Dynamic taint analysis method and system for firmware full-system simulation

By introducing a taint tracking mechanism and TCG instruction instrumentation technology into the full system firmware simulation, the problem of insufficient taint information tracking in existing tools during simulation is solved, enabling efficient and accurate firmware analysis and improving simulation success rate and security.

CN117556388BActive Publication Date: 2026-07-14NAT UNIV OF DEFENSE TECH

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
NAT UNIV OF DEFENSE TECH
Filing Date
2023-11-03
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Existing dynamic taint analysis tools struggle to track taint information accurately and in real time during full-system firmware simulation, resulting in low simulation success rates and insufficient security analysis capabilities.

Method used

By introducing a taint tracking mechanism into the firmware full system simulation, shadow memory and shadow registers are established, taint propagation rules are configured, TCG instructions are instrumented, and taint detection modules are set at designated nodes to detect taint information in real time and generate a taint propagation trajectory map.

Benefits of technology

It enables real-time and accurate taint information tracking for full system firmware simulation, improving simulation success rate and security analysis capabilities. It is applicable to QEMU 6.2 and above and supports dynamic taint analysis at the system-wide level.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN117556388B_ABST
    Figure CN117556388B_ABST
Patent Text Reader

Abstract

The application discloses a dynamic taint analysis method and system for firmware full-system simulation, and the method comprises the following steps: S1, after starting the taint tracking function, when receiving the data to be analyzed, the physical memory address of the current data in the virtual machine is found, and the specified part is marked as taint in the shadow memory; S2, during the execution cycle of the taint marked data to be analyzed, the TCG instruction of the client instruction disassembled is instrumented, and the preset taint propagation instruction is inserted before each instruction to manipulate the propagation of taint information, so that the TCG instruction after being instrumented realizes the flow of taint information during the interpretation execution process; S3, the taint detection module detects the taint information in real time, and when it is detected that the register or shadow memory storing the key information is marked as taint, the taint propagation is ended and the pollution state information is output. The application can track taint information in real time and accurately during firmware full-system simulation.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of security detection and analysis technology for Internet of Things (IoT) devices, and in particular to a dynamic taint analysis method and system for firmware full-system simulation. Background Technology

[0002] Internet of Things (IoT) devices are various physical devices connected to the Internet through network connectivity and communication technologies. Given the sheer number of IoT devices and their vulnerability to cyberattacks, tools such as Firmmadyne and FirmAE have been developed for full-system firmware simulation. Compared to hardware simulation, full-system firmware simulation for IoT devices offers greater controllability, repeatability, scalability, efficiency, and cost-effectiveness in analysis.

[0003] For analyzing firmware under full system simulation, various analysis methods exist in existing technologies. Among them, dynamic taint analysis technology is widely used due to its ability to quickly gain in-depth understanding of the system, locate security vulnerabilities, and improve analysis efficiency. For example, DECAF and PANDA are dynamic taint analysis tools under full system firmware simulation. DECAF extends taint tracing and analysis capabilities on QEMU, allowing analysis of tainted data streams in user space and kernel space. It also provides rich plugins for various binary analysis tasks, such as instruction tracing, keylogger detection, and API tracing. However, DECAF's implementation is based on QEMU version 1.0, which has insufficient simulation capabilities, making it unable to analyze most firmware. PANDA is another system-level dynamic taint analysis framework based on QEMU, providing recording and playback mechanisms and supporting a wide range of architectures and operating systems. However, it struggles to trace control flow and data flow during full system firmware simulation, and the addition of TCG instructions cannot trace taint information. Summary of the Invention

[0004] The technical problem to be solved by this invention is: In view of the technical problems existing in the prior art, this invention provides a dynamic taint analysis method and system for firmware full system simulation, which can track taint information in real time and accurately during firmware full system simulation, thereby improving the success rate of firmware full system simulation and firmware security analysis capabilities.

[0005] To solve the above-mentioned technical problems, the technical solution proposed by this invention is as follows:

[0006] A dynamic taint analysis method for firmware-wide system simulation includes the following steps:

[0007] Step S1: Taint Marking: Create shadow memory based on the memory used during firmware emulation and configure shadow registers for registers in the virtual CPU; after starting the taint tracking function, when data to be analyzed is received, filter the current data to be analyzed according to the taint marking requirements, find the physical storage address of the filtered data on the client machine, and mark the taint at the corresponding location in the shadow memory.

[0008] Step S2: Taint Propagation: During the execution loop, the TCG instructions disassembled from the client instructions are instrumented on the data to be analyzed after being marked with taints. Preset taint propagation instructions are inserted before each instruction to manipulate the propagation of taint information, so that the instrumented TCG instructions can realize the flow of taint information during the interpretation and execution process.

[0009] Step S3: Turbidity Detection: A taint detection module is set up in advance at a designated node. The taint detection module detects taint information in real time. When a register or shadow memory storing key information is detected as a taint, the taint tracking function is turned off, the taint propagation is ended, and the contamination status information is output.

[0010] Furthermore, step S1 also includes establishing a shadow memory of the same size as the memory used during firmware emulation. The shadow memory is indexed using a two-level page table, with each bit corresponding one-to-one with the client's memory. The input data to be analyzed is filtered according to the input marking requirements. After filtering out the data to be analyzed, the physical storage address of the data in the client is located. A taint label is then applied to the corresponding position in the shadow memory according to the marking requirements. In step S3, when it is determined that the shadow memory corresponding to the target address in the client has a value of 0, it is determined that the data at the target address has not been contaminated; otherwise, it is determined that it has been contaminated.

[0011] Furthermore, step S2 includes:

[0012] TCG commands are divided into multiple categories according to their functions, and taint propagation rules are configured for each type of TCG command.

[0013] After the client code is disassembled into a doubly linked list of TCG instructions, the doubly linked list of TCG instructions is passed as a parameter to the taint propagation module.

