隨著物聯網（IoT）裝置的普及，安全性成為一個關鍵問題。近年來，符號執行技術在漏洞檢測領域受到了越來越多的關注。符號執行面臨著路徑爆炸問題，這使得它在處理複雜真實韌體的分析時變得難以實現。
IoTcaptor 運用了 Concolic Execution 技術來緩解這個問題，結合了符號執行和具體執行，以有效地探索長路徑和跨函數漏洞。儘管這種方法非常有效，但是IoTcaptor 需要大量的時間和人力來手動定位符號執行的 source；並且從 socket 處理函數來注入符號值，使得距離目標函數路徑過長導致路徑爆炸。同時，路徑還會包含太多符號執行引擎難以處理的記憶體操作函數，導致分析失敗。
為了應對這些問題，本文介紹了 IoTcaptor Plus。透過引用並改進了 SaTC 的共享關鍵字定位使用者輸入點技術，解決手動定位 source 的問題。同時，還提出了透過 API 注入符號值的方法，不僅能直接精簡路徑，還能提高效率。
在實驗中，我們使用真實世界的韌體評估 IoTcaptor Plus 的效能和效果。實驗結果顯示，IoTcaptor Plus 在檢測漏洞方面超越了現有同類型的漏洞檢測框架。在優化符號注入的實驗環節中，IoTcaptor Plus 成功檢測出原有符號注入方法無法發現的漏洞。這表明 IoTcaptor Plus 具有更高的漏洞檢測效果和潛力。

With the proliferation of Internet of Things (IoT) devices, security has become a pivotal concern. In recent years, symbolic execution technology has garnered increasing attention in the field of vulnerability detection. However, symbolic execution encounters the problem of path explosion, making it challenging to analyze complex real-world firmware.
IoTcaptor leverages Concolic Execution technology to alleviate this issue, combining
symbolic execution with concrete execution to effectively explore long paths and cross function vulnerabilities. Despite the effectiveness of this approach, IoTcaptor requires significant time and effort for manual localization of the symbolic execution source, and the injection of symbolic values from the socket handling function results in overly long paths to the target function, leading to path explosion. Furthermore, the paths often contain memory operation functions that are difficult for the symbolic execution engine to handle, resulting in analysis failures.
To address these issues, this paper introduces IoTcaptor Plus. By referencing and
improving SaTC’s shared keyword localization of user input points technique, we resolve the issue of manual source localization. We also propose a method to inject symbolic values through APIs, which can not only directly streamline the path but also enhance efficiency.
In experiments, we used real-world firmware to evaluate the performance and effec-
tiveness of IoTcaptor Plus. The results showed that IoTcaptor Plus surpasses existing
vulnerability detection frameworks of its type in detecting vulnerabilities. In the optimization of symbolic injection, IoTcaptor Plus successfully detected vulnerabilities that were undetectable with the original symbolic injection method. These findings suggest that IoTcaptor Plus holds superior potential and effectiveness in vulnerability detection.

[1] K. L. Lueth, S. Sinha, M. Hasan, S. Annaswamy, P. Wegner, F. Brügge, and E. Wil-
ford, “Emerging IoT technologies report 2022,” IoT Analytics, Tech. Rep., Mar
2022.
[2] S. B. Bahadur and D. R, “Recent advancements and challenges of internet of things
in smart agriculture: A survey,” Future Generation Computer Systems, vol. 126, pp.
169–184, 2022.
[3] “IOT SECURITY ISSUES IN 2022: A BUSINESS PERSPECTIVE,”
https://www.thalesgroup.com/en/markets/digital-identity-and-security/iot/
magazine/internet-threats.
[4] B. R. Chandavarkar, “Hardcoded credentials and insecure data transfer in IoT: Na-
tional and international status,” in Proc. ICCCNT 2020, Jul. 2020, pp. 1–7.
[5] T. Alladi, V. Chamola, B. Sikdar, and K.-K. R. Choo, “Consumer iot: Security vul-
nerability case studies and solutions,” IEEE Consumer Electronics Magazine, vol. 9,
no. 2, pp. 17–25, 2020.
[6] A. Azaz, S. Nafiz, K. T. Aziz, H. M. Ibne, S. Farzana, and H. Mahady, “Auto-
mated testing: Testing top 10 owasp vulnerabilities of government web applications
in bangladesh,” ICSEA 2022, p. 56, 2022.
