Detecting Vulnerabilities in Linux-Based Embedded Firmware with SSE-Based On-Demand Alias Analysis
Although the importance of using static taint analysis to detect taint-style vulnerabilities in Linux-based embedded firmware is widely recognized, existing approaches are plagued by following major limitations: (a) Existing works cannot properly handle indirect call on the path from attacker-controlled sources to security-sensitive sinks, resulting in lots of false negatives. (b) They employ heuristics to identify mediate taint source and it is not accurate enough, which leads to high false positives.
To address issues, we propose EmTaint, a novel static approach for accurate and fast detection of taint-style vulnerabilities in Linux-based embedded firmware. In EmTaint, we first design a structured symbolic expression-based (SSE-based) on-demand alias analysis technique. Based on it, we come up with indirect call resolution and accurate taint analysis scheme. Combined with sanitization rule checking, EmTaint can eventually discovers a large number of taint-style vulnerabilities accurately within a limited time. We evaluated EmTaint against 35 real-world embedded firmware samples from six popular vendors. The result shows EmTaint discovered at least 192 vulnerabilities, including 41 n-day vulnerabilities and 151 0-day vulnerabilities. At least 115 CVE/PSV numbers have been allocated from a subset of the reported vulnerabilities at the time of writing. Compared with state-of-the-art tools such as KARONTE and SaTC, EmTaint found significantly more vulnerabilities on the same dataset in less time.
Tue 18 JulDisplayed time zone: Pacific Time (US & Canada) change
13:30 - 15:00 | ISSTA 4: Static AnalysisTechnical Papers at Smith Classroom (Gates G10) Chair(s): Christian Hammer University of Passau | ||
13:30 15mTalk | Detecting Vulnerabilities in Linux-Based Embedded Firmware with SSE-Based On-Demand Alias Analysis Technical Papers Kai Cheng Shenzhen Institute of Advanced Technology at Chinese Academy of Sciences; Sangfor Technologies, Yaowen Zheng Nanyang Technological University, Tao Liu Pennsylvania State University, Le Guan University of Georgia, Peng Liu Pennsylvania State University, Hong Li Institute of Information Engineering at Chinese Academy of Sciences, Hongsong Zhu Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences, Kejiang Ye Shenzhen Institute of Advanced Technology at Chinese Academy of Sciences, Limin Sun Institute of Information Engineering at Chinese Academy of Sciences; University of Chinese Academy of Sciences DOI | ||
13:45 15mTalk | Beware of the Unexpected: Bimodal Taint AnalysisACM SIGSOFT Distinguished Paper Technical Papers DOI | ||
14:00 15mTalk | OCFI: Make Function Entry Identification Hard Again Technical Papers Chengbin Pang Nanjing University, Tiantai Zhang Nanjing University, Xuelan Xu Nanjing University, Linzhang Wang Nanjing University, Bing Mao Nanjing University DOI | ||
14:15 15mTalk | Tai-e: A Developer-Friendly Static Analysis Framework for Java by Harnessing the Good Designs of Classics Technical Papers DOI Pre-print | ||
14:30 15mTalk | That’s a Tough Call: Studying the Challenges of Call Graph Construction for WebAssemblyACM SIGSOFT Distinguished Artifact Technical Papers Daniel Lehmann University of Stuttgart, Michelle Thalakottur Northeastern University, Frank Tip Northeastern University, Michael Pradel University of Stuttgart DOI | ||
14:45 15mTalk | Eunomia: Enabling User-Specified Fine-Grained Search in Symbolically Executing WebAssembly BinariesACM SIGSOFT Distinguished Paper Technical Papers Ningyu He Peking University, Zhehao Zhao Peking University, Jikai Wang Huazhong University of Science and Technology, Yubin Hu Beijing University of Posts and Telecommunications, Shengjian (Daniel) Guo Baidu Security, Haoyu Wang Huazhong University of Science and Technology, Guangtai Liang Huawei Cloud Computing Technologies, Ding Li Peking University, Xiangqun Chen Peking University, Yao Guo Peking University DOI | ||