CN117873646A - Firmware simulation method and system based on peripheral access point guidance - Google Patents
Firmware simulation method and system based on peripheral access point guidance Download PDFInfo
- Publication number
- CN117873646A CN117873646A CN202311804745.9A CN202311804745A CN117873646A CN 117873646 A CN117873646 A CN 117873646A CN 202311804745 A CN202311804745 A CN 202311804745A CN 117873646 A CN117873646 A CN 117873646A
- Authority
- CN
- China
- Prior art keywords
- firmware
- peripheral access
- function
- execution
- peripheral
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 230000002093 peripheral effect Effects 0.000 title claims abstract description 163
- 238000000034 method Methods 0.000 title claims abstract description 80
- 238000004088 simulation Methods 0.000 title claims abstract description 41
- 230000008569 process Effects 0.000 claims abstract description 39
- 230000004044 response Effects 0.000 claims abstract description 39
- 230000006870 function Effects 0.000 claims description 166
- 238000013138 pruning Methods 0.000 claims description 9
- 238000007781 pre-processing Methods 0.000 claims description 6
- 238000004590 computer program Methods 0.000 claims 3
- 238000004422 calculation algorithm Methods 0.000 description 2
- 238000013461 design Methods 0.000 description 2
- 238000004880 explosion Methods 0.000 description 2
- 238000006467 substitution reaction Methods 0.000 description 2
- 244000141353 Prunus domestica Species 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000014509 gene expression Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 230000000750 progressive effect Effects 0.000 description 1
- 238000011160 research Methods 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 238000012360 testing method Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Debugging And Monitoring (AREA)
Abstract
The invention relates to the technical field of security analysis of embedded equipment, in particular to a firmware simulation method and a system based on peripheral access point guidance, which are used for identifying peripheral access points in firmware and constructing a peripheral access point set by acquiring and analyzing a firmware binary program; the set of peripheral access points is utilized to guide the firmware simulation based on dynamic symbol execution: and determining an objective function according to the peripheral access point, and solving a peripheral access response value which enables the firmware to normally execute by recursion symbol execution of the objective function for specific execution of the firmware. According to the invention, the recursive symbol execution of the objective function is solved to enable the peripheral access response value of the normal execution of the firmware, the symbol execution in the firmware simulation is separated from the specific execution, the resource expense caused by state switching in the specific execution and the dynamic symbol execution process is avoided, the firmware simulation efficiency is improved, the safety of the embedded equipment is effectively improved, and the method has a good application prospect.
Description
Technical Field
The invention relates to the technical field of security analysis of embedded equipment, in particular to a firmware simulation method and system based on peripheral access point guidance.
Background
In recent years, firmware emulation techniques have played an increasingly important role in embedded device security analysis. Compared with a general-purpose computer, the embedded device has small volume power consumption and limited computing resources, and generally cannot directly use a large dynamic analysis tool or run an analysis task for a long time. While firmware emulation techniques may emulate some or all of the services in the running firmware, providing an analysis environment that is as identical as possible to the real device. For firmware security analysis, firmware codes can be dynamically operated in the simulator to acquire the runtime environment of the firmware, so that analysts can find and solve the existing security problems, and the security of the embedded equipment is improved.
Universal simulators (e.g., QEMU, etc.) are widely used in firmware emulation to simulate different processor architectures and peripherals, providing a flexible debug and test environment. However, the wide variety of peripheral devices makes it difficult to run the firmware directly in the generic emulator, and the peripheral devices must respond some time after the firmware issues some access request, otherwise the firmware will crash or enter a suspended state. The high fidelity simulation environment is the basis for all subsequent applications of dynamic analysis techniques. Thus, how quickly to automatically run embedded firmware on a general-purpose computer lacking peripheral devices, unlike device architecture, is a hotspot in current research. Many works have been done to solve the peripheral access return value using the symbolic execution technique and reduce the path explosion problem during symbolic execution in various ways, but the state switching in such hybrid execution brings a lot of time overhead and reduces the simulation efficiency.
