隨著物聯網發展越來越成熟，相關的安全議題也逐漸受到重視，目前許多物聯網設備中會引入第三方函式庫來擴充功能。但如果函式庫中發生漏洞，經常會讓一系列的產品受到影響，當這些存在有弱點的設備暴露在網路上，很容易就成為駭客攻擊的目標，也導致研究人員在後續的修補和檢測將面臨一大挑戰。
研究人員在檢測設備時，主要會先從韌體開始。但韌體可能橫跨多種不同架構，會造成分析上的困難之外，檔案系統中複雜的結構也會增加分析上的成本，因此通常需要配合工具協助檢測。該如何有效的利用這些工具開始檢測，除了要對設備架構有一定的熟悉度之外，也仰賴研究人員的經驗。
本研究目的是開發一套自動化跨架構韌體漏洞檢測系統，將統整先前的研究方法，設計神經網路模型用來與漏洞程式碼進行相似度檢測，辨別出可能是危險的函式，同時也從韌體檔案系統中找尋敏感資訊，經過系統分析後會產生對應的結果報告，輔助研究人員能夠初步辨別目標設備可能存在的風險，降低需要耗費的時間成本。

As the prevalence of the Internet of Things and its flourishing advancement, many industries and organization has taken advantage of Internet of Thing in their daily operations, and the IoT security has become a significant issue. Nowadays, third-party libraries are usually imported to IoT device in order to expand their functionalities. However, once there are vulnerabilities in third-party libraries, many IoT devices will be influenced and more prone to cyber-attacks. Moreover, the widespread vulnerable third-party libraries will also be the adversities for researcher to detect and patch the system.
Firmware analysis is usually the primary method when examining IoT devices. However, the diversity of firmware architectures and humongous amounts of files in file system can procrastinate the progress of firmware analysis significantly. Therefore, conducting firmware analysis effectively requires researchers to possess certain sophisticated expertise and experiences.
To solve the abovementioned issues and mitigate workloads from researchers, this study developed an automated cross-platform firmware detection system. This study summarized previous methodology and design a neural network model to perform similarity check with vulnerable code segments. The proposed system can identify potential malicious function as well as discover sensitive information in file system. The analysis report can help researchers and investigators examine the IoT devices and discover embryonic security risks.

目錄
論文審定書 i
摘要 ii
Abstract iii
目錄 iv
圖次 vi
表次 vii
第一章 緒論 1
1.1 研究背景 1
1.2 研究動機 5
第二章 文獻探討 7
2.1 韌體 7
2.2 動態分析 8
2.3 靜態分析 10
2.3 相似度檢測 11
2.4 控制流程圖(Control Flow Graph,CFG) 13
2.5 韌體分析工具 14
2.5.1 拆解工具 14
2.5.2 檢測工具 15
2.5.3 二進制檔分析工具 15
2.6 神經網路模型 17
2.6.1 深度神經網路(DNN) 18
2.6.2 孿生神經網路(Siamese Networks) 18
第三章 研究方法 20
3.1 韌體解壓縮模組 24
3.2 敏感資訊檢索模組 25
3.3 函式特徵提取模組 28
3.3.1. 屬性控制流程圖特徵 29
3.3.2.特徵預處理 32
3.4 檢測模組 34
3.4.1神經網路模型訓練 36
3.4.2 相似度計算 37
第四章 系統評估 38
4.1 實驗一 ACFG特徵提取方法比較 41
4.2 實驗二 相似度模型評估 44
4.3 實驗三 系統成效驗證 50
4.4 實驗四 韌體分析工具比較 52
第五章 研究貢獻與未來展望 55
參考文獻 56

[1] H. Tankovska, "Internet of Things (IoT) active device connections installed base worldwide from 2015 to 2025," Statista2020, Available: https://www.statista.com/statistics/1101442/iot-number-of-connected-devices-worldwide/.[Accessed on: May 12, 2021].
[2] 余至浩, "IoT雙周報第90期：2020年全球IoT惡意軟體攻擊以66％增長創新高，一年高達5,690萬次," 2021, Available: https://www.ithome.com.tw/news/143466. [Accessed on: May 12, 2021].
