Iterative firmware analysis technique combining virtual and entity execution
  • English title: Iterative analysis technology of firmware combining virtual execution and entity execution
  • Authors: 徐永超; 舒辉; 杜三
  • Authors (English): XU Yong-chao; SHU Hui; DU San; State Key Laboratory of Mathematical Engineering and Advanced Computing, Information Engineering University
  • Keywords: embedded device; dynamic analysis; virtual execution; entity execution; iterative analysis mechanism
  • English keywords: embedded device; dynamic analysis; virtual execution; entity execution; iterative analysis mechanism
  • Journal code (Chinese): SJSJ
  • Journal title (English): Computer Engineering and Design
  • Institution: State Key Laboratory of Mathematical Engineering and Advanced Computing, Information Engineering University
  • Publication date: 2019-06-16
  • Publisher: 计算机工程与设计 (Computer Engineering and Design)
  • Year: 2019
  • Issue: v.40; No.390
  • Language: Chinese
  • Page: SJSJ201906031
  • Page count: 6
  • CN: 06
  • ISSN: 11-1775/TP
  • Classification number: 183-188
Abstract
Dynamic analysis of embedded device firmware currently faces many difficulties: neither emulation-based analysis on its own nor debugging on the physical device alone can meet practical needs. To address this, an iterative firmware analysis method that combines virtual execution and entity execution is proposed. An iterative analysis mechanism is designed and an analysis framework is implemented so that the execution of firmware code can switch between the virtual (emulated) runtime environment and the entity (physical device) runtime environment over multiple rounds, as the analysis requires. This resolves two complementary problems: emulated execution cannot model I/O port accesses, while execution on the physical device is difficult to trace and record. The approach thus provides a foundation for firmware analysis of embedded devices. The technique was applied to the analysis of Seagate hard disk firmware, which verified its effectiveness.