[7] R. Baldoni, E. Coppa, D. C. D＇elia, C. Demetrescu, and I. Finocchi, “A survey of
symbolic execution techniques,” ACM Computing Surveys, vol. 51, no. 3, pp. 1–39,
Jul. 2018.
[8] C. Cadar, D. Dunbar, and D. Engler, “KLEE: unassisted and automatic generation
of high-coverage tests for complex systems programs,” in Proc. OSDI 2008, Dec.
2008, pp. 209–224.
[9] V. Chipounov, V. Kuznetsov, and G. Candea, “S2E: A platform for in-vivo multi-path analysis of software systems,” in Proc. ASPLOS 2011, Mar. 2011, pp. 265–278.
[10] F. Wang and Y. Shoshitaishvili, “Angr - the next generation of binary analysis,” in Proc. IEEE SecDev 2017, 2017, pp. 8–9.
[11] Y. Shoshitaishvili, R. Wang, C. Hauser, C. Kruegel, and G. Vigna, “Firmalice - automatic detection of authentication bypass vulnerabilities in binary firmware,” in Proc.
NDSS 2015, Feb. 2015.
[12] Y. Yao, W. Zhou, Y. Jia, L. Zhu, P. Liu, and Y. Zhang, “Identifying privilege separation vulnerabilities in IoT firmware with symbolic execution,” in Proc. ESORICS
2019, Sep. 2019, pp. 638–657.
[13] W. Zhou, L. Guan, P. Liu, and Y. Zhang, “Automatic firmware emulation through
invalidity-guided knowledge inference,” in Proc. USENIX Security 2021, Aug. 2021,
pp. 2007–2024.
[14] E. Johnson, M. Bland, Y. Zhu, J. Mason, S. Checkoway, S. Savage, and
K. Levchenko, “Jetset: Targeted firmware rehosting for embedded systems,” in Proc.
USENIX Security 2021, Aug. 2021, pp. 321–338.
[15] C. Cao, L. Guan, J. Ming, and P. Liu, “Device-agnostic firmware execution is possible: A concolic execution approach for peripheral emulation,” in Proc. ACSAC
2020, Dec. 2020, p. 746–759.
[16] T. Scharnowski, N. Bars, M. Schloegel, E. Gustafson, M. Muench, G. Vigna,
C. Kruegel, T. Holz, and A. Abbasi, “Fuzzware: using precise MMIO modeling
for effective firmware fuzzing,” in Proc. USENIX Security 2022, Aug. 2022, pp.
1239–1256.
[17] C.-Y. Chung, N.-J. Tsai, and S.-M. Cheng, “FirmSE: Integrating taint analysis with symbolic execution for IoT peripheral modeling,” paper submitted to IEEE Trans-
actions on Dependable and Secure Computing Mar 2023.
[18] N. Stephens, J. Grosen, C. Salls, A. Dutcher, R. Wang, J. Corbetta, Y. Shoshitaishvili, C. Kruegel, and G. Vigna, “Driller: Augmenting fuzzing through selective symbolic execution,” in Proc. NDSS 2016, Feb. 2016.
[19] C. Kai, X. Fei, and L. Li, “Symbolic execution of virtual devices,” in 2013 13th
International Conference on Quality Software, 2013, pp. 1–10.
[20] J.-W. Huang, “IoTcaptor: Discovering authentication bypass in iot devicesthrough
guided concolic execution,” Master’s thesis, National Taiwan University of Science
and Technology, Jul. 2021. [Online]. Available: https://hdl.handle.net/11296/s4bz28
[21] “SYMBION: Interleaving symbolic with concrete execution,” in Proc. IEEE CNS
2020, Jun. 2020.
[22] D. D. Chen, M. Woo, D. Brumley, and M. Egele, “Towards automated dynamic
analysis for Linux-based embedded firmware,” in Proc. NDSS 2016, 2016, pp. 1–
16.
[23] E. Gustafson, M. Muench et al., “Toward the analysis of embedded firmware through automated Re-hosting,” in Proc. RAID 2019, Sep. 2019, pp. 135–150.
[24] M. Kim, D. Kim, E. Kim, S. Kim, Y. Jang, and Y. Kim, “FirmAE: Towards large-
scale emulation of iot firmware for dynamic analysis,” in Proc. ACSAC 2020, Dec.
