Abstract
In vulnerability assessments, software component-based CVE attribution is a common method to identify possibly vulnerable systems at scale. However, such version-centric approaches yield high false-positive rates for binary distributed Linux kernels in firmware images. Not filtering included vulnerable components is a reason for unreliable matching, as heterogeneous hardware properties, modularity, and numerous development streams result in a plethora of vendor-customized builds. To make a step towards increased result reliability while retaining scalability of the analysis method, we enrich version-based CVE matching with kernel-specific build data from binary images using automated static firmware analysis. In a case study with 127 router firmware images, we show that in comparison to naive version matching, our approach identifies 68% of all version CVE matches as false-positives and reliably removes them from the result set. For 12% of all matches it provides additional evidence of issue applicability.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
- 2.
- 3.
- 4.
- 5.
- 6.
References
Benthin Sanguino, L.A., Uetz, R.: Software Vulnerability Analysis Using CPE and CVE. ArXiv (2017). https://doi.org/10.48550/arXiv.1705.05347
Costin, A., Zaddach, J., Francillon, A., Balzarotti, D.: A Large-Scale Analysis of the Security of Embedded Firmwares. In: 23rd USENIX Conference on Security Symposium (SEC ’14). USENIX Association, San Diego, USA (2014)
David, Y., Partush, N., Yahav, E.: FirmUp: precise Static Detection of Common Vulnerabilities in Firmware. In: 23rd International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS ’18). ACM, Williamsburg, USA (2018)
Fraunhofer FKIE: FACT - Firmware Analysis and Comparison Tool. https://github.com/fkie-cad/FACT_core
Haq, I.U., Caballero, J.: A Survey of Binary Code Similarity. ACM Comput. Surv. 54(3), 01–38 (2021)
Kim, M., Kim, D., Kim, E., Kim, S., Jang, Y., Kim, Y.: FirmAE: towards Large-Scale Emulation of IoT Firmware for Dynamic Analysis. In: 2020 Annual Computer Security Applications Conference (ACSAC ’20). ACM, Austin, USA (2020)
Manès, V.J., et al.: The Art, Science, and Engineering of Fuzzing: a Survey. IEEE Trans. Softw. Eng. 47(11), 2312–2331 (2021)
Neshenko, N., Bou-Harb, E., Crichigno, J., Kaddoum, G., Ghani, N.: Demystifying IoT Security: an exhaustive survey on iot vulnerabilities and a first empirical look on internet-scale IoT exploitations. IEEE Commun. Surv. Tutorials 21(3) (2019)
ONEKEY GmbH: ONEKEY Automated Firmware Analysis Platform. Accessed 5 Sep 2022. https://onekey.com/
Qasem, A., Shirani, P., Debbabi, M., Wang, L., Lebel, B., Agba, B.L.: Automatic Vulnerability Detection in Embedded Devices and Firmware: survey and layered taxonomies. ACM Comput. Surv. 54(2), 1–42 (2021)
Tan, X., et al.: Locating the Security Patches for Disclosed OSS Vulnerabilities with Vulnerability-Commit Correlation Ranking. In: 2021 ACM SIGSAC Conference on Computer and Communications Security (CCS ’21). ACM, Virtual, Republic of Korea (2021)
Weidenbach, P., Vom Dorp, J.: Home Router Security Report 2020. Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE), Tech. Rep. (2020). https://www.fkie.fraunhofer.de/en/press-releases/Home-Router.html
Wright, C., Moeglein, W.A., Bagchi, S., Kulkarni, M., Clements, A.A.: Challenges in Firmware Re-Hosting, Emulation, and Analysis. ACM Comput. Surv. 54(1), 1–36 (2021)
Zhao, B., et al.: A Large-Scale Empirical Analysis of the Vulnerabilities Introduced by Third-Party Components in IoT Firmware. In: 31st ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA ’22). ACM, South Korea (2022)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Helmke, R., vom Dorp, J. (2023). Extended Abstract: Towards Reliable and Scalable Linux Kernel CVE Attribution in Automated Static Firmware Analyses. In: Gruss, D., Maggi, F., Fischer, M., Carminati, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2023. Lecture Notes in Computer Science, vol 13959. Springer, Cham. https://doi.org/10.1007/978-3-031-35504-2_10
Download citation
DOI: https://doi.org/10.1007/978-3-031-35504-2_10
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-35503-5
Online ISBN: 978-3-031-35504-2
eBook Packages: Computer ScienceComputer Science (R0)