隨著物聯網技術快速發展，基於 Linux 系統的路由器以及網路攝影機的數量大量增加，緊迫的開發流程導致設備中可能存在許多漏洞，惡意攻擊者可利用這些漏洞進行攻擊，造成服務中斷或敏感資訊外洩。因此物聯網韌體安全成為近期資安研究人員的重要研究方向。然而路由器等設備經常使用 Non-volatile random-access memory (NVRAM) 儲存內部設定檔，因此產生了一種特殊的漏洞模式，主要是利用 Web 服務設定特定參數或檔案後，後續其他執行檔讀出此參數進行後續處理而造成多執行檔產生的漏洞。過去的研究通常採用靜態方式檢測此類漏洞，但靜態方式容易出現假陽性。因此使用動態分析是必要的，但在大規模檢測中，使用真實設備進行分析會造成成本過高。過去研究提出使用韌體模擬技術建立分析環境，再使用模糊測試進行檢測，但對於此類漏洞檢測有一定侷限性，由於使用一般的模糊測試，只會針對單一執行檔進行測試，很難偵測到此種漏洞，而對於全系統模擬環境進行模糊測試雖然利用同時監控多個 Process 而達成，但全系統模擬環境在執行速度上受到很大的限制。因此，本論文提出一個新的框架，結合靜態和動態分析方式，將原先需要全系統級模擬的模糊測試才能解決之多執行檔組合漏洞，簡化為單一執行檔的模糊測試可解決的問題，並在實驗中實際找到 4 組 1 Day 漏洞的目標 Binary 和可控 Keyword 以及利用 Fuzz testing 找到 1 個 1 Day 漏洞，證明了系統的有效性。

With the rapid development of Internet of Things (IoT) technology, there has been a significant increase in the number of Linux-based routers and network cameras. The rapid development process has resulted in the potential existence of numerous vulnerabilities in these devices that can be exploited by malicious attackers to cause service disruptions or leakage of sensitive information. As a result, IoT firmware security has recently emerged as a critical area of research for cybersecurity researchers. However, devices such as routers often use non-volatile random access memory (NVRAM) to store internal configuration files, resulting in a specific vulnerability pattern. This pattern primarily exploits the use of web services to configure specific parameters or files that are then read by other binaries for further processing, resulting in multi-binary vulnerabilities. Previous research has typically used static methods to detect such vulnerabilities, but these methods are prone to false positives. Therefore, dynamic analysis is required. However, performing analysis on real devices for large-scale detection is prohibitively expensive. Previous studies have suggested using firmware emulation techniques to create an analysis environment, followed by fuzz testing for detection. However, these approaches have certain limitations in detecting vulnerabilities of this type. General fuzz testing only targets individual binaries, making detecting this type of vulnerability difficult. Although fuzz testing in a full-system emulation environment achieves simultaneous monitoring of multi-process, it is severely limited in terms of execution speed. In this paper, we propose a novel framework that combines static and dynamic analysis methods to simplify the detection of combination vulnerabilities that previously required full system-level emulation and fuzz testing. By reducing the problem to fuzzing a single binary, the framework demonstrates its effectiveness by successfully identifying the target binary and controllable keyword associated with 4 sets of 1-day vulnerabilities. In addition, it detects 1 additional 1-day vulnerability using fuzzing. These experimental results provide evidence of the effectiveness of the system.

[1] P. Sivakumaran and J. Blasco, “argXtract: Deriving IoT security configurations
via automated static analysis of stripped ARM Cortex-M binaries,” in Proc.
Annual Computer Security Applications Conference, 2021, pp. 861–876.
[2] B. Hammi, S. Zeadally, R. Khatoun, and J. Nebhen, “Survey on smart homes:
vulnerabilities, risks, and countermeasures,” Computers & Security, vol. 117,
p. 102677, 2022.
