
Student: 黃智威 (Jr-Wei Huang)
Thesis title: IoTcaptor: Discovering Authentication Bypass in IoT Devices through Guided Concolic Execution (Chinese title: IoTcaptor:基於動態符號執行的物聯網設備權限逃逸之探索方法)
Advisor: 鄭欣明 (Shin-Ming Cheng)
Committee members: 許富皓 (Fu-Hau Hsu), 黃俊穎 (Chun-Ying Huang), 蕭旭君 (Hsu-Chun Hsiao), 沈上翔 (Shan-Hsiang Shen)
Degree: Master
Department: Department of Computer Science and Information Engineering, College of Electrical Engineering and Computer Science
Year of publication: 2021
Academic year of graduation: 109
Language: English
Number of pages: 41
Keywords (Chinese): firmware emulation, IoT device, concolic execution, vulnerability analysis
Keywords (English): firmware emulation, IoT device, concolic execution, vulnerability detection
Record statistics: 336 views, 0 downloads
Abstract (Chinese, translated): As IoT devices gradually become important actors on the network, their security has become a major concern. Security incidents targeting IoT devices have emerged one after another in recent years, making vulnerability analysis of IoT devices indispensable. Authentication bypass vulnerabilities in particular are highly damaging: through such a vulnerability an attacker can take over control of the victim device, which makes them among the most serious security flaws in IoT devices. In this thesis we propose a novel concolic execution framework, named IoTcaptor, to discover authentication bypass vulnerabilities in IoT devices with HTTP services. By combining the high code coverage of symbolic execution with the fast execution speed of concrete execution on an emulated IoT device, execution paths can be explored efficiently and accurately. Static analysis is used to identify functions that symbolic execution cannot resolve, and these are redirected to the emulated device so that the program's true run-time behaviour is preserved. In addition, IoTcaptor eliminates unnecessary testing to address the problems of infinite loops and path explosion, thereby improving execution speed. In the experiments we verify the efficiency and accuracy of IoTcaptor with both self-injected vulnerabilities and real-world authentication bypass vulnerabilities; the results show that IoTcaptor outperforms existing concolic execution methods in both efficiency and accuracy.


Abstract (English): Nowadays, the rapid expansion of IoT devices, coupled with increasingly complex hardware architectures, makes vulnerability discovery in IoT binaries challenging. However, the severity of attacks on IoT devices makes an efficient and effective discovery method an urgent need. In particular, the infamous authentication bypass vulnerability causes large security breaches in IoT devices, since an attacker can take over control of the victim device through it. In this thesis, we propose a novel concolic execution framework, named IoTcaptor, to discover authentication bypass in IoT devices with HTTP services. By integrating the wide testing coverage of symbolic execution with the rapid execution speed of concrete execution on top of an emulated IoT device, execution paths can be explored in an efficient and effective way. With the aid of offline graph-based static analysis, functions that symbolic execution cannot resolve are identified and redirected to concrete execution on the emulated device, retaining the true operation of the program and thereby improving analysis accuracy. Moreover, IoTcaptor resolves the issues of long loops and path explosion by eliminating unnecessary testing, and thus improves execution speed. The efficiency and effectiveness of IoTcaptor are evaluated by discovering self-injected and real-world authentication bypass vulnerabilities in the test binaries, and the experimental results show that IoTcaptor outperforms existing concolic approaches.

Table of contents:
Chinese Abstract
Abstract
Table of Contents
List of Tables
List of Illustrations
1 Introduction
2 Related Work
  2.1 Vulnerability in IoT
  2.2 IoT Firmware analysis
3 Motivation
  3.1 Missing environment handling
  3.2 Missing memory accuracy
  3.3 Simplifying
4 Methodology
  4.1 Static analysis
    4.1.1 CFG generating
  4.2 Guided path exploration
    4.2.1 Run-time slicing
    4.2.2 Long loop detection
    4.2.3 Guided symbolic execution
  4.3 Concolic execution mechanism
    4.3.1 Full-emulated IoT device
    4.3.2 Interleaving symbolic with concrete
    4.3.3 Automate symbolic value injection
5 Implementation
  5.1 CFG generating
  5.2 Run-time slicing
  5.3 Concolic execution
6 Evaluation
  6.1 Efficiency experiment
  6.2 Effectiveness experiment
7 Conclusion
Reference


Full text available from 2026/08/16 (on-campus network, off-campus network, and the National Central Library's Taiwan thesis and dissertation system)