Disclosure of Invention
Therefore, the invention provides a firmware simulation method and a system based on peripheral access point guidance, which solve the problems of high time cost, influence on firmware simulation efficiency and the like in the existing firmware simulation, solve peripheral access response values in the normal execution process of the firmware through recursive symbol execution of an objective function, avoid resource cost caused by state switching in the mixed execution process, improve the firmware simulation efficiency, and further effectively improve the safety of embedded equipment.
According to the design scheme provided by the invention, on one hand, a firmware simulation method based on peripheral access point guidance is provided, which comprises the following steps:
acquiring a firmware binary program and a peripheral access point, and constructing a peripheral access point set based on the peripheral access point;
guiding firmware simulation based on dynamic symbol execution based on the set of peripheral access points, wherein the firmware simulation process comprises: and determining an objective function according to the peripheral access point, and solving a peripheral access response value which enables the firmware to normally execute by performing recursion symbols of the objective function so as to specifically execute the firmware according to the peripheral access response value. The method for simulating the firmware based on the peripheral access point guidance, which is provided by the invention, further guides the firmware simulation based on the dynamic symbol execution based on the peripheral access point set, and comprises the following steps:
firstly, determining an objective function requiring symbolic execution solution according to a peripheral access point, and setting a memory reading check function, so that all firmware returns a symbolic value to memory access of an unrealized peripheral in the symbolic execution process;
then, determining a basic block execution mode according to whether a symbol value created by peripheral access exists in the current execution state, and obtaining a peripheral access response value through direct function and/or path constraint function solution in the basic block execution process, wherein the basic block execution mode determination process comprises the following steps: if the current execution state has a symbol value created by peripheral access, executing a corresponding basic block by a symbol execution engine, and if the current execution state does not have the symbol value, executing the corresponding basic block by a specific execution engine; the direct function is a function determined according to the peripheral access point, and the path constraint function is a constraint function determined according to the symbol execution path constraint.
The firmware simulation method based on the peripheral access point guidance, provided by the invention, further obtains a peripheral access response value through direct function solution, and comprises the following steps:
starting from the function entry, the predetermined parameters in the function are symbolized, and whenever a peripheral read operation occurs during execution of the symbology, the value read from the peripheral register by the read operation is represented by the created global memory symbology value. When the function symbol is executed to return, a symbol execution path set represented by a state is acquired, a path which reaches a target point first is selected, and all memory symbols created in the symbol execution are solved based on the path. And matching the instruction address of the peripheral access point with the solved specific value, and acquiring a corresponding peripheral access response value by the specific execution of the firmware according to the instruction address of the current access peripheral.
The firmware simulation method based on the peripheral access point guidance, provided by the invention, further obtains a peripheral access response value through solving a path constraint function, and comprises the following steps:
and taking the state of the function call as the initial state of the constraint function solution, recording the function entry and the function return address of the function call, and matching the peripheral access response value in the corresponding constraint function recursion solution by using the function return address so that the peripheral response return value in the constraint function responds to peripheral read operation according to the instruction address of the peripheral access point and the corresponding function return address.
As the firmware simulation method based on the peripheral access point guidance, the method further utilizes the function return address to match the peripheral access response value in the corresponding constraint function recursion solution, and further comprises the following steps:
and merging the states with the same return value, and checking whether the function return value in the current execution path meets the calling requirement.
The method for simulating the firmware based on the peripheral access point guidance, which is provided by the invention, is further used for simulating the firmware based on the dynamic symbol execution based on the peripheral access point set guidance, and further comprises the following steps:
the state space is pruned based on the irrelevant path, the infinite loop and the error function, so that a normal execution path of the firmware is selected in the dynamic symbol execution, and the objective function is prevented from entering an error state in the dynamic symbol execution.
As the firmware simulation method based on the peripheral access point guidance, the invention further prunes the state space based on irrelevant paths, infinite loops and error functions, and comprises the following steps:
utilizing the directionality of the function control flow graph to trim the state space of an irrelevant path in the dynamic symbol execution process; the state space pruning of infinite loops in the dynamic symbol execution process is realized by circularly counting and discarding the loop basic blocks exceeding a preset loop threshold; the state space pruning of the error function in the dynamic symbol execution process is realized by setting the error function call point and discarding the path of the error function call point.
