一种基于匹配字符串地址判定ARM固件装载基址的方法

doi:10.3969/j.issn.0372-2112.2017.06.028

电子学报 ›› 2017, Vol. 45 ›› Issue (6): 1475-1482.DOI: 10.3969/j.issn.0372-2112.2017.06.028

一种基于匹配字符串地址判定ARM固件装载基址的方法

朱瑞瑾¹, 张宝峰¹, 毛军捷¹, 骆扬¹, 谭毓安^2,3, 张全新^2,3

1. 中国信息安全测评中心, 北京 100085;
2. 北京理工大学计算机学院, 北京 100081;
3. 北京市海量语言信息处理与云计算应用工程技术研究中心, 北京 100081

收稿日期:2015-11-05 修回日期:2016-11-28 出版日期:2017-06-25
- 通讯作者:
- 张全新
- 作者简介:
- 朱瑞瑾 男,1985年生,山东菏泽人.中国信息安全测评中心助理研究员,研究方向为软件安全、嵌入式系统安全、固件安全、逆向工程.E-mail:ruijinzhu@gmail.com;张宝峰 男,1983年生,山东日照人.中国信息安全测评中心副研究员,研究方向为网络安全、嵌入式设备安全;毛军捷 男,1984年生,北京人,中国信息安全测评中心副研究员,研究方向为可信计算、固件安全;骆扬男,1984年生,河北石家庄人,中国信息安全测评中心做博士后,研究方向为硬件木马、硬件蠕虫、智能芯片安全性;谭毓安 男,1972年生,重庆巫溪人,北京理工大学计算机学院教授,北京理工大学计算机实验教学中心主任,中国计算机学会高性能计算专委会委员,信息存储技术专委会委员.研究方向为信息安全、网络存储、嵌入式系统
- 基金资助:
- 国家自然科学基金 (No.61370063）; 国家重点研发计划网络空间安全重点专项

Determining Image Base of ARM Firmware Based on Matching String Addresses

ZHU Rui-jin¹, ZHANG Bao-feng¹, MAO Jun-jie¹, LUO Yang¹, TAN Yu-an^2,3, ZHANG Quan-xin^2,3

1. China Information Technology Security Evaluation Center, Beijing 100085, China;
2. School of Computer Science and Technology, Beijing Institute of Technology, Beijing 100081, China;
3. Beijing Engineering Research Center of Massive Language Information Processing and Cloud Computing Application, Beijing 100081, China

Received:2015-11-05 Revised:2016-11-28 Online:2017-06-25 Published:2017-06-25
- Supported by:
- National Natural Science Foundation of China (No.61370063); National Key Research and Development Program of China in Cyber Security

摘要/Abstract

摘要：

固件是嵌入式系统的灵魂，当对固件进行安全检测或者深入理解固件中的运行机制时，对固件进行反汇编是一个必经的步骤.对固件反汇编时，首先要确定固件的装载基址及其运行环境的处理器类型.通常我们可以通过拆解硬件设备或者查阅产品手册获得处理器类型，但目前尚没有自动化工具可获知固件的装载基址.鉴于目前大部分嵌入式系统中的处理器为ARM类型，本文以ARM固件为研究目标，提出了一种自动化方法来判定固件的装载基址.首先通过研究固件中字符串的存储规律及其加载方式，提出了两个算法可分别求出固件中字符串偏移量和LDR指令加载的字符串地址.然后利用这些字符串信息，提出了DBMAS（Determining image Base by Matching Addresses of Strings）算法来判定固件的装载基址.实验证明本文提出的方法可以成功判定使用LDR指令加载字符串地址的固件装载基址.

关键词: 装载基址, 固件, ARM, 反汇编

Abstract:

Firmware is the soul of an embedded system,and disassembly is a necessary step to understand the operational mechanism or detect the vulnerabilities of the firmware.When disassembling a firmware,it should first determine the processor type of running environment and the image base of firmware.In general,the processor type can be got by tearing down the device or consulting the product manual.However,at present there is still no automated tool that can be used to obtain the image base of firmware.Since the processors of majority embedded systems are ARM architecture,in this paper we focus on the firmwares in ARM and propose an automated method to determine the base address.Firstly,by studying the storage rule and loading mode of the string we present two algorithms to calculate the string offset and the string address loaded by LDR instruction.Then with these information,we proposed a DBMAS (Determining image Base by Matching Addresses of Strings) algorithm to determine the image base.Experimental results indicate the proposed method can successfully determine the image base of firmware that uses the LDR instruction to load string address.

Key words: image base, firmware, ARM, disassemble

中图分类号:

TP311.5

朱瑞瑾, 张宝峰, 毛军捷, 等. 一种基于匹配字符串地址判定ARM固件装载基址的方法[J]. 电子学报, 2017, 45(6): 1475-1482.

