
Author: 許家善 (Chia-Shan Hsu)
Thesis Title: IoTcaptor Plus: Leveraging Web Service Correlation Information for Guiding Concolic Execution in IoT Vulnerability Detection Framework (Chinese title: IoTcaptor Plus: 利用網路服務關聯資訊引導動態符號執行的物聯網漏洞檢測框架)
Advisor: 鄭欣明 (Shin-Ming Cheng)
Committee: 黃俊穎 (Chun-Ying Huang), Hsu-Chun Hsiao, Shih-Wei Li
Degree: Master's
Department: College of Electrical Engineering and Computer Science, Department of Computer Science and Information Engineering
Thesis Publication Year: 2023
Graduation Academic Year: 111
Language: English
Pages: 43
Keywords: IoT security, vulnerability detection, concolic execution, firmware emulation, shared keyword


Abstract:
With the proliferation of Internet of Things (IoT) devices, security has become a pivotal concern. In recent years, symbolic execution has garnered increasing attention in the field of vulnerability detection. However, symbolic execution suffers from path explosion, which makes it challenging to analyze complex real-world firmware.

IoTcaptor leverages concolic execution to alleviate this issue, combining symbolic execution with concrete execution to effectively explore long paths and cross-function vulnerabilities. Despite the effectiveness of this approach, IoTcaptor requires significant time and effort to manually locate the source for symbolic execution, and injecting symbolic values at the socket-handling function results in overly long paths to the target function, leading to path explosion. Furthermore, these paths often contain memory-operation functions that are difficult for the symbolic execution engine to handle, resulting in analysis failures.

To address these issues, this paper introduces IoTcaptor Plus. By adopting and improving SaTC's technique of locating user input points through shared keywords, we resolve the issue of manual source localization. We also propose a method to inject symbolic values through APIs, which not only directly shortens the path but also improves efficiency.

In experiments, we used real-world firmware to evaluate the performance and effectiveness of IoTcaptor Plus. The results show that IoTcaptor Plus surpasses existing vulnerability detection frameworks of the same type in detecting vulnerabilities. In the symbolic-injection optimization experiment, IoTcaptor Plus successfully detected vulnerabilities that were undetectable with the original symbolic injection method. These findings suggest that IoTcaptor Plus offers superior effectiveness and potential for vulnerability detection.

Table of Contents:
Chinese Abstract ... i
Abstract ... ii
Table of Contents ... iii
List of Tables ... v
List of Illustrations ... vi
List of Algorithms ... vii
1 Introduction ... 1
2 Related Work ... 5
2.1 Static Analysis ... 5
2.2 Dynamic Analysis ... 5
2.3 Symbolic Execution ... 6
3 IoTcaptor: Overview and Challenges ... 9
3.1 IoTcaptor Overview ... 9
3.1.1 Static Analysis Module ... 9
3.1.2 Concolic Execution ... 10
3.2 IoTcaptor Challenges ... 11
3.2.1 Manual Source Locating ... 11
3.2.2 Symbolic Injection ... 12
4 Methodology ... 13
4.1 Locating Source and Sink through Shared Keywords ... 14
4.1.1 Keyword Extraction ... 14
4.1.2 Identification of Entry Points ... 15
4.1.3 Locating Sensitive Functions ... 16
4.2 Symbolic Value Injection Method ... 17
4.2.1 Matching Entry Points with APIs ... 18
4.2.2 Injecting Symbolic Values through APIs ... 20
5 Implementation ... 21
5.1 Source & Sink Location through Shared Keywords ... 21
5.2 Concolic Execution ... 22
6 Evaluation ... 23
6.1 Vulnerability Detection Capability of IoTcaptor Plus ... 23
6.2 Effectiveness of Symbolic Value Injection Method ... 25
7 Discussion and Future Work ... 27
7.1 Extension to MIPS Architecture ... 27
7.2 The Importance of Precise API Matching ... 27
7.2.1 Function Name Loss ... 28
7.2.2 Alternative String Similarity Algorithms ... 29
8 Conclusion ... 30
References ... 31


Full text public date: 2026/07/20 (intranet, internet, and National Library)