[3] D. Webimprints, "Zoomeye — Find open servers, Webcams, Porn sites vulnerabilities," 2018, Available: https://medium.com/@danielwebimprints/zoomeye-find-open-servers-webcams-porn-sites-vulnerabilities-c8096e05b45. [Accessed on: May 12, 2021].
[4] H. Al-Alami, A. Hadi, and H. Al-Bahadili, "Vulnerability scanning of IoT devices in Jordan using Shodan," in 2017 2nd International Conference on the Applications of Information Technology in Developing Renewable Energy Processes & Systems (IT-DREPS), 2017, pp. 1-6: IEEE.
[5] "FORTINET 發布《台灣最新資安威脅情報》：迎戰新型態網路攻擊 整合各種資安防禦工具才能突圍," vol. 2021 Available: https://m.fortinet.com.tw/site/integrating-various-information-security-defense-tools-to-breakthrough/#_news_note1. [Accessed on: May 12, 2021].
[6] R. N. Vaibhav Singhal, Zhibin Zhang,Asher Davila, "New Mirai Variant Targeting Network Security Devices," 2021, Available: https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/.[Accessed on: Jul. 15, 2021].
[7] OWASP, "OWASP IOT TOP 10," 2018.
[8] 陳曉莉, "資安業者Finite State：近1萬款華為設備韌體中，有55%含有潛在後門," 2019, Available: https://www.ithome.com.tw/news/131516. [Accessed on: Jul. 15, 2021].
[9] T. Yovtchev, "Remote code execution (RCE), explained: what it is and how to prevent it," 2021, Available: https://blog.sqreen.com/remote-code-execution-rce-explained/.[Accessed on: Jul. 22, 2021].
[10] P. LANTZ, "TP-Link WDR4300 - Remote Code Execution " 2020, Available: https://www.exploit-db.com/exploits/48994. [Accessed on: Aug. 2, 2021].
[11] "OS Command Injection in D-Link DAP-1860," 2020, Available: https://www.cybersecurity-help.cz/vdb/SB2020072426. [Accessed on: Aug. 2, 2021].
[12] OWASP, "OWASP Internet of Things Project," 2018, Available: https://wiki.owasp.org/index.php/OWASP_Internet_of_Things_Project. [Accessed on: Aug. 2, 2021].
[13] OWASP, "Firmware Analysis Project," 2019, Available: https://wiki.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=Firmware_Analysis. [Accessed on: Aug. 2, 2021].
[14] T. L. 趨勢科技全球技術支援與研發中心, "保護物聯網(IOT)應用程式安全," 2021, vol. 2021 Available: https://blog.trendmicro.com.tw/?p=66445. [Accessed on: May. 16, 2021].
[15] OWASP, "OWASP Firmware Security Testing Methodology," 2018, Available: https://scriptingxss.gitbook.io/firmware-security-testing-methodology/?fbclid=IwAR0HQHFmSe0_WZuaJU59hPDxQBHstZcNCCmisoK-WmstZMfs-v_M6WiG4hI. [Accessed on: May. 16, 2021].
[16] F. Bellard, "QEMU, a fast and portable dynamic translator," in USENIX Annual Technical Conference, FREENIX Track, 2005, vol. 41, p. 46.
[17] google, "Fireware Mod Kit ", Available: https://github.com/amitv87/firmware-mod-kit. [Accessed on: May. 16, 2021].
[18] ReFirmLabs, "Binwalk - Firmware Analysis Tool," 2010, Available: https://github.com/ReFirmLabs/binwalk. [Accessed on: May. 16, 2021].
[19] H. Rays, "About IDA," Available: https://www.hex-rays.com/products/ida/.[Accessed on: May. 16, 2021].
[20] S. Alvarez, "Radare2 - Libre and Portable Reverse Engineering Framework," 2006, Available: https://rada.re/n/.[Accessed on: May. 16, 2021].