Further, the invention also provides a firmware simulation system based on the guidance of the peripheral access point, which comprises: a data preprocessing module and a symbol execution module, wherein,
the data preprocessing module is used for acquiring and analyzing the firmware binary program, identifying peripheral access points in the firmware and constructing a peripheral access point set;
the symbol execution module is used for guiding the firmware simulation based on dynamic symbol execution based on the peripheral access point set, wherein the firmware simulation process comprises the following steps: and determining an objective function according to the peripheral access point, and solving a peripheral access response value which enables the firmware to normally execute by performing recursion symbols of the objective function so as to specifically execute the firmware according to the peripheral access response value.
The invention has the beneficial effects that:
the method and the device use the static peripheral access point to guide the symbol execution in the firmware simulation, perform program analysis on the firmware to solve the proper peripheral access return value, separate the symbol execution from the specific execution in the firmware simulation, so that the firmware is not crashed or suspended due to the access to the unknown peripheral in the specific execution process of the firmware, meanwhile, the extra cost caused by state switching in the mixed execution process of the specific execution and the dynamic symbol execution is reduced, the firmware simulation efficiency is improved, the analyst can be helped to find and solve the safety problem existing in the firmware in time, the safety of the embedded equipment is improved, the deployment and the implementation in the safety analysis of the embedded equipment are facilitated, and the method and the device have good application prospect.
Description of the drawings:
FIG. 1 is a schematic flow of firmware emulation based on peripheral access point boot in an embodiment;
FIG. 2 is a schematic architecture of a firmware simulation algorithm in an embodiment.
The specific embodiment is as follows:
the present invention will be described in further detail with reference to the drawings and the technical scheme, in order to make the objects, technical schemes and advantages of the present invention more apparent.
Aiming at the problems of high time cost, influence on firmware simulation efficiency and the like caused by state switching of the prior mixed execution described in the background art, the embodiment of the invention, referring to fig. 1, provides a firmware simulation method based on peripheral access point guidance, which comprises the following contents:
s101, acquiring a firmware binary program and a peripheral access point, and constructing a peripheral access point set based on the peripheral access point;
s102, guiding firmware simulation based on dynamic symbol execution based on the peripheral access point set, wherein the firmware simulation process comprises the following steps: and determining an objective function according to the peripheral access point, and solving a peripheral access response value which enables the firmware to normally execute by performing recursion symbols of the objective function so as to specifically execute the firmware according to the peripheral access response value.
Specifically, the method for guiding the firmware simulation executed based on the dynamic symbol based on the set of peripheral access points comprises the following steps:
firstly, determining an objective function requiring symbolic execution solution according to a peripheral access point, and setting a memory reading check function, so that all firmware returns a symbolic value to memory access of an unrealized peripheral in the symbolic execution process;
then, determining a basic block execution mode according to whether a symbol value created by peripheral access exists in the current execution state, and obtaining a peripheral access response value through direct function and/or path constraint function solution in the basic block execution process, wherein the basic block execution mode determination process comprises the following steps: if the current execution state has a symbol value created by peripheral access, executing a corresponding basic block by a symbol execution engine, and if the current execution state does not have the symbol value, executing the corresponding basic block by a specific execution engine; the direct function is a function determined according to the peripheral access point, and the path constraint function is a constraint function determined according to the symbol execution path constraint.
The firmware simulation algorithm architecture shown in fig. 2 may be composed of a dynamic symbol execution engine, a symbol execution control component, and a path solver. In the dynamic symbol execution stage, aiming at each peripheral access point in the peripheral access set, executing the function dynamic symbol where the peripheral access point is located. The basic blocks in the objective function in the dynamic symbol execution process are translated into the host code and the VEX intermediate language used by Angr according to whether the symbol values accessed by the peripheral exist or not, and are respectively submitted to the SimEngineUnicom engine concrete execution and the heavyVEXMIXIN engine symbol execution. In the process of executing the symbol, the invention uses the symbol execution control component to create the symbol value and the clipping state space of the unknown peripheral access, wherein the memory read control component judges that the memory access is located in the MMIO space, and creates the corresponding memory symbol. The state space is pruned by three components of irrelevant path, long loop and error function. The path solver solves the peripheral access response value for the symbol value on the symbol execution path, and if a constraint function exists in the function execution process, the constraint function analysis is carried out.