[3] C. Kolias, G. Kambourakis, A. Stavrou, and J. Voas, “DDoS in the IoT: Mirai
and other botnets,” Computer, vol. 50, pp. 80–84, Jul. 2017.
[4] I. Kuzminykh, B. Ghita, and J. M. Such, “The challenges with Internet of
things for business,” arXiv:2012.03589, Dec. 2020.
[5] D. D. Chen, M. Egele, M. Woo, and D. Brumley, “Towards automated dynamic
analysis for Linux-based embedded firmware,” in Proc. Network and Distributed
System Security Symposium, Feb. 2016.
[6] N. Redini, A. Machiry, R. Wang, C. Spensky, A. Continella, Y. Shoshitaishvili,
C. Kruegel, and G. Vigna, “Karonte: Detecting insecure multi-binary inter-
actions in embedded firmware,” in Proc. IEEE Symposium on Security and
Privacy, May 2020, pp. 1544–1561.
[7] L. Chen, Y. Wang, Q. Cai, Y. Zhan, H. Hu, J. Linghu, Q. Hou, C. Zhang,
H. Duan, and Z. Xue, “Sharing more and checking less: Leveraging common
input keywords to detect bugs in embedded systems,” in Proc. USENIX Security
Symposium, Aug. 2021, pp. 303–319.
[8] M. Yu, J. Zhuge, M. Cao, Z. Shi, and L. Jiang, “A survey of security vulner-
ability analysis, discovery, detection, and mitigation on iot devices,” Future
Internet, vol. 12, no. 2, p. 27, 2020.
[9] C. Wright, W. A. Moeglein, S. Bagchi, M. Kulkarni, and A. A. Clements,
“Challenges in firmware re-hosting, emulation, and analysis,” ACM Computing
Surveys, vol. 54, no. 1, pp. 1–36, 2021.
[10] C. Zhang, Y. Wang, and L. Wang, “Firmware fuzzing: The state of the art,”
in Proc. Asia-Pacific Symposium on Internetware, 2020, pp. 110–115.
[11] A. Costin, A. Zarras, and A. Francillon, “Automated dynamic firmware analysis
at scale: a case study on embedded web interfaces,” in Proc. Asia Conference
on Computer and Communications Security, May 2016, pp. 437–448.
[12] Q. Feng and W. Dong, “Cinfofuzz: Fuzzing method based on web service cor-
relation information of embedded devices,” in Proc. International Conference
on Information, Communication and Networks, Aug. 2022, pp. 242–249.
[13] Ghidra. [Online]. Available: https://ghidra-sre.org/
[14] Strace. [Online]. Available: https://strace.io/
[15] Systemtap. [Online]. Available: https://sourceware.org/systemtap/
[16] Tshark. [Online]. Available: https://tshark.dev/setup/install/
[17] X. Zhu, S. Wen, S. Camtepe, and Y. Xiang, “Fuzzing: a survey for roadmap,”
ACM Computing Surveys, vol. 54, no. 11s, pp. 1–36, Sep. 2022.
[18] A. Fasano, T. Ballo et al., “SoK: Enabling security analyses of embedded sys-
tems via rehosting,” in Proc. ACM Symposium on Information, Computer and
Communications Security, May 2021, pp. 687–701.
[19] Qemu. [Online]. Available: https://www.qemu.org/
[20] Binwalk. [Online]. Available: https://github.com/ReFirmLabs/binwalk
[21] M. Kim, D. Kim, E. Kim, S. Kim, Y. Jang, and Y. Kim, “FirmAE: Towards
large-scale emulation of IoT firmware for dynamic analysis,” in Proc. Annual
Computer Security Applications Conference, Dec. 2020, pp. 733–745.
[22] K. Cheng, Q. Li, L. Wang, Q. Chen, Y. Zheng, L. Sun, and Z. Liang, “Dtaint:
detecting the taint-style vulnerability in embedded device firmware,” in Proc.
Annual IEEE/IFIP International Conference on Dependable Systems and Net-
works, 2018, pp. 430–441.