[0014] A new doubly linked list is created by the processing function in the taint propagation module. The original instruction chain is backed up to the new linked list, the original instruction chain is cleared, and a pointer op_ptr is created to point to the first instruction of the new instruction chain.

[0015] According to the taint propagation rules, the TCG instruction generation function is used to generate the taint propagation instruction pointed to by op_str, and the newly generated taint propagation instruction is added to the original instruction chain.

[0016] Remove the instruction pointed to by pointer op_str from the new instruction chain and add it after the taint propagation instruction in the original instruction chain;

[0017] The pointer op_ptr points to the next instruction. If the next instruction is empty, the translator translates the newly generated TCG instruction chain to generate binary instructions for the host machine, which are executed by the host machine's CPU. During execution, taint information is propagated; otherwise, it returns to execute the next instruction.

[0018] Furthermore, the TCG instruction classification includes instructions for functional operations, instructions for performing arithmetic operations, instructions for data interaction with the CPU, and instructions for data interaction with memory. For instructions for functional operations, no corresponding taint propagation rules are set. For instructions for performing arithmetic operations, the taint propagation rules are configured as follows: bit-granular taint propagation rules are configured using Boolean logic. For instructions for data interaction with the CPU, if the target instruction transfers data from a specified register to the destination space, a preset instruction is inserted before the target instruction to transfer the data from the specified register to a shadow variable in the destination space, thus completing the process. The taint propagation rules for the specified registers on the TCG layer are configured as follows: a detection transfer function is inserted before the instruction to detect and propagate taints. The virtual address of the client and the function parameters are passed to the detection transfer function as parameters. The detection transfer function converts the virtual address addr into the physical address phy_addr, locates the address in the shadow memory, reads and records the taint information according to the function parameters, stores the read taint information in a temporary register in the CPU structure, and passes the taint information in the temporary register to the shadow variable of the TCG IR variable in the current instruction to complete the taint information transfer between the shadow memory and the TCG layer.

[0019] Furthermore, step S3 also includes:

[0020] Obtain kernel information and symbol information from firmware files, and pass them to the real-time detection module;

[0021] When the client system starts running, the real-time detection module monitors the process and module information of each translation block before each translation block is generated. It obtains the offset of the task_struct structure in the kernel process and compares it with the offset stored in the semantic table to confirm the kernel version. Then, it obtains the content of the task_struct structure of the kernel process based on the offset of the task_struct structure and uses the semantic table to match the process and module information in it to form a high-level semantic information mapping table. The high-level semantic information mapping table contains the mapping relationship between each translation block and process and module information.

[0022] After the pollution propagation ends, an instruction stream log and a pollution log are generated based on the information monitored by the real-time detection module.

[0023] Furthermore, after step S3, the method further includes step S4, which involves analyzing the stains to generate a pollution propagation trajectory map. Step S4 includes:

[0024] The taint propagation log is parsed to form an information block, which includes information about the code block, process information, module information, a first set of physical addresses of the tainted data read from memory by the code block, and a second set of physical addresses of the tainted data output from memory by the code block.

[0025] The information block is backtracked to generate a pollution propagation trajectory map. During each backtracking, an address equal to the first set is searched in the second set of the current information block. If the search is successful, the information block is set as a node, and the previous node points to this node as a directed edge. Otherwise, the next search is performed until all addresses are searched. All nodes and directed edges are collected to generate the taint propagation trajectory map.

[0026] Furthermore, the step S4 of generating a pollution propagation trajectory map by tracing back the information block includes:

[0027] Step S4.1. Let the set of information blocks be msg_block = {block0, block1, ..., block...} n}, msg_block[k] = block k The first set of physical addresses of the data with pollution markers read from memory by the code block in the information block is load_addrs = {load_addr0, load_addr1, ..., load_addr...} m}, load_addrs[i] = load_addr i The second set of physical addresses of the data with pollution marks output to memory by the code block is store_addrs = {store_addr0, store_addr1, ..., store_addr...} K}, store_addrs[j]=store_addr j , where n represents the number of information blocks, m is the number of addresses in the first set, and K is the number of addresses in the second set;

[0028] Step S4.2. Initialize variable k = n, and set the kth information block as the initial node;

[0029] Step S4.3. Initialize variable i = 0;

[0030] Step S4.4. Select the k-th information block and the i-th address in the first set, i.e., msg_block[k]::load_addrs[i];

[0031] Step S4.5.k = k-1, search for an address in the second set store_addrs of the kth information block msg_block[k] that is equal to the address in the currently selected first set. If the search is successful, set the current information block as a node, and the previous node points to this node as a directed edge, and go to step S4.4. If it is unsuccessful, go to step S4.6.

[0032] Step S4.6. Determine if k is 0. If it is 0, i = i + 1. If i > m, proceed to step S4.7. Otherwise, proceed to step S4.4. If it is not 0, proceed to step S4.5.

[0033] Step S4.7. Collect all nodes and directed edges to generate a taint propagation trajectory graph, in which the process, module, and function information of all nodes are marked.

[0034] A dynamic taint analysis system for firmware full-system simulation includes:

[0035] The taint marking module is used to establish shadow memory based on the memory used during firmware emulation and to configure shadow registers for registers in the virtual CPU. After the taint tracing function is started, when data to be analyzed is received, the current data to be analyzed is filtered according to the taint marking requirements, the filtered data is located at the physical storage address of the client machine, and taint marking is performed at the corresponding location in the shadow memory.

[0036] The taint propagation module is used to instrument the TCG instructions disassembled from the client instructions during the execution loop of the data to be analyzed after being marked with taints. It inserts preset taint propagation instructions before each instruction to manipulate the propagation of taint information, so that the instrumented TCG instructions can realize the flow of taint information during the interpretation and execution process.

[0037] The taint detection module is used to pre-set taint detection modules at designated nodes. The taint detection module detects taint information in real time. When a register or shadow memory storing key information is marked as a taint, the taint tracking function is turned off, the taint propagation is terminated, and the contamination status information is output.