The method for obtaining the peripheral access response value through direct function solution comprises the following steps:
starting from the function entry, the predetermined parameters in the function are symbolized, and whenever a peripheral read operation occurs during execution of the symbology, the value read from the peripheral register by the read operation is represented by the created global memory symbology value. When the function symbol is executed to return, a symbol execution path set represented by a state is acquired, a path which reaches a target point first is selected, and all memory symbols created in the symbol execution are solved based on the path. And matching the instruction address of the peripheral access point with the solved specific value, and acquiring a corresponding peripheral access response value by the specific execution of the firmware according to the instruction address of the current access peripheral.
The firmware interacts with the peripheral device through registers mapped into MMIO space, and peripheral registers can be generally divided into data registers, status registers, and control registers, which are read from and written to by the device to control the state of the peripheral device, while also executing different codes depending on the state of the peripheral device. In the analysis of external access points, device access points in the memory mapped I/O may be identified by manual analysis. And executing the objective function symbol with the peripheral access according to the peripheral access point identified by analysis. Starting from the function entry, all parameters in the function that can be identified are symbolized and dynamically executed to the function return. In order to alleviate the problem of state explosion during the execution of function symbols, in this embodiment, the state space may be trimmed to prevent the function from entering an error state, such as a long loop, an infinite loop, an error function, etc. In order to avoid the influence of function call in the process of executing the function, all called functions are replaced through dynamic symbol execution, no function code is executed, and only one symbol value is returned for the operation of the return value of the function in the function. Whenever a peripheral read operation occurs during the execution of a symbol, the memory read control component creates a global symbol value representing the value read from the peripheral register by the read operation. After the function is executed and returned, the symbol execution engine gives a set of paths represented by states, a path which reaches a target point first is selected, all memory symbols created in the symbol execution process are solved on the basis of the path, and the PC value at the occurrence position of the peripheral access is paired with a specific value solved by a solver, so that a set of peripheral access return values are obtained. During the firmware specific execution phase, the peripheral return value will respond to peripheral read operations in the firmware based on the corresponding PC value.
The method for obtaining the peripheral access response value through solving the path constraint function comprises the following steps:
and taking the state of the function call as the initial state of the constraint function solution, recording the function entry and the function return address of the function call, and matching the peripheral access response value in the corresponding constraint function recursion solution by using the function return address so that the peripheral response return value in the constraint function responds to peripheral read operation according to the instruction address of the peripheral access point and the corresponding function return address.
Matching peripheral access response values in the corresponding constraint function recursion solution using the function return address may further comprise:
and merging the states with the same return value, and checking whether the function return value in the current execution path meets the calling requirement.
The return value of the called function will have an effect on the execution path of the calling function, and if the path selected in the direct function solving stage contains the constraint of the return value of the function, the constraint function needs to be solved. And solving a group of peripheral access response values for the constraint function, so that the constraint function returns a return value meeting the direct function path constraint after the execution is finished. In this embodiment, the initial state of the constraint function solution is the state of the function call, and the function entry and the return address of the function call are recorded. Dynamic symbolic execution of the constraint function solving stage uses the same strategy as the direct function solving stage. When the constraint function returns, in order to reduce the size of the constraint solving space, the states with the same return value are combined first, and then whether the function return value in the current path meets the requirement of a caller is checked. The same constraint function may be called in different locations of the firmware, nor is the return value required for the call in different locations necessarily the same. Thus, the solved peripheral access return values in the constraint function require additional function return addresses to match, i.e. the peripheral return values in the constraint function will respond to peripheral read operations based on the access point PC and the current function return address. The constraint function solving process is a recursive process, and when the constraint function still exists in the constraint function, the constraint function can be solved continuously until the constraint of the called function return value is not contained in the final state.