[21] Zyxel, "Zyxel security advisory for hardcoded credential vulnerability," 2021, Available: https://www.zyxel.com/tw/zh/support/hardcoded-FTP-credential-vulnerability-of-access-points.shtml. [Accessed on: Oct. 7, 2021].
[22] Y. Shoshitaishvili, R. Wang, C. Hauser, C. Kruegel, and G. Vigna, "Firmalice-automatic detection of authentication bypass vulnerabilities in binary firmware," in NDSS, 2015.
[23] S. Quanjiang, S. Yan, Y. Xiaohu, L. Tinghui, H. Daojing, and Y. Guisong, "Large Scale Firmware Analysis For Open Source Components, Hard Coding and Weak Passwords," in 2021 IEEE International Conference on Consumer Electronics and Computer Engineering (ICCECE), 2021, pp. 232-236: IEEE.
[24] A. Own, "OpenSSL Heartbleed 全球駭客的殺戮祭典，你參與了嗎？," DEVCORE2014, Available: https://devco.re/blog/2014/04/11/openssl-heartbleed-how-to-hack-how-to-protect/.[Accessed on: Dec. 2, 2020].
[25] Ranjith, "Firmware Analysis Toolkit : To Emulate Firmware And Analyse It For Security Vulnerabilities," 2019, Available: https://kalilinuxtutorials.com/firmware-analysis-toolkit/.
[26] Z. Gui, H. Shu, F. Kang, and X. J. I. A. Xiong, "FIRMCORN: Vulnerability-Oriented Fuzzing of IoT Firmware via Optimized Virtual Execution," vol. 8, pp. 29826-29841, 2020.
[27] D. D. Chen, M. Woo, D. Brumley, and M. Egele, "Towards Automated Dynamic Analysis for Linux-based Embedded Firmware," in NDSS, 2016, vol. 16, pp. 1-16.
[28] D. Zhao et al., "CVSkSA: cross-architecture vulnerability search in firmware based on kNN-SVM and attributed control flow graph," vol. 27, no. 3, pp. 1045-1068, 2019.
[29] Y. Wang, J. Shen, J. Lin, and R. J. I. A. Lou, "Staged method of code similarity analysis for firmware vulnerability detection," vol. 7, pp. 14171-14185, 2019.
[30] H. Lin et al., "Cvssa: cross-architecture vulnerability search in firmware based on support vector machine and attributed control flow graph," in 2017 International Conference on Dependable Systems and Their Applications (DSA), 2017, pp. 35-41: IEEE.
[31] 王雅慧, "淺談 Embedded System 與 MCU," omni。sci2018, Available: https://www.eebreakdown.com/2018/11/embedded-system-mcu.html. [Accessed on: Dec. 2, 2020].
[32] I. C. Martínez, "The key to everything: Firmware on IoT devices," PUFFIN SECURITY, Available: https://www.puffinsecurity.com/the-key-to-everything-firmware-on-iot-devices/.[Accessed on: Dec. 2, 2020].
[33] J. Chen et al., "IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing," in NDSS, 2018.
[34] M. Kim, D. Kim, E. Kim, S. Kim, Y. Jang, and Y. Kim, "Firmae: Towards large-scale emulation of iot firmware for dynamic analysis," in Annual Computer Security Applications Conference, 2020, pp. 733-745.
[35] A. Costin, J. Zaddach, A. Francillon, and D. Balzarotti, "A large-scale analysis of the security of embedded firmwares," in 23rd {USENIX} Security Symposium ({USENIX} Security 14), 2014, pp. 95-110.
[36] C.-W. Tien, T.-T. Tsai, Y. Chen, and S.-Y. Kuo, "UFO-Hidden Backdoor Discovery and Security Verification in IoT Device Firmware," in 2018 IEEE International Symposium on Software Reliability Engineering Workshops (ISSREW), 2018, pp. 18-23: IEEE.
[37] 王思琪, 缪思薇, 张小玲, 石志强, and 卢新岱, "基于 DS 证据理论的嵌入式固件 Web 代码静态漏洞检测技术," 2019.
