Journal of Beijing University of Posts and Telecommunications

  • EI core journal

Journal of Beijing University of Posts and Telecommunications ›› 2020, Vol. 43 ›› Issue (1): 46-53. doi: 10.13190/j.jbupt.2019-085


Automatic Identification and Cracking Method for Vulnerable Hash Functions of Embedded Firmwares

ZHANG Guo-dong1,2, YING Huan3, YANG Shou-guo1,2, SHI Zhi-qiang1,2, LI Ji-yuan4   

  1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;
    2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China;
    3. China Electric Power Research Institute, Beijing 100192, China;
    4. State Grid Zhejiang Electric Power Research Institute, Hangzhou 310014, China
  • Received: 2019-05-21 Online: 2020-02-28 Published: 2020-03-27

Abstract: Existing techniques for mining vulnerable Hash functions in firmware suffer from a high identification error rate, imprecise positioning and difficult cracking. To address these problems, a method is proposed that identifies and positions vulnerable Hash functions with a machine learning model combined with a structured matching method, and then cracks them by constraint solving with the Z3 satisfiability modulo theories (Z3 SMT) solver over VEX intermediate representation (VEX IR) together with symbolic execution, giving an automatic identification and cracking method for vulnerable Hash functions of embedded firmwares. The result is a complete automated analysis pipeline for vulnerable Hash functions in firmware binaries, from identification and positioning through to cracking. Experiments show that the method identifies and positions vulnerable Hash functions in binaries compiled for multiple architectures and with multiple compiler optimization options with an accuracy rate as high as 98%, and that vulnerable Hash functions whose structure resembles that of BKDRHash can be accurately positioned and quickly cracked, yielding many collision values.

Key words: embedded device firmware, feature extraction, machine learning, identification and cracking of vulnerable Hash functions, constraint solution
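As an added illustration, not code from the paper, the following Python shows why a BKDRHash-style check in firmware can be cracked: the hash is linear in its input bytes and the multiplier 131 is invertible mod 2^32, so a meet-in-the-middle search (used here in place of the paper's Z3 SMT solving over VEX IR, so that the script runs offline with only the standard library) recovers a colliding input for any 32-bit target. The alphabet, the seed value and the sample password are assumptions constructed for the demo.

```python
from itertools import product
from typing import Optional
import string

SEED = 131            # multiplier used by classic BKDRHash (assumed here)
MASK = 0xFFFFFFFF     # 32-bit wraparound, as in a uint32 C implementation
SEED_INV = pow(SEED, -1, 1 << 32)   # 131 is odd, so it is invertible mod 2^32
ALPHABET = (string.ascii_letters + string.digits).encode()  # 62 candidate bytes


def bkdr_hash(data: bytes) -> int:
    """Reference BKDRHash: h = h * 131 + c, truncated to 32 bits."""
    h = 0
    for c in data:
        h = (h * SEED + c) & MASK
    return h


def unhash_step(h: int, c: int) -> int:
    """Undo one absorption: return the state before byte c was mixed in."""
    return ((h - c) * SEED_INV) & MASK


def find_preimage(target: int, half: int = 3) -> Optional[bytes]:
    """Meet-in-the-middle search for a 2*half-byte input hashing to target.

    Forward: tabulate the state after every `half`-byte prefix (62**3 entries).
    Backward: unwind every `half`-byte suffix from the target and look the
    required middle state up. Two sets of ~2^18 states over a 2^32 space give
    about a dozen expected matches, so a hit is almost certain.
    """
    forward = {}
    for prefix in product(ALPHABET, repeat=half):
        forward[bkdr_hash(bytes(prefix))] = bytes(prefix)
    for suffix in product(ALPHABET, repeat=half):
        state = target
        for c in reversed(suffix):            # peel the suffix off the target
            state = unhash_step(state, c)
        if state in forward:
            return forward[state] + bytes(suffix)
    return None


if __name__ == "__main__":
    # Constructed scenario: a firmware check compares bkdr_hash(password) with
    # a stored 32-bit value, so any colliding input passes. That is the defect
    # the paper's analysis flags, and why such checks need a real password hash.
    stored = bkdr_hash(b"admin123")
    alt = find_preimage(stored)
    print(alt, hex(stored), hex(bkdr_hash(alt)))
```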