Dynamic symbol execution uses symbol values in executing a program, tracking all possible paths of execution of the program, which results in a number of active states during symbol execution, and the required computing resources increase exponentially as symbol execution proceeds. In order for the path selected in the dynamic symbol execution to represent the normal execution path of the firmware, the efficiency of the simulation is improved, and the state space needs to be trimmed. Further, in this embodiment, the guiding the firmware simulation based on the dynamic symbol execution based on the set of peripheral access points further includes:
the state space is pruned based on the irrelevant path, the infinite loop and the error function, so that a normal execution path of the firmware is selected in the dynamic symbol execution, and the objective function is prevented from entering an error state in the dynamic symbol execution.
The method comprises the following steps: utilizing the directionality of the function control flow graph to trim the state space of an irrelevant path in the dynamic symbol execution process; the state space pruning of infinite loops in the dynamic symbol execution process is realized by circularly counting and discarding the loop basic blocks exceeding a preset loop threshold; the state space pruning of the error function in the dynamic symbol execution process is realized by setting the error function call point and discarding the path of the error function call point.
In the course of dynamic symbolic execution, to handle peripheral access occurring in a function, a program is first executed to the peripheral access point. In this process, many execution paths occur that are independent of the MMIO access, increasing the state space for symbolic execution. To handle such irrelevant states, in the present embodiment, the directionality of the function control flow graph may be utilized, and for the remaining basic blocks of the function, if the basic block where the target peripheral accesses is located is connected, it indicates that the function has an opportunity to execute the basic block before or after executing the basic block to the target basic block, otherwise, it indicates that the basic block is not in the path of executing the basic block to the target basic block, and the basic block does not need to be processed during the dynamic symbol execution process.
During execution of the firmware, a developer often uses an infinite loop to suspend the firmware if an unexpected peripheral response occurs. Thus, it is avoided to enter an excessively long loop state during the execution of firmware by the symbol. In this embodiment, the loop states exceeding the preset loop threshold are discarded through the loop count, and these states are set as loops, so as to obtain the entry points of all error loop basic blocks. This threshold is set to 30 times. Furthermore, the entry point of the error cycle may also be manually added by hand. During the execution of the symbol, the error loop basic block is executed only once and then discarded, avoiding error conditions due to long/infinite loops.
In firmware, an error function is called to perform error processing in addition to using a dead loop to indicate that an unrecoverable error has occurred or to continue to perform a task. These errant functions either indicate assertion failure or cause program exception exit, regardless of how an error in firmware execution would cause the invocation of such functions. Therefore, in the symbol execution process, in this embodiment, by designating call points of the error functions, if a state is executed to the call points of the functions, it is indicated that the current path is in error, and the current path should be discarded to implement state space pruning of the error functions.
By pruning the state space under the conditions of irrelevant paths, long/infinite loops and error functions, the objective function avoids exploring wrong or unnecessary states when the dynamic symbol is executed, so that the time overhead of symbol execution is further reduced, and the firmware simulation efficiency is improved.
Further, based on the above method, the embodiment of the present invention further provides a firmware emulation system based on peripheral access point boot, including: a data preprocessing module and a symbol execution module, wherein,
the data preprocessing module is used for acquiring and analyzing the firmware binary program, identifying peripheral access points in the firmware and constructing a peripheral access point set;
the symbol execution module is used for guiding the firmware simulation based on dynamic symbol execution based on the peripheral access point set, wherein the firmware simulation process comprises the following steps: and determining an objective function according to the peripheral access point, and solving a peripheral access response value which enables the firmware to normally execute by performing recursion symbols of the objective function so as to specifically execute the firmware according to the peripheral access response value.
The relative steps, numerical expressions and numerical values of the components and steps set forth in these embodiments do not limit the scope of the present invention unless it is specifically stated otherwise.
In the present specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different point from other embodiments, and identical and similar parts between the embodiments are all enough to refer to each other. For the system disclosed in the embodiment, since it corresponds to the method disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section.
The elements and method steps of the examples described in connection with the embodiments disclosed herein may be embodied in electronic hardware, computer software, or a combination thereof, and the elements and steps of the examples have been generally described in terms of functionality in the foregoing description to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Those of ordinary skill in the art may implement the described functionality using different methods for each particular application, but such implementation is not considered to be beyond the scope of the present invention.