[38] jeffsvajlenko, "BigCloneEval - A Clone Detection Tool Evaluation Framework for BigCloneBench " 2015, Available: https://github.com/jeffsvajlenko/BigCloneEval. [Accessed on: Dec. 2, 2020].
[39] W. Tang, D. Chen, and P. Luo, "Bcfinder: A lightweight and platform-independent tool to find third-party components in binaries," in 2018 25th Asia-Pacific Software Engineering Conference (APSEC), 2018, pp. 288-297: IEEE.
[40] J. Pewny, F. Schuster, L. Bernhard, T. Holz, and C. Rossow, "Leveraging semantic signatures for bug search in binary programs," in Proceedings of the 30th Annual Computer Security Applications Conference, 2014, pp. 406-415.
[41] T. Dullien and R. J. S. Rolles, "Graph-based comparison of executable objects (english version)," vol. 5, no. 1, p. 3, 2005.
[42] M. Bourquin, A. King, and E. Robbins, "Binslayer: accurate comparison of binary executables," in Proceedings of the 2nd ACM SIGPLAN Program Protection and Reverse Engineering Workshop, 2013, pp. 1-10.
[43] S. Eschweiler, K. Yakdan, and E. Gerhards-Padilla, "discovRE: Efficient Cross-Architecture Identification of Bugs in Binary Code," in NDSS, 2016, vol. 52, pp. 58-79.
[44] T. Zhang, H. Wang, H. Ying, and J. Li, "Similarity Based Binary Backdoor Detection via Attributed Control Flow Graph," in 2020 IEEE 4th Information Technology, Networking, Electronic and Automation Control Conference (ITNEC), 2020, vol. 1, pp. 453-457: IEEE.
[45] Craig, "Differentiate Encryption From Compression Using Math," 2013, vol. 2021 Available: http://www.devttys0.com/2013/06/differentiate-encryption-from-compression-using-math/.[Accessed on: Feb. 7, 2021].
[46] craigz28, "A simple bash script for searching the extracted or mounted firmware file system.," Available: https://github.com/craigz28/firmwalker.
[47] "Attify IoT Security and Penetration Testing Training," Attify, Inc, Available: https://www.attify.com/attifyos.
[48] Y. Shoshitaishvili et al., "Sok:(state of) the art of war: Offensive techniques in binary analysis," in 2016 IEEE Symposium on Security and Privacy (SP), 2016, pp. 138-157: IEEE.
[49] X. Xu, C. Liu, Q. Feng, H. Yin, L. Song, and D. Song, "Neural network-based graph embedding for cross-platform binary code similarity detection," in Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, 2017, pp. 363-376.
[50] B. Liu et al., "αdiff: cross-version binary code similarity detection with dnn," in Proceedings of the 33rd ACM/IEEE International Conference on Automated Software Engineering, 2018, pp. 667-678.
[51] I. U. Haq and J. J. a. p. a. Caballero, "A survey of binary code similarity," 2019.
[52] 林妍溱, "51萬臺物聯網裝置的Telnet帳密被公布，史上最多," 2020, Available: https://www.ithome.com.tw/news/135436. [Accessed on: May. 16, 2021]
[53] L. F. Ribeiro, P. H. Saverese, and D. R. Figueiredo, "struc2vec: Learning node representations from structural identity," in Proceedings of the 23rd ACM SIGKDD international conference on knowledge discovery and data mining, 2017, pp. 385-394.
[54] "IDAPython - Hex Rays," Available: https://hex-rays.com/products/ida/support/idapython_docs/.[Accessed on: Dec. 2, 2020].
[55] hex-rays, "IDA Help: Command line switches," Available: https://hex-rays.com/products/ida/support/idadoc/417.shtml. [Accessed on: Dec. 2, 2020].
[56] secjey, "Static firmware analysis," Available: https://github.com/secjey/static-firmware-analysis. [Accessed on: Jun. 6, 2021].
[57] bmaia, "binwally," Available: https://github.com/bmaia/binwally. [Accessed on: Jun. 6, 2021].