Please use this Handle URI to cite this item:
http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/79272

Full metadata record

| DC field | Value | Language |
|---|---|---|
| dc.contributor.advisor | 蕭旭君(Hsu-Chun Hsiao) | |
| dc.contributor.author | Chen-Yu Li | en |
| dc.contributor.author | 李振宇 | zh_TW |
| dc.date.accessioned | 2022-11-23T08:57:07Z | - |
| dc.date.available | 2022-02-16 | |
| dc.date.available | 2022-11-23T08:57:07Z | - |
| dc.date.copyright | 2022-02-16 | |
| dc.date.issued | 2022 | |
| dc.date.submitted | 2022-02-10 | |
| dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/79272 | - |
| dc.description.abstract | As the number of IoT devices grows year by year, attacks on IoT devices are also becoming more frequent, so the software security of IoT devices has received growing attention. Among recent software testing techniques, fuzzing is a widely used automated vulnerability discovery technique. Because IoT firmware programs lack source code, run on diverse architectures, and sometimes depend on specific hardware, fuzzing IoT firmware is more complex than fuzzing ordinary programs. Before fuzzing an IoT firmware program, we must emulate it correctly. Moreover, some programs on network-based IoT devices accept only inputs with a particular syntax, so generating valid inputs is also an important factor in the efficiency of IoT firmware fuzzing. In this thesis, we design and implement a method that accelerates IoT firmware analysis using state snapshots: emulation time is saved by restoring program execution from a state snapshot. Based on the input type the IoT firmware program expects and how it stores the input, we modify the input in memory and then fuzz the program. In addition, we use keywords to generate more effective inputs for programs that read inputs of a specific format. Our experimental results confirm that fuzzing by restoring execution from a state snapshot triggers crashes faster than fuzzing without state snapshots. Keyword-based input generation also significantly shortens the time to trigger crashes in IoT firmware programs that read structured inputs. | zh_TW |
| dc.description.provenance | Made available in DSpace on 2022-11-23T08:57:07Z (GMT). No. of bitstreams: 1 U0001-2812202113491600.pdf: 1237737 bytes, checksum: 10dddc0daf901a2b1bd2d0147d3fcc67 (MD5) Previous issue date: 2022 | en |
| dc.description.tableofcontents | Oral Defense Committee Approval iii; Acknowledgements (Chinese) v; Acknowledgements vii; Abstract (Chinese) ix; Abstract xi; 1 Introduction 1; 2 Background 5; 2.1 IoT Firmware 5; 2.2 Fuzzing 5; 2.3 IoT Firmware Emulation 7; 2.3.1 User-Mode Emulation 7; 2.3.2 System-Mode Emulation 7; 2.3.3 Augmented Process Emulation 7; 2.3.4 Unicorn Engine 8; 3 Methodology 9; 3.1 Preanalysis 9; 3.2 Emulation 10; 3.3 Fuzzing 10; 4 Implementation 11; 4.1 Preanalysis 11; 4.1.1 Input Type Identification 11; 4.1.2 Environment Configuration 13; 4.1.3 Function Address Identification 14; 4.2 Emulation 14; 4.2.1 Memory Address Identification 14; 4.2.2 Hook Functions 15; 4.2.3 Map Memory Area 15; 4.2.4 Take State Snapshot 15; 4.3 Fuzzing 16; 4.3.1 Restore From Snapshot 16; 4.3.2 Input Mutation 16; 4.3.3 Input Modification 17; 5 Evaluation 19; 5.1 Experimental Environment 19; 5.2 Target IoT Device 20; 5.3 RQ1: Efficiency of State Snapshot 20; 5.4 RQ2: Effectiveness of State Snapshot 21; 5.5 RQ3: Effectiveness of Keywords 22; 6 Related Work 25; 6.1 IoT Firmware Analysis 25; 6.2 IoT Firmware Fuzzing 26; 7 Conclusion 27; 8 Future Work 29; Bibliography 31 | |
| dc.language.iso | en | |
| dc.title | Accelerating IoT Firmware Analysis Using State Snapshots (Chinese title) | zh_TW |
| dc.title | Accelerating IoT Firmware Analysis Using State Snapshots | en |
| dc.date.schoolyear | 110-1 | |
| dc.description.degree | Master's | |
| dc.contributor.advisor-orcid | 蕭旭君(0000-0001-9592-6911) | |
| dc.contributor.oralexamcommittee | 黎士瑋(Hsin-Tsai Liu),黃俊穎(Chih-Yang Tseng),黃世昆 | |
| dc.subject.keyword | IoT, Firmware, State snapshot | zh_TW |
| dc.subject.keyword | IoT, Firmware, State snapshot | en |
| dc.relation.page | 33 | |
| dc.identifier.doi | 10.6342/NTU202104587 | |
| dc.rights.note | Authorized for release (open access worldwide) | |
| dc.date.accepted | 2022-02-11 | |
| dc.contributor.author-college | College of Electrical Engineering and Computer Science | zh_TW |
| dc.contributor.author-dept | Graduate Institute of Computer Science and Information Engineering | zh_TW |
| Appears in collections: | Department of Computer Science and Information Engineering | |
Files in this item:

| File | Size | Format |
|---|---|---|
| U0001-2812202113491600.pdf | 1.21 MB | Adobe PDF |

All items in the system are protected by copyright, with all rights reserved, unless otherwise indicated.
