KR20240011218A - Method of diagnosing bootloader using deep-learning model and apparatus therefor - Google Patents

Abstract

The present invention relates to a bootloader diagnosis method and device using a deep learning model. More specifically, generating an Executable and Linkable Format (ELF) file for each hardware type and function of the learning firmware bootloader; Generating a structural image file from the generated ELF file using a reverse engineering tool and learning the structural image; Detecting a learned structure image corresponding to the structure image of the target firmware bootloader; and performing a diagnosis as to whether the target firmware bootloader is normal by applying a deep learning algorithm to each detected structure image.

Description

Bootloader diagnosis method and device using deep learning model {METHOD OF DIAGNOSING BOOTLOADER USING DEEP-LEARNING MODEL AND APPARATUS THEREFOR}

The present invention relates to bootloader diagnosis, and more specifically, to a method and device for automatically diagnosing and predicting abnormal functions and vulnerabilities in the bootloader through a deep learning algorithm.

Firmware is software included in a specific hardware device and is a device that enables reading, executing, or modifying software. Types of firmware include a device driver that controls the device, a bootloader that uploads the operating system (OS) to the device, a small operating system for the device, and application software that runs on the device. there is. The bootloader is software that is generally stored in flash memory and is run by the central processing unit during initial booting, reads the contents stored inside the device, and executes the next level of operating system software. The bootloader can be updated as needed.

If there is a manufacturing mistake or a randomly occurring vulnerability in the bootloader, which performs a major task in the initial operation of the hardware device, various security attacks are possible through this, which can eventually lead to fatal problems in the hardware device. Therefore, it is necessary to protect the bootloader, which is software installed during initial production of equipment or updated as needed, from attacks targeting security vulnerabilities.

To this end, in the past, security vulnerabilities or abnormal malicious functions in the actual bootloader software were detected through manual analysis by experts in the fields of firmware, hardware, operating systems, and reverse engineering. In other words, in the past, according to the software structure and flowchart obtained through reverse engineering, developers, test verification experts, etc. followed the chronological order of each line and found problems based on experience and code base for abnormal parts. Therefore, these conventional methods had limitations or problems, such as problems with detection accuracy depending on expert capabilities and the need for a large amount of resources for analysis.

In order to solve the above-described conventional problems, the work of the present invention is to apply a deep learning algorithm to a structural image file generated through reverse engineering of the bootloader file, It provides a method and device for automatically diagnosing and predicting vulnerabilities.

Another task of the present invention is to provide a method and device for automatically diagnosing whether a bootloader is normal while minimizing human intervention through learning a deep learning algorithm as described above.

The technical problems to be achieved in the present invention are not limited to the above technical problems, and other technical problems not mentioned will be clearly understood by those skilled in the art from the description below.

The firmware bootloader diagnosis method according to an embodiment of the present invention to solve the above-described problem includes the steps of generating an ELF (Executable and Linkable Format) file for each hardware type and function of the learning firmware bootloader; Generating a structural image file from the generated ELF file using a reverse engineering tool and learning the structural image; Detecting a learned structure image corresponding to the structure image of the target firmware bootloader; and performing a diagnosis as to whether the target firmware bootloader is normal by applying a deep learning algorithm to each detected structure image.

According to the firmware bootloader diagnosis method according to an embodiment of the present invention, generating an ELF file of the target firmware bootloader; and generating a structure image file from the ELF file of the target firmware bootloader created using a reverse engineering tool and converting it into a structure image.

According to the firmware bootloader diagnosis method according to an embodiment of the present invention, the learning step includes images of individual functions of the firmware bootloader and graphics displaying the processing order for each function in the generated structure image file. It may include a step of converting to an image.

According to the firmware bootloader diagnosis method according to an embodiment of the present invention, the learning step may include generating a learning model using spatial features extracted from the converted image.

*

*According to the firmware bootloader diagnosis method according to an embodiment of the present invention, it may further include generating a data set for applying the deep learning based on the detected structure image.

A firmware bootloader diagnostic device according to an embodiment of the present invention includes a first file generator that generates a first ELF file for each hardware type and function of a learning firmware bootloader; a second file generator that generates a first structure image file from the generated first ELF file using a reverse engineering tool; a learning unit that learns a structure image based on the first structure image file; An image detection unit that detects the structure image of the target firmware bootloader and the corresponding learned structure image, respectively; and a diagnostic unit that applies a deep learning algorithm to each detected structure image to diagnose whether the target firmware bootloader is normal.