2020, pp. 733–745.
[25] W. Xie, J. Chen, Z. Wang, C. Feng, E. Wang, Y. Gao, B. Wang, and K. Lu, “Game
of hide-and-seek: Exposing hidden interfaces in embedded web applications of iot
devices,” in Proc. ACM Web Conference 2022, Apr. 2022, pp. 524–532.
[26] L. Borzacchiello, E. Coppa, and C. Demetrescu, “Handling memory-intensive oper-
ations in symbolic execution,” in 15th Innovations in Software Engineering Confer-
ence, 2022, pp. 1–5.
[27] C. Emilio, D. D. Cono, and D. Camil, “Rethinking pointer reasoning in symbolic
execution,” in Proc. ASE 2017, Nov. 2017, pp. 613–618.
[28] B. Luca, C. Emilio, C. D. Daniele, and D. Camil, “Memory models in symbolic exe-
cution: key ideas and new thoughts,” Software Testing, Verification and Reliability,
vol. 29, no. 8, p. e1722, 2019.
[29] C. Libo, W. Yanhao, C. Quanpu, Z. Yunfan, H. Hong, L. Jiaqi, H. Qinsheng, Z. Chao, D. Haixin, and X. Zhi, “Sharing more and checking less: Leveraging common input keywords to detect bugs in embedded systems,” in Proc. USENIX Security 2021,
Aug. 2021, pp. 303–319.
[30] C. Kai, L. Qiang, W. Lei, C. Qian, Z. Yaowen, S. Limin, and L. Zhenkai, “Dtaint:
detecting the taint-style vulnerability in embedded device firmware,” in Proc. IEEE/
IFIP DSN 2018, Jun. 2018, pp. 430–441.
[31] C. Z. Berkay, B. Leonardo, S. A. Kumar, A. Hidayet, T. Gang, M. Patrick, and U. A. Selcuk, “Sensitive information tracking in commodity iot,” in Proc. USENIX Secu-
rity 2018, Aug. 2018, pp. 1687–1704.
[32] J. Chen, W. Diao, Q. Zhao, C. Zuo, Z. Lin, X. Wang, W. C. Lau, M. Sun, R. Yang, and K. Zhang, “IoTFuzzer: Discovering memory corruptions in IoT through app-based
fuzzing,” in Proc. NDSS 2018, Feb. 2018.
[33] N. Redini, A. Machiry, R. Wang, C. Spensky, A. Continella, Y. Shoshitaishvili,
C. Kruegel, and G. Vigna, “Karonte: detecting insecure multi-binary interactions
in embedded firmware,” in Proc. IEEE S &P 2020, May 2020, pp. 1544–1561.
[34] B. Feng, A. Mera, and L. Lu, “P2IM: Scalable and hardware-independent firmware
testing via automatic peripheral interface modeling,” in Proc. USENIX Security
2020, Aug. 2020, pp. 1237–1254.
[35] Y. Zheng, A. Davanian, H. Yin, C. Song, H. Zhu, and L. Sun, “FIRM-AFL: high-
throughput greybox fuzzing of IoT firmware via augmented process emulation,” in
Proc. USENIX Security 19, Aug. 2019, pp. 1099–1114.
[36] F. Qi and D. Weiyu, “Cinfofuzz: Fuzzing method based on web service correlation
information of embedded devices,” in Proc. IEEE ICICN 2022, Aug. 2022, pp. 242–
249.
[37] L. Zhu, X. Fu, Y. Yao, Y. Zhang, and H. Wang, “FIoT: detecting the memory cor-
ruption in lightweight IoT device firmware,” in Proc. IEEE TrustCom 2019, Aug.
2019, pp. 248–255.
[38] S. Shah, “Emux (formerly armx) firmware emulation framework,” https://
github.com/therealsaumil/emux, 2022.
[39] M. Muench, D. Nisi, A. Francillon, and D. Balzarotti, “Avatar 2: A multi-target
orchestration platform,” in Proceeding of Workshop Binary Anal. Res.(Colocated
NDSS Symp.), vol. 18, 2018, pp. 1–11.
[40] NSA, “National security agency. 2019. ghidra - software reverse engineering framework,” https://github.com/NationalSecurityAgency/ghidra, 2019.