

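1. China Information Technology Security Evaluation Center, Beijing 100085
2. School of Computer Science, Beijing Institute of Technology, Beijing 100081
3. Beijing Engineering Research Center of Massive Language Information Processing and Cloud Computing Application, Beijing 100081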
Published:2017
ZHU Rui-jin, ZHANG Bao-feng, MAO Jun-jie, et al. Determining Image Base of ARM Firmware Based on Matching String Addresses[J]. Acta Electronica Sinica, 2017, 45(6): 1475-1482. DOI: 10.3969/j.issn.0372-2112.2017.06.028.
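Firmware is the soul of an embedded system. When testing firmware for security or trying to understand in depth how it operates, disassembling the firmware is a necessary step. To disassemble firmware, one must first determine its image base (load address) and the processor type of its runtime environment. The processor type can usually be obtained by tearing down the hardware device or consulting the product manual, but there is currently no automated tool for obtaining the firmware's image base. Since most processors in embedded systems today are ARM, this paper takes ARM firmware as its research target and proposes an automated method for determining the firmware's image base. First, by studying how strings are stored in firmware and how they are loaded, two algorithms are proposed that compute, respectively, the offsets of strings in the firmware and the string addresses loaded by LDR instructions. Then, using this string information, the DBMAS (Determining image Base by Matching Addresses of Strings) algorithm is proposed to determine the firmware's image base. Experiments show that the proposed method can successfully determine the image base of firmware that uses LDR instructions to load string addresses.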
Firmware is the soul of an embedded system, and disassembly is a necessary step to understand the operational mechanism or detect the vulnerabilities of the firmware. When disassembling firmware, one must first determine the processor type of the running environment and the image base of the firmware. In general, the processor type can be obtained by tearing down the device or consulting the product manual. However, at present there is still no automated tool that can be used to obtain the image base of firmware. Since the processors of the majority of embedded systems are of ARM architecture, in this paper we focus on ARM firmware and propose an automated method to determine the base address. Firstly, by studying the storage rule and loading mode of strings, we present two algorithms to calculate the string offsets and the string addresses loaded by the LDR instruction. Then, with this information, we propose the DBMAS (Determining image Base by Matching Addresses of Strings) algorithm to determine the image base. Experimental results indicate that the proposed method can successfully determine the image base of firmware that uses the LDR instruction to load string addresses.
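A simplified sketch of the matching idea the abstract describes, added here as an example and not the paper's DBMAS algorithm: it collects string file offsets, collects the words fetched by PC-relative LDR instructions, and votes on base = loaded address - string offset. All function names are hypothetical; it assumes little-endian ARM-mode code, positive LDR offsets only, a word-aligned base, and a small constructed sample image.

```python
import re
import struct
from collections import Counter

def string_offsets(blob, min_len=6):
    """File offsets of NUL-terminated printable-ASCII strings."""
    return {m.start() for m in re.finditer(rb"[\x20-\x7e]{%d,}\x00" % min_len, blob)}

def ldr_literals(blob):
    """Words fetched by ARM-mode `LDR Rd, [PC, #imm12]` (encoding 0xE59Fxxxx)."""
    found = set()
    for off in range(0, len(blob) - 3, 4):
        (insn,) = struct.unpack_from("<I", blob, off)
        if (insn & 0xFFFF0000) == 0xE59F0000:
            pool = off + 8 + (insn & 0xFFF)  # PC reads as instruction address + 8
            if pool + 4 <= len(blob):
                found.add(struct.unpack_from("<I", blob, pool)[0])
    return found

def guess_image_base(blob, align=4):
    """Vote for base = loaded_address - string_offset; return (base, votes) or None."""
    votes = Counter()
    offsets = string_offsets(blob)
    for addr in ldr_literals(blob):
        for off in offsets:
            base = addr - off
            if base >= 0 and base % align == 0:  # assumption: word-aligned base
                votes[base] += 1
    return votes.most_common(1)[0] if votes else None

def build_sample(base=0x08004000):
    """Constructed image: 4 LDR instructions, their literal pool, then the strings."""
    strings = [b"boot failed\0", b"flash write error\0",
               b"watchdog reset\0", b"invalid checksum\0"]
    n = len(strings)
    pool_off, str_off = 4 * n, 8 * n
    code = pool = data = b""
    for i, s in enumerate(strings):
        imm = (pool_off + 4 * i) - (4 * i + 8)  # PC-relative distance to literal
        code += struct.pack("<I", 0xE59F0000 | (i << 12) | imm)
        pool += struct.pack("<I", base + str_off + len(data))
        data += s
    return code + pool + data

if __name__ == "__main__":
    base, votes = guess_image_base(build_sample())
    print(f"image base 0x{base:08x} ({votes} matching strings)")
```

The pairwise vote is quadratic in the number of strings and literals, so on a real image the candidate sets would need filtering before matching.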