According to the firmware bootloader diagnosis device according to an embodiment of the present invention, the first file generator further generates a second ELF file for each hardware type and function of the target firmware bootloader, and the second file generator: Using a reverse engineering tool, a second structural image file can be further created from the generated second ELF file.

According to the firmware bootloader diagnostic device according to an embodiment of the present invention, the learning unit converts the generated first structure image file into images for individual functions of the learning firmware bootloader and graphics displaying the order of processing for each function. It can be converted to an image containing this.

According to the firmware bootloader diagnostic device according to an embodiment of the present invention, the learning unit may generate a learning model using spatial features extracted from the converted image.

According to the firmware bootloader diagnostic device according to an embodiment of the present invention, it may further include a data generator that generates a data set for applying the deep learning based on the detected structure image.

According to the present invention as described above, the effects described below can be obtained. However, the effects that can be achieved through the present invention are not limited to this.

First, we provide a method and device to automatically diagnose and predict abnormal functions or vulnerabilities in the bootloader by applying a deep learning algorithm to the structural image file created through reverse engineering of the bootloader file. There is an effect that can be done.

Second, as described above, there is an effect of providing a method and device for automatically diagnosing whether the bootloader is normal while minimizing human intervention through learning of a deep learning algorithm.

Figure 1 is a block diagram of a device for diagnosing whether a firmware bootloader is normal according to an embodiment of the present invention.
Figure 2 is a flowchart illustrating a method for automatically diagnosing whether the bootloader of firmware is normal according to an embodiment of the present invention.
Figure 3 is a diagram illustrating a method for generating a reverse engineering structure image used to automatically diagnose whether the bootloader of firmware is normal according to an embodiment of the present invention.
FIG. 4 is a diagram illustrating a structure image candidate detected for classifying a firmware bootloader reverse engineering structure image file according to an embodiment of the present invention.
Figure 5 is a diagram illustrating a process of learning a bootloader structure image by applying a deep learning algorithm according to an embodiment of the present invention.
Figures 6 and 7 are diagrams to explain item classification by firmware structure according to an embodiment of the present invention.
Figures 8 to 10 are diagrams to explain a reverse engineering image according to an embodiment of the present invention.

Hereinafter, preferred embodiments according to the present invention will be described in detail with reference to the attached drawings. The detailed description set forth below in conjunction with the accompanying drawings is intended to illustrate exemplary embodiments of the invention and is not intended to represent the only embodiments in which the invention may be practiced.

These embodiments are provided solely to ensure that the disclosure of the present invention is complete and to fully inform those skilled in the art of the present invention of the scope of the invention, and that the present invention will be defined by the scope of the claims. It's just that.

In some cases, in order to avoid ambiguity of the concept of the present invention, well-known structures and devices may be omitted or may be shown in block diagram form focusing on the core functions of each structure and device. In addition, the same components are described using the same reference numerals throughout this specification.

Throughout the specification, when a part is said to “comprise or include” a certain element, this means that it does not exclude other elements but may further include other elements, unless specifically stated to the contrary. do.

Additionally, the term "unit" used in the specification refers to a unit that processes at least one function or operation, and may be implemented as hardware, software, or a combination of hardware and software. Furthermore, the terms “a” or “an”, “one”, and similar related terms may be used in the singular and plural in the context of describing the present invention, unless otherwise indicated herein or clearly contradicted by context. It can be used in a meaning that includes.

In addition, specific terms used in the embodiments of the present invention are provided to aid understanding of the present invention, and unless otherwise defined, all terms used herein, including technical or scientific terms, refer to the present invention. It has the same meaning as generally understood by those with ordinary knowledge in the technical field to which it belongs. The use of these specific terms may be changed to other forms without departing from the technical spirit of the present invention.

Hereinafter, embodiments of a method, device, or system for automatically diagnosing and predicting abnormal functions and vulnerabilities in a bootloader through a deep-learning algorithm according to the present invention will be described. Explain.

