VERI: A Large-scale Open-Source Components Vulnerability Detection in IoT Firmware

Computers & Security(2022)

Abstract
IoT device manufacturers integrate open-source components (OSCs) to provide necessary and common functions and to ease firmware development. However, outdated OSC versions conceal N-day vulnerabilities and continue to run on IoT devices. The resulting security risks can be predicted once the OSC versions employed in the firmware are identified. Existing works attempt OSC version identification but fail to perform vulnerability detection on large-scale IoT firmware because of (i) version identification methods unsuited to the IoT firmware scenario and (ii) the lack of a large-scale version-vulnerability relation database. To this end, we propose VERI, a system for large-scale vulnerability detection based on lightweight version identification. First, for OSC version identification, VERI combines symbolic execution with static analysis to identify exact OSC versions even though an OSC contains many version-like strings. Second, VERI employs a deep learning-based method to extract OSC names and vulnerable version ranges from vulnerability descriptions, and constructs and maintains an OSC version-vulnerability relation database to serve vulnerability detection. Finally, VERI polls the relation database to confirm the N-day security risk of the OSC with the identified version. The evaluation results show that VERI achieves 96.43% accuracy with high efficiency in OSC version identification. Meanwhile, the deep learning model accurately extracts OSC names and versions from the vulnerability description dataset with 97.19% precision and 96.56% recall. Based on the model, we build a large-scale version-vulnerability relation database. Furthermore, we use VERI to conduct a large-scale analysis of 28,890 firmware images and find 38,654 vulnerable OSCs with 266,109 N-day vulnerabilities, most of which are high-risk. From the detection results, we find that after the official patch for a vulnerability is released, manufacturers delay an average of 473 days before patching the firmware.
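The final stage of the pipeline described in the abstract, polling a version-vulnerability relation database with an identified OSC version and measuring the patch delay, as an added illustration that is not the authors' code. The relation database, component names (`libalpha`, `libbeta`), vulnerability identifiers (`VULN-PLACEHOLDER-*`), version ranges and release dates are all constructed for this example; the range grammar (comma-separated `<`, `<=`, `>`, `>=`, `==` constraints) and the handling of OpenSSL-style patch letters are assumptions about how extracted ranges might be stored, not the paper's format.

```python
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str         # placeholder identifier, not a real CVE number
    component: str       # OSC name, as extracted from an advisory description
    vuln_range: str      # vulnerable version range, comma-separated constraints
    patch_release: date  # date the upstream fix shipped (constructed)


# Constructed relation database: placeholder ids and made-up ranges/dates,
# standing in for entries the deep-learning extractor would populate.
RELATION_DB = [
    VulnRecord("VULN-PLACEHOLDER-1", "libalpha", "<1.1.1g", date(2021, 1, 1)),
    VulnRecord("VULN-PLACEHOLDER-2", "libalpha", ">=1.1.0,<1.1.1d", date(2020, 6, 15)),
    VulnRecord("VULN-PLACEHOLDER-3", "libbeta", ">=2.4.0,<2.4.49", date(2021, 10, 5)),
]

_PART = re.compile(r"^(\d+)([a-z]*)$")
_CONSTRAINT = re.compile(r"^(<=|>=|==|<|>)\s*(\S+)$")


def parse_version(text):
    """Turn '1.1.1g' into ((1, ''), (1, ''), (1, 'g')) so tuples compare
    numerically, with a trailing patch letter ordering after the bare number.
    Raises ValueError for strings that merely look version-like ('v1.2', '1.')."""
    parts = []
    for piece in text.strip().split("."):
        m = _PART.match(piece)
        if not m:
            raise ValueError(f"not a version string: {text!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


def is_vulnerable(version, vuln_range):
    """True iff `version` satisfies every constraint in `vuln_range`."""
    v = parse_version(version)
    for clause in vuln_range.split(","):
        m = _CONSTRAINT.match(clause.strip())
        if not m:
            raise ValueError(f"bad constraint: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def lookup(component, version, db=RELATION_DB):
    """Poll the relation database for N-day issues affecting component@version."""
    return [r.vuln_id for r in db
            if r.component == component and is_vulnerable(version, r.vuln_range)]


def patch_delay_days(patch_release, firmware_build):
    """Days between the upstream fix and a firmware build still shipping the old OSC."""
    return (firmware_build - patch_release).days


if __name__ == "__main__":
    # Constructed result of the version-identification stage for one firmware image.
    identified = {"libalpha": "1.1.1c", "libbeta": "2.4.49"}
    build_date = date(2022, 4, 19)
    for name, ver in identified.items():
        hits = lookup(name, ver)
        print(f"{name} {ver}: {hits or 'no known N-day issues'}")
        for rec in RELATION_DB:
            if rec.vuln_id in hits:
                print(f"  {rec.vuln_id}: fix lagged {patch_delay_days(rec.patch_release, build_date)} days")
```

Versions that fail `parse_version` are rejected rather than silently compared, which is the practical consequence of the "many version-like strings" problem the abstract mentions: a lookup should only be made on a string the identification stage has confirmed as the real OSC version.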
Keywords

IoT Firmware, Open-source component, Vulnerability detection, Version identification