Nonstandard Sinks Matter: A Comprehensive and Efficient Taint Analysis Framework for Vulnerability Detection in Embedded Firmware
| Published in: | IEEE transactions on dependable and secure computing, pp. 1 - 17 |
|---|---|
| Main Authors: | Song, Enzhou; Zhao, Yuhao; Zhang, Can; Zhai, Jinyuan; Cai, Ruijie; Liu, Long; Yang, Qichao; Yin, Xiaokang; Liu, Shengli |
| Format: | Journal Article |
| Language: | English |
| Published: | IEEE, 2025 |
| Subjects: | Buffer overflows; Codes; Emulation; Filtering; Manuals; Microprogramming; Optimization methods; Security; Testing |
| ISSN: | 1545-5971, 1941-0018 |
| Online Access: | https://ieeexplore.ieee.org/document/11196767 |
| Abstract | The discovery of vulnerabilities in embedded firmware has received significant attention from security researchers. However, current vulnerability detection methods still suffer from false negatives and inefficiency, which limit detection effectiveness and require substantial analysis time. To alleviate these problems, we propose a bidirectional path and data flow analysis method, named BPDA, that effectively compensates for the limitations in detecting firmware vulnerabilities at nonstandard sink points. Our key insights are that some vulnerabilities arise in nonstandard library sinks, and that not all user inputs can reach each corresponding sink. Guided by these insights, we design a more comprehensive sink identification algorithm and leverage accurate backward data flow tracking to eliminate non-vulnerable paths. We then execute forward taint analysis and generate the final Proofs of Concept (PoCs). To evaluate the effectiveness of BPDA, we ran it on 84 firmware samples (including both Linux and VxWorks firmware) from 8 major brands and compared it with state-of-the-art methods (i.e., SaTC and Mango). BPDA discovered 163 real vulnerabilities, including 34 0-day vulnerabilities, of which 32 have been confirmed by CVE/CNVD. Results also show that BPDA completed its analysis in just 6% of the time required by SaTC and identified 21 vulnerabilities that SaTC and Mango had not detected. It also resolved the issue of Mango failing to analyze specific firmware. In addition, we performed an ablation study to verify the effectiveness of the optimization methods used in taint analysis. These results demonstrate the superiority of BPDA in terms of effectiveness and efficiency in detecting embedded firmware vulnerabilities. |
|---|---|
| Author | Zhai, Jinyuan; Cai, Ruijie; Yin, Xiaokang; Liu, Long; Liu, Shengli; Yang, Qichao; Song, Enzhou; Zhao, Yuhao; Zhang, Can |
| Author_xml | All authors: Information Engineering University, Zhengzhou, Henan, China. 1. Song, Enzhou (songez_ieu@163.com); 2. Zhao, Yuhao (little_fish02@163.com); 3. Zhang, Can (827249870@qq.com); 4. Zhai, Jinyuan (booksy2004@163.com); 5. Cai, Ruijie (wsxcrj@163.com); 6. Liu, Long (164192607@qq.com); 7. Yang, Qichao (yangqichaoo@foxmail.com); 8. Yin, Xiaokang (yxksjtu@sjtu.edu.cn); 9. Liu, Shengli (mr_shengliliu@163.com) |
| CODEN | ITDSCM |
| ContentType | Journal Article |
| DOI | 10.1109/TDSC.2025.3619200 |
| DatabaseName | IEEE All-Society Periodicals Package (ASPP) 2005-present; IEEE All-Society Periodicals Package (ASPP) 1998-Present; IEEE Electronic Library (IEL); CrossRef |
| DatabaseTitle | CrossRef |
| Database_xml | sequence: 1; dbid: RIE; name: IEEE Electronic Library (IEL); url: https://ieeexplore.ieee.org/; sourceTypes: Publisher |
| DeliveryMethod | fulltext_linktorsrc |
| Discipline | Computer Science |
| EISSN | 1941-0018 |
| EndPage | 17 |
| ExternalDocumentID | 10_1109_TDSC_2025_3619200 11196767 |
| Genre | orig-research |
| ISSN | 1545-5971 |
| IngestDate | Sat Nov 29 07:10:03 EST 2025 Wed Oct 15 14:20:43 EDT 2025 |
| IsPeerReviewed | false |
| IsScholarly | true |
| Language | English |
| License | https://ieeexplore.ieee.org/Xplorehelp/downloads/license-information/IEEE.html; https://doi.org/10.15223/policy-029; https://doi.org/10.15223/policy-037 |
| LinkModel | DirectLink |
| PageCount | 17 |
| ParticipantIDs | crossref_primary_10_1109_TDSC_2025_3619200 ieee_primary_11196767 |
| PublicationCentury | 2000 |
| PublicationDate | 2025-00-00 |
| PublicationDateYYYYMMDD | 2025-01-01 |
| PublicationDate_xml | year: 2025; text: 2025-00-00 |
| PublicationDecade | 2020 |
| PublicationTitle | IEEE transactions on dependable and secure computing |
| PublicationTitleAbbrev | TDSC |
| PublicationYear | 2025 |
| Publisher | IEEE |
| Publisher_xml | – name: IEEE |
| SSID | ssj0024894 |
| SourceID | crossref ieee |
| SourceType | Index Database Publisher |
| StartPage | 1 |
| SubjectTerms | Buffer overflows; Codes; Emulation; Filtering; Manuals; Microprogramming; Optimization methods; Security; Testing |
| Title | Nonstandard Sinks Matter: A Comprehensive and Efficient Taint Analysis Framework for Vulnerability Detection in Embedded Firmware |
| URI | https://ieeexplore.ieee.org/document/11196767 |
| hasFullText | 1 |
| inHoldings | 1 |
| journalDatabaseRights | providerCode: PRVIEE; databaseName: IEEE Electronic Library (IEL); eissn: 1941-0018; dateEnd: 99991231; omitProxy: false; ssIdentifier: ssj0024894; issn: 1545-5971; databaseCode: RIE; dateStart: 20040101; isFulltext: true; titleUrlDefault: https://ieeexplore.ieee.org/; providerName: IEEE |
| linkProvider | IEEE |