TY - GEN
T1 - Detecting Vulnerabilities in Linux-Based Embedded Firmware with SSE-Based On-Demand Alias Analysis
AU - Cheng, Kai
AU - Zheng, Yaowen
AU - Liu, Tao
AU - Guan, Le
AU - Liu, Peng
AU - Li, Hong
AU - Zhu, Hongsong
AU - Ye, Kejiang
AU - Sun, Limin
N1 - Publisher Copyright:
© 2023 ACM.
PY - 2023/7/12
Y1 - 2023/7/12
N2 - Although the importance of using static taint analysis to detect taint-style vulnerabilities in Linux-based embedded firmware is widely recognized, existing approaches are plagued by following major limitations: (a) Existing works cannot properly handle indirect call on the path from attacker-controlled sources to security-sensitive sinks, resulting in lots of false negatives. (b) They employ heuristics to identify mediate taint source and it is not accurate enough, which leads to high false positives. To address issues, we propose EmTaint, a novel static approach for accurate and fast detection of taint-style vulnerabilities in Linux-based embedded firmware. In EmTaint, we first design a structured symbolic expression-based (SSE-based) on-demand alias analysis technique. Based on it, we come up with indirect call resolution and accurate taint analysis scheme. Combined with sanitization rule checking, EmTaint can eventually discovers a large number of taint-style vulnerabilities accurately within a limited time. We evaluated EmTaint against 35 real-world embedded firmware samples from six popular vendors. The result shows EmTaint discovered at least 192 vulnerabilities, including 41 n-day vulnerabilities and 151 0-day vulnerabilities. At least 115 CVE/PSV numbers have been allocated from a subset of the reported vulnerabilities at the time of writing. Compared with state-of-the-art tools such as KARONTE and SaTC, EmTaint found significantly more vulnerabilities on the same dataset in less time.
AB - Although the importance of using static taint analysis to detect taint-style vulnerabilities in Linux-based embedded firmware is widely recognized, existing approaches are plagued by following major limitations: (a) Existing works cannot properly handle indirect call on the path from attacker-controlled sources to security-sensitive sinks, resulting in lots of false negatives. (b) They employ heuristics to identify mediate taint source and it is not accurate enough, which leads to high false positives. To address issues, we propose EmTaint, a novel static approach for accurate and fast detection of taint-style vulnerabilities in Linux-based embedded firmware. In EmTaint, we first design a structured symbolic expression-based (SSE-based) on-demand alias analysis technique. Based on it, we come up with indirect call resolution and accurate taint analysis scheme. Combined with sanitization rule checking, EmTaint can eventually discovers a large number of taint-style vulnerabilities accurately within a limited time. We evaluated EmTaint against 35 real-world embedded firmware samples from six popular vendors. The result shows EmTaint discovered at least 192 vulnerabilities, including 41 n-day vulnerabilities and 151 0-day vulnerabilities. At least 115 CVE/PSV numbers have been allocated from a subset of the reported vulnerabilities at the time of writing. Compared with state-of-the-art tools such as KARONTE and SaTC, EmTaint found significantly more vulnerabilities on the same dataset in less time.
UR - http://www.scopus.com/inward/record.url?scp=85167722162&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85167722162&partnerID=8YFLogxK
U2 - 10.1145/3597926.3598062
DO - 10.1145/3597926.3598062
M3 - Conference contribution
AN - SCOPUS:85167722162
T3 - ISSTA 2023 - Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis
SP - 360
EP - 372
BT - ISSTA 2023 - Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis
A2 - Just, Rene
A2 - Fraser, Gordon
PB - Association for Computing Machinery, Inc
T2 - 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2023
Y2 - 17 July 2023 through 21 July 2023
ER -