Paper Info
Title
Stringer: Measuring The Importance Of Static Data Comparisons To Detect Backdoors And Undocumented Functionality
Abstract
Finding undocumented functionality in commercial off-the-shelf (COTS) device firmware is an important and challenging task. This paper proposes a new static analysis method that measures the influence individual pieces of static data (such as strings) have upon the control flow of binaries in firmware. Our method automatically identifies static data comparison functions within binaries, then labels each function's basic blocks with the set of sequences of static data that must be matched against to reach them. Then using these sets, it assigns a score to each function, which measures the extent to which the function's branching is influenced by static data. Special keywords triggering backdoor functionality will have a large impact on the program flow. This allows us to identify three authentication backdoors - two of which previously undocumented. Moreover, we show our method is effective in aiding the recovery of both previously known and proprietary text-based protocols. We have developed a tool, Stringer which implements our technique; we demonstrate the effectiveness of our approach as well as its applicability to lightweight analysis by running it on a data set of 2,451,532 binaries from 30 different COTS device vendors.
Year
DOI
Venue
2017
10.1007/978-3-319-66399-9_28
COMPUTER SECURITY - ESORICS 2017, PT II
Field
DocType
Volume
Data mining,Authentication,Static data,Computer science,Static analysis,Control flow,Backdoor,Computer engineering,Firmware,Branching (version control),Distributed computing,Stringer
Conference
10493
ISSN
Citations 
PageRank 
0302-9743
0
0.34
References 
Authors
16
3
Name
Order
Citations
PageRank
Sam L. Thomas121.38
Tom Chothia244129.82
Flavio D. Garcia343833.08