Finding Vulnerabilities in Internal-binary of Firmware with Clues

ICC 2022 - IEEE International Conference on Communications (2022)

Abstract
Embedded devices, represented by Internet of Things devices, bring great convenience to our daily life. Firmware is the core of the embedded device operation. However, vulnerabilities in the firmware can be exploited remotely by hackers through the network. Unfortunately, existing methods are only suitable for finding vulnerabilities in binaries (border-binary) that interact directly with users. When applied to other binaries (internal-binary) that indirectly interact with users, the lack of analysis sources and constraint conditions leads to many false negatives and false positives. In this paper, we propose a new keyword-sensitive data flow analysis approach to address the challenge. Specifically, we leverage crawlers to collect clues related to vulnerability reports from the Internet. Then we use the clues and communication paradigm finders to establish the relationship between different binaries in the firmware sample to form binary dependency graphs. At the same time, based on the functional features, we further dig out the binary relationships that have no Internet clues. Finally, we perform static taint analysis based on binary dependency graphs to determine vulnerabilities. We implemented and evaluated our prototype system FBI. Compared with Karonte, a state-of-the-art tool, FBI found significantly more true positives in Karonte's data set.
Keywords
Internet of Things, vulnerabilities, taint analysis
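The abstract's central idea, a binary dependency graph whose edges are labelled with the keywords binaries share and along which taint is propagated from border binaries into internal binaries, as an added illustrative model (not the FBI prototype or Karonte). Binary names, keywords and the clue set are constructed; the "writes"/"reads" metadata stands in for what the paper's communication paradigm finders would recover from the firmware.

```python
from collections import defaultdict

# Constructed firmware metadata (hypothetical binary names): which shared
# keywords each binary writes and reads, and whether it is a border binary
# that receives network input directly.
BINARIES = {
    "httpd":   {"border": True,  "writes": {"wan_host", "boot_count"}, "reads": set()},
    "netcfg":  {"border": False, "writes": {"dns_srv"}, "reads": {"wan_host"}},
    "dnsmasq": {"border": False, "writes": set(), "reads": {"dns_srv"}},
    "ledctl":  {"border": False, "writes": set(), "reads": {"boot_count"}},
}

# Constructed clue: a keyword a crawled report says carries user-controlled data.
CLUE_KEYWORDS = {"wan_host"}


def build_dependency_graph(binaries):
    """Directed edges writer -> reader, labelled with the shared keyword."""
    writers = defaultdict(set)
    for name, meta in binaries.items():
        for kw in meta["writes"]:
            writers[kw].add(name)
    graph = defaultdict(list)
    for name, meta in binaries.items():
        for kw in meta["reads"]:
            for src in writers[kw]:
                graph[src].append((name, kw))
    return graph


def tainted_internal_binaries(binaries, clue_keywords):
    """Propagate taint from border binaries along keyword-labelled edges.

    Keyword-sensitive: a border binary only taints the keywords named by a
    clue, so keywords it writes from non-user data ("boot_count") do not
    create false positives. An internal binary that received tainted data
    taints everything it writes (transitive). Returns
    {internal binary: path of binaries that carried the taint to it}.
    """
    graph = build_dependency_graph(binaries)
    tainted = {n: [n] for n, m in binaries.items() if m["border"]}
    tainted_kw = set(clue_keywords)
    changed = True
    while changed:  # iterate to a fixed point so late-tainted keywords are honoured
        changed = False
        for src, path in list(tainted.items()):
            for dst, kw in graph[src]:
                if kw in tainted_kw and dst not in tainted:
                    tainted[dst] = path + [dst]
                    tainted_kw |= binaries[dst]["writes"]
                    changed = True
    return {n: p for n, p in tainted.items() if not binaries[n]["border"]}
```

With the constructed data, netcfg and dnsmasq are reported as reachable by tainted data via httpd, while ledctl is not, because its only input keyword has no clue marking it user-controlled.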