Hereinafter, in this specification, to help understand the present invention and for convenience of explanation, the firmware bootloader is described as an example, but the present invention is not limited thereto, and includes a firmware device driver, a device It can also be applied to small operating systems (OS) and application software running on the device. That is, the present invention can be applied to a system that diagnoses firmware.

Various embodiments of the present invention will be described with reference to the attached drawings.

Figure 1 is a block diagram of a device 100 for diagnosing whether the bootloader of firmware is normal according to an embodiment of the present invention.

Referring to FIG. 1, the device 100 for diagnosing whether the bootloader of the firmware is normal includes a file receiving unit 110, a first file generating unit 120, a second file generating unit 130, a learning unit 140, and an image. It may include a detection unit 150, a data generation unit 160, a diagnosis unit 170, and a memory 180.

The file receiving unit 110 may receive data about the bootloader of the target firmware. The file receiving unit 110 may receive data about the bootloader of learning firmware for deep learning learning. Data on the bootloader of firmware for deep learning learning can be obtained or received from public databases, firmware bootloader manufacturers, etc.

The file receiving unit 110 may provide an interface environment necessary to receive data about the bootloader of target firmware and/or the bootloader of firmware for deep learning learning.

The first file generator 120 may generate a file in a first format for each hardware type and function of the bootloader from data in the bootloader of the target firmware and the bootloader of the learning firmware. At this time, the first format is an ELF (Executable and Linkable Format) file format to be used in a reverse engineering tool for debug purposes. However, the present invention is not limited to these file formats.

The second file generator 130 generates the first file for the bootloader of the target firmware in the first file generator 120 and the learning firmware in order to automatically diagnose whether the bootloader of the target firmware is normal. A file of a second format is generated from the second file generated for the boot loader. At this time, the generated file of the second format will be described by being named a structure image file. Meanwhile, the second file generator 130 may generate a structural image file using a reverse engineering tool. However, the present invention is not limited to this.

Depending on the embodiment, at least one of the file receiving unit 110, the first file generating unit 120, and the second file generating unit 130 is separately provided for a bootloader of the target firmware and a bootloader of the learning firmware. It can be.

The learning unit 140 generates a structural image for actual deep learning learning, that is, creates a structural image file for the bootloader of the learning firmware generated in the second file generating unit 130 with images for individual functions of the bootloader. It can be converted into an image showing the order of processing for each function. The converted image may include graphics.

The learning unit 140 may perform deep learning learning on the converted image and create a learning model.

The image detector 150 may detect a structure image from a structure image file for the bootloader of the target firmware. The image detector 150 may detect a pre-learned structure image for the bootloader of the learning firmware corresponding to the structure image of the bootloader file of the detected target firmware.

The data generator 160 may generate a data set for the structure image of the firmware bootloader detected by the image detector 150. The generated data set may be generated based on the unit to which the deep learning algorithm is applied. Depending on the embodiment, the generated data may be generated in arbitrary units.

Depending on the embodiment, the data generator 160 determines whether the target firmware bootloader is normal, determines whether structural abnormal behavior is inserted, and improves accuracy in diagnosing vulnerabilities by determining the method in which the firmware bootloader is implemented and the firmware boot. By analyzing the characteristics shown in the loader's operation sequence, etc., a data set can be created so that deep learning algorithms can be applied by dividing each item.

The diagnosis unit 170 may apply a deep learning algorithm to the data set generated by the data generation unit 160 to diagnose whether the target firmware bootloader is normal. In this specification, normality refers to a concept that encompasses whether the bootloader of the firmware behaves abnormally in its structure, whether it contains vulnerabilities, or whether it contains malicious functions.

The memory 180 temporarily stores various types of files related to the present invention. For example, the memory 180 may temporarily store a bootloader structured image or structured image file of firmware used for deep learning learning. Depending on the embodiment, the memory 180 does not necessarily need to be one, and does not need to be included in the device for diagnosing whether the bootloader of the firmware is normal.

The system for diagnosing whether the bootloader of firmware is normal according to the present invention may include a device 100 for diagnosing whether the bootloader of firmware is normal and a user terminal (not shown). At this time, the device 100 for diagnosing whether the bootloader of the firmware is normal may be a server. Accordingly, a request to diagnose whether the bootloader of the target firmware is normal or a related file can be received from at least one user terminal online. The device 100 for diagnosing whether the bootloader of the firmware is normal and the user terminal can perform data communication by sending and receiving requests, files, etc. through a wired or wireless communication network.

