A Lightweight Method for Accelerating Discovery of Taint-Style Vulnerabilities in Embedded Systems

  • Yaowen Zheng
  • Kai Cheng
  • Zhi Li (corresponding author)
  • Shiran Pan
  • Hongsong Zhu
  • Limin Sun
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9977)


Embedded systems are now deployed in a vast range of applications. Their firmware is typically custom-built to provide a small set of very specialized functions, and it is highly prone to taint-style vulnerabilities, in which attacker-controlled input reaches a security-sensitive sink without adequate sanitization; yet traditional whole-program analysis discovers such vulnerabilities inefficiently. In this paper, we propose a two-stage mechanism to accelerate the discovery of taint-style vulnerabilities in embedded firmware: first, recognize the protocol parsers in the firmware, the components most prone to taint-style vulnerabilities; then, construct a program dependence graph for the security-sensitive sinks in those parsers and trace their inputs back to their sources. We verify the mechanism in a real-world experiment. The results indicate that it finds taint-style vulnerabilities in less time than whole-program analysis.


Taint-style vulnerability · Embedded security · Protocol parser · Binary analysis · Reverse engineering



This work was supported in part by the National Key Research and Development Program (Grant No. 2016YFB0800202), the National Defense Basic Research Program of China (Grant No. JCKY2016602B001), the “Strategic Priority Research Program” of the Chinese Academy of Sciences (Grant No. XDA06040100), and the National Defense Science and Technology Innovation Fund, CAS (Grant No. CXJJ-16M118).


Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Yaowen Zheng (1, 2, 3)
  • Kai Cheng (1, 2, 3)
  • Zhi Li (1, 2), corresponding author
  • Shiran Pan (2, 3)
  • Hongsong Zhu (1, 2, 3)
  • Limin Sun (1, 2, 3)
  1. Beijing Key Laboratory of IOT Information Security Technology, Beijing, China
  2. Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
  3. University of Chinese Academy of Sciences, Beijing, China