
Research On Cross-platform Vulnerability Detection In Firmware Based On Pattern-specific Features

Posted on: 2021-05-28
Degree: Master
Type: Thesis
Country: China
Candidate: M S Han
Full Text: PDF
GTID: 2518306497966439
Subject: Computer Science and Technology

Abstract/Summary:
The popularity of IoT devices brings convenience to people's daily life and work, but it also brings many security risks. In recent years, attacks that exploit firmware vulnerabilities in IoT devices have occurred from time to time, drawing more and more attention to firmware security. Cross-platform firmware vulnerability detection is an important research area of firmware security. Because code reuse is ubiquitous, firmware on different platforms is often affected by the same known vulnerabilities. Detecting firmware vulnerabilities across platforms reduces the threat that homologous known vulnerabilities pose to devices and helps to enhance system security. Existing work usually implements cross-platform firmware vulnerability detection based on general function-related features and has achieved good results. However, the same feature may differ between platforms, which leads to poor detection results for these methods in some cases. To improve this situation, this thesis builds on the existing work and mainly carries out research in the following aspects:

1) A function filtering method based on pattern-specific numerical features is proposed. Association patterns are used in this thesis to describe the different cross-platform cases. Pattern-specific numerical features are the features adapted to the corresponding association pattern. Starting from the numerical features used in the existing related work discovRE, a robustness analysis is conducted under the different association patterns to determine the pattern-specific numerical features, and functions are then quickly filtered based on these features. With OpenSSL as the test dataset, the experimental results show that the function filtering method based on pattern-specific numerical features gives a better filtering result than the function filtering method used in discovRE. The improvement is obvious in the three association patterns ARM to x86, x86 to ARM and MIPS to x86, where the recall rate increases by more than 7%. In addition, the recall rate increases by an average of 5.12% across the association patterns discussed in this thesis.

2) A cross-platform firmware vulnerability detection algorithm based on pattern-specific numerical features and structural features is proposed. The first stage of the algorithm uses the pattern-specific numerical features to filter functions and obtain the candidate function set. The second stage uses five-layer local call graphs to precisely match functions, so as to find the function that truly matches the vulnerable function. The experimental results show that the algorithm has a better vulnerability detection result than some related research work. On the OpenSSL test dataset, the similarity between the vulnerable function and its homologous function ranks first with this algorithm, so the function that truly matches the vulnerable function can be accurately detected.

3) A precise matching method based on a weighted three-layer local call graph is proposed. First, the local call graph is reduced from five layers to three layers to improve the efficiency of the algorithm. Then, call frequency information is introduced into the three-layer local call graph to generate a weighted three-layer local call graph, which makes up for the loss of information about the structural features of the function. The experimental results show that, compared with the five-layer local call graph, the Top1 index of the weighted three-layer local call graph decreases by an average of 0.84%, but its matching efficiency is about 2.6 times that of the former. That is to say, the weighted three-layer local call graph improves the efficiency of the algorithm to a certain degree at the cost of a small loss of accuracy.

Finally, this thesis combines the pattern-specific numerical features and the weighted three-layer local call graph to detect some vulnerable functions in real firmware, and can effectively find the function that truly matches the vulnerable function.
Keywords/Search Tags: Firmware Security, Vulnerability Detection, Pattern-Specific Features, Local Call Graph