Moye: A Wallbreaker for Monolithic Firmware

Bibliographic Details
Published in: Proceedings / International Conference on Software Engineering, pp. 116-128
Main Authors: Huang, Jintao, Yang, Kai, Wang, Gaosheng, Shi, Zhiqiang, Pan, Zhiwen, Lv, Shichao, Sun, Limin
Format: Conference Proceeding
Language: English
Published: IEEE 26.04.2025
ISSN:1558-1225
Abstract: As embedded devices become increasingly popular, monolithic firmware, known for its execution efficiency and simplicity, is widely used in resource-constrained devices. Different from ordinary firmware, the monolithic firmware image is packed without the file that indicates its format, which challenges the reverse engineering of monolithic firmware. Function identification is the prerequisite of monolithic firmware's analysis. Prior works on function identification are less effective when applied to monolithic firmware due to their heavy reliance on file formats. In this paper, we propose Moye, a novel method to identify functions in monolithic firmware. We leverage the important insight that the use of registers must conform to some constraints. In particular, our approach segments the firmware, locates code sections and outputs the instructions. We use a masked language model to learn hidden relationships among the instructions to identify the function boundaries. We evaluate Moye using 1,318 monolithic firmware images, including 48 samples collected from widely used devices. The evaluation demonstrates that our approach significantly outperforms current works, achieving a precision greater than 98% and a recall rate greater than 97% across most datasets, showing robustness to complicated compilation options.
Author_xml – sequence: 1
  givenname: Jintao
  surname: Huang
  fullname: Huang, Jintao
  email: huangjintao@iie.ac.cn
  organization: Institute of Information Engineering, CAS,Beijing Key Laboratory of IOT Information Security Technology
– sequence: 2
  givenname: Kai
  surname: Yang
  fullname: Yang, Kai
  email: yangkai@gxu.edu.cn
  organization: School of Computer, Electronics and Information, Guangxi University,Nanning,China
– sequence: 3
  givenname: Gaosheng
  surname: Wang
  fullname: Wang, Gaosheng
  email: wanggaosheng@iie.ac.cn
  organization: Institute of Information Engineering, CAS,Beijing Key Laboratory of IOT Information Security Technology
– sequence: 4
  givenname: Zhiqiang
  surname: Shi
  fullname: Shi, Zhiqiang
  email: shizhiqiang@iie.ac.cn
  organization: Institute of Information Engineering, CAS,Beijing Key Laboratory of IOT Information Security Technology
– sequence: 5
  givenname: Zhiwen
  surname: Pan
  fullname: Pan, Zhiwen
  email: panzhiwen@iie.ac.cn
  organization: Institute of Information Engineering, CAS,Beijing Key Laboratory of IOT Information Security Technology
– sequence: 6
  givenname: Shichao
  surname: Lv
  fullname: Lv, Shichao
  email: lvshichao@iie.ac.cn
  organization: Institute of Information Engineering, CAS,Beijing Key Laboratory of IOT Information Security Technology
– sequence: 7
  givenname: Limin
  surname: Sun
  fullname: Sun, Limin
  email: sunlimin@iie.ac.cn
  organization: Institute of Information Engineering, CAS,Beijing Key Laboratory of IOT Information Security Technology
CODEN IEEPAD
DOI 10.1109/ICSE55347.2025.00053
DatabaseName IEEE Electronic Library (IEL) Conference Proceedings
IEEE Proceedings Order Plan (POP) 1998-present by volume
IEEE Xplore All Conference Proceedings
IEEE Electronic Library (IEL)
IEEE Proceedings Order Plans (POP) 1998-present
Discipline Computer Science
EISBN 9798331505691
EISSN 1558-1225
EndPage 128
ExternalDocumentID 11029743
Genre orig-research
GrantInformation_xml – fundername: Guangxi Science and Technology Base and Talent Special Project
  grantid: AD21076002
  funderid: 10.13039/501100018571
– fundername: Beijing Natural Science Foundation
  grantid: L234033
  funderid: 10.13039/501100004826
ISICitedReferencesCount 0
IsPeerReviewed false
IsScholarly true
Language English
PageCount 13
PublicationCentury 2000
PublicationDate 2025-April-26
PublicationDateYYYYMMDD 2025-04-26
PublicationDate_xml – month: 04
  year: 2025
  text: 2025-April-26
  day: 26
PublicationDecade 2020
PublicationTitle Proceedings / International Conference on Software Engineering
PublicationTitleAbbrev ICSE
PublicationYear 2025
Publisher IEEE
Publisher_xml – name: IEEE
SourceID ieee
SourceType Publisher
StartPage 116
SubjectTerms Codes
Function Identification
Image segmentation
Microprogramming
Monolithic Firmware
Registers
Reverse engineering
Robustness
Software engineering
Unformatted Binary
Title Moye: A Wallbreaker for Monolithic Firmware
URI https://ieeexplore.ieee.org/document/11029743