通信学报
JOURNAL OF CHINA INSTITUTE OF COMMUNICATIONS
2013, Issue 8, pp. 140-145 (6 pages)
Authors: 忽朝俭, 薛一波, 赵粮, 李舟军
Keywords: embedded system; firmware; file system; library function identification; backdoor detection
Abstract: In embedded firmware that has no file system, the system code and the application code are integrated into a single file, so the familiar system call names are not visible and the analysis of such firmware is correspondingly harder. Taking this class of firmware as the object of study, this paper analyzes the library function identification problem and proposes a heuristic-rule-based method for identifying network socket functions and string/memory operation functions. On that basis, it discusses the detection of several typical backdoor types, including unauthorized listeners, unintended functionality, hidden functionality and outward connection requests, and detects several backdoors (one of them of critical severity) in a real-world system. The experimental results show that the proposed library function identification method for embedded firmware without a file system is of significant reference value for the security analysis of this type of firmware.