In this specification, for the sake of understanding and convenience of explanation, automatic diagnosis of whether the bootloader of one target firmware is normal is used as an example, but is not limited thereto.

The present invention learns by converting the file for the bootloader of the firmware into a structured image file through a reverse engineering tool, and applies the learning results and deep learning algorithm to the bootloader of the target firmware to automatically diagnose and predict whether it is normal. However, depending on the embodiment, it is possible to diagnose whether the bootloaders of multiple target firmwares are normal at the same time using a deep learning-based learning model.

Figure 2 is a flowchart illustrating a method for automatically diagnosing whether the bootloader of firmware is normal according to an embodiment of the present invention.

Referring to FIG. 2, a method of automatically diagnosing whether the firmware bootloader is normal using the firmware bootloader normality diagnosis device 100 of FIG. 1 described above will be described as follows.

The device 100 for diagnosing whether the firmware bootloader is normal generates a first learning ELF file for each hardware type and function of the learning firmware bootloader (S201).

The device 100 for diagnosing whether the firmware bootloader is normal generates a first structure image file from the generated first learning ELF file using a reverse engineering tool (S202).

The device 100 for diagnosing whether the firmware bootloader is normal converts the generated first structure image file into a structure image and learns it (S203).

The device 100 for diagnosing whether the firmware bootloader is normal detects a learned structure image corresponding to the structure image of the target firmware bootloader (S204).

The device 100 for diagnosing whether the firmware bootloader is normal applies a deep learning algorithm to each detected structure image (S205) to diagnose whether the target firmware bootloader is normal (S206).

In the above, the firmware bootloader diagnosis method according to an embodiment of the present invention generates a second target ELF file of the target firmware bootloader, and creates a second target ELF file of the target firmware bootloader using a reverse engineering tool. A second structural image file is generated from and the generated second structural image file is converted into a structural image for diagnosis.

Depending on the embodiment, in the above-described step S203, the generated first structure image file may be converted into an image including images for individual functions of the firmware bootloader and graphics indicating the processing order for each function.

Depending on the embodiment, in step S203 described above, a learning model may be created using spatial features extracted from the converted image.

Depending on the embodiment, the firmware bootloader diagnosis method according to an embodiment of the present invention may generate a data set based on the detected structure image and apply a deep learning algorithm.

Figure 3 is a diagram illustrating a method for generating a reverse engineering structure image used to automatically diagnose whether the bootloader of firmware is normal according to an embodiment of the present invention.

Figure 3 explains a method of generating a reverse engineering structure image for the bootloader described above. Figure 3 is applicable to the bootloader of the target and/or learning firmware.

First, as shown in (a) of FIG. 3, the firmware bootloader normality diagnosis device 100 generates a file in the execution and link function format of the firmware bootloader, that is, an ELF file, for the firmware bootloader. .

Next, as shown in (b) and (c) of FIG. 3, the firmware bootloader normality diagnostic device 100 converts the generated ELF file into an img file, that is, a structured image file, using a reverse engineering tool. Create.

Finally, as shown in (d) and (e) of FIG. 3, the firmware bootloader normality diagnosis device 100 analyzes the generated structured image file to generate or convert an image for deep learning learning. Depending on the embodiment, a reverse engineering tool may also be used to analyze the generated structured image file. The deep learning learning image created or converted in this way may include an image including images for individual functions of the corresponding image file and graphics indicating the order of processing for each function.

FIG. 4 is a diagram illustrating a structure image candidate detected for classifying a firmware bootloader reverse engineering structure image file according to an embodiment of the present invention.

In Figure 4, the structure image candidates detected for classifying the reverse engineering structure image file of the learning firmware bootloader are explained.

This structure image candidate, that is, the overall structure image 410 as a structure image for deep learning application, includes the sequence from start to end of the program of the learning firmware bootloader and functions and flowcharts for exception handling additional functions. It can be.

Meanwhile, the detailed structure image 420, which looks at the image structure in detail from the overall structure image, can provide detailed content according to the role and content of each function.

Figure 5 is a diagram illustrating a process of learning a bootloader structure image by applying a deep learning algorithm according to an embodiment of the present invention.

The device 100 for diagnosing whether the firmware bootloader is normal learns the structure image generated for the learning firmware bootloader, as shown in FIG. 5 .

The device 100 for diagnosing whether the firmware bootloader is normal determines whether the firmware bootloader is normal, such as whether the structure or execution order of the bootloader is changed intentionally or accidentally, or whether a malicious function is inserted, by measuring the extracted spatial data as shown. By creating a learning model using features, each function can be learned.

The device 100 for diagnosing whether the firmware bootloader is normal extracts spatial characteristics of an image file for the corresponding structure and uses these characteristics to apply them to the bootloader as a data set for learning and verifying structural frame characteristics.

The device 100 for diagnosing whether the firmware bootloader is normal may generate a learning model by learning a Deep Neural Network (DNN) about the characteristics of the bootloader structure.

In the step of learning each of the bootloader structure images, each function within the bootloader can be learned by creating a learning model using spatial features extracted for the structures based on a recursive neural network.

The device 100 for diagnosing whether the firmware bootloader is normal may recognize changes in fine functions and processing sequences based on the calculated recognition value. Depending on the embodiment, the device 100 for diagnosing whether the firmware bootloader is normal may analyze the characteristics of functions and sequences included in the bootloader structure image using deep learning and use this to recognize the bootloader function.

Depending on the embodiment, the device 100 for diagnosing whether the firmware bootloader is normal can perform effective bootloader operation recognition in terms of performance because it can model and utilize the structural characteristics of the bootloader.

Regarding the deep-learning technology applied to the present invention, known technologies may be referred to, and detailed description thereof will be omitted in this specification.

Figures 6 and 7 are diagrams to explain item classification by firmware structure according to an embodiment of the present invention.

Figures 8 to 10 are diagrams to explain a reverse engineering image according to an embodiment of the present invention.

Figures 6 and 7 show examples of hardware malicious function classifications that can be used as additional information in deep learning algorithms.

First, in order to discern minute changes, hardware equipment and firmware configuration can be divided by central processing unit, that is, CPU core.

At this time, the CPU core may include ARM shown in FIG. 6 and RISC-V shown in FIG. 7, but is not limited thereto. For example, MIPS, etc. may be included as the CPU core.

Meanwhile, as shown in FIGS. 6 and 7, different compilation and build tools are used for each CPU core, so file creation and structure may have different characteristics.

Next, since the configuration method and flow of the actual bootloader are different for each program that constitutes the bootloader, definitions can be made for each.

Depending on the embodiment, during the first learning, the corresponding structural images may be classified and learned according to the program configuration for each CPU.

Figures 8 to 10 show examples of structural images using reverse engineering tools.

FIG. 8 shows a reverse engineering structure image for a first-stage bootloader, FIG. 9 shows a reverse engineering structure image for a second-stage bootloader, and FIG. 10 shows a detailed reverse engineering structure image enlarging the structure of FIG. 9.

Meanwhile, the above-described method can be written as a program that can be executed on a computer, and can be implemented in a general-purpose digital computer that operates the program using a computer-readable medium. Additionally, the data structure used in the above-described method may be recorded on a computer-readable medium through various means. Computer-readable media storing executable computer code for performing the various methods of the present invention include magnetic storage media (e.g., ROM, floppy disk, hard disk, etc.), optical readable media (e.g., CD-ROM, DVD, etc.) etc.) and other storage media.

Those skilled in the art related to the embodiments of the present invention will understand that the above-described material may be implemented in a modified form without departing from its essential characteristics. Therefore, the disclosed methods should be considered from an illustrative rather than a restrictive perspective. The scope of the present invention is indicated in the claims, not the detailed description of the invention, and all differences within the equivalent scope should be construed as being included in the scope of the present invention.

Claims (1)

Creating an ELF (Executable and Linkable Format) file for each hardware type and function of the learning firmware bootloader;
Creating a structural image file from the generated ELF file using a reverse engineering tool and learning the structural image;
Detecting a learned structure image corresponding to the structure image of the target firmware bootloader; and
A firmware bootloader diagnosis method comprising: applying a deep learning algorithm to each detected structure image to diagnose whether the target firmware bootloader is normal.

Images