[23] P. Ferrara, A. K. Mandal, A. Cortesi, and F. Spoto, “Static analysis for discover-
ing iot vulnerabilities,” International Journal on Software Tools for Technology
Transfer, vol. 23, pp. 71–88, 2021.
[24] American fuzzy lop. [Online]. Available: https://lcamtuf.coredump.cx/afl/
[25] boofuzz. [Online]. Available: https://boofuzz.readthedocs.io/en/stable/
index.html
[26] V.-T. Pham, M. Böhme, and A. Roychoudhury, “Aflnet: a greybox fuzzer for
network protocols,” in Proc. IEEE International Conference on Software Test-
ing, Validation and Verification, 2020, pp. 460–465.
[27] Y. Zheng, A. Davanian, H. Yin, C. Song, H. Zhu, and L. Sun, “Firm-AFL: high-
throughput greybox fuzzing of IoT firmware via augmented process emulation,”
in Proc. USENIX Security Symposium, Aug. 2019, pp. 1099–1114.
[28] Y. Zheng, Y. Li, C. Zhang, H. Zhu, Y. Liu, and L. Sun, “Efficient greybox
fuzzing of applications in linux-based iot devices via enhanced user-mode emu-
lation,” in Proc. ACM SIGSOFT International Symposium on Software Testing
and Analysis, 2022, pp. 417–428.
[29] J. Chen, W. Han, M. Yin, H. Zeng, C. Song, B. Lee, H. Yin, and I. Shin,
“SYMSAN: Time and space efficient concolic execution via dynamic data-flow
analysis,” in Proc. USENIX Security Symposium, 2022, pp. 2531–2548.
[30] L. Borzacchiello, E. Coppa, and C. Demetrescu, “Fuzzolic: mixing fuzzing and
concolic execution,” Computers & Security, vol. 108, p. 102368, 2021.
[31] I. Yun, S. Lee, M. Xu, Y. Jang, and T. Kim, “QSYM: A practical concolic
execution engine tailored for hybrid fuzzing,” in Proc. USENIX Security Sym-
posium, 2018, pp. 745–761.
[32] P. Liu, D. Fang, C. Qin, K. Cheng, S. Lv, H. Zhu, and L. Sun, “Finding vulner-
abilities in internal-binary of firmware with clues,” in Proc. IEEE International
Conference on Communications, Aug. 2022, pp. 5397–5402.
[33] L. Yu, L. Li, H. Wang, X. Wang, H. He, and X. Gong, “Towards automated
detection of higher-order memory corruption vulnerabilities in embedded de-
vices,” in Proc. Design, Automation & Test in Europe Conference & Exhibition,
Feb. 2021, pp. 1707–1710.
[34] L. Yu, H. Wang, L. Li, and H. He, “Towards automated detection of higher-
order command injection vulnerabilities in iot devices: Fuzzing with dynamic
data flow analysis,” International Journal of Digital Crime and Forensics,
vol. 13, no. 6, pp. 1–14, 2021.
[35] Y. Gao, X. Zhou, W. Xie, B. Wang, E. Wang, and Z. Wang, “Optimizing iot
web fuzzing by firmware infomation mining,” Applied Sciences, vol. 12, no. 13,
p. 6429, 2022.
[36] Y. Zhang, W. Huo, K. Jian, J. Shi, H. Lu, L. Liu, C. Wang, D. Sun, C. Zhang,
and B. Liu, “Srfuzzer: an automatic fuzzing framework for physical soho router
devices to discover multi-type vulnerabilities,” in Proc. Annual Computer Se-
curity Applications Conference, Dec. 2019, pp. 544–556.
[37] Cve. [Online]. Available: https://cve.mitre.org/
[38] Gnu symbolic debugger. [Online]. Available: https://sourceware.org/gdb/
[39] Selenium. [Online]. Available: https://www.selenium.dev/
[40] Scapy. [Online]. Available: https://scapy.net/