Tools and methods for detecting vulnerabilities in embedded devices

用于检测嵌入式设备中的漏洞的工具和方法

• 批准号: 535902-2018
• 负责人: Lie, David
• 金额: $ 5.19万
• 依托单位: University of Toronto
• 依托单位国家: 加拿大
• 项目类别: Collaborative Research and Development Grants
• 财政年份: 2021
• 资助国家: 加拿大
• 起止时间: 2021-01-01 至 2022-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=720086
• 关键词: Tools; methods; detecting; vulnerabilities; embedded

As the age of the ``Internet-of-things'' (IoT) dawns, we face a growing legion of embedded, intelligent and Internet capable devices. From smartphones, to smart-TVs, thermostats, smoke detectors, video cameras, electricity meters and self-driving cars, we are ever surrounded with more and more connected devices. This massive growth creates a dangerous situation where the rate and numbers at which new IoT devices are being introduced makes it impossible to perform security analysis on all of them. Analysis of embedded devices is challenging because of the opaqueness of the devices, which make it impossible to use efficient grey-box analysis techniques, or identify the boundary between valid and invalid inputs, where many vulnerabilities tend to lie. In this project, we plan to research and develop tools and methods that address the challenges set forth by embedded devices. First, to enable the application of grey-box analysis techniques, we will research hardware emulation methods that are able to evade the dependencies the firmware on these devices have on proprietary hardware. Second, to overcome the challenge of identifying the boundary between valid and invalid inputs, we propose techniques that can automatically construct network protocol-specific test-generation tools from open-source software implementations of those protocols.

随着“物联网”（IoT）时代的到来，我们面临着越来越多的嵌入式、智能和互联网设备。 从智能手机到智能电视、恒温器、烟雾探测器、摄像机、电表和自动驾驶汽车，我们被越来越多的互联设备所包围。 这种大规模的增长造成了一种危险的局面，即新物联网设备的引入速度和数量使得不可能对所有设备进行安全分析。 嵌入式设备的分析是具有挑战性的，因为设备的不透明性，这使得它不可能使用有效的灰盒分析技术，或识别有效和无效输入之间的边界，其中许多漏洞往往在于。 在这个项目中，我们计划研究和开发工具和方法，以解决嵌入式设备提出的挑战。 首先，为了实现灰盒分析技术的应用，我们将研究硬件仿真方法，这些方法能够避免这些设备上的固件对专有硬件的依赖性。 其次，为了克服识别有效和无效输入之间的边界的挑战，我们提出了可以从这些协议的开源软件实现自动构建网络协议特定的测试生成工具的技术。