TY - GEN
T1 - Detecting Vulnerabilities in Linux-Based Embedded Firmware with SSE-Based On-Demand Alias Analysis
AU - Cheng, Kai
AU - Zheng, Yaowen
AU - Liu, Tao
AU - Guan, Le
AU - Liu, Peng
AU - Li, Hong
AU - Zhu, Hongsong
AU - Ye, Kejiang
AU - Sun, Limin
N1 - Funding Information:
We thank the anonymous reviewers for their valuable comments to improve our paper. This work was partially supported by National Key R&D Program of China (No. 2022YFB3103904), NSF CNS- 2019340, NSF ECCS-2140175, a grant from Cisco Research, National Natural Science Foundation of China (No. 62072451, 92267105), Guangdong Special Support Plan (No. 2021TQ06X990), and Shenzhen Basic Research Program (No. JCYJ20200109115418592 and JCYJ20220818101610023).
Funding Information:
We thank the anonymous reviewers for their valuable comments to improve our paper. This work was partially supported by National Key R&D Program of China (No. 2022YFB3103904), NSF CNS-2019340, NSF ECCS-2140175, a grant from Cisco Research, National Natural Science Foundation of China (No. 62072451, 92267105), Guangdong Special Support Plan (No. 2021TQ06X990), and Shen-zhen Basic Research Program (No. JCYJ20200109115418592 and JCYJ20220818101610023).
Publisher Copyright:
© 2023 ACM.
PY - 2023/7/12
Y1 - 2023/7/12
N2 - Although the importance of using static taint analysis to detect taint-style vulnerabilities in Linux-based embedded firmware is widely recognized, existing approaches are plagued by following major limitations: (a) Existing works cannot properly handle indirect call on the path from attacker-controlled sources to security-sensitive sinks, resulting in lots of false negatives. (b) They employ heuristics to identify mediate taint source and it is not accurate enough, which leads to high false positives. To address issues, we propose EmTaint, a novel static approach for accurate and fast detection of taint-style vulnerabilities in Linux-based embedded firmware. In EmTaint, we first design a structured symbolic expression-based (SSE-based) on-demand alias analysis technique. Based on it, we come up with indirect call resolution and accurate taint analysis scheme. Combined with sanitization rule checking, EmTaint can eventually discovers a large number of taint-style vulnerabilities accurately within a limited time. We evaluated EmTaint against 35 real-world embedded firmware samples from six popular vendors. The result shows EmTaint discovered at least 192 vulnerabilities, including 41 n-day vulnerabilities and 151 0-day vulnerabilities. At least 115 CVE/PSV numbers have been allocated from a subset of the reported vulnerabilities at the time of writing. Compared with state-of-the-art tools such as KARONTE and SaTC, EmTaint found significantly more vulnerabilities on the same dataset in less time.
AB - Although the importance of using static taint analysis to detect taint-style vulnerabilities in Linux-based embedded firmware is widely recognized, existing approaches are plagued by following major limitations: (a) Existing works cannot properly handle indirect call on the path from attacker-controlled sources to security-sensitive sinks, resulting in lots of false negatives. (b) They employ heuristics to identify mediate taint source and it is not accurate enough, which leads to high false positives. To address issues, we propose EmTaint, a novel static approach for accurate and fast detection of taint-style vulnerabilities in Linux-based embedded firmware. In EmTaint, we first design a structured symbolic expression-based (SSE-based) on-demand alias analysis technique. Based on it, we come up with indirect call resolution and accurate taint analysis scheme. Combined with sanitization rule checking, EmTaint can eventually discovers a large number of taint-style vulnerabilities accurately within a limited time. We evaluated EmTaint against 35 real-world embedded firmware samples from six popular vendors. The result shows EmTaint discovered at least 192 vulnerabilities, including 41 n-day vulnerabilities and 151 0-day vulnerabilities. At least 115 CVE/PSV numbers have been allocated from a subset of the reported vulnerabilities at the time of writing. Compared with state-of-the-art tools such as KARONTE and SaTC, EmTaint found significantly more vulnerabilities on the same dataset in less time.
UR - http://www.scopus.com/inward/record.url?scp=85167722162&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85167722162&partnerID=8YFLogxK
U2 - 10.1145/3597926.3598062
DO - 10.1145/3597926.3598062
M3 - Conference contribution
AN - SCOPUS:85167722162
T3 - ISSTA 2023 - Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis
SP - 360
EP - 372
BT - ISSTA 2023 - Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis
A2 - Just, Rene
A2 - Fraser, Gordon
PB - Association for Computing Machinery, Inc
T2 - 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis, ISSTA 2023
Y2 - 17 July 2023 through 21 July 2023
ER -