Nonstandard Sinks Matter: A Comprehensive and Efficient Taint Analysis Framework for Vulnerability Detection in Embedded Firmware
Saved in:
| Published in: | IEEE Transactions on Dependable and Secure Computing, pp. 1 - 17 |
|---|---|
| Main authors: | |
| Format: | Journal Article |
| Language: | English |
| Published: | IEEE, 2025 |
| Subjects: | |
| ISSN: | 1545-5971, 1941-0018 |
| Online access: | Full text |
| Abstract: | The discovery of vulnerabilities in embedded firmware has received significant attention from security researchers. However, current vulnerability detection methods still suffer from false negatives and inefficiency, which limit detection effectiveness and require substantial analysis time. To alleviate these problems, we propose a bidirectional path and data flow analysis method, named BPDA, that effectively compensates for the limitations in detecting firmware vulnerabilities at nonstandard sink points. Our key insight is that some vulnerabilities arise in nonstandard library sinks, and that not all user inputs can reach each corresponding sink. Guided by these insights, we design a more comprehensive sink identification algorithm and leverage accurate backward data flow tracking to eliminate the non-vulnerable paths. After that, we execute forward taint analysis and generate the final Proof of Concepts (PoCs). To evaluate the effectiveness of BPDA, we ran it on 84 firmware samples (including both Linux and VxWorks firmware) from 8 major brands, comparing it with state-of-the-art methods (i.e., SaTC and Mango). BPDA discovered 163 real vulnerabilities, including 34 0-day vulnerabilities, of which 32 have been confirmed by CVE/CNVD. In addition, results show that BPDA completed its analysis in just 6% of the time required by SaTC, and identified 21 vulnerabilities that SaTC and Mango had not detected. It also resolved the issue of Mango failing to analyze specific firmware. We also performed an ablation study to verify the effectiveness of the optimization methods in taint analysis. These results demonstrate the superiority of BPDA in terms of effectiveness and efficiency in detecting embedded firmware vulnerabilities. |
|---|---|
| DOI: | 10.1109/TDSC.2025.3619200 |