%0 Conference Proceedings
%T Automatic Inference of Taint Sources to Discover Vulnerabilities in SOHO Router Firmware
%+ University of Chinese Academy of Sciences [Beijing] (UCAS)
%+ Chinese Academy of Sciences [Beijing] (CAS)
%+ Nanyang Technological University [Singapour]
%A Cheng, Kai
%A Fang, Dongliang
%A Qin, Chuan
%A Wang, Huizhao
%A Zheng, Yaowen
%A Yu, Nan
%A Sun, Limin
%Z Part 2: Vulnerability Management
%< peer-reviewed
%( IFIP Advances in Information and Communication Technology
%B 36th IFIP International Conference on ICT Systems Security and Privacy Protection (SEC)
%C Oslo, Norway
%Y Audun Jøsang
%Y Lynn Futcher
%Y Janne Hagen
%I Springer International Publishing
%3 ICT Systems Security and Privacy Protection
%V AICT-625
%P 83-99
%8 2021-06-22
%D 2021
%R 10.1007/978-3-030-78120-0_6
%Z Computer Science [cs] Conference papers
%X Cyberattacks against SOHO (small office and home office) routers have attracted much attention in recent years. Most of the vulnerabilities exploited by hackers occur in the web servers of router firmware. In vulnerability detection, static taint analysis can quickly cover all code without depending on the runtime environment, compared to dynamic analysis (e.g., fuzzing). However, existing static analysis techniques suffer from a high false-negative rate due to the lack of resolution of indirect calls, making it challenging to track tainted data from a common source (e.g., recv) to a sink. In this work, we propose a new heuristic approach to address this challenge. Instead of resolving the indirect calls, we automatically infer taint sources by identifying functions with key-value features. With the inferred taint sources we can bypass the indirect calls and track the taint to detect vulnerabilities by static taint analysis. We implement a prototype system and evaluate it on 10 popular routers across 5 vendors. The proposed system discovered 245 vulnerabilities, including 41 1-day vulnerabilities and 204 vulnerabilities never exposed before. The experimental results show that our system can find more bugs than a state-of-the-art fuzzing tool.
%G English
%Z TC 11
%2 https://inria.hal.science/hal-03746053/document
%2 https://inria.hal.science/hal-03746053/file/512098_1_En_6_Chapter.pdf
%L hal-03746053
%U https://inria.hal.science/hal-03746053
%~ IFIP
%~ IFIP-AICT
%~ IFIP-TC
%~ IFIP-TC11
%~ IFIP-SEC
%~ IFIP-AICT-625