious: organized, targeted attacks on the power Internet of Things industry are more and more frequent and the losses they cause keep growing, while more and more intelligent devices are being connected to the Internet of Things. The security of the Internet of Things has therefore become a focus of attention.
Taking the distribution network terminal as an example, hackers are adept at attacking intelligent terminal detection devices by hiding a backdoor vulnerability in them. Because a backdoor is a vulnerability deliberately implanted into the embedded device, it gives remote access to anyone who holds the secret authentication credentials, so a malicious attacker can perform malicious operations and steal sensitive information through it. The intelligent electric meter is another key device type with serious vulnerabilities: an attacker can crash the target device by exploiting vulnerabilities such as buffer overflows, overloading a line and, in severe cases, even causing a fire. The wireless protocols used by intelligent electric meters have a number of serious security holes, yet when manufacturers use a wireless network many electric devices still introduce no encryption at all, so an attacker can hijack the communication data and take control of the target device.
Besides distribution network terminals and intelligent electric meters, terminal devices such as charging piles, concentrators, distribution transformer monitoring terminals, power station meters and unmanned aerial vehicles all have, to a greater or lesser extent, potential safety hazards such as code security vulnerabilities, software package vulnerabilities and sensitive information leakage, and can be maliciously attacked, with consequences such as execution of malicious operations, information theft or device paralysis.
Analysis of security incidents involving Internet of Things devices shows that the chain by which such a device is attacked follows a certain pattern: an attacker obtains the device firmware, unpacks and reverse engineers it, can then analyse the device's operating flow and network behaviour, and can find key information related to security encryption, so that a targeted vulnerability attack can be carried out. In this respect, the security of an Internet of Things device depends to a large extent on the security of its firmware.
Therefore, a method is needed for analysing the security of the firmware of Internet of Things equipment in the power industry and discovering the firmware's security holes and hidden dangers in time.
Disclosure of Invention
In view of the above, it is necessary to provide a firmware detection method and apparatus for an electric power industry internet of things device, a computer readable storage medium, and a computer program product, which can automatically analyze the firmware security of the electric power industry internet of things device.
In a first aspect, the application provides a firmware detection system for power internet of things equipment. The system comprises:
the firmware meta-information extraction module is used for acquiring a firmware file packet uploaded by the power Internet of things equipment and identifying format information contained in the firmware file packet;
the firmware automatic decompression module is used for decompressing the firmware file packet according to the format information to obtain the firmware files stored in the firmware file packet;
and the firmware analysis module is used for performing static analysis on the firmware file, generating at least one of a security analysis report and a vulnerability analysis list, and performing dynamic analysis on the firmware file to obtain a code analysis result of the firmware code contained in the firmware file package.
In one embodiment, the firmware analysis module comprises:
the firmware file security analysis unit is used for detecting firmware sensitive information in the firmware file and generating a security analysis report based on the detected firmware sensitive information; the firmware sensitive information comprises a sensitive file and a sensitive field;
the firmware vulnerability correlation analysis unit is used for detecting third-party component information in the firmware file, determining related vulnerability information based on the detected third-party component information, and generating a vulnerability analysis list based on the vulnerability information;
and the code reverse analysis unit is used for extracting the firmware codes in the firmware file and carrying out binary reverse analysis on the firmware codes to obtain a code analysis result.
In one embodiment, the firmware file security analysis unit is configured to:
detecting a sensitive file in the firmware file and a sensitive field in the sensitive file;
classifying the sensitive files according to preset sensitive levels, and counting to obtain the statistical data of the sensitive files and the sensitive fields under the sensitive levels;
generating a sensitive information list based on the sensitive files and the sensitive fields under each sensitive level;
and generating a security analysis report based on the sensitive file and the sensitive field and the sensitive information list.
In one embodiment, the system further comprises a firmware security knowledge base, wherein the firmware security knowledge base comprises a firmware knowledge base, a third-party component vulnerability information base and a third-party component fingerprint base; the firmware vulnerability association analysis unit is used for:
extracting fingerprint information in the firmware file, and searching corresponding third-party component and third-party component information in the third-party component fingerprint library according to the fingerprint information; the third-party component information comprises component name information and component version information;
searching vulnerability information associated with the third-party component information in the third-party component vulnerability information base according to the component name information;
searching firmware information related to the vulnerability information in a firmware knowledge base according to the component name information and the component version information;
and generating a vulnerability analysis list based on the vulnerability information and the firmware information obtained by searching.
In one embodiment, the code reverse analysis unit is configured to:
extracting firmware codes in the firmware files, disassembling the firmware codes and generating pseudo codes;
decompiling the pseudo code to generate a readable code;
detecting the readable code by using a preset unsafe code rule to obtain an unsafe code;
generating a code analysis result based on the insecure code.
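As an added illustration of the last step above (detecting readable code with a preset unsafe code rule set), the following Python is not the patent's own code. It assumes the decompiled "readable code" is C-like text, one statement per line, and uses a small, constructed rule table: unbounded copy and read functions are always flagged, while sprintf and system/popen are flagged only when their format or command argument is not a fixed string literal (or is a literal carrying an unbounded %s).

```python
import re

# Constructed rule table: unsafe library call -> reason reported in the code analysis result
UNSAFE_RULES = {
    "gets":    "unbounded read into a buffer",
    "strcpy":  "no length bound on the copy",
    "strcat":  "no length bound on the append",
    "sprintf": "no length bound on the formatted output",
    "system":  "shell command built at run time",
    "popen":   "shell command built at run time",
}
# For these calls a string literal in the given argument position is accepted
# (a fixed command, or a format string without an unbounded %s).
LITERAL_OK = {"sprintf": 1, "system": 0, "popen": 0}

# Matches `name(args);` as a statement; \b keeps fgets/strncpy/snprintf from matching.
CALL_RX = re.compile(r"\b(" + "|".join(UNSAFE_RULES) + r")\s*\(([^;]*?)\)\s*;")


def split_args(arg_text):
    """Split a C argument list on top-level commas, ignoring commas inside parentheses or strings."""
    args, depth, cur, in_str = [], 0, "", False
    for ch in arg_text:
        if ch == '"':
            in_str = not in_str
        if not in_str:
            if ch in "([":
                depth += 1
            elif ch in ")]":
                depth -= 1
            elif ch == "," and depth == 0:
                args.append(cur.strip())
                cur = ""
                continue
        cur += ch
    if cur.strip():
        args.append(cur.strip())
    return args


def find_unsafe_calls(code):
    """Scan decompiled C-like text line by line and return the rule hits (the code analysis result)."""
    findings = []
    for lineno, line in enumerate(code.splitlines(), 1):
        for m in CALL_RX.finditer(line):
            fn, args = m.group(1), split_args(m.group(2))
            if fn in LITERAL_OK:
                idx = LITERAL_OK[fn]
                if idx < len(args) and args[idx].startswith('"') and "%s" not in args[idx]:
                    continue  # fixed literal: not flagged by this rule set
            findings.append({
                "line": lineno,
                "call": fn,
                "args": args,
                "reason": UNSAFE_RULES[fn],
                "snippet": line.strip(),
            })
    return findings


# Constructed sample of "readable code" as a decompiler might emit it (not from any real firmware)
SAMPLE_CODE = """\
int handle_request(char *input)
{
  char buf[64];
  char cmd[128];
  strcpy(buf, input);
  sprintf(cmd, "ping -c 1 %s", buf);
  system(cmd);
  system("sync");
  snprintf(buf, sizeof(buf), "%s", input);
  return 0;
}
"""

if __name__ == "__main__":
    for f in find_unsafe_calls(SAMPLE_CODE):
        print(f"line {f['line']}: {f['call']}(...) - {f['reason']}: {f['snippet']}")
```

The fixed-literal exemption is deliberately narrow: a literal format string that still contains %s is reported, because the bound on the output is then set by the data, not by the format.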
In one embodiment, the system further comprises a firmware security emulation verification module for:
constructing a simulation operation environment;
running firmware codes in the simulation running environment, and recording running result information in the simulation running process; the operation result information comprises simulation operation vulnerability information;
and updating the vulnerability analysis list based on the simulation operation vulnerability information.
In a second aspect, the application further provides a firmware detection method for the power internet of things equipment. The method comprises the following steps:
the method comprises the steps of obtaining a firmware file package uploaded by the power Internet of things equipment, and identifying format information contained in the firmware file package;
decompressing the firmware file packet according to the format information to obtain a firmware file stored in the file system;
and performing static analysis on the firmware file to generate at least one of a security analysis report and a vulnerability analysis list, and performing dynamic analysis on the firmware file to obtain a code analysis result of the firmware code.
In a third aspect, the present application also provides a computer device. The computer device comprises a memory storing a computer program and a processor implementing the following steps when executing the computer program:
the method comprises the steps of obtaining a firmware file package uploaded by the power Internet of things equipment, and identifying format information contained in the firmware file package;
decompressing the firmware file packet according to the format information to obtain a firmware file stored in the file system;
and performing static analysis on the firmware file to generate at least one of a security analysis report and a vulnerability analysis list, and performing dynamic analysis on the firmware file to obtain a code analysis result of the firmware code.
In a fourth aspect, the present application further provides a computer-readable storage medium. The computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of:
the method comprises the steps of obtaining a firmware file package uploaded by the power Internet of things equipment, and identifying format information contained in the firmware file package;
decompressing the firmware file packet according to the format information to obtain a firmware file stored in the file system;
and performing static analysis on the firmware file to generate at least one of a security analysis report and a vulnerability analysis list, and performing dynamic analysis on the firmware file to obtain a code analysis result of the firmware code.
In a fifth aspect, the present application further provides a computer program product. The computer program product comprising a computer program which when executed by a processor performs the steps of:
the method comprises the steps of obtaining a firmware file package uploaded by the power Internet of things equipment, and identifying format information contained in the firmware file package;
decompressing the firmware file packet according to the format information to obtain a firmware file stored in the file system;
and performing static analysis on the firmware file to generate at least one of a security analysis report and a vulnerability analysis list, and performing dynamic analysis on the firmware file to obtain a code analysis result of the firmware code.
In the firmware detection system, method, computer device, storage medium and computer program product for the power Internet of Things device described above, the firmware meta-information extraction module acquires a firmware file package uploaded by the power Internet of Things equipment and identifies the format information contained in it; the firmware automatic decompression module automatically decompresses the package according to that format information to obtain the firmware files stored in it; the firmware analysis module statically analyses the firmware files to generate at least one of a security analysis report and a vulnerability analysis list, and dynamically analyses them to obtain a code analysis result for the firmware code contained in the package. Detection and analysis of firmware security is therefore automated, and the efficiency of firmware security analysis is high.
Drawings
FIG. 1 is a schematic structural diagram of a firmware detection system of an electric power Internet of Things device in one embodiment;
FIG. 2 is a schematic diagram of an embodiment of an automatic firmware decompression module;
FIG. 3 is a schematic diagram of a firmware analysis module in one embodiment;
FIG. 4 is a block diagram illustrating the components of a firmware analysis module according to one embodiment;
FIG. 5 is a flowchart illustrating steps performed by the firmware file security analysis unit in one embodiment;
FIG. 6 is a schematic diagram of a firmware file security analysis unit in one embodiment;
FIG. 7 is a flowchart illustrating steps performed by the firmware vulnerability association analysis unit in one embodiment;
FIG. 8 is a schematic diagram of a firmware vulnerability association analysis unit in one embodiment;
FIG. 9 is a flowchart illustrating steps performed by the code reverse analysis unit in one embodiment;
FIG. 10 is a schematic diagram of a code reverse analysis unit in one embodiment;
FIG. 11 is a flowchart illustrating steps performed by a firmware security emulation verification module in one embodiment;
FIG. 12 is a block flow diagram of a firmware detection system of a power IoT device in one embodiment;
FIG. 13 is a schematic flowchart of a firmware detection method of an electric power Internet of Things device in one embodiment;
FIG. 14 is a diagram illustrating the internal structure of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
With the development of the power Internet of Things, security attacks on, and hidden dangers in, power Internet of Things equipment have become increasingly serious: organized, targeted attacks on the power Internet of Things industry are more and more frequent and the losses they cause keep growing, while more and more intelligent devices are being connected to the Internet of Things. The security of the Internet of Things has therefore become a focus of attention.
Therefore, the invention provides a firmware detection system for power Internet of Things equipment in the power industry. It detects the security of the firmware of such equipment and finds the security vulnerabilities and hidden dangers of the firmware at the file, component and function level through functions including firmware meta-information extraction, automatic firmware decompression, firmware file security analysis and component vulnerability association analysis.
Power Internet of Things equipment includes devices such as distribution network terminals, intelligent electric meters, charging piles, distribution transformer monitoring terminals and power station meters. Firmware refers to the program stored in device memory through which the system carries out its specific operations in accordance with standard device drivers.
In some embodiments, the firmware detection system of the power Internet of Things device provided in this application may adopt a B/S (Browser/Server) architecture: firmware is uploaded from the browser on a terminal to a local server, where its security is detected and analysed. In other embodiments, some or all of the modules of the firmware detection system may instead be deployed on a cloud server.
The architecture of the firmware detection system of the power internet of things equipment provided by the embodiment of the application is shown in fig. 1. The firmware detection system 10 of the power internet of things device includes a firmware meta-information extraction module 101, an automatic firmware decompression module 102, and a firmware analysis module 103.
The firmware meta-information extraction module 101 is configured to acquire a firmware file package uploaded by the power internet of things device, and identify format information included in the firmware file package.
The firmware meta-information extraction module acquires the firmware file package uploaded by the power Internet of Things equipment. The firmware file package is a compressed package of binary files. In order to decompress it without damage or loss, its format must first be recognised. Specifically, the firmware meta-information extraction module scans the package, extracts the firmware meta-information and determines the format information contained in the package. The firmware meta-information is basic information that can be read directly from the firmware header, such as the instruction set (for example x86, ARM, POWER or SPARC), the file system, and the format of the firmware code.
The extracted instruction set is used for subsequent firmware format identification and firmware emulation. The file system is a component of the firmware file package stored at a specific offset within the binary file. File system types include, but are not limited to, one or more of squashfs, ubifs, romfs, rootfs, jffs2, yaffs2, cramfs, initramfs and the like. To analyse the file system data, uncompiled code and device configuration inside the firmware, the firmware file system has to be extracted.
Illustratively, as shown in fig. 2, the firmware meta-information extraction module acquires a firmware file package uploaded by the power internet of things device, scans the firmware file package, extracts firmware meta-information therein, such as a file system, a compression method, and an instruction set, and determines format information of the firmware according to the determined compression method.
And the firmware automatic decompression module 102 is configured to decompress the firmware file packet according to the format information to obtain the firmware file stored in the firmware file packet.
To decompress firmware files automatically, the compression format of the firmware must be identified and screened automatically, and the package must then be decompressed according to the identified format. Specifically, the firmware automatic decompression module calls the corresponding decompression routine according to the extracted firmware meta-information (compression method, file system, etc.), handling compression formats such as gzip, 7z, bz2, tar, arj, unrar, lzop, srec and unstuff; it sets different extraction parameters for different file system formats and uses them to extract the directories and stored firmware files of the file system.
The firmware automatic decompression module can also analyse character strings, screen out the valid strings and ignore irrelevant data blocks by means of associated frame operation codes, and finally extract the file system to obtain its directories and the firmware files stored in it. Frame operation code association refers to matching according to the different extraction parameters and the frame operation codes preset in the module. String analysis refers to matching the strings in the decompressed file against preset strings and data blocks to determine whether they are valid or invalid.
Illustratively, as shown in fig. 3, the firmware automatic decompression module performs firmware scanning according to the format information determined by the firmware meta-information extraction module, determines a file system, a compression method, and an instruction architecture (i.e., an instruction set), and filters irrelevant data, thereby decompressing a firmware file package, extracting a file, and obtaining a directory/file.
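The meta-information extraction and decompression steps above amount to scanning the package for known header signatures, reading the instruction set from an embedded executable header, and handing each recognised region to the matching decompressor. The following Python is an added example of that procedure and is not the patent's own code: the signature table holds real on-disk magic values (gzip, squashfs, cramfs, ELF), the ELF machine-number table is a subset of the published values, and the firmware image is constructed inline so the example runs offline.

```python
import gzip
import struct
import zlib

# Signature table: (format name, on-disk magic bytes). Only magics of 3 bytes or
# more are used; shorter ones (e.g. the 2-byte jffs2 node marker) need a full
# header validation step to avoid false hits in random data.
SIGNATURES = [
    ("gzip", b"\x1f\x8b\x08"),
    ("squashfs-le", b"hsqs"),
    ("squashfs-be", b"sqsh"),
    ("cramfs-le", b"\x45\x3d\xcd\x28"),
    ("cramfs-be", b"\x28\xcd\x3d\x45"),
    ("elf", b"\x7fELF"),
]

# ELF e_machine values (subset) -> instruction set name used by later stages (emulation, format checks)
ELF_MACHINES = {0x02: "SPARC", 0x03: "x86", 0x08: "MIPS", 0x14: "POWER",
                0x28: "ARM", 0x3e: "x86-64", 0xb7: "AArch64"}


def scan_signatures(image):
    """Return every (offset, format) signature hit in the image, sorted by offset."""
    hits = []
    for name, magic in SIGNATURES:
        start = 0
        while True:
            idx = image.find(magic, start)
            if idx < 0:
                break
            hits.append((idx, name))
            start = idx + 1
    return sorted(hits)


def elf_meta(image, offset):
    """Read word size, endianness and instruction set from an ELF header at offset."""
    ei_class, ei_data = image[offset + 4], image[offset + 5]   # 1/2 = 32/64-bit; 1/2 = LE/BE
    endian = "<" if ei_data == 1 else ">"
    e_machine = struct.unpack_from(endian + "H", image, offset + 18)[0]
    return {"bits": 32 if ei_class == 1 else 64,
            "endian": "little" if ei_data == 1 else "big",
            "isa": ELF_MACHINES.get(e_machine, f"unknown(0x{e_machine:x})")}


def carve_gzip(image, offset):
    """Decompress the gzip member at offset; return (payload, number of image bytes it occupied)."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)   # gzip wrapper
    payload = d.decompress(image[offset:])
    consumed = len(image) - offset - len(d.unused_data)  # bytes after the member end are unused_data
    return payload, consumed


def extract_meta(image):
    """Firmware meta-information: recognised formats with offsets, instruction set, file system types."""
    meta = {"formats": [], "isa": None, "filesystems": []}
    for off, name in scan_signatures(image):
        meta["formats"].append((off, name))
        if name == "elf" and meta["isa"] is None:
            meta["isa"] = elf_meta(image, off)["isa"]
        if name.startswith(("squashfs", "cramfs")):
            meta["filesystems"].append(name.split("-")[0])
    return meta


def build_sample_image():
    """Constructed image: padding, a minimal 32-bit little-endian ARM ELF header, a squashfs magic, a gzip member."""
    elf = bytearray(52)
    elf[0:4] = b"\x7fELF"
    elf[4], elf[5], elf[6] = 1, 1, 1                 # ELFCLASS32, ELFDATA2LSB, EV_CURRENT
    struct.pack_into("<HH", elf, 16, 2, 0x28)        # e_type = EXEC, e_machine = ARM
    rootfs = gzip.compress(b"/etc/passwd\nroot:x:0:0:root:/root:/bin/sh\n", mtime=0)
    return b"\x00" * 16 + bytes(elf) + b"\xff" * 8 + b"hsqs" + b"\x00" * 12 + rootfs + b"\x00" * 4


if __name__ == "__main__":
    img = build_sample_image()
    meta = extract_meta(img)
    print(meta)
    for off, name in meta["formats"]:
        if name == "gzip":
            payload, used = carve_gzip(img, off)
            print(f"gzip member at {off}, {used} bytes ->", payload.split(b"\n")[0])
```

The squashfs hit is recorded only as a file system type: unpacking squashfs needs a dedicated extractor, which is exactly the "call the corresponding decompression routine per format" dispatch the text describes.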
The firmware analysis module 103 is configured to perform static analysis on the firmware file, generate at least one of a security analysis report and a vulnerability analysis list, and perform dynamic analysis on the firmware file to obtain a code analysis result of the firmware code included in the firmware file package.
Static analysis finds bugs or collects security data about the firmware without compiling or executing its code. Dynamic analysis monitors the firmware code as it runs, so that anomalies can be found accurately and the bugs and defects of the firmware code discovered. Dynamic analysis can overcome the limitations of static analysis (for example on packed ("shelled") or obfuscated code) and so perform more complex security detection and analysis.
Specifically, the firmware analysis module performs static analysis and dynamic analysis on the firmware files separately. On the one hand, through static analysis the module distinguishes critical directories and critical firmware files (system files and directories such as password files and information files) from general directories and general firmware files (files other than system files and directories), extracts the sensitive information in the firmware files, and generates a security analysis report from it. At the same time, through static analysis it extracts fingerprint information from the firmware files, identifies third-party components from that fingerprint information and analyses them to obtain a vulnerability analysis list. On the other hand, through dynamic analysis the module extracts the firmware code and performs binary reverse analysis on it to obtain a code analysis result.
In some embodiments, as shown in fig. 4, the illustrated firmware analysis module 103 includes a firmware file security analysis unit 1031, a firmware vulnerability association analysis unit 1032, and a code reverse analysis unit 1033. Wherein:
a firmware file security analysis unit 1031, configured to detect firmware sensitive information in the firmware file, and generate a security analysis report based on the detected firmware sensitive information; the firmware sensitive information includes a sensitive file and a sensitive field.
Specifically, the firmware file security analysis unit detects the firmware sensitive information in the firmware file, that is, locates the sensitive key field (such as sensitive keyword, etc.) in the firmware file, detects the firmware file having the sensitive key field, etc., extracts the firmware file having the sensitive keyword and the corresponding sensitive keyword, and generates the firmware sensitive information list. And based on the specific information and the quantity statistics of the extracted firmware sensitive information, the firmware file security analysis unit generates a security analysis report.
In some embodiments, as shown in fig. 5, the firmware file security analysis unit is configured to perform the following steps:
step S502, detecting a sensitive file in the firmware file and a sensitive field in the sensitive file.
Step S504, classifying the sensitive files according to the preset sensitive levels, and counting to obtain the statistical data of the sensitive files and the sensitive fields under the sensitive levels.
Step S506, a sensitive information list is generated based on the sensitive files and the sensitive fields under each sensitive level.
Step S508, generating a security analysis report based on the sensitive file, the sensitive field, and the sensitive information list.
Specifically, the firmware file security analysis unit first detects whether a sensitive field exists in the firmware file, and determines that the firmware file is a sensitive file if the sensitive field exists. Meanwhile, the firmware file security analysis unit counts the sensitive fields in the sensitive files. Then, the firmware file security analysis unit classifies the sensitive files according to the preset sensitive level. The sensitivity level is used to indicate different levels of security, such as a "high risk" level, a "normal" level, and a "low risk" level. And the firmware file security analysis unit counts to obtain the statistical data of the corresponding sensitive file at each sensitive level and the statistical data of each sensitive field. Then, the firmware file security analysis unit generates a sensitive information list according to the obtained statistical data, wherein the sensitive information list comprises various sensitive fields, specific information of sensitive files and corresponding statistical data. And finally, the firmware file security analysis unit generates a security analysis report based on the detected sensitive file and sensitive field and the sensitive information list.
Illustratively, as shown in FIG. 6, the firmware analysis module performs static analysis on the firmware files in the file system, comprehensively analysing one or more of: components with exposed bugs, dynamic link libraries, password files in the firmware, SSH (Secure Shell) and SSL (Secure Sockets Layer) related files, sensitive binary files, file information containing sensitive keywords, configuration files, database files, all files under the /opt directory, Shell scripts, Web (World Wide Web) components, Web APP (application) scripts, APK (Android application package) files, the location of sensitive words in APK files, APK permissions and the like. It extracts the sensitive files and their corresponding fields, automatically generates a firmware sensitive information list and provides a user-defined sensitive information query function. It also has a malware scanning function to determine whether the firmware contains trojans, viruses, malware or other malicious threats.
In the above embodiment, by analyzing the sensitive information in the firmware file, it can be automatically determined whether the firmware has trojans, viruses, malware or other malicious threats.
The firmware vulnerability correlation analysis unit 1032 is configured to detect third-party component information in the firmware file, determine related vulnerability information based on the detected third-party component information, and generate a vulnerability analysis list based on the vulnerability information.
Specifically, the firmware vulnerability correlation analysis unit extracts fingerprint information from the firmware file and, according to that fingerprint information, identifies all third-party components and binary code contained in it, including free and open-source software, commercial code and internally developed components. The unit then consults an authoritative vulnerability database such as CNVD (China National Vulnerability Database, the National Information Security Vulnerability Sharing Platform) or CVE (Common Vulnerabilities and Exposures) and queries whether the current component and version have a known vulnerability. A vulnerability analysis list is generated from the identified third-party components that have vulnerabilities; the list contains the identified third-party components together with their version, location, known vulnerabilities and other details.
In some embodiments, the firmware vulnerability correlation analysis unit determines the vulnerability information related to the detected third-party component information by accessing a firmware security knowledge base. To that end, the system further comprises a firmware security knowledge base, in which important firmware and components are collected by means of device firmware extraction, network collection, self-compilation, open-source software and the like, so as to support the functions of the other modules. The firmware knowledge base may include basic information such as the instruction set architecture (for example x86, ARM, POWER or SPARC), the file system, and the compression format of the firmware code extracted by the firmware meta-information extraction module.
The firmware security knowledge base comprises a firmware knowledge base, a third-party component vulnerability information base and a third-party component fingerprint base. The firmware knowledge base holds firmware information for the various names and versions of firmware. The third-party component vulnerability information base holds the vulnerability information. The third-party component fingerprint base holds the fingerprint information of third-party components, where a fingerprint is a piece of characteristic information, carried by a component, that identifies the component's type. Illustratively, the firmware security knowledge base is populated by cross-compiling third-party open-source component packages.
Accordingly, as shown in fig. 7, the firmware vulnerability association analysis unit is configured to perform the following steps:
Step S702, extracting fingerprint information from the firmware file, and searching the third-party component fingerprint base according to the fingerprint information for the corresponding third-party component and its third-party component information; the third-party component information includes component name information and component version information.
Step S704, according to the component name information, searching the third-party component vulnerability information base for vulnerability information associated with the third-party component information.
Step S706, according to the component name information and the component version information, searching the firmware knowledge base for firmware information related to the vulnerability information.
Step S708, generating a vulnerability analysis list based on the vulnerability information and the firmware information obtained by the searches.
Specifically, the firmware vulnerability correlation analysis unit extracts the fingerprint information (component name information and component version information) from the firmware file, looks it up in the third-party component fingerprint base, and checks whether a corresponding third-party component exists; if it does, the unit obtains that component's third-party component information. The unit then searches the third-party component vulnerability information base by component name and determines the vulnerability information associated with the third-party component information. Next, using the component name information and the component version information, it searches the firmware knowledge base for firmware information related to that vulnerability information. From the vulnerability information and firmware information obtained by these searches, the firmware vulnerability correlation analysis unit generates the vulnerability analysis list.
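Steps S702 to S708 as an added example, not the patent's own code: fingerprints are matched against a constructed firmware blob, the matched component and version are looked up in a vulnerability information base, the firmware knowledge base is searched for other images shipping the same component version, and the vulnerability analysis list is assembled. All three bases and the vulnerability ids are constructed placeholders; a real deployment would back them with CNVD/CVE data.

```python
"""Fingerprint-based component identification and vulnerability correlation
(steps S702 to S708). Added example, not the patent's own code. The three bases
and the firmware bytes are constructed in-line; vulnerability ids are placeholders."""
import re

# Third-party component fingerprint base: the version banner each component leaves
# in its binary (constructed patterns, one capture group for the version).
FINGERPRINT_BASE = {
    "busybox": re.compile(rb"BusyBox v(\d+\.\d+\.\d+)"),
    "openssl": re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)"),
    "dropbear": re.compile(rb"Dropbear (?:sshd )?v?(\d{4}\.\d+)"),
}

# Third-party component vulnerability information base, keyed by component name.
# "affected" is an inclusive version range; the ids are placeholders, not real entries.
VULN_INFO_BASE = {
    "busybox": [{"id": "VULN-PLACEHOLDER-1", "affected": ("1.0.0", "1.30.0"), "severity": "high"}],
    "openssl": [{"id": "VULN-PLACEHOLDER-2", "affected": ("1.0.0", "1.0.2"), "severity": "critical"},
                {"id": "VULN-PLACEHOLDER-3", "affected": ("1.1.0", "1.1.1"), "severity": "medium"}],
}

# Firmware knowledge base: which known firmware images (constructed names) ship which
# component versions.
FIRMWARE_KB = [
    {"firmware": "meter-gw-fw", "version": "2.1", "components": {"busybox": "1.22.1", "openssl": "1.0.2"}},
    {"firmware": "meter-gw-fw", "version": "3.0", "components": {"busybox": "1.31.0", "openssl": "1.1.1"}},
    {"firmware": "rtu-fw", "version": "1.4", "components": {"busybox": "1.22.1"}},
]


def version_key(v):
    """Comparable tuple; a trailing letter (OpenSSL style, e.g. 1.0.2k) sorts after the bare version."""
    nums = tuple(int(x) for x in re.findall(r"\d+", v))
    suffix = re.search(r"[a-z]$", v)
    return nums + ((ord(suffix.group()) - 96,) if suffix else (0,))


def in_range(version, low, high):
    return version_key(low) <= version_key(version) <= version_key(high)


def extract_components(firmware_bytes):
    """S702: match each fingerprint against the firmware; returns {name: (version, offset)}."""
    found = {}
    for name, pat in FINGERPRINT_BASE.items():
        m = pat.search(firmware_bytes)
        if m:
            found[name] = (m.group(1).decode(), m.start())
    return found


def lookup_vulns(name, version):
    """S704: vulnerability entries whose affected range covers this component version."""
    return [v for v in VULN_INFO_BASE.get(name, []) if in_range(version, *v["affected"])]


def related_firmware(name, version):
    """S706: known firmware images that ship the same (vulnerable) component version."""
    return [f"{f['firmware']} {f['version']}" for f in FIRMWARE_KB
            if f["components"].get(name) == version]


def vulnerability_analysis_list(firmware_bytes):
    """S708: one entry per vulnerable component with version, position (byte offset),
    known vulnerabilities and the other firmware affected by the same component."""
    report = []
    for name, (version, offset) in extract_components(firmware_bytes).items():
        vulns = lookup_vulns(name, version)
        if not vulns:
            continue  # component identified, but no known vulnerability for this version
        report.append({
            "component": name, "version": version, "offset": offset,
            "vulnerabilities": [(v["id"], v["severity"]) for v in vulns],
            "related_firmware": related_firmware(name, version),
        })
    return report


# Constructed firmware blob: an ELF-like header followed by version banners.
SAMPLE_FIRMWARE = (b"\x7fELF\x01\x01\x01" + b"\x00" * 16
                   + b"BusyBox v1.22.1 (2014-01-01) multi-call binary\x00"
                   + b"\x00" * 8 + b"OpenSSL 1.0.2 22 Jan 2015\x00"
                   + b"Dropbear sshd v2020.81\x00")

if __name__ == "__main__":
    for entry in vulnerability_analysis_list(SAMPLE_FIRMWARE):
        print(entry)
```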
Illustratively, as shown in fig. 8, the firmware vulnerability correlation analysis unit obtains the firmware to be analyzed and the third-party component affected by the latest security event, calls a component identification and security analysis function to perform analysis, and outputs the third-party component contained in the firmware file. Meanwhile, the firmware vulnerability correlation analysis unit searches in a firmware security knowledge base through a component identification and security analysis function, and outputs the affected third-party components in the firmware and the firmware related to the component vulnerability.
In this embodiment, the vulnerability analysis list is generated by statically analyzing the firmware files in the file system, so the security risk points of the device under test can be identified quickly without needing the physical device.
The code reverse analysis unit 1033 is configured to extract the firmware code from the firmware file and perform binary reverse analysis on it to obtain a code analysis result.
In some embodiments, as shown in fig. 9, the code reverse analysis unit is to:
Step S902, extracting the firmware code from the firmware file and disassembling it to generate pseudo code.
Step S904, decompiling the pseudo code to generate readable code.
Step S906, checking the readable code against preset unsafe code rules to obtain the unsafe code.
Step S908, generating a code analysis result based on the unsafe code.
Specifically, the code reverse analysis unit extracts the firmware code from the firmware file and disassembles it to generate pseudo code. It then decompiles the pseudo code to generate readable code, checks the readable code against the preset unsafe code rules to obtain the unsafe code, and generates the code analysis result from that unsafe code. In some embodiments, the code reverse analysis unit may further extract key code from the firmware for binary reverse analysis, searching the program for typical problems such as null pointer dereference, double free of a buffer, use of a buffer after it has been freed, and missing parameter checks on string copies (strcpy), analyzing the function call relationships, and matching suspected vulnerable functions. Based on the result of the binary analysis, a fuzzing engine is invoked on the suspicious code in a semi-automatic, human-machine cooperative mode to perform guided fuzz testing.
Illustratively, as shown in fig. 10, the code reverse analysis unit disassembles the decompressed firmware binary with the IDA Pro (Interactive Disassembler Professional) tool, based on the binary instruction set, the assembly instruction set and the instruction mapping function; concretely, it generates pseudo code through binary format recognition, separation of data from instructions, and code disassembly. The unit then decompiles the pseudo code produced by disassembly: it calls a syntax/semantic analyzer to perform semantic and syntactic analysis of the pseudo code, calls an intermediate code generator to produce an intermediate code file, and then calls a high-level code generator to produce readable high-level code. Finally, the unit matches the generated high-level code against the preset unsafe code rules and detects unsafe code such as array out-of-bounds accesses, unsafe functions and high-risk calls, thereby obtaining the code analysis result.
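Steps S906 and S908 as an added example, not the patent's own code: a rule matcher over readable (decompiled) code that flags unsafe functions, high-risk calls with non-constant arguments and unchecked array writes, then uses the function call relationships to mark every function from which a high-risk finding is reachable as a suspected vulnerable function. The listing is constructed pseudo-C in a fixed layout (one function header per unindented line, closing brace at column 0); disassembly and decompilation themselves are assumed to have already run.

```python
"""Unsafe-code rule matching on decompiled code plus call-relationship analysis.

Added example, not the patent's own code. SAMPLE_READABLE_CODE is constructed
pseudo-C standing in for decompiler output; the rule set is an assumption.
"""
import re

# Preset unsafe code rules: (rule name, pattern over one line of readable code, risk)
UNSAFE_RULES = [
    ("unsafe_function", re.compile(r"\b(strcpy|strcat|sprintf|gets)\s*\("), "high"),
    # command execution whose argument is not a string literal
    ("high_risk_call", re.compile(r'\b(system|popen|execl|execve)\s*\((?!\s*")'), "high"),
    ("fixed_buffer", re.compile(r"\bchar\s+\w+\s*\[\s*\d+\s*\]"), "info"),
    # array write with a variable index (candidate out-of-bounds access)
    ("unchecked_index", re.compile(r"\w+\s*\[\s*[A-Za-z_]\w*\s*\]\s*=(?!=)"), "medium"),
]
FUNC_RE = re.compile(r"^\w[\w\s\*]*?\b(\w+)\s*\([^)]*\)\s*\{?\s*$")  # unindented header
CALL_RE = re.compile(r"\b(\w+)\s*\(")
KEYWORDS = {"if", "else", "while", "for", "switch", "return", "sizeof"}


def parse_functions(code):
    """Split the readable code into {name: [lines]}; a function ends at an unindented '}'."""
    funcs, cur = {}, None
    for line in code.splitlines():
        if cur is None:
            m = FUNC_RE.match(line)
            if m and m.group(1) not in KEYWORDS:
                cur = m.group(1)
                funcs[cur] = []
        if cur is not None:
            funcs[cur].append(line)
            if line == "}":
                cur = None
    return funcs


def match_rules(funcs):
    """S906: apply the preset unsafe code rules line by line; returns the unsafe code findings."""
    findings = []
    for name, lines in funcs.items():
        for i, line in enumerate(lines):
            for rule, pat, risk in UNSAFE_RULES:
                if pat.search(line):
                    findings.append({"function": name, "line": i, "rule": rule,
                                     "risk": risk, "code": line.strip()})
    return findings


def call_graph(funcs):
    """Callees per function, restricted to functions defined in the listing."""
    return {name: {c for c in CALL_RE.findall("\n".join(lines)) if c in funcs and c != name}
            for name, lines in funcs.items()}


def suspected_vulnerable(funcs, findings):
    """Functions that contain a high-risk finding, plus every function that reaches one
    through the call relationship (propagated backwards along call edges)."""
    graph = call_graph(funcs)
    suspects = {f["function"] for f in findings if f["risk"] == "high"}
    changed = True
    while changed:
        changed = False
        for caller, callees in graph.items():
            if caller not in suspects and callees & suspects:
                suspects.add(caller)
                changed = True
    return suspects


def code_analysis_result(code):
    """S908: the code analysis result built from the findings and the suspected functions."""
    funcs = parse_functions(code)
    findings = match_rules(funcs)
    return {"findings": findings,
            "suspected_functions": sorted(suspected_vulnerable(funcs, findings)),
            "call_graph": {k: sorted(v) for k, v in call_graph(funcs).items()}}


# Constructed decompiler-style listing (not from any real firmware).
SAMPLE_READABLE_CODE = """\
int copy_name(char *src)
{
    char name[32];
    strcpy(name, src);
    return name[0];
}
int run_command(char *cmd)
{
    char line[128];
    sprintf(line, "/bin/%s", cmd);
    return system(line);
}
int handle_request(char *input, int idx, int *table)
{
    table[idx] = 1;
    if (idx > 0)
        return copy_name(input);
    return 0;
}
int log_status(void)
{
    return system("/bin/logger status");
}
"""

if __name__ == "__main__":
    import json
    print(json.dumps(code_analysis_result(SAMPLE_READABLE_CODE), indent=2))
```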
In the above embodiment, by performing reverse analysis on the firmware code, security vulnerabilities and hidden dangers of the firmware at the file, component and function levels can be discovered.
In the firmware detection system of the power internet of things equipment, a firmware file packet uploaded by the power internet of things equipment is acquired through a firmware meta-information extraction module, format information contained in the firmware file packet is identified, a firmware automatic decompression module decompresses the firmware file packet according to the format information to obtain a firmware file stored in the firmware file packet, a firmware analysis module performs static analysis on the firmware file to generate at least one of a security analysis report and a vulnerability analysis list, and the firmware analysis module performs dynamic analysis on the firmware file to obtain a code analysis result of a firmware code contained in the firmware file packet, so that automation of detection and analysis of the security of the firmware is realized; the functional modules are closely cooperated, the analysis process of the safety of the firmware is highly automated, and the detection/analysis efficiency is high. Many existing technologies perform targeted analysis on one aspect of firmware security, such as the above-mentioned reverse kernel file analysis and firmware vulnerability security level assessment, but the security analysis for firmware fails to automate a series of operations, such as automatic firmware extraction, security analysis and vulnerability association. Thus, the work of the present invention is pioneering.
In some embodiments, the system further comprises a firmware security simulation verification module, configured to load and run the firmware in a dynamic simulation environment that supports the firmware, so as to check the suspected vulnerabilities output by the firmware detection system, simulate system operation, and perform the corresponding vulnerability verification through dynamic analysis of the running firmware. As shown in fig. 11, the firmware security simulation verification module is configured to perform the following steps:
Step S1102, constructing a simulation running environment.
Step S1104, running the firmware code in the simulation running environment and recording the running result information during the simulation run; the running result information includes simulation running vulnerability information.
Step S1106, updating the vulnerability analysis list based on the simulation running vulnerability information.
Specifically, the firmware security simulation verification module builds a simulation running environment in the system and runs the firmware code in it to simulate the firmware's running process. During the run, the module records the executed instructions and the running result information (for example, the result information indicates that a vulnerability exists and shows the corresponding vulnerability information; it is called simulation running vulnerability information to distinguish it from the vulnerability information of the above embodiment). The simulation running vulnerability information obtained in the simulation environment is passed, together with the third-party component information, to the firmware vulnerability correlation analysis unit, which can then call the vulnerability information, fingerprint information and so on in the firmware security knowledge base to perform vulnerability correlation analysis and update the vulnerability analysis list.
In this embodiment, the firmware is loaded and run in the simulation running environment, so that system operation is simulated and the corresponding vulnerability verification can be performed through dynamic analysis of the running firmware.
It should be noted that all or part of the modules in the firmware detection system may be implemented by software, hardware, or a combination thereof. Each module may be embedded in hardware form in, or be independent of, a processor in the computer device, or may be stored in software form in a memory of the computer device, so that the processor can call and execute the operations corresponding to each module and thereby realize the detection of firmware security.
In a specific example, as shown in fig. 12, the power internet of things device uploads a firmware file package; the firmware meta-information extraction module in the firmware detection system extracts the firmware meta-information and determines the firmware format; the firmware automatic decompression module decompresses the package according to that format and passes the directories/files of the resulting file system to the firmware file security analysis unit. At the same time, the firmware automatic decompression module passes the decompressed firmware code (a binary program) to the code reverse analysis unit, which performs reverse analysis and outputs an analysis result (for example, unsafe functions and function calls that are high-risk calls). Meanwhile, the firmware security simulation verification module runs the firmware file package in simulation, records the intermediate results and executed instructions, and passes them to the firmware file security analysis unit, which generates a security analysis report from the directories/files of the file system together with the intermediate results and instructions of the simulation run. In addition, the firmware file security analysis unit identifies third-party components from the directories/files of the file system and passes them to the firmware vulnerability correlation analysis unit, which analyzes the vulnerabilities of the third-party components with the help of the firmware security knowledge base to obtain the vulnerability analysis list. In this way, the sequence of tasks of automatic firmware extraction, security analysis, vulnerability correlation and so on is highly automated.
Based on the same inventive concept, an embodiment of the application also provides a firmware detection method for power internet of things equipment. The method can be implemented in the application environment of a local server or a cloud server and is executed by the server on which the firmware detection system of the power internet of things equipment is deployed. In some embodiments, for example, a server executes the firmware detection method of the power internet of things device; as shown in fig. 13, the method includes:
Step S1302, acquiring a firmware file package uploaded by the power internet of things device, and identifying the format information contained in the firmware file package.
Step S1304, decompressing the firmware file package according to the format information to obtain the firmware file stored in the file system.
Step S1306, performing static analysis on the firmware file to generate at least one of a security analysis report and a vulnerability analysis list, and performing dynamic analysis on the firmware file to obtain a code analysis result of the firmware code.
Specifically, the server acquires a firmware file packet uploaded by the power internet of things device, identifies format information contained in the firmware file packet, and decompresses the firmware file packet according to the format information to obtain a firmware file stored in the file system. The server performs static analysis on the firmware file to generate at least one of a security analysis report and a vulnerability analysis list, and performs dynamic analysis on the firmware file to obtain a code analysis result of the firmware code.
The firmware detection method of the power internet of things device may be cooperatively implemented by each module in the firmware detection system of the power internet of things device in the foregoing embodiment, and for the specific principle and the flow steps, reference is made to the description in the foregoing embodiment, which is not described herein again.
In the firmware detection method of the power internet of things equipment, a firmware file packet uploaded by the power internet of things equipment is acquired through a firmware meta-information extraction module, format information contained in the firmware file packet is identified, a firmware automatic decompression module decompresses the firmware file packet according to the format information to obtain a firmware file stored in the firmware file packet, a firmware analysis module performs static analysis on the firmware file to generate at least one of a security analysis report and a vulnerability analysis list, and the firmware analysis module performs dynamic analysis on the firmware file to obtain a code analysis result of a firmware code contained in the firmware file packet, so that automation of detection and analysis of the security of the firmware is realized; the functional modules are closely cooperated, the analysis process of the safety of the firmware is highly automated, and the detection/analysis efficiency is high.
It should be understood that, although the steps in the flowcharts of the embodiments described above are displayed in sequence as indicated by the arrows, they are not necessarily performed in that sequence. Unless explicitly stated otherwise herein, the steps are not strictly limited to the order shown and may be performed in other orders. Moreover, at least some of the steps in those flowcharts may include multiple sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and whose execution order is not necessarily sequential but may alternate or interleave with other steps or with at least some of the sub-steps or stages of other steps.
In one embodiment, a computer device is provided, and the computer device may be a server, and a firmware detection system of a power internet of things device is deployed in the server, and is used for detecting the security of firmware. The internal structure of the server may be as shown in fig. 14. The computer device includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The database of the computer device is used for storing data such as firmware codes. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to realize a firmware detection method of the power Internet of things equipment.
Those skilled in the art will appreciate that the architecture shown in fig. 14 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply; a particular computing device may include more or fewer components than those shown, combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having a computer program stored therein, the processor implementing the following steps when executing the computer program: the method comprises the steps of obtaining a firmware file package uploaded by the power Internet of things equipment, and identifying format information contained in the firmware file package; decompressing the firmware file packet according to the format information to obtain a firmware file stored in the file system; and performing static analysis on the firmware file to generate at least one of a security analysis report and a vulnerability analysis list, and performing dynamic analysis on the firmware file to obtain a code analysis result of the firmware code.
In one embodiment, a computer-readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, performs the steps of: the method comprises the steps of obtaining a firmware file package uploaded by the power Internet of things equipment, and identifying format information contained in the firmware file package; decompressing the firmware file packet according to the format information to obtain a firmware file stored in the file system; and performing static analysis on the firmware file to generate at least one of a security analysis report and a vulnerability analysis list, and performing dynamic analysis on the firmware file to obtain a code analysis result of the firmware code.
In one embodiment, a computer program product is provided, comprising a computer program which, when executed by a processor, performs the steps of: the method comprises the steps of obtaining a firmware file package uploaded by the power Internet of things equipment, and identifying format information contained in the firmware file package; decompressing the firmware file packet according to the format information to obtain a firmware file stored in the file system; and performing static analysis on the firmware file to generate at least one of a security analysis report and a vulnerability analysis list, and performing dynamic analysis on the firmware file to obtain a code analysis result of the firmware code.
It will be understood by those skilled in the art that all or part of the processes of the methods of the above embodiments can be implemented by instructing the relevant hardware through a computer program, which can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the method embodiments described above. Any reference to memory, database or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. Non-volatile memory may include read-only memory (ROM), magnetic tape, floppy disk, flash memory, optical memory, high-density embedded non-volatile memory, resistive random access memory (ReRAM), magnetic random access memory (MRAM), ferroelectric random access memory (FRAM), phase change memory (PCM), graphene memory, and the like. Volatile memory may include random access memory (RAM), external cache memory, and the like. By way of illustration and not limitation, RAM can take many forms, such as static random access memory (SRAM) or dynamic random access memory (DRAM). The databases referred to in the various embodiments provided herein may include at least one of relational and non-relational databases; a non-relational database may include, but is not limited to, a blockchain-based distributed database. The processors referred to in the embodiments provided herein may be general-purpose processors, central processing units, graphics processors, digital signal processors, programmable logic devices, data processing logic devices based on quantum computing, and the like, without limitation.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the present application. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.

Claims (10)

1. A firmware detection system of power Internet of things equipment is characterized in that the system comprises:
the firmware meta-information extraction module is used for acquiring a firmware file packet uploaded by the power Internet of things equipment and identifying format information contained in the firmware file packet;
the firmware automatic decompression module is used for decompressing the firmware file packet according to the format information to obtain the firmware files stored in the firmware file packet;
and the firmware analysis module is used for performing static analysis on the firmware file, generating at least one of a security analysis report and a vulnerability analysis list, and performing dynamic analysis on the firmware file to obtain a code analysis result of the firmware code contained in the firmware file package.
2. The system of claim 1, wherein the firmware analysis module comprises:
the firmware file security analysis unit is used for detecting firmware sensitive information in the firmware file and generating a security analysis report based on the detected firmware sensitive information; the firmware sensitive information comprises a sensitive file and a sensitive field;
the firmware vulnerability correlation analysis unit is used for detecting third-party component information in the firmware file, determining related vulnerability information based on the detected third-party component information, and generating a vulnerability analysis list based on the vulnerability information;
and the code reverse analysis unit is used for extracting the firmware codes in the firmware file and carrying out binary reverse analysis on the firmware codes to obtain a code analysis result.
3. The system of claim 2, wherein the firmware file security analysis unit is to:
detecting a sensitive file in the firmware file and a sensitive field in the sensitive file;
classifying the sensitive files according to preset sensitive levels, and counting to obtain the statistical data of the sensitive files and the sensitive fields under the sensitive levels;
generating a sensitive information list based on the sensitive files and the sensitive fields under each sensitive level;
and generating a security analysis report based on the sensitive file and the sensitive field and the sensitive information list.
4. The system of claim 2, further comprising a firmware security repository comprising a firmware repository, a third party component vulnerability information repository, and a third party component fingerprint repository; the firmware vulnerability association analysis unit is used for:
extracting fingerprint information in the firmware file, and searching corresponding third-party component and third-party component information in the third-party component fingerprint library according to the fingerprint information; the third-party component information comprises component name information and component version information;
searching vulnerability information associated with the third-party component information in the third-party component vulnerability information base according to the component name information;
searching firmware information related to the vulnerability information in a firmware knowledge base according to the component name information and the component version information;
and generating a vulnerability analysis list based on the vulnerability information and the firmware information obtained by searching.
5. The system of claim 2, wherein the code reverse analysis unit is configured to:
extracting firmware codes in the firmware files, disassembling the firmware codes and generating pseudo codes;
decompiling the pseudo code to generate a readable code;
detecting the readable code by using a preset unsafe code rule to obtain an unsafe code;
generating a code analysis result based on the insecure code.
6. The system of any one of claims 1 to 5, further comprising a firmware security emulation verification module to:
constructing a simulation operation environment;
running firmware codes in the simulation running environment, and recording running result information in the simulation running process; the operation result information comprises simulation operation vulnerability information;
and updating the vulnerability analysis list based on the simulation operation vulnerability information.
7. A firmware detection method for power Internet of things equipment is characterized by comprising the following steps:
the method comprises the steps of obtaining a firmware file package uploaded by the power Internet of things equipment, and identifying format information contained in the firmware file package;
decompressing the firmware file packet according to the format information to obtain a firmware file stored in the file system;
and performing static analysis on the firmware file to generate at least one of a security analysis report and a vulnerability analysis list, and performing dynamic analysis on the firmware file to obtain a code analysis result of the firmware code.
8. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor realizes the steps of the method of claim 7 when executing the computer program.
9. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method as claimed in claim 7.
10. A computer program product comprising a computer program, characterized in that the computer program realizes the steps of the method of claim 7 when executed by a processor.
CN202111466269.5A 2021-11-29 2021-11-29 Firmware detection system and method for power Internet of things equipment Pending CN114386032A (en)


Publications (1)

Publication Number Publication Date
CN114386032A true CN114386032A (en) 2022-04-22

Family

ID=81196313

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111466269.5A Pending CN114386032A (en) 2021-11-29 2021-11-29 Firmware detection system and method for power Internet of things equipment

Country Status (1)

Country Link
CN (1) CN114386032A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114884717A (en) * 2022-04-28 2022-08-09 浙江大学 User data deep evidence obtaining analysis method and system for Internet of things equipment
CN114884717B (en) * 2022-04-28 2023-08-25 浙江大学 User data deep evidence collection analysis method and system for Internet of things equipment
CN114925372A (en) * 2022-05-12 2022-08-19 北京控制与电子技术研究所 Firmware safety detection method for enterprise safety production requirements
CN114925372B (en) * 2022-05-12 2024-04-12 北京控制与电子技术研究所 Firmware security detection method for enterprise security production requirements
CN115544517A (en) * 2022-10-08 2022-12-30 上海安般信息科技有限公司 Firmware supply chain safety system based on static analysis
CN116226871A (en) * 2023-05-08 2023-06-06 中汽智联技术有限公司 Vulnerability verification method, device and medium based on static and dynamic combination
CN116226871B (en) * 2023-05-08 2023-08-01 中汽智联技术有限公司 Vulnerability verification method, device and medium based on static and dynamic combination
CN116846540A (en) * 2023-05-19 2023-10-03 国家计算机网络与信息安全管理中心 Equipment manufacturer presumption method, equipment, storage medium and device
CN116846540B (en) * 2023-05-19 2024-03-08 国家计算机网络与信息安全管理中心 Equipment manufacturer presumption method, equipment, storage medium and device

Similar Documents

Publication Publication Date Title
US11277423B2 (en) Anomaly-based malicious-behavior detection
CN114386032A (en) Firmware detection system and method for power Internet of things equipment
US9300682B2 (en) Composite analysis of executable content across enterprise network
US9081961B2 (en) System and method for analyzing malicious code using a static analyzer
CN103279710B (en) Method and system for detecting malicious codes of Internet information system
US20160070911A1 (en) Rapid malware inspection of mobile applications
CN110929264B (en) Vulnerability detection method and device, electronic equipment and readable storage medium
EP3531329B1 (en) Anomaly-based-malicious-behavior detection
KR102362516B1 (en) Apparatus for processing cyber threat information, method for processing cyber threat information, and medium for storing a program processing cyber threat information
KR102424014B1 (en) Apparatus for processing cyber threat information, method for processing cyber threat information, and medium for storing a program processing cyber threat information
KR102396237B1 (en) Apparatus for processing cyber threat information, method for processing cyber threat information, and medium for storing a program processing cyber threat information
Liang et al. Malicious packages lurking in user-friendly python package index
KR20160090566A (en) Apparatus and method for detecting APK malware filter using valid market data
US20240054210A1 (en) Cyber threat information processing apparatus, cyber threat information processing method, and storage medium storing cyber threat information processing program
CN116932381A (en) Automatic evaluation method for security risk of applet and related equipment
US20230048076A1 (en) Cyber threat information processing apparatus, cyber threat information processing method, and storage medium storing cyber threat information processing program
KR102411383B1 (en) Apparatus for processing cyber threat information, method for processing cyber threat information, and medium for storing a program processing cyber threat information
KR102420884B1 (en) Apparatus for processing cyber threat information, method for processing cyber threat information, and medium for storing a program processing cyber threat information
KR101908517B1 (en) Method for malware detection and unpack of malware using string and code signature
KR20230103275A (en) Apparatus for processing cyber threat information, method for processing cyber threat information, and medium for storing a program processing cyber threat information
US11763004B1 (en) System and method for bootkit detection
Le et al. A Basic Malware Analysis Process Based on FireEye Ecosystem.
KR102447280B1 (en) Apparatus for processing cyber threat information, method for processing cyber threat information, and medium for storing a program processing cyber threat information
KR102437376B1 (en) Apparatus for processing cyber threat information, method for processing cyber threat information, and medium for storing a program processing cyber threat information
US20240054215A1 (en) Cyber threat information processing apparatus, cyber threat information processing method, and storage medium storing cyber threat information processing program

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination