Skip to content

kuc001/EmTaint

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
build/lib/dataflow
build/lib/dataflow
 
 
data
data
 
 
dataflow
dataflow
 
 
dist
dist
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
dataflow.conf
dataflow.conf
 
 
main.py
main.py
 
 
main_test.py
main_test.py
 
 
result_paser.py
result_paser.py
 
 
run.sh
run.sh
 
 
run_backup.sh
run_backup.sh
 
 
setup.py
setup.py
 
 
start_nodes.json
start_nodes.json
 
 
test.py
test.py
 
 
test_api.py
test_api.py
 
 

Repository files navigation

EmTaint

EmTaint, a novel static analysis tool for accurate and fast detection of taint-style vulnerabilities in embedded firmware. In EmTaint, we design a structured symbolic expression-based (SSE-based) on-demand alias analysis technique, which serves as a basis for resolving both implicit data flow and control flow on potential vulnerable paths. Based on it, we come up with indirect call resolution and accurate taint analysis scheme. Combined with sanitization rule checking, EmTaint can eventually discovers a large number of taint-style vulnerabilities accurately within a limited time.

Getting Started

Requirements

EmTaint's execution environment depends on Angr, which we packaged as an docker image and published to the hub (NOTE: thare are some issues in uploading the large docker image file to zenodo, so we upload it to docker hub instead.). The source code for EmTaint is EmTaint.tar.gz. We can execute following commands to start the experiment verification. We suggest users to use Linux system as the host machine.

docker pull doneme123/emtaint:v1.1
tar -zxvf EmTaint.tar.gz
cd EmTaint
docker run -ti --rm -v `pwd`:/work doneme123/emtaint:v1.1
cd /work
workon EmTaint

Basic functionality

We run the following command to test indirect-call resolution and vulnerability detection for binary httpd in firmware R8000_v1.0.4.4.

bash run.sh main.py ./firmware-binaries/

Estimated Time < 15min

Expected Output: The result will be saved in file R8000_v1_0_4_4.json in directory ./data/result_data/.

The basic functionality of EmTaint is evaluated from three aspects: vulnerability discovery, effectiveness and efficiency of indirect call resolution, and effectiveness in finding vulnerability with or without indirect call resolution.

Evaluation for vulnerability discovery

python collect_result.py ./data/result_data/R8000_v1_0_4_4.json alert

Expected Output: the result show the alerts produced by EmTaint for binary httpd in firmware R8000_v1.0.4.4.

Evaluation for Effectiveness and Efficiency of indirect call resolution

python collect_result.py ./data/result_data/R8000_v1_0_4_4.json icall

Expected Output: the result show the effectiveness and efficiency of indirect call resolution for binary httpd in firmware R8000_v1.0.4.4.

Evaluation for Effectiveness in finding vulnerability with or without indirect call resolution

python collect_result.py ./data/result_data/R8000_v1_0_4_4.json compare

Expected Output: the result show the effectiveness and necessity of indirect call resolution for finding vulnerabilities in embedded firmware.

Detailed Description

In Getting Started section, we only evaluate the EmTaint on one binary in a firmware image. In Detailed Description, we describe the evaluation of all claims as follows. For vulnerability discovery and indirect call resolution evaluation, we can evaluate it on all 35 firmware images by modifying shell script run.sh, where run.sh includes commands to evaluate 35 fimware images. We put 32 firmware-related binaries in directory firmware-binaries/. For example, the code in run.sh below will evaluate firmware RV130_v.1.0.3.44 for vulnerability discovery and indirect call resolution.

analyze_binary "rv130_v44/httpd" "rv130" "1_0_3_44"

Expected Output: The result will be saved in file rv130_1_0_3_44.json in directory ./data/result_data/.

In addition to the above methods, we can also run the following command to evaluate the functionality of EmTaint respectively.

# Indirect call resolution
python main.py -f ./firmware-binaries/rv130_v44/httpd -n rv130 -v 1_0_3_44 -i

# vulnerability discovery with indirect call resolution
python main.py -f ./firmware-binaries/rv130_v44/httpd -n rv130 -v 1_0_3_44 -t

# vulnerability discovery without indirect call resolution
python main.py -f ./firmware-binaries/rv130_v44/httpd -n rv130 -v 1_0_3_44 -t --resolve_icall 0

Extension

If the user obtain another firmware, which is not involved in our dataset, you can follow the instructions to attemp to run it in EmTaint.

  1. Use tool binwalk (https://github.com/ReFirmLabs/binwalk) to extract the binaries associated with handling network requests in the firmware.
  2. Extract the binary information by running script ./dataflow/ida_plugin/parse_arm_binary.py in the IDA Pro, which generates two files, {binary-name}_cfg.json and {binary-name}_block_info.json.
  3. Create directory ./data/ida_data/{name}_{version} and copy the above two files to it.
  4. Finally, run command python main.py -f {binary} -n {name} -v {version} -t to perform vulnerability discovery.

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

23 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

 
 
 

Languages