ZHU Rui-jin, ZHANG Bao-feng, MAO Jun-jie, et al. Determining Image Base of ARM Firmware Based on Matching String Addresses[J]. Acta Electronica Sinica, 2017, 45(6): 1475-1482.

参考文献

[1] Kaspersky Lab.Equation:The Death Star of Malware Galaxy[EB/OL].https://securelist.com/blog/research/68750/equation-the-death-star-of-malware-galaxy/,2015.
[2] Kaspersky Lab.A Fanny Equation:"I am your father,Stuxnet"[EB/OL].https://securelist.com/blog/research/68787/a-fanny-equation-i-am-your-father-stuxnet/,2015.
[3] Langner R.Stuxnet:Dissecting a cyberwarfare weapon[J].IEEE Security & Privacy,2011,9(3):49-51.
[4] Falliere N,Murchu L O,Chien E.W32.Stuxnet Dossier[R].USA:Symantec Corp,2011.9.
[5] Trend Micro.Netis Routers Leave Wide Open Backdoor[EB/OL].http://blog.trendmicro.com/trendlabs-security-intelligence/netis-routers-leave-wide-open-backdoor/,2015.
[6] Craig Heffner.Reverse Engineering a D-Link Backdoor[EB/OL].http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/,2015.
[7] Zach Cutlip.Netgear Root Compromise via Command Injection[EB/OL].http://shadow-file.blogspot.lt/2013/10/netgear-root-compromise-via-command.html,2015.
[8] Craig Heffner.From China,With Love[EB/OL].http://www.devttys0.com/2013/10/from-china-with-love/,2015.
[9] Hex-Rays SA.The IDA Pro Disassembler and Debugger[EB/OL].https://www.hex-rays.com/products/ida/index.shtml,2016.
[10] Schuett C,Butts J,Dunlap S.An evaluation of modification attacks on programmable logic controllers[J].International Journal of Critical Infrastructure Protection,2014,7(1):61-68.
[11] Basnight Z,Butts J,Lopez Jr J,et al.Firmware modification attacks on programmable logic controllers[J].International Journal of Critical Infrastructure Protection,2013,6(2):76-84.
[12] Skochinsky I.Intro to embedded reverse engineering for PC reversers[R].Montreal,Canada:RECON,2010.
[13] Basnight Z H.Firmware Counterfeiting and Modification Attacks on Programmable Logic Controllers[D].Ohio:Air Force Institute of Technology,2013.
[14] Dacosta I,Mehta N,Metrock E,et al.Security analysis of an IP phone:Cisco 7960G[A].Principles,Systems and Applications of IP Telecommunications[C].Berlin:Springer-Verlag,2008.236-255.
[15] Santamarta R.Reverse Mode-Reversing Industrial Firmware for Fun and Backdoors I[EB/OL].http://www.reversemode.com/index.php?option=com_content&task=view&id=80&Itemid=1,2015.
[16] Viehbock S.Reverse engineering an obfuscated firmware image E02-analysis[EB/OL].https://sviehb.wordpress.com/2011/09/09/reverse-engineering-an-obfuscated-firmware-image-e02-analysis/,2015.
[17] Costin,A,et al.A large-scale analysis of the security of embedded firmwares[A].Proceedings of the 23rd USENIX Conference on Security Symposium[C].San Diego,California:USENIX Association,2014.95-110.
[18] ARM Limited.ARM Architecture Reference Manual[M].Cambridge,England:ARM Limited,2014.

一种基于匹配字符串地址判定ARM固件装载基址的方法

Determining Image Base of ARM Firmware Based on Matching String Addresses

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 5

编辑推荐

Metrics

[1]	成元虎, 黄立波, 崔益俊, 马胜, 王永文, 隋兵才. 基于RISC-V的嵌入式多指令集处理器设计及实现[J]. 电子学报, 2021, 49(11): 2081-2089.
[2]	李磊, 方捻, 王陆唐, 黄肇明. 基于多反馈环结构提高硬件储备池记忆能力[J]. 电子学报, 2018, 46(2): 298-303.
[3]	毕晓君, 张永建, 陈春雨. 基于模糊支配的高维多目标进化算法MFEA[J]. 电子学报, 2014, 42(8): 1653-1659.
[4]	韩志杰;王汝传;;凡高娟;肖甫. 一种基于ARMA的WSN非均衡分簇路由算法[J]. 电子学报, 2010, 38(4): 865-0869.
[5]	左年明;夏丹;蒋田仔;邹宇;潘晓川. 一般直线-圆弧扫描轨迹CT的三维精确重建[J]. 电子学报, 2007, 35(7): 1382-1386.