Those of ordinary skill in the art will appreciate that all or a portion of the steps in the above methods may be performed by a program that instructs associated hardware, and that the program may be stored on a computer readable storage medium, such as: read-only memory, magnetic or optical disk, etc. Alternatively, all or part of the steps of the above embodiments may be implemented using one or more integrated circuits, and accordingly, each module/unit in the above embodiments may be implemented in hardware or may be implemented in a software functional module. The present invention is not limited to any specific form of combination of hardware and software.
Finally, it should be noted that: the above examples are only specific embodiments of the present invention, and are not intended to limit the scope of the present invention, but it should be understood by those skilled in the art that the present invention is not limited thereto, and that the present invention is described in detail with reference to the foregoing examples: any person skilled in the art may modify or easily conceive of the technical solution described in the foregoing embodiments, or perform equivalent substitution of some of the technical features, while remaining within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and are intended to be included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (10)
1. A firmware emulation method based on peripheral access point boot, comprising:
acquiring and analyzing a firmware binary program, identifying peripheral access points in the firmware and constructing a peripheral access point set;
guiding firmware simulation based on dynamic symbol execution based on the set of peripheral access points, wherein the firmware simulation process comprises: and determining an objective function according to the peripheral access point, and solving a peripheral access response value which enables the firmware to normally execute by performing recursion symbols of the objective function so as to specifically execute the firmware according to the peripheral access response value.
2. The method for firmware emulation based on peripheral access point guidance according to claim 1, wherein the step of guiding the firmware emulation based on dynamic symbol execution based on the set of peripheral access points comprises:
firstly, determining an objective function requiring symbolic execution solution according to a peripheral access point, and setting a memory reading check function, so that all firmware returns a symbolic value to memory access of an unrealized peripheral in the symbolic execution process;
then, determining a basic block execution mode according to whether a symbol value created by peripheral access exists in the current execution state, and obtaining a peripheral access response value through direct function and/or path constraint function solution in the basic block execution process, wherein the basic block execution mode determination process comprises the following steps: if the current execution state has a symbol value created by peripheral access, executing a corresponding basic block by a symbol execution engine, and if the current execution state does not have the symbol value, executing the corresponding basic block by a specific execution engine; the direct function is a function determined according to the peripheral access point, and the path constraint function is a constraint function determined according to the symbol execution path constraint.
3. The peripheral access point boot-based firmware emulation method of claim 2, wherein obtaining the peripheral access response value by direct function solution comprises:
starting from the function entry, the predetermined parameters in the function are symbolized, and whenever a peripheral read operation occurs during execution of the symbology, the value read from the peripheral register by the read operation is represented by the created global memory symbology value. When the function symbol is executed to return, a symbol execution path set represented by a state is acquired, a path which reaches a target point first is selected, and all memory symbols created in the symbol execution are solved based on the path. And matching the instruction address of the peripheral access point with the solved specific value, and acquiring a corresponding peripheral access response value by the specific execution of the firmware according to the instruction address of the current access peripheral.
4. The peripheral access point boot-based firmware emulation method of claim 2, wherein obtaining the peripheral access response value by path constraint function solution comprises:
and taking the state of the function call as the initial state of the constraint function solution, recording the function entry and the function return address of the function call, and matching the peripheral access response value in the corresponding constraint function recursion solution by using the function return address so that the peripheral response return value in the constraint function responds to peripheral read operation according to the instruction address of the peripheral access point and the corresponding function return address.
5. The peripheral access point boot-based firmware emulation method of claim 4, wherein using the function return address to match the peripheral access response value in the corresponding constraint function recursion solution further comprises:
and merging the states with the same return value, and checking whether the function return value in the current execution path meets the calling requirement.
6. The method for firmware emulation based on peripheral access point guidance according to claim 1, wherein the method for firmware emulation based on dynamic symbol execution based on peripheral access point set guidance further comprises:
the state space is pruned based on the irrelevant path, the infinite loop and the error function, so that a normal execution path of the firmware is selected in the dynamic symbol execution, and the objective function is prevented from entering an error state in the dynamic symbol execution.