[0038] Furthermore, it also includes a virtual machine introspection module, which includes an information extraction module and a real-time detection module. The information extraction module obtains kernel information and symbol information from firmware files and passes them to the real-time detection module. The real-time detection module obtains the offset of the task_struct structure in the kernel process and compares it with the offset stored in the semantic table to confirm the kernel version. Based on the offset of the task_struct structure, it obtains the content of the task_struct structure of the kernel process and uses the semantic table to match the process and module information therein.

[0039] A computer system includes a processor and a memory, the memory being used to store a computer program, and the processor being used to execute the computer program to perform the method described above.

[0040] Compared with the prior art, the advantages of the present invention are as follows:

[0041] 1. This invention introduces taint tracing. First, it locates the physical memory address of the current data in the virtual machine, marks a specified portion as a taint in the shadow memory, and then inserts a taint propagation instruction before the TCG instruction during the execution loop. This allows the instrumented TCG instruction to realize the flow of taint information during interpretation and execution, thereby enabling taint tracing of variables, memory, and registers in the TCG instruction. This achieves real-time and accurate tracing of control flow, data flow, and taint information during full-system firmware simulation. It is applicable to various versions of QEMU 6.2 and above to achieve dynamic taint analysis at the system-wide bit level, effectively improving the success rate of full-system firmware simulation and enhancing firmware security analysis capabilities.

[0042] 2. This invention uses a dynamic instrumentation mechanism based on TCG instructions to instantiate taint rules into TCG instructions. During the execution of QEMU, the original TCG instruction chain is dynamically instrumented, inserting taint propagation instructions before each original instruction. This results in a TCG instruction chain with taint propagation function that does not affect the original execution process, thus completing taint propagation and ensuring the real-time and accurate transmission of taint information in the system.

[0043] 3. The present invention further divides TCG instructions according to their functions and configures the taint propagation rules according to the functions of each instruction as described above, thereby enabling bit-granular taint propagation and solving the problem of how the taint propagation rules set at the TCG level can control the correct transfer of tainted data between shadow memory and virtual CPU.

[0044] 4. Furthermore, by employing a virtual machine introspection method, this invention enables real-time monitoring of advanced semantic information such as the processes, modules, and executed functions of the current client machine. Attached Figure Description

[0045] Figure 1 This is a schematic diagram illustrating the implementation process of the dynamic taint analysis method for firmware full-system simulation in this embodiment.

[0046] Figure 2 This is a schematic diagram of the principle of the full-system simulation dynamic taint analysis framework FDTAF constructed in this embodiment.

[0047] Figure 3 This is a schematic diagram of the process of performing dynamic taint analysis of the entire system simulation according to FDTAF in this embodiment.

[0048] Figure 4 This is a schematic diagram of the virtual machine introspection module in the embodiment.

[0049] Figure 5 This is a schematic diagram of the result of the stain propagation trajectory obtained in a specific application embodiment of the present invention. Detailed Implementation

[0050] The present invention will be further described below with reference to the accompanying drawings and specific preferred embodiments, but this does not limit the scope of protection of the present invention.

[0051] like Figure 1 As shown, the steps of the dynamic taint analysis method for firmware full-system simulation in this embodiment include:

[0052] Step S1: Taint Marking: Create shadow memory based on the memory used during firmware emulation and configure shadow registers for registers in the virtual CPU; after starting the taint tracking function, when data to be analyzed is received, filter the current data to be analyzed according to the taint marking requirements, find the physical storage address of the filtered data on the client machine, and mark the taint at the corresponding location in the shadow memory.

[0053] Step S2: Taint Propagation: During the execution loop, the TCG instructions disassembled from the client instructions are instrumented on the data to be analyzed after being marked with taints. Preset taint propagation instructions are inserted before each instruction to manipulate the propagation of taint information, so that the instrumented TCG instructions can realize the flow of taint information during the interpretation and execution process.

[0054] Step S3: Taint Detection: A taint detection module is set up in advance at a designated node. The taint detection module detects taint information in real time. When a register or shadow memory containing critical information is detected and marked as a taint, the taint tracking function is turned off, the taint propagation is ended, and the taint status information is output.

[0055] This embodiment introduces taint tracing. First, it locates the physical memory address of the current data in the virtual machine, marks a specified portion as taint in the shadow memory, and then inserts a taint propagation instruction before the TCG instruction during the execution loop. This allows the instrumented TCG instruction to transfer taint information during interpretation and execution, thereby enabling taint tracing of variables, memory, and registers in the TCG instruction. This achieves real-time and accurate tracking of control flow, data flow, and taint information during full-system firmware simulation. It is applicable to various versions of QEMU 6.2 and above to achieve dynamic taint analysis at the system-wide bit level, effectively improving the success rate of full-system firmware simulation and enhancing firmware security analysis capabilities.

[0056] To ensure the accuracy and completeness of taint marking, step S1 in this embodiment also includes establishing a shadow memory of the same size as the memory used during firmware emulation. The shadow memory is indexed using a two-level page table, with each bit corresponding one-to-one with the client's memory. The input data to be analyzed is filtered according to the input marking requirements. After filtering out the data to be analyzed, the physical storage address of the data in the client is located. A taint label is then applied to the corresponding position in the shadow memory according to the marking requirements. In step S3, if it is determined that the shadow memory corresponding to the target address in the client has a value of 0, it is determined that the data at the target address is not tainted; otherwise, it is determined that it has been tainted.

[0057] The specific steps of step S2 in this embodiment include:

[0058] TCG commands are divided into multiple categories according to their functions, and taint propagation rules are configured for each type of TCG command.

[0059] After the client code is disassembled into a doubly linked list of TCG instructions, the doubly linked list of TCG instructions is passed as a parameter to the taint propagation module.

[0060] A new doubly linked list is created by the processing function in the taint propagation module. The original instruction chain is backed up to the new linked list, the original instruction chain is cleared, and a pointer op_ptr is created to point to the first instruction of the new instruction chain.

[0061] According to the taint propagation rules, the TCG instruction generation function is used to generate the taint propagation instruction pointed to by op_str, and the newly generated taint propagation instruction is added to the original instruction chain.

[0062] Remove the instruction pointed to by pointer op_str from the new instruction chain and add it after the taint propagation instruction in the original instruction chain;

[0063] The pointer op_ptr points to the next instruction. If the next instruction is empty, the translator translates the newly generated TCG instruction chain to generate binary instructions for the host machine, which are executed by the host machine's CPU. During execution, taint information is propagated; otherwise, it returns to execute the next instruction.

[0064] QEMU supports various system architectures through its intermediate language TCG (Target Architecture Independent Code). This embodiment fully leverages the advantages of TCG, enabling a more general analysis framework through bit-granular contamination propagation rules.

[0065] In this embodiment, the TCG instructions are specifically categorized into functional operation instructions, arithmetic operation instructions, instructions for data interaction with the CPU, and instructions for data interaction with memory. For functional operation instructions, no corresponding taint propagation rules are set. For arithmetic operation instructions, taint propagation rules are configured as follows: bit-granular taint propagation rules are configured using Boolean logic. For instructions for data interaction with the CPU, if the target instruction transfers data from a specified register to the destination space, a preset instruction is inserted before the target instruction to transfer the data from the specified register to the destination space as a shadow variable. To complete the propagation of taint information in the specified register at the TCG layer, for instructions that interact with memory, the taint propagation rules are configured as follows: a detection transfer function is inserted before the instruction to detect and propagate taints. The virtual address of the guest and the function parameters are passed to the detection transfer function as parameters. The detection transfer function converts the virtual address addr into the physical address phy_addr, locates the address in the shadow memory, reads and records the taint information according to the function parameters, stores the read taint information in a temporary register in the CPU structure, and passes the taint information in the temporary register to the shadow variable of the TCG IR variable in the current instruction to complete the transfer of taint information between the shadow memory and the TCG layer.

[0066] This embodiment divides TCG instructions into four categories according to their functions. Based on the function of each instruction and configuring taint propagation rules as described above, it achieves bit-granular taint propagation, solving the problem of how taint propagation rules set at the TCG level control the correct transfer of tainted data between shadow memory and virtual CPU. Combined with a dynamic instrumentation mechanism based on TCG instructions, after taint rules are instantiated into TCG instructions, the original TCG instruction chain is dynamically instrumented during QEMU execution. That is, taint propagation instructions are inserted before each original instruction, ultimately forming a TCG instruction chain with taint propagation functionality without affecting the original execution process, thus completing taint propagation and ensuring the real-time and accurate transmission of taint information in the system.

[0067] This embodiment further utilizes firmware simulation for taint marking. Regarding taint accuracy, it configures bit-granular taint storage media, including shadow memory, shadow registers, and shadow variables. By employing bit-granular taint source marking, more accurate taint tracking is achieved. The size of the shadow memory can be configured to be the same as the size of the client's physical address. To save space, only a first-level page table is created during shadow memory initialization, with empty content. As taint information is written, second-level page tables and taint-marked pages are created sequentially. Furthermore, to quickly locate taint information, taint address pools `middle_pool` and `leaf_pool` are created for the first-level and second-level page tables, respectively. When new taint marking requirements arise, new second-level page table addresses are filled into `middle_pool`, and taint page addresses are filled into `leaf_pool`. When the address pools are full, they are cleared. When the value of the shadow memory corresponding to a client address is 0, it indicates that the data at that address is not tainted; otherwise, it is tainted. In addition, shadow registers were set for the registers in the virtual CPUs simulated by different system architectures. For example, the eip register of the virtual CPU under the i386 architecture was set with a shadow register shadow_eip of the same data length.

[0068] In this embodiment, step S3 further includes:

[0069] Obtain kernel information and symbol information from firmware files, and pass them to the real-time detection module;

[0070] When the client system starts running, the real-time detection module monitors the process and module information of each translation block before each translation block is generated. It obtains the offset of the task_struct structure in the kernel process and compares it with the offset stored in the semantic table to confirm the kernel version. Then, it obtains the content of the task_struct structure of the kernel process based on the offset of the task_struct structure and uses the semantic table to match the process and module information in it to form a high-level semantic information mapping table. The high-level semantic information mapping table contains the mapping relationship between each translation block and process and module information.

[0071] After the pollution spreads, instruction stream logs and pollution logs are generated based on the information monitored by the real-time detection module.

[0072] In this embodiment, step S3 is followed by step S4, which involves analyzing the stains to generate a pollution propagation trajectory map. Step S4 includes:

[0073] The taint propagation log is parsed to form information blocks. The information blocks include information about the code block, process information, module information, and a first set of physical addresses of the tainted data read from memory by the code block, and a second set of physical addresses of the tainted data output from memory by the code block.

[0074] The process involves backtracking information blocks to generate a contamination propagation trajectory graph. During each backtracking, an address in the second set of the current information block that is equal to the address in the first set is searched. If the search is successful, the information block is set as a node, and the previous node is pointed to this node as a directed edge. Otherwise, the next search is performed until all addresses are searched. All nodes and directed edges are collected to generate the taint propagation trajectory graph.

[0075] This embodiment specifically configures a virtual machine introspection module to acquire high-level semantic information (such as processes, modules, and functions) of the client machine in real time. Employing virtual machine introspection, it enables real-time monitoring of the current client machine's processes, modules, and executed functions. During taint propagation, the virtual machine introspection module records runtime semantic information in real time. After taint propagation ends, the virtual machine introspection module generates a final taint propagation log and passes it to the taint analysis module. Subsequently, the taint analysis module analyzes the taint propagation process based on the log information, ultimately deriving a taint propagation trajectory diagram for rapid analysis of security vulnerabilities.

[0076] In this embodiment, a taint analysis module is specifically set up to perform taint analysis using a backtracking approach. Specifically, the taint information operations within a code block are divided into input and output parts. The taint information in the output part originates entirely from the input taint data. Starting from the last executed code block, the address of the taint information in the input part of that code block is obtained, and then the search continues upwards to find the code block whose output part contains that address. Once found, the search continues upwards using the address of the new code block's input part as a reference, forming a recursive process. Each found code block is treated as a node, and nodes are connected by a single edge in the order of the recursion. After the recursion ends, a taint propagation trajectory graph is obtained.

[0077] To achieve the above-described method of the present invention, a construction is made as follows in a specific application embodiment: Figure 2The system-wide simulation dynamic taint analysis framework FDTAF, shown, is used for system-wide bit-granular dynamic taint analysis of the new version of QEMU, including analysis of real-world vulnerabilities and malicious code in the firmware. Specifically, it employs a bit-granular taint propagation module to track newly added TCG instruction taint information in QEMU and correctly transfer taint data between shadow memory and virtual CPU; a virtual machine introspection module to acquire and identify high-level semantic information during firmware runtime; a taint marking module using a bit-granular taint storage mechanism and taint source marking method to perform taint marking in the full system simulation state; a taint detection module to detect taints in security-sensitive operations during firmware runtime; and a taint analysis module to analyze large amounts of taint data and extract effective taint propagation trajectories using backtracking.

[0078] Based on the above framework, such as Figure 3 As shown, the framework is first used to perform a full system simulation of the firmware, and then the taint tracing function is enabled. Next, the taint marking requirement is provided, and test data is input to the client. After receiving the test data, the client's interface enters the taint marking module. The taint marking module finds the physical memory address of the data in the virtual machine and marks the specified portion as tainted in the shadow memory. Afterwards, the tainted data is added to the execution loop. During the execution loop, the client instructions are first disassembled into TCG instructions. The taint propagation module instrumentes the TCG instructions, inserting a pre-configured taint propagation instruction before each instruction. This taint propagation instruction manipulates the propagation of taint information. The instrumented TCG instructions are then translated into host machine binary instructions and interpreted and executed on the host machine, thus achieving precise and complete flow of taint information within the system. Simultaneously, a taint detection module is added to critical nodes such as function jumps. If a shadow register or shadow memory corresponding to a register or memory containing critical information such as a jump address is detected as tainted, the taint propagation ends.

[0079] In this embodiment, the detailed steps of generating a pollution propagation trajectory map by tracing back the information block in step S4 include:

[0080] Step S4.1. Let the set of information blocks be msg_block = {block0, block1, ..., block...} n}, msg_block[k] = block k The first set of physical addresses of the data with pollution markers read from memory by the code block in the information block is load_addrs = {load_addr0, load_addr1, ..., load_addr...} m}, load_addrs[i] = load_addri The second set of physical addresses of the data with pollution marks output to memory by the code block is store_addrs = {store_addr0, store_addr1, ..., store_addr...} K}, store_addrs[j]=store_addr j , where n represents the number of information blocks, m is the number of addresses in the first set, and K is the number of addresses in the second set;

[0081] Step S4.2. Initialize variable k = n, and set the kth information block as the initial node;

[0082] Step S4.3. Initialize variable i = 0;

[0083] Step S4.4. Select the k-th information block and the i-th address in the first set, i.e., msg_block[k]::load_addrs[i];

[0084] Step S4.5.k = k-1, search for an address in the second set store_addrs of the kth information block msg_block[k] that is equal to the address in the currently selected first set. If the search is successful, set the current information block as a node, and the previous node points to this node as a directed edge, and go to step S4.4. If it is unsuccessful, go to step S4.6.

[0085] Step S4.6. Determine if k is 0. If it is 0, i = i + 1. If i > m, proceed to step S4.7. Otherwise, proceed to step S4.4. If it is not 0, proceed to step S4.5.

[0086] Step S4.7. Collect all nodes and directed edges to generate a taint propagation trajectory graph, which marks the process, module, and function information of all nodes.

[0087] In a specific application embodiment, the detailed steps for designing and implementing a taint propagation module, generating taint propagation instructions, dynamically instrumenting the original TCG instructions, and generating a new TCG instruction chain that processes taint information without affecting the original execution process are as follows:

[0088] 1) First, design taint propagation rules, dividing TCG instructions into four categories based on their functions: instructions that perform functional operations, instructions that perform arithmetic operations, instructions that interact with the CPU, and instructions that interact with memory. Design taint propagation rules for each of these four categories:

[0089] For some functional operation instructions, such as goto_tb and set_label, no corresponding taint propagation rules are set;

[0090] For instructions that perform arithmetic operations, bit-granular taint propagation rules are designed using Boolean logic. Taking the AND instruction as an example, the opcode of the AND instruction is INDEX_op_and, which has three opcodes (variables). Assuming the opcodes are v0, v1, and v2, the format of the AND instruction is AND v0, v1, v2, and the operation is v0 = v1 and v2. Assuming the shadow variables of v0, v1, and v2 are t0, t1, and t2, respectively, storing the taint status of variables v0, v1, and v2, the expression for t0 is:

[0091]

[0092] This expression represents the taint propagation rule for the AND instruction.

[0093] For instructions that interact with the CPU, taking the instruction `ld tmp0,env,offset_r0` as an example, this instruction transfers the data in register r0 to tmp0. Let tmp0 have a shadow variable `shadow_tmp0`. Before this instruction, insert the instruction `ld shadow_tmp0,env,offset_taint_r0` to transfer the data from `taint_r0` to `shadow_tmp0`. This completes the propagation of pollution information from register r0 at the TCG layer.

[0094] For instructions that interact with memory, taking `qemu_ld` as an example, the form of the `qemu_ld` instruction is: `qemu_ldt0,addr,memopidx`, where `t0` is a TCG IR variable, `addr` is the virtual address of the guest machine, and `memopidx` is a function parameter. This instruction retrieves data from the virtual address `addr` and then saves it to the TCG variable `t0`. During the address retrieval process, `memopidx` selects the TLB index to use, as well as the length and endianness of the data. For the instruction `qemu_ldt0,addr,memopidx`, a helper function `taint_mmu_ld` is first inserted before the `qemu_ld` instruction to detect and pass taints. `addr` and `memopidx` are passed as parameters to the function. In `taint_mmu_ld`, the virtual address `addr` is first converted to the physical address `phy_addr`, then the address is located in the shadow memory, and finally, the taint information is read and recorded based on `memopidx`. The read taint information is stored in a temporary register in the CPU structure. After the helper function, an ld instruction ld temp_t0env,offset_taint_temps needs to be added to pass the taint information of the temporary register to the shadow variable temp_t0 of t0. This completes the transfer of taint information between the shadow memory and the TCG layer.

[0095] In a specific application embodiment, the detailed steps for configuring the taint propagation module for generating and instrumenting taint propagation instructions are as follows:

[0096] 1) The client code is disassembled into a doubly linked list of TCG instructions, and the doubly linked list of TCG instructions is passed as a parameter to the taint propagation module. The main processing function of the taint propagation module is gen_taintcheck_insn().

[0097] 2) In gen_taintcheck_insn(), a new doubly linked list is first created, and the original instruction chain is backed up to the new linked list;

[0098] 3) Clear the original instruction chain;

[0099] 4) In gen_taintcheck_insn(), create a pointer op_ptr that points to the first instruction of the new instruction chain;

[0100] 5) Based on the taint propagation rules, use QEMU's TCG instruction generation function to generate the taint propagation instruction pointed to by op_str. The newly generated taint propagation instruction will be automatically added to the original instruction chain.

[0101] 6) Remove the instruction pointed to by op_str from the new instruction chain and add it after the taint propagation instruction in the original instruction chain;

[0102] 7) The pointer op_ptr points to the next instruction. If the next instruction is null, go to step 8); otherwise, go to step 5.

[0103] 8) The translator translates the newly generated TCG instruction chain to generate binary instructions for the host machine, which are executed by the host machine's CPU. During the execution process, taint information is propagated.

[0104] In a specific application embodiment, the detailed steps of the configuration information extraction module to extract information such as the offset of the task_struct structure in memory in the kernel process and the symbol information of the firmware binary file are as follows:

[0105] 1) Develop a tool for obtaining kernel module information;

[0106] 2) Use QEMU to boot a system with a specified kernel;

[0107] 3) Pass the kernel module information acquisition tool into the system, compile it into kernel.ko using gcc, load kernel.ko into the kernel using the insmod command, and execute the Linux command dmesg to extract information such as the kernel process descriptor task_struct, process creation and deletion functions such as proc_fork_connector and proc_exit_connector, and the offset of module creation and deletion functions such as vma_link and remove_vma in the kernel process, and generate a semantic table;

[0108] 4) Use binwalk to decompress the firmware;

[0109] 5) Use Python to write a tool that can traverse a folder and use the readelf command to extract symbol information of all binary files in the folder;

[0110] 6) Use tools to extract the decompressed firmware and generate a symbol table;

[0111] 7) Pass the two tables to the real-time detection module as data for advanced semantic extraction.

[0112] In a specific application embodiment, this invention is used to detect and analyze a certain vulnerability, such as... Figure 4As shown, this invention can pinpoint the crash point and the source function that caused the crash, such as in vulnerability CVE-2022-34528. Dashed boxes represent crashing functions, and solid boxes represent the root cause function leading to the crash. The diagram shows that the crash point in this vulnerability is the 0x474b50 code block of the `cfg_manage` process, and the root cause function is the `strcpy` function within the `getAttrValue` function. Furthermore, the function flow through which the input tainted data passes can be obtained as: `boa::read_header→boa::write_body→boa::parse_param_line→cfg_manager::mxmlElementSetAttr→cfg_manager::getAttrValue`. This means that this invention can not only pinpoint the crash point and the source function that caused the crash, but also obtain the function flow through which the tainted data passes.

[0113] like Figure 2 As shown, the dynamic taint analysis system for firmware full-system simulation in this embodiment includes:

[0114] The taint marking module is used to find the physical memory address of the current data in the virtual machine when the taint tracking function is started and the data to be analyzed is received, and to mark the specified part as a taint in the shadow memory.

[0115] The taint propagation module is used to instrument the TCG instructions disassembled from the client instructions during the execution loop of the data to be analyzed after being marked with taints. It inserts preset taint propagation instructions before each instruction to manipulate the propagation of taint information, so that the instrumented TCG instructions can realize the flow of taint information during the interpretation and execution process.

[0116] The taint detection module is used to pre-configure taint detection modules on specified nodes. The taint detection module detects taint information in real time. When a register or shadow memory containing critical information is detected and marked as a taint, the taint tracking function is turned off, the taint propagation is terminated, and the taint status information is output.

[0117] This embodiment also includes a virtual machine introspection module, which includes an information extraction module and a real-time detection module. The information extraction submodule obtains kernel information and symbol information in the firmware file and passes them to the real-time detection module. The real-time detection module obtains the offset of the task_struct structure in the kernel process and compares it with the offset stored in the semantic table to confirm the kernel version. Based on the offset of the task_struct structure, it obtains the content of the task_struct structure of the kernel process and uses the semantic table to match the process and module information therein.

[0118] like Figure 4As shown, in this embodiment, the virtual machine introspection module is used to obtain high-level semantic information of the guest machine, such as processes, modules, and functions, in real time. During taint propagation, this module records important runtime information in real time. After taint propagation ends, the module generates a final taint propagation log and hands it over to the taint analysis module. The virtual machine introspection module consists of two parts: an information extraction module and a real-time detection module. First, the information extraction module obtains kernel information and symbol information from firmware files and passes this information to the real-time detection module. Subsequently, when the guest system starts running, the real-time detection module obtains the offset of the `task_struct` structure in the kernel process and compares it with the offset stored in the semantic table to confirm the kernel version. Then, based on the offset of `task_struct`, it obtains the content of the `task_struct` structure of the kernel process and uses the semantic table to match the process and module information within it. The monitoring module records this information during the simulation process and generates instruction stream logs and taint logs after taint propagation ends.

[0119] Tag marking is implemented at the QEMU network interface. Specifically, the marking request is first submitted to the marking module, and then the test data is sent to the client. The marking module first filters the input data according to the input marking request, selects the test data, locates the physical storage address of the test data on the client, and finally marks the taint tag at the corresponding location in the shadow memory according to the request.

[0120] In this embodiment, a taint detection module is added to key nodes such as function jumps. The taint detection module detects the taint status of registers or shadow registers or shadow memory corresponding to key information such as jump addresses in real time. If these places are marked as tainted, the taint propagation ends and the taint status is submitted to the virtual machine introspection module.

[0121] The dynamic taint analysis system for firmware full system simulation in this embodiment corresponds one-to-one with the dynamic taint analysis method for firmware full system simulation described above, and will not be described in detail here.

[0122] This embodiment further provides a computer system, including a processor and a memory, wherein the memory is used to store a computer program and the processor is used to execute the computer program to perform the method as described above.

[0123] It is understood that the method described in this embodiment can be executed by a single device, such as a computer or server, or it can be applied to a distributed scenario where multiple devices cooperate to complete the task. In a distributed scenario, one of the multiple devices may execute only one or more steps of the method described in this embodiment, and the multiple devices interact to complete the method. The processor can be implemented using a general-purpose CPU, microprocessor, application-specific integrated circuit, or one or more integrated circuits, and is used to execute relevant programs to implement the method described in this embodiment. The memory can be implemented using read-only memory (ROM), random access memory (RAM), static storage devices, and dynamic storage devices. The memory can store the operating system and other applications. When the method described in this embodiment is implemented through software or firmware, the relevant program code is stored in the memory and called and executed by the processor.

[0124] This embodiment further provides a computer-readable storage medium storing a computer program that, when executed by a processor, implements the method described above.

[0125] Those skilled in the art will understand that the above embodiments of this application can be provided as methods, systems, or computer program products. Therefore, this application can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, this application can take the form of a computer program product embodied on one or more computer-readable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code. This application is described with reference to flowchart illustrations and / or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of this application. It should be understood that each block of the flowchart illustrations and / or block diagrams, and combinations of blocks in the flowchart illustrations and / or block diagrams, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create an implementation for the process. Figure 1 One or more processes and / or boxes Figure 1 The computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which are implemented in a process Figure 1 One or more processes and / or boxes Figure 1The functions specified in one or more boxes. These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer-implemented process, thereby providing instructions that execute on the computer or other programmable apparatus for implementing the process. Figure 1 One or more processes and / or boxes Figure 1 The steps of the function specified in one or more boxes.

[0126] The above description is merely a preferred embodiment of the present invention and is not intended to limit the invention in any way. Although the present invention has been disclosed above with reference to preferred embodiments, it is not intended to limit the invention. Therefore, any simple modifications, equivalent changes, and alterations made to the above embodiments based on the technical essence of the present invention without departing from the scope of the present invention should fall within the protection scope of the present invention.

Claims

1. A dynamic taint analysis method for firmware system-wide simulation, characterized by the following steps: include: Step S1: Taint Marking: Create shadow memory based on the memory used during firmware emulation and configure shadow registers for registers in the virtual CPU; After the taint tracking function is started, when data to be analyzed is received, the data to be analyzed is filtered according to the taint marking requirements, the filtered data is located at the physical storage address of the client machine, and the taint is marked at the corresponding location in the shadow memory. Step S2: Taint Propagation: During the execution loop, the TCG instructions disassembled from the client instructions are instrumented on the data to be analyzed after being marked with taints. Preset taint propagation instructions are inserted before each instruction to manipulate the propagation of taint information, so that the instrumented TCG instructions can realize the flow of taint information during the interpretation and execution process. Step S3: Stain detection: A taint detection module is set up in advance at a designated node. The taint detection module detects taint information in real time. When a register or shadow memory storing key information is detected as a taint, the taint tracking function is turned off, the taint propagation is ended, and the contamination status information is output. Step S2 includes: TCG commands are divided into multiple categories according to their functions, and taint propagation rules are configured for each type of TCG command. After the client code is disassembled into a doubly linked list of TCG instructions, the doubly linked list of TCG instructions is passed as a parameter to the taint propagation module. A new doubly linked list is created by the processing function in the taint propagation module. The original instruction chain is backed up to the new linked list, the original instruction chain is cleared, and a pointer op_ptr is created to point to the first instruction of the new instruction chain. According to the taint propagation rules, the TCG instruction generation function is used to generate the taint propagation instruction pointed to by op_str, and the newly generated taint propagation instruction is added to the original instruction chain. Remove the instruction pointed to by pointer op_str from the new instruction chain and add it after the taint propagation instruction in the original instruction chain; The pointer op_ptr points to the next instruction. If the next instruction is empty, the translator translates the newly generated TCG instruction chain to generate binary instructions for the host machine, which are executed by the host machine's CPU. During execution, taint information is propagated; otherwise, it returns to execute the next instruction. Step S3 also includes: Obtain kernel information and symbol information from firmware files, and pass them to the real-time detection module; When the client system starts running, the real-time detection module monitors the process and module information of each translation block before each translation block is generated. It obtains the offset of the task_struct structure in the kernel process and compares it with the offset stored in the semantic table to confirm the kernel version. Then, it obtains the content of the task_struct structure of the kernel process based on the offset of the task_struct structure and uses the semantic table to match the process and module information in it to form a high-level semantic information mapping table. The high-level semantic information mapping table contains the mapping relationship between each translation block and process and module information. After the pollution propagation ends, an instruction stream log and a pollution log are generated based on the information monitored by the real-time detection module.

2. The dynamic taint analysis method for firmware-wide system simulation according to claim 1, characterized in that, Step S1 also includes creating a shadow memory of the same size as the memory used during firmware emulation. The shadow memory is indexed using a two-level page table, with each bit corresponding one-to-one with the client's memory. The input data to be analyzed is filtered according to the input marking requirements. After filtering out the data to be analyzed, the physical storage address of the data in the client is located. A taint label is then applied to the corresponding position in the shadow memory according to the marking requirements. In step S3, if it is determined that the shadow memory corresponding to the target address of the client has a value of 0, it is determined that the data at the target address has not been corrupted; otherwise, it is determined that it has been corrupted.

3. The dynamic taint analysis method for firmware-wide system simulation according to claim 1, characterized in that, The TCG instruction classification includes functional operation instructions, arithmetic operation instructions, instructions that interact with the CPU, and instructions that interact with memory. For functional operation instructions, no corresponding taint propagation rules are set. For arithmetic operation instructions, the taint propagation rules are configured as follows: bit-granular taint propagation rules are configured using Boolean logic. For instructions that perform data interaction, if the target instruction is to transfer data from a specified register to the destination space, a preset instruction is inserted before the target instruction to transfer the data from the specified register to the shadow variable of the destination space, so as to complete the propagation of taint information of the specified register on the TCG layer. For the instructions that perform data interaction with memory, the taint propagation rule is configured as follows: a detection transfer function is inserted before the instruction to detect and transfer taints. The virtual address of the client and the function parameters are passed to the detection transfer function as parameters. The detection transfer function converts the virtual address addr into the physical address phy_addr, and then locates the address in the shadow memory. The taint information is read and recorded according to the function parameters. The read taint information is stored in a temporary register in the CPU structure, and the taint information in the temporary register is passed to the shadow variable of the TCG IR variable in the current instruction, so as to complete the transfer of taint information between the shadow memory and the TCG layer.

4. The dynamic taint analysis method for firmware-wide system simulation according to any one of claims 1 to 3, characterized in that, Following step S3, a step S4 is further included: analyzing the stains to generate a pollution propagation trajectory map. Step S4 includes: The taint propagation log is parsed to form an information block, which includes information about the code block, process information, module information, a first set of physical addresses of the tainted data read from memory by the code block, and a second set of physical addresses of the tainted data output from memory by the code block. The information block is backtracked to generate a pollution propagation trajectory map. During each backtracking, an address equal to the first set is searched in the second set of the current information block. If the search is successful, the information block is set as a node, and the previous node points to this node as a directed edge. Otherwise, the next search is performed until all addresses are searched. All nodes and directed edges are collected to generate the taint propagation trajectory map.

5. The dynamic taint analysis method for firmware-wide system simulation according to claim 4, characterized in that, The step S4, which involves backtracking the information block to generate a pollution propagation trajectory map, includes: Step S4.

1. Let the set of information blocks be msg_block={block0,block1,...,block2}. n }, msg_block[k] = block k The first set of physical addresses of the data with pollution markers read from memory by the code block in the information block is load_addrs = {load_addr0, load_addr1, ..., load_addr...} m } , load_addrs[i] = load_addr i The second set of physical addresses of the data with pollution marks output to memory by the code block is store_addrs = {store_addr0, store_addr1, ..., store_addr}. K }, store_addrs[j] = store_addr j , where n represents the number of information blocks, m is the number of addresses in the first set, and K is the number of addresses in the second set; Step S4.

2. Initialize variable k = n, and set the kth information block as the initial node; Step S4.

3. Initialize variable i = 0; Step S4.

4. Select the k-th information block and the i-th address in the first set, i.e., msg_block[k]::load_addrs[i]; Step S4.

5. k = k-1, search for an address in the second set store_addrs of the kth information block msg_block[k] that is equal to the address in the currently selected first set. If the search is successful, set the current information block as a node, and the previous node points to this node as a directed edge, and go to step S4.

4. If it is unsuccessful, go to step S4.

6. Step S4.

6. Determine if k is 0. If it is 0, i = i + 1. If i > m, proceed to step S4.

7. Otherwise, proceed to step S4.

4. If it is not 0, proceed to step S4.

5. Step S4.

7. Collect all nodes and directed edges to generate a taint propagation trajectory graph, in which the process, module, and function information of all nodes are marked.

6. A system for the dynamic taint analysis method for firmware-based full-system simulation as described in any one of claims 1 to 5, characterized in that, include: The taint marking module is used to create shadow memory based on the memory used during firmware emulation and to configure shadow registers for registers in the virtual CPU. After the taint tracking function is started, when data to be analyzed is received, the data to be analyzed is filtered according to the taint marking requirements, the filtered data is located at the physical storage address of the client machine, and the taint is marked at the corresponding location in the shadow memory. The taint propagation module is used to instrument the TCG instructions disassembled from the client instructions during the execution loop of the data to be analyzed after being marked with taints. It inserts preset taint propagation instructions before each instruction to manipulate the propagation of taint information, so that the instrumented TCG instructions can realize the flow of taint information during the interpretation and execution process. The taint detection module is used to pre-set taint detection modules at designated nodes. The taint detection module detects taint information in real time. When a register or shadow memory storing key information is marked as a taint, the taint tracking function is turned off, the taint propagation is terminated, and the contamination status information is output.

7. The dynamic taint analysis system for firmware full-system simulation according to claim 6, characterized in that, It also includes a virtual machine introspection module, which comprises an information extraction module and a real-time detection module. The information extraction module obtains kernel information and symbol information from firmware files and passes them to the real-time detection module. The real-time detection module obtains the offset of the task_struct structure in the kernel process and compares it with the offset stored in the semantic table to confirm the kernel version. Based on the offset of the task_struct structure, it obtains the content of the task_struct structure of the kernel process and uses the semantic table to match the process and module information therein.

8. A computer system comprising a processor and a memory, the memory being used to store computer programs, characterized in that, The processor is used to execute the computer program to perform the method as described in any one of claims 1 to 5.