Runhao Liu (National University of Defense Technology), Jiarun Dai (Fudan University), Haoyu Xiao (Fudan University), Yuan Zhang (Fudan University), Yeqi Mou (National University of Defense Technology), Lukai Xu (National University of Defense Technology), Bo Yu (National University of Defense Technology), Baosheng Wang (National University of Defense Technology), Min Yang (Fudan University)

Static taint analysis has become a fundamental technique to detect vulnerabilities implied in web services of Linux-based firmware. However, existing works commonly oversimplify the composition of firmware web services. Specifically, only C binaries (i.e., those extracted from the target firmware) are considered within the scope of vulnerability detection. In this work, we observe that modern firmware extensively combines Lua scripts/bytecode and C binaries to implement hybrid web services, and obviously, those C-binary-oriented vulnerability detection techniques can hardly achieve satisfactory performance. In light of this, we propose FirmCross, an automated taint-style vulnerability detector dedicated for C-Lua hybrid web services. Compared to existing detectors, FirmCross can automatically de-obfuscate the Lua bytecode in target firmware, additionally identify distinctive taint sources in Lua codespace, and systematically capture the C-Lua cross-language taint flow. In the evaluation, FirmCross detects 6.82X ~ 14.5X more vulnerabilities than SoTA approaches (i.e., MangoDFA and LuaTaint) in a dataset containing 73 firmware images from 11 vendors. Notably, FirmCross helps identify 610 0-day vulnerabilities among target firmware images. After reporting these vulnerabilities to vendors, till now, 31 vulnerability IDs have been assigned.

View More Papers

Beyond Conventional Triggers: Auto-Contextualized Covert Triggers for Android Logic...

Ye Wang (Department of Electrical Engineering and Computer Science, Institute for Information Sciences, The University of Kansas), Bo Luo (Department of Electrical Engineering and Computer Science, Institute for Information Sciences, The University of Kansas), Fengjun Li (Department of Electrical Engineering and Computer Science, Institute for Information Sciences, The University of Kansas)

Read More

Work-in-progress: RegTrack: Uncovering Global Disparities in Third-party Advertising and...

Tanya Prasad (University of British Columbia), Rut Vora (University of British Columbia), Soo Yee Lim (University of British Columbia), Nguyen Phong Hoang (University of British Columbia), Thomas Pasquier (University of British Columbia)

Read More

Does Representation Matter? Evaluating IRs for LLM-based Binary Decompilation

Tomás Pelayo-Benedet (Universidad de Zaragoza), Kevin Borgolte (Ruhr University Bochum), Ricardo J. Rodríguez (Universidad de Zaragoza)

Read More