Journal of Beijing University of Posts and Telecommunications

  • EI core journal

Journal of Beijing University of Posts and Telecommunications, 2020, Vol. 43, Issue (1): 46-53. doi: 10.13190/j.jbupt.2019-085

Automatic Identification and Cracking Method for Vulnerable Hash Functions of Embedded Firmwares

ZHANG Guo-dong (张国栋)1,2, YING Huan (应欢)3, YANG Shou-guo (杨寿国)1,2, SHI Zhi-qiang (石志强)1,2, LI Ji-yuan (李霁远)4

  1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;
  2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China;
  3. China Electric Power Research Institute, Beijing 100192, China;
  4. State Grid Zhejiang Electric Power Research Institute, Hangzhou 310014, China
  • Received: 2019-05-21; Online: 2020-02-28; Published: 2020-03-27
  • Corresponding author: SHI Zhi-qiang (born 1970), male, professor-level senior engineer, doctoral supervisor. E-mail: shizhiqiang@iie.ac.cn
  • About the first author: ZHANG Guo-dong (born 1991), male, master's student.
  • Supported by:
    State Grid Corporation of China Headquarters Science and Technology Project "Research on Key Technologies for Vulnerability Mining and Attack Detection of Power Grid Embedded Terminals" (52110418001K)

Abstract (translated from the Chinese original): To address the high false-positive rate, inaccurate localization and difficulty of cracking that affect existing approaches to identifying vulnerable hash functions in firmware, an automatic identification and cracking method for vulnerable hash functions in embedded firmware is proposed. It combines a vulnerable-hash-function identification and localization technique based on a machine learning model and structured matching with a solving method based on symbolic execution over the VEX intermediate representation (VEX IR) and the Z3 constraint solver (Z3 SMT), giving a complete automated analysis pipeline that runs from identifying and localizing vulnerable hash functions in firmware binaries through to cracking them. Experimental results show that the method identifies and localizes vulnerable hash functions with an accuracy of up to 98% in binaries compiled for multiple architectures and with different compiler optimization options, precisely localizes vulnerable hash functions whose structure resembles the BKDR hash function (BKDRHash), and quickly cracks out multiple collision values.

Key words (translated): embedded device firmware, feature extraction, machine learning, identification and cracking of vulnerable hash functions, constraint solving

Abstract: Existing techniques for mining vulnerable Hash functions in firmware suffer from a high identification error rate, inaccurate positioning, difficult cracking and so on. To solve these problems, a method is proposed that uses a vulnerable Hash function identification and positioning technique based on a machine learning model and a structured matching method. Meanwhile, constraint solving with the Z3 satisfiability modulo theories solver (Z3 SMT), based on the VEX intermediate representation (VEX IR) and symbolic execution, is applied to the automatic identification and cracking of vulnerable Hash functions in embedded firmwares. A complete automated analysis process is constructed for the vulnerable Hash functions in firmware binaries, from identification and positioning through to cracking. Experiments show that the method can identify and position vulnerable Hash functions in binary files compiled for multiple architectures and with different compiler optimization options, with an accuracy rate as high as 98%; vulnerable Hash functions with a structure similar to BKDRHash can be accurately positioned, and many collision values can be quickly cracked out.

Key words: embedded device firmware, feature extraction, machine learning, identification and cracking of vulnerable Hash functions, constraint solution
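The abstract's cracking stage finds collision values for BKDRHash-like routines with Z3 over VEX IR. The example below is added here and is not code from the paper or its authors: it uses a plain-Python reference BKDRHash to show why such a routine counts as "vulnerable" and gives a firmware auditor a black-box check for it. It assumes the classic BKDRHash definition (h = h*131 + byte, truncated to 32 bits) and replaces the SMT solver with the hash's own linear algebra; `recover_seed` and `colliding_input` are constructions of this example, not the paper's identification or solving method, and `truncated_sha256` is only a foil for the negative case.

```python
import hashlib
import secrets
from typing import Callable, Optional

MASK = 0xFFFFFFFF   # 32-bit truncation, as in the usual firmware BKDRHash
BKDR_SEED = 131     # classic BKDRHash multiplier (31, 131, 1313, ... are all seen)


def bkdr_hash(data: bytes, seed: int = BKDR_SEED) -> int:
    """Reference BKDRHash (assumed definition): h = h * seed + byte, mod 2^32."""
    h = 0
    for b in data:
        h = (h * seed + b) & MASK
    return h


def truncated_sha256(data: bytes) -> int:
    """Foil for the check: a 32-bit truncation of a real cryptographic hash."""
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def recover_seed(h: Callable[[bytes], int], probes: int = 16) -> Optional[int]:
    """Black-box test: does h behave like a BKDR-style multiply-add hash?

    For h(x) = sum x_i * seed^(n-1-i) mod 2^32 with a zero initial state,
    h([1, 0]) - h([0, 1]) == seed - 1, so a single subtraction yields the
    candidate seed. The candidate is confirmed on random probe messages
    (constructed inline); None means h does not have this linear structure.
    """
    seed = (h(b"\x01\x00") - h(b"\x00\x01") + 1) & MASK
    for _ in range(probes):
        m = secrets.token_bytes(secrets.randbelow(24) + 1)
        if h(m) != bkdr_hash(m, seed):
            return None
    return seed


def colliding_input(data: bytes, seed: int = BKDR_SEED) -> Optional[bytes]:
    """Evidence for an audit report: a second input with the same BKDRHash.

    Each byte is weighted by a power of the seed, so lowering byte i by 1 and
    raising byte i+1 by `seed` leaves the weighted sum unchanged. Bytes are kept
    in 1..255 so the result is still a valid NUL-terminated C string. Returns
    None if no adjacent byte pair admits the adjustment.
    """
    buf = bytearray(data)
    for i in range(len(buf) - 1):
        if buf[i] >= 2 and buf[i + 1] + seed <= 255:
            buf[i] -= 1
            buf[i + 1] += seed
            return bytes(buf)
    return None


if __name__ == "__main__":
    # Constructed sample credential; any short ASCII string behaves the same.
    sample = b"admin"
    print("BKDR seed recovered:", recover_seed(bkdr_hash))
    print("SHA-256 seed recovered:", recover_seed(truncated_sha256))
    alt = colliding_input(sample)
    print("collision:", alt, bkdr_hash(alt) == bkdr_hash(sample))
```

The check is the part an auditor reuses: an extracted or emulated string-hash routine that makes `recover_seed` return a seed has no place guarding a login, because `colliding_input` then produces an accepted alternative in constant time, which is what the paper's solver-based cracking demonstrates at scale.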
