Master's/Doctoral Thesis etd-0920121-204357 Details
Title page for etd-0920121-204357
Automatic Firmware Vulnerability Detection Based on Machine Learning
Keywords: Third-party Library, Firmware, Automation, Cross Architecture, Similarity Detection
The thesis/dissertation has been browsed 281 times, has been downloaded 0 times.
With the spread of the Internet of Things (IoT) and its rapid advancement, many industries and organizations have adopted IoT devices in their daily operations, and IoT security has become a significant issue. Nowadays, third-party libraries are commonly included in IoT devices to extend their functionality. However, once a third-party library contains a vulnerability, many IoT devices are affected and become more exposed to cyber-attacks. Moreover, the wide distribution of vulnerable third-party libraries also makes it harder for researchers to detect and patch the affected systems.
Firmware analysis is usually the primary method for examining IoT devices. However, the diversity of firmware architectures and the enormous number of files in a firmware file system can slow firmware analysis significantly. Conducting firmware analysis effectively therefore requires researchers to have considerable expertise and experience.
To address these issues and reduce the workload of researchers, this study developed an automated cross-platform firmware detection system. The study summarizes previous methodology and designs a neural network model that performs similarity checks against vulnerable code segments. The proposed system can identify potentially malicious functions and discover sensitive information in the file system. The resulting analysis report helps researchers and investigators examine IoT devices and discover latent security risks.
Table of Contents
Thesis Approval Form i
Abstract (Chinese) ii
Abstract iii
Table of Contents iv
List of Figures vi
List of Tables vii
Chapter 1 Introduction 1
1.1 Research Background 1
1.2 Research Motivation 5
Chapter 2 Literature Review 7
2.1 Firmware 7
2.2 Dynamic Analysis 8
2.3 Static Analysis 10
2.3 Similarity Detection 11
2.4 Control Flow Graph (CFG) 13
2.5 Firmware Analysis Tools 14
2.5.1 Extraction Tools 14
2.5.2 Detection Tools 15
2.5.3 Binary Analysis Tools 15
2.6 Neural Network Models 17
2.6.1 Deep Neural Networks (DNN) 18
2.6.2 Siamese Networks 18
Chapter 3 Research Method 20
3.1 Firmware Extraction Module 24
3.2 Sensitive Information Retrieval Module 25
3.3 Function Feature Extraction Module 28
3.3.1 Attributed Control Flow Graph Features 29
3.3.2 Feature Preprocessing 32
3.4 Detection Module 34
3.4.1 Neural Network Model Training 36
3.4.2 Similarity Computation 37
Chapter 4 System Evaluation 38
4.1 Experiment 1: Comparison of ACFG Feature Extraction Methods 41
4.2 Experiment 2: Similarity Model Evaluation 44
4.3 Experiment 3: System Effectiveness Verification 50
4.4 Experiment 4: Comparison of Firmware Analysis Tools 52
Chapter 5 Contributions and Future Work 55
References 56

Fulltext
Thesis access permission: user-defined release date
Available:
Campus: available 2026-10-20
Off-campus: available 2026-10-20

The current date is 2024-04-16
This thesis will be available to you on 2026-10-20.

Printed copies
Available 2026-10-20