7. The peripheral access point boot-based firmware emulation method of claim 6, wherein pruning the state space based on irrelevant paths, infinite loops, and error functions comprises:
utilizing the directionality of the function control flow graph to trim the state space of an irrelevant path in the dynamic symbol execution process; the state space pruning of infinite loops in the dynamic symbol execution process is realized by circularly counting and discarding the loop basic blocks exceeding a preset loop threshold; the state space pruning of the error function in the dynamic symbol execution process is realized by setting the error function call point and discarding the path of the error function call point.
8. A firmware emulation system based on peripheral access point booting, comprising: a data preprocessing module and a symbol execution module, wherein,
the data preprocessing module is used for acquiring and analyzing the firmware binary program, identifying peripheral access points in the firmware and constructing a peripheral access point set;
the symbol execution module is used for guiding the firmware simulation based on dynamic symbol execution based on the peripheral access point set, wherein the firmware simulation process comprises the following steps: and determining an objective function according to the peripheral access point, and solving a peripheral access response value which enables the firmware to normally execute by performing recursion symbols of the objective function so as to specifically execute the firmware according to the peripheral access response value.
9. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the method of any of claims 1 to 7.
10. An electronic device, comprising:
at least one processor, and a memory coupled to the at least one processor;
wherein the memory stores a computer program executable by the at least one processor to implement the method of any one of claims 1-7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311804745.9A CN117873646A (en) | 2023-12-26 | 2023-12-26 | Firmware simulation method and system based on peripheral access point guidance |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311804745.9A CN117873646A (en) | 2023-12-26 | 2023-12-26 | Firmware simulation method and system based on peripheral access point guidance |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117873646A true CN117873646A (en) | 2024-04-12 |
Family
ID=90591089
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311804745.9A Pending CN117873646A (en) | 2023-12-26 | 2023-12-26 | Firmware simulation method and system based on peripheral access point guidance |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117873646A (en) |
-
2023
- 2023-12-26 CN CN202311804745.9A patent/CN117873646A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN107526625B (en) | Java intelligent contract security detection method based on bytecode inspection | |
| CN110580226B (en) | Object code coverage rate testing method, system and medium for operating system level program | |
| US11604643B2 (en) | System for executing new instructions and method for executing new instructions | |
| US11803387B2 (en) | System for executing new instructions and method for executing new instructions | |
| Kinder et al. | Precise static analysis of untrusted driver binaries | |
| US11625247B2 (en) | System for executing new instructions and method for executing new instructions | |
| Sandell et al. | Static timing analysis of real-time operating system code | |
| US10997055B2 (en) | Methods, circuits, apparatus, systems and associated software modules for evaluating code behavior | |
| US20080307397A1 (en) | Program Analysis by Partial Emulation | |
| CN106055481B (en) | Method and device for testing computer program | |
| US20180189167A1 (en) | Methods, circuits, apparatus, systems and associated software modules for evaluating code behavior | |
| WO2011089478A1 (en) | Debugger system, method and computer program product for debugging instructions | |
| CN114428642A (en) | Random instruction generation environment based on novel processor architecture | |
| US20240086310A1 (en) | What-if analysis for notebooks | |
| CN116521231A (en) | Reference model for SPARC V8 instruction set dynamic simulation verification | |
| CN116450431A (en) | Instruction function test system of CPU reference model, method thereof, computer equipment and storage medium | |
| CN116150021A (en) | Program running track tracking method, program running track comparing method, program running track tracking device and computing equipment | |
| CN117873646A (en) | Firmware simulation method and system based on peripheral access point guidance | |
| CN109426546B (en) | Application starting method and device, computer storage medium and equipment | |
| US11886589B2 (en) | Process wrapping method for evading anti-analysis of native codes, recording medium and device for performing the method | |
| CN115374017A (en) | Method for capturing site during simulation running of executable file and computing equipment | |
| CN116340081A (en) | RISCV memory access violation detection method and device based on hardware virtualization | |
| CN115470151B (en) | Application operation analysis method, computing device and storage medium | |
| US9830174B2 (en) | Dynamic host code generation from architecture description for fast simulation | |
| CN112380529B (en) | Embedded bare computer system safety isolation system based on operation |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |