A firmware vulnerability intelligent identification method based on semantic analysis and model reasoning
By constructing a high-level semantic model of the firmware program and combining semantic analysis and model reasoning, the problems of vulnerability variant identification and result interpretability in firmware vulnerability detection technology are solved, and efficient automated detection and remediation guidance for complex vulnerabilities are achieved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- NANJING NANZI DIGITAL SECURITY TECH CO LTD
- Filing Date
- 2026-03-11
- Publication Date
- 2026-06-12
AI Technical Summary
Existing firmware vulnerability detection technologies struggle to accurately identify vulnerability variants when faced with complex program structures and diverse vulnerability behaviors. Furthermore, their high-level semantic relationship modeling capabilities are insufficient, resulting in inadequate interpretability and automation of detection results.
Employing a semantic analysis and model reasoning approach, a high-level semantic model of the firmware program is constructed through firmware parsing, static analysis, semantic modeling, and vulnerability identification modules. Combining control flow, data flow, and function call relationships, machine learning is used for vulnerability identification and risk assessment, generating detailed vulnerability remediation suggestions.
It improves the ability to identify complex vulnerabilities and their variants, enhances the stability and interpretability of detection results, is applicable to different processor architectures and firmware formats, reduces manual intervention, and improves the efficiency of batch firmware detection and the guidance for vulnerability remediation.
Smart Images

Figure CN122197030A_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the field of firmware security detection technology, and in particular relates to an intelligent identification method for firmware vulnerabilities based on semantic analysis and model reasoning. Background Technology
[0002] With the widespread deployment of IoT devices and embedded systems in various application scenarios, firmware, as the core software running on embedded devices, directly impacts the stable operation and data security of these devices. Since firmware typically runs in resource-constrained and long-term online environments, the existence and exploitation of security vulnerabilities can lead to device malfunctions, information leaks, or remote control. Therefore, effective security analysis of firmware is of paramount importance.
[0003] Existing firmware vulnerability detection technologies mainly include static analysis and dynamic analysis. Static analysis technology identifies potential vulnerabilities by parsing firmware programs and combining rule or feature matching methods. It has the advantages of high analysis efficiency and low dependence on the runtime environment. However, when faced with vulnerability scenarios with complex program structures and diverse behavioral characteristics, its detection effectiveness depends to some extent on the completeness of the rule construction. For vulnerability variants with significant structural changes or vulnerability types with similar behavioral characteristics, traditional static analysis methods still have room for improvement in terms of expressive power and matching accuracy.
[0004] Dynamic analysis techniques monitor the runtime behavior of firmware programs to uncover potential security risks. While these methods can reflect the behavioral characteristics of programs under specific operating conditions, in practical applications, the firmware's dependence on underlying hardware and the runtime environment makes constructing a dynamic analysis environment quite complex. In multi-architecture, multi-device scenarios, the adaptation cost of dynamic analysis is high, and the analysis process typically consumes significant computational resources, making it difficult to efficiently cover large-scale firmware samples.
[0005] Furthermore, as firmware programs become larger and more complex, vulnerability behaviors often involve multiple layers of control flow, data flow, and function call relationships. Existing technologies still have room for improvement in systematically modeling these high-level semantic relationships, particularly in vulnerability variant identification, similar vulnerability correlation analysis, and the interpretability of detection results; they struggle to simultaneously achieve both accuracy and automation. Summary of the Invention
[0006] The purpose of this invention is to provide a firmware vulnerability intelligent identification method based on semantic analysis and model reasoning, which solves the technical problems of accurately identifying vulnerability variants, increasing the ability to model high-level semantic relationships of programs, and enabling detection results to effectively guide vulnerability remediation in firmware vulnerability detection technology.
[0007] To achieve the above objectives, the present invention adopts the following technical solution:
[0008] A firmware vulnerability intelligent identification method based on semantic analysis and model reasoning includes the following steps:
[0009] Step 1: The firmware parsing module parses the firmware file to be tested. Specifically, it analyzes the firmware file header information and compression format to identify the compression type of the firmware, and uses the decompression method corresponding to the compression type to unpack the firmware. It then parses the file system structure of the unpacked firmware, extracts the kernel image, configuration files and applications from the firmware, and obtains the processor architecture type, operating system information and runtime environment parameters corresponding to the firmware to generate an environment description result of the firmware runtime environment.
[0010] Step 2: The static analysis module obtains the environment description results, performs static reverse analysis on the unpacked firmware program, extracts the symbol information, function boundaries and data segment structure of the firmware program, constructs the module division and calling relationship of the firmware program, and, combined with data flow analysis and execution path analysis, extracts the potential system call sequence and data flow characteristics of the firmware, and generates structural analysis results describing the static behavior characteristics of the firmware. The structural analysis results include control flow information and data transmission relationships.
[0011] Step 3: The semantic modeling module retrieves the structural analysis results, models the syntax structure of the firmware program, associates the control flow information and data transfer relationships, extracts the firmware's execution path, function call relationships and data transfer semantics, and generates semantic modeling results to describe the overall behavior semantics of the firmware.
[0012] Step 4: The vulnerability identification module retrieves the semantic modeling results, extracts feature vectors from the firmware's control flow information, data transmission relationships, and semantic features, and calculates the similarity between the feature vectors and the pre-built vulnerability semantic library to identify potential vulnerabilities in the firmware that match known vulnerability types; at the same time, it uses a machine learning model to perform cluster analysis on the firmware features to identify potential security risks that are similar to known vulnerability families or belong to vulnerability variants, and generates vulnerability identification results.
[0013] Step 5: The risk assessment module retrieves the vulnerability identification results, performs a comprehensive risk assessment on the detected vulnerabilities based on their impact scope, exploitation difficulty, and controllability, determines the risk level of the vulnerabilities, generates corresponding risk assessment results, and automatically generates vulnerability remediation suggestions and vulnerability management reports based on the risk assessment results.
[0014] Preferably, when performing step 1, the compression format identification algorithm used for analyzing the compression format includes LZMA, gzip, or SquashFS.
[0015] The firmware parsing module uses firmware analysis tools to unpack the firmware file and parse the file system structure, extracting the kernel image, configuration files, and applications from the firmware to obtain the complete data structure of the firmware; it also uses static analysis tools to automatically extract the CPU architecture type, operating system information, and runtime environment of the firmware file.
[0016] Preferably, when performing step 2, the static analysis module specifically performs the following steps:
[0017] Step 2-1: Extract the symbol table, function boundaries, and data segment structure from the firmware using static reverse engineering techniques to identify the basic modules of the firmware program and their calling relationships;
[0018] Step 2-2: Using the TaintAnalysis and PointerAnalysis algorithms, simulate the firmware execution path and extract potential system call sequences and data flow information to identify and locate potential runtime behavior characteristics in the firmware.
[0019] Steps 2-3: Perform in-depth analysis by combining the control flow graph (CFG) and data flow graph (DFG) to extract the firmware's control flow information, function call information, and data transfer paths, and generate structural analysis results that describe the firmware's static behavior characteristics.
[0020] Preferably, when performing step 3, the semantic modeling module specifically performs the following steps:
[0021] Step 3-1: Model the firmware source code structure using an abstract syntax tree, capture the high-level syntax information of the program, and generate the firmware's control flow graph and data flow graph through static analysis.
[0022] Step 3-2: Combine the variable flow information in the control flow graph and data flow graph to extract the specific execution path, function call and data transfer details of the firmware;
[0023] Step 3-3: Combine the abstract syntax tree and the intermediate language generator to construct the firmware's code attribute graph or semantic vector representation, and obtain the semantic modeling results used to describe the overall behavior semantics of the firmware.
[0024] Preferably, when performing step 4, the vulnerability identification module specifically performs the following steps:
[0025] Step 4-1: Extract a set of feature vectors using the firmware's control flow graph, data flow graph, and semantic modeling results. and , This represents the feature set of the firmware sample. represents the feature vector of the j-th type of vulnerability in the vulnerability semantic library; i represents the firmware sample number; n represents the number of dimensions of the feature vector;
[0026] By calculating semantic similarity The specific formula for determining the potential vulnerability matching degree is as follows: ; Preset similarity threshold ,when At that time, it was determined that the firmware contained a potential vulnerability related to vulnerability type j; Step 4-2: Perform deep learning and variant testing using a clustering algorithm model and a vulnerability semantic database. Let the feature sample set be... Where x represents a sample and m represents the number of samples; through cluster centers Study the distribution of vulnerability patterns, among which This represents the k-th cluster center, where k represents the cluster number. This represents the k-th cluster. This represents the feature vector of the i-th sample; For new samples Calculate the Euclidean distance D between it and each cluster center: ; in, This represents the t-th new sample to be analyzed; Preset distance threshold Determine and generate vulnerability identification results: like If so, it is considered to belong to the known vulnerability family; like If a vulnerability is similar to multiple cluster centers, it is marked as a potential variant vulnerability.
[0027] Preferably, when performing step 5, the risk assessment module performs the following steps: Step 5-1: Based on the vulnerability's impact scope, exploit difficulty, and controllability, assign a comprehensive score R to each vulnerability. Considering impact scope I, exploit difficulty E, controllability C, and propagation potential P, construct the scoring function R as follows: ; in All are weighting coefficients, satisfying ; Preset risk threshold ,when At that time, the vulnerability was marked as high risk; Step 5-2: Generate detailed vulnerability remediation recommendations and vulnerability management reports, defining the report generation function as follows. : ; in, Indicates the characteristics of the vulnerability type. To score risk, To fix the action template, the function This function generates structured reports based on a comprehensive semantic generation model and rule templates. The structured reports include vulnerability remediation suggestions and vulnerability management reports. The vulnerability remediation suggestions include remediation solutions, and the vulnerability management reports include vulnerability causes and impact analysis.
[0028] This invention presents a firmware vulnerability intelligent identification method based on semantic analysis and model reasoning. It addresses the technical challenges of accurately identifying vulnerability variants, enhancing the ability to model high-level semantic relationships within programs, and ensuring that detection results effectively guide vulnerability remediation. This invention constructs a semantic model reflecting the overall behavioral characteristics of the firmware program through joint analysis of its control flow, data flow, and function call relationships, thus freeing vulnerability identification from reliance on single rules or local features. This invention helps improve the identification of vulnerabilities with significant structural variations or similar manifestations, thereby enhancing the stability of vulnerability detection results. The introduction of a model reasoning-based analysis mechanism automates the processing and classification of firmware behavioral characteristics, adapting to different processor architectures and firmware formats, reducing manual intervention, and making it suitable for automated detection of batch firmware. This improves overall analysis efficiency. Based on vulnerability identification, the method performs risk assessment on the detection results and generates an analysis report containing vulnerability cause analysis and remediation suggestions, making the detection results more interpretable. This helps developers understand the causes of vulnerabilities and formulate corresponding remediation measures, thereby improving the practicality of firmware security maintenance. Attached Figure Description
[0029] Figure 1 This is an overall flowchart of the present invention;
[0030] Figure 2 This is a detailed diagram of the intermediate language generator in this invention. Detailed Implementation
[0031] Depend on Figures 1-2 The firmware vulnerability intelligent identification method based on semantic analysis and model reasoning, as shown, includes the following steps:
[0032] Step 1: The firmware parsing module parses the firmware file to be tested. Specifically, it analyzes the firmware file header information and compression format to identify the compression type of the firmware, and uses the decompression method corresponding to the compression type to unpack the firmware. It then parses the file system structure of the unpacked firmware, extracts the kernel image, configuration files and applications from the firmware, and obtains the processor architecture type, operating system information and runtime environment parameters corresponding to the firmware to generate an environment description result of the firmware runtime environment.
[0033] When performing step 1, the compression format analysis may use compression format identification algorithms such as LZMA, gzip, or SquashFS.
[0034] The firmware parsing module uses firmware analysis tools to unpack the firmware file and parse the file system structure, extracting the kernel image, configuration files, and applications from the firmware to obtain the complete data structure of the firmware; it also uses static analysis tools to automatically extract the CPU architecture type, operating system information, and runtime environment of the firmware file.
[0035] This embodiment identifies the actual packaging and storage method of the firmware by recognizing the firmware file header information and compression format, and then uses a matching decompression and parsing strategy to completely restore the firmware. Because different device manufacturers and embedded platforms use different firmware packaging methods and file system structures, failure to correctly identify the compression type and file system structure will result in incomplete or incorrect firmware content parsing, thus affecting the accuracy of subsequent analysis.
[0036] By parsing the unpacked firmware file system structure and extracting the kernel image, configuration files, and applications, the core program units constituting the firmware's runtime logic can be obtained. Simultaneously, by combining static analysis techniques to extract the processor architecture type, operating system information, and runtime environment parameters corresponding to the firmware, a unified description of the firmware's runtime environment can be formed. This environment description provides a consistent analytical premise for subsequent static analysis, semantic modeling, and vulnerability identification, avoiding analytical biases introduced by architecture or runtime environment mismatches, thereby improving the reliability of the overall vulnerability detection process.
[0037] Step 2: The static analysis module obtains the environment description results, performs static reverse analysis on the unpacked firmware program, extracts the symbol information, function boundaries and data segment structure of the firmware program, constructs the module division and calling relationship of the firmware program, and, combined with data flow analysis and execution path analysis, extracts the potential system call sequence and data flow characteristics of the firmware, and generates structural analysis results describing the static behavior characteristics of the firmware. The structural analysis results include control flow information and data transmission relationships.
[0038] When performing step 2, the static analysis module specifically performs the following steps:
[0039] Step 2-1: Extract the symbol table, function boundaries, and data segment structure from the firmware using static reverse engineering techniques to identify the basic modules of the firmware program and their calling relationships;
[0040] Step 2-2: Using the TaintAnalysis and PointerAnalysis algorithms, simulate the firmware execution path and extract potential system call sequences and data flow information to identify and locate potential runtime behavior characteristics in the firmware.
[0041] Steps 2-3: Perform in-depth analysis by combining the control flow graph (CFG) and data flow graph (DFG) to extract the firmware's control flow information, function call information, and data transfer paths, and generate structural analysis results that describe the firmware's static behavior characteristics.
[0042] In this embodiment, static analysis techniques are used to extract multidimensional features from the binary data in the firmware, including binary structure, symbol table, function boundaries, system call sequence, etc., to construct a high-dimensional behavior model of the firmware.
[0043] This implementation systematically extracts and models the internal structure and potential behavior of the firmware binary program through static reverse engineering without actually running the firmware program. By parsing symbolic information, function boundaries, and data segment structures, the basic module composition of the firmware program and their inter-call relationships can be clearly identified, thus reconstructing the program's organizational form at the structural level.
[0044] By combining data flow analysis methods such as taint analysis and pointer analysis, the propagation path and possible execution path of key data in the program can be simulated, which can identify potential system call sequences and data flow characteristics, thereby revealing the behavioral patterns that firmware programs may trigger under different input conditions.
[0045] By unifying the above analysis results into control flow information and data transmission relationships, a structural analysis result describing the static behavioral characteristics of firmware is formed. This enables subsequent semantic modeling and vulnerability identification to be based on a complete and traceable program structure and behavior, thereby avoiding the one-sidedness of analysis caused by relying solely on local features.
[0046] Step 3: The semantic modeling module retrieves the structural analysis results, models the syntax structure of the firmware program, associates the control flow information and data transfer relationships, extracts the firmware's execution path, function call relationships and data transfer semantics, and generates semantic modeling results to describe the overall behavior semantics of the firmware.
[0047] When performing step 3, the semantic modeling module specifically performs the following steps:
[0048] Step 3-1: Model the firmware source code structure using an abstract syntax tree, capture the high-level syntax information of the program, and generate the firmware's control flow graph and data flow graph through static analysis.
[0049] Step 3-2: Combine the variable flow information in the control flow graph and data flow graph to extract the specific execution path, function call and data transfer details of the firmware;
[0050] Step 3-3: Combine the abstract syntax tree and the intermediate language generator to construct the firmware's code attribute graph or semantic vector representation, and obtain the semantic modeling results used to describe the overall behavior semantics of the firmware.
[0051] In this embodiment, by constructing a semantic model of the firmware, high-level structures such as Abstract Syntax Tree (AST), Control Flow Graph (CFG), and Data Flow Graph (DFG) are used to accurately describe the firmware's program control logic, data flow, and function call relationships, thus establishing a semantic representation of the firmware.
[0052] This embodiment further elevates the structured analysis results obtained in step 2 to the semantic level, providing an abstract description of the overall behavior of the firmware program. By modeling the program's syntactic structure using an abstract syntax tree, the high-level logical structure of the program can be captured; combined with control flow graphs and data flow graphs, the control transfer relationships and data transmission relationships under different execution paths can be reflected.
[0053] By correlating control flow information with data transmission relationships, we can extract the complete execution path, function call relationships, and data usage semantics of a program, thereby eliminating the semantic fragmentation problem caused by analysis based solely on a single structure. By constructing code attribute graphs or semantic vector representations, the aforementioned multi-dimensional information is uniformly mapped into computable semantic modeling results, enabling the behavioral characteristics of firmware programs to be expressed in a holistic and continuous semantic form. This semantic modeling result provides direct input for subsequent model inference and vulnerability identification, allowing vulnerability detection to move beyond limited local code features and instead analyze the overall semantics of the program, thus improving the ability to identify complex and variant vulnerabilities.
[0054] like Figure 2 As shown, the intermediate language generator is used to convert the low-level binary instructions of the firmware into an intermediate language representation for semantic analysis. Here, IR stands for Intermediate Representation; Rawcode represents the raw instruction representation obtained directly from the firmware binary instructions; mnemonic represents the instruction mnemonic extracted from the raw instructions, used to describe the basic operational semantics of the instructions; and Highcode represents the architecture-independent high-level intermediate code representation generated based on the instruction mnemonic.
[0055] In the intermediate language, Varnodes are used to represent variable nodes, providing a unified abstract description of operands in the program. Each variable node is uniquely identified by its AddressPace, corresponding Offset, and data Size. AddressPace represents the address space type of the variable, including: Register (processor register space), Ram (main memory address space and its pointers), Stack (function call stack space), Constant (constant address space), and Unique (temporary variable space introduced during intermediate language generation). Offset represents the variable's offset position in the corresponding address space. Size represents the data length occupied by the variable; 0x0 represents an example starting address offset; and 4 indicates that the corresponding variable's data length is 4 bytes.
[0056] Figure 2 The intermediate language generator shown maps register variables, memory variables, stack variables, and constants from different sources and in various forms in the firmware into standardized variable node representations, thereby constructing a program semantic expression form independent of specific processor architecture. This intermediate language representation serves as the basic input to the semantic modeling module in step 3, used to associate the firmware's control flow information, data transfer relationships, and function call structure, and then generate semantic modeling results that describe the overall behavioral semantics of the firmware.
[0057] Step 4: The vulnerability identification module retrieves the semantic modeling results, extracts feature vectors from the firmware's control flow information, data transmission relationships, and semantic features, and calculates the similarity between the feature vectors and the pre-built vulnerability semantic library to identify potential vulnerabilities in the firmware that match known vulnerability types; at the same time, it uses a machine learning model to perform cluster analysis on the firmware features to identify potential security risks that are similar to known vulnerability families or belong to vulnerability variants, and generates vulnerability identification results.
[0058] When performing step 4, the vulnerability identification module performs the following steps:
[0059] Step 4-1: Extract a set of feature vectors using the firmware's control flow graph, data flow graph, and semantic modeling results. and , This represents the feature set of the firmware sample. represents the feature vector of the j-th type of vulnerability in the vulnerability semantic library; i represents the firmware sample number; n represents the number of dimensions of the feature vector;
[0060] By calculating semantic similarity The specific formula for determining the potential vulnerability matching degree is as follows: ; Preset similarity threshold ,when At that time, it was determined that the firmware contained a potential vulnerability related to vulnerability type j; Step 4-2: Perform deep learning and variant testing using a clustering algorithm model and a vulnerability semantic database. Let the feature sample set be... Where x represents a sample and m represents the number of samples; through cluster centers Study the distribution of vulnerability patterns, among which This represents the k-th cluster center, where k represents the cluster number. This represents the k-th cluster. This represents the feature vector of the i-th sample; For new samples Calculate the Euclidean distance D between it and each cluster center: ; in, This represents the t-th new sample to be analyzed; Preset distance threshold Determine and generate vulnerability identification results: like If so, it is considered to belong to the known vulnerability family; like If a vulnerability is similar to multiple cluster centers, it is marked as a potential variant vulnerability.
[0061] In this embodiment, AI models and vulnerability semantic databases are combined for intelligent matching. By identifying the behavioral patterns of potential vulnerabilities, especially variant vulnerabilities and fuzzy similar vulnerabilities, the intelligence and accuracy of vulnerability identification are improved.
[0062] This embodiment, based on the semantic modeling results generated in step 3, converts the behavioral characteristics of the firmware program into feature vector form and performs semantic-level matching analysis with a pre-built vulnerability semantic library. By calculating the similarity between the firmware feature vector and the vulnerability semantic feature vector, it can be determined whether the firmware behavior is semantically consistent with known vulnerability types, thereby identifying potential known vulnerabilities.
[0063] Meanwhile, by introducing a clustering analysis model to model the distribution of firmware features, the clustering characteristics of vulnerability behavior patterns can be learned from the overall sample space. New samples that are semantically close to known vulnerability families can be identified as belonging to known vulnerability families; while samples that show partial similarity among multiple vulnerability clusters can be marked as potential vulnerability variants.
[0064] By combining semantic similarity-based matching with model-based reasoning clustering analysis, this step can effectively discover vulnerability variants with significant structural changes or different manifestations while identifying known vulnerabilities, thereby improving the coverage and intelligence level of vulnerability identification.
[0065] Step 5: The risk assessment module retrieves the vulnerability identification results, performs a comprehensive risk assessment on the detected vulnerabilities based on their impact scope, exploitation difficulty, and controllability, determines the risk level of the vulnerabilities, generates corresponding risk assessment results, and automatically generates vulnerability remediation suggestions and vulnerability management reports based on the risk assessment results.
[0066] When performing step 5, the risk assessment module specifically performs the following steps:
[0067] Step 5-1: Based on the vulnerability's impact scope, exploit difficulty, and controllability, assign a comprehensive score R to each vulnerability. Considering impact scope I, exploit difficulty E, controllability C, and propagation potential P, construct the scoring function R as follows: ; in All are weighting coefficients, satisfying ; Preset risk threshold ,when At that time, the vulnerability was marked as high risk; Step 5-2: Generate detailed vulnerability remediation recommendations and vulnerability management reports, defining the report generation function as follows. : ; in, Indicates the characteristics of the vulnerability type. To score risk, To fix the action template, the function This function generates structured reports based on a comprehensive semantic generation model and rule templates. The structured reports include vulnerability remediation suggestions and vulnerability management reports. The vulnerability remediation suggestions include remediation solutions, and the vulnerability management reports include vulnerability causes and impact analysis.
[0068] This embodiment, based on vulnerability identification, performs quantitative assessment and results organization of the detected vulnerabilities to improve the practicality and operability of vulnerability handling. By comprehensively considering factors such as the scope of vulnerability impact, exploitation difficulty, controllability, and propagation, a unified risk scoring model is constructed. This model can objectively quantify the security risks of different vulnerabilities and determine their priority accordingly.
[0069] After obtaining the risk assessment results, and combining vulnerability type characteristics with predefined remediation action templates, a semantic generation model is used to automatically generate structured vulnerability remediation recommendations and vulnerability management reports. This report not only includes vulnerability cause analysis and impact assessment, but also provides targeted remediation solutions, helping developers quickly understand the nature of the vulnerability and take effective remediation measures.
[0070] By unifying the output of vulnerability identification results, risk assessment results, and remediation recommendations, this step achieves closed-loop management from vulnerability discovery to vulnerability handling, thereby improving the application value of firmware vulnerability detection results in actual security operations and maintenance.
[0071] In this embodiment, the identified vulnerabilities are scored and detailed explanations are provided for each vulnerability, including the vulnerability discovery path, vulnerability principle, and impact function, to provide a reference for vulnerability remediation and security management.
[0072] In this embodiment, a unified behavioral semantic representation is constructed based on the control flow, data flow, and function call relationships of the firmware program. This behavioral semantic representation is then used as the direct input for model reasoning. Through model reasoning, semantic-level matching and summarization of firmware behavior are performed, thereby achieving intelligent identification of vulnerabilities and their variants.
[0073] This invention presents a firmware vulnerability intelligent identification method based on semantic analysis and model reasoning. It addresses the technical challenges of accurately identifying vulnerability variants, enhancing the ability to model high-level semantic relationships within programs, and ensuring that detection results effectively guide vulnerability remediation. This invention constructs a semantic model reflecting the overall behavioral characteristics of the firmware program through joint analysis of its control flow, data flow, and function call relationships, thus freeing vulnerability identification from reliance on single rules or local features. This invention helps improve the identification of vulnerabilities with significant structural variations or similar manifestations, thereby enhancing the stability of vulnerability detection results. The introduction of a model reasoning-based analysis mechanism automates the processing and classification of firmware behavioral characteristics, adapting to different processor architectures and firmware formats, reducing manual intervention, and making it suitable for automated detection of batch firmware. This improves overall analysis efficiency. Based on vulnerability identification, the method performs risk assessment on the detection results and generates an analysis report containing vulnerability cause analysis and remediation suggestions, making the detection results more interpretable. This helps developers understand the causes of vulnerabilities and formulate corresponding remediation measures, thereby improving the practicality of firmware security maintenance.
Claims
1. A firmware vulnerability intelligent identification method based on semantic analysis and model reasoning, characterized in that: Includes the following steps: Step 1: The firmware parsing module parses the firmware file to be tested. Specifically, it analyzes the firmware file header information and compression format to identify the compression type of the firmware, and uses the decompression method corresponding to the compression type to unpack the firmware. It then parses the file system structure of the unpacked firmware, extracts the kernel image, configuration files and applications from the firmware, and obtains the processor architecture type, operating system information and runtime environment parameters corresponding to the firmware to generate an environment description result of the firmware runtime environment. Step 2: The static analysis module obtains the environment description results, performs static reverse analysis on the unpacked firmware program, extracts the symbol information, function boundaries and data segment structure of the firmware program, constructs the module division and calling relationship of the firmware program, and, combined with data flow analysis and execution path analysis, extracts the potential system call sequence and data flow characteristics of the firmware, and generates structural analysis results describing the static behavior characteristics of the firmware. The structural analysis results include control flow information and data transmission relationships. Step 3: The semantic modeling module retrieves the structural analysis results, models the syntax structure of the firmware program, associates the control flow information and data transfer relationships, extracts the firmware's execution path, function call relationships and data transfer semantics, and generates semantic modeling results to describe the overall behavior semantics of the firmware. Step 4: The vulnerability identification module retrieves the semantic modeling results, extracts feature vectors from the firmware's control flow information, data transmission relationships, and semantic features, and calculates the similarity between the feature vectors and the pre-built vulnerability semantic library to identify potential vulnerabilities in the firmware that match known vulnerability types; at the same time, it uses a machine learning model to perform cluster analysis on the firmware features to identify potential security risks that are similar to known vulnerability families or belong to vulnerability variants, and generates vulnerability identification results. Step 5: The risk assessment module retrieves the vulnerability identification results, performs a comprehensive risk assessment on the detected vulnerabilities based on their impact scope, exploitation difficulty, and controllability, determines the risk level of the vulnerabilities, generates corresponding risk assessment results, and automatically generates vulnerability remediation suggestions and vulnerability management reports based on the risk assessment results.
2. The firmware vulnerability intelligent identification method based on semantic analysis and model reasoning as described in claim 1, characterized in that: When performing step 1, the compression format analysis may use compression format identification algorithms such as LZMA, gzip, or SquashFS. The firmware parsing module uses firmware analysis tools to unpack the firmware file and parse the file system structure, extract the kernel image, configuration files and applications in the firmware, and obtain the complete data structure of the firmware. Static analysis tools can be used to automatically extract the CPU architecture type, operating system information, and runtime environment from firmware files.
3. The firmware vulnerability intelligent identification method based on semantic analysis and model reasoning as described in claim 1, characterized in that: When performing step 2, the static analysis module specifically performs the following steps: Step 2-1: Extract the symbol table, function boundaries, and data segment structure from the firmware using static reverse engineering techniques to identify the basic modules of the firmware program and their calling relationships; Step 2-2: Using the TaintAnalysis and PointerAnalysis algorithms, simulate the firmware execution path and extract potential system call sequences and data flow information to identify and locate potential runtime behavior characteristics in the firmware. Steps 2-3: Perform in-depth analysis by combining the control flow graph (CFG) and data flow graph (DFG) to extract the firmware's control flow information, function call information, and data transfer paths, and generate structural analysis results that describe the firmware's static behavior characteristics.
4. The firmware vulnerability intelligent identification method based on semantic analysis and model reasoning as described in claim 1, characterized in that: When performing step 3, the semantic modeling module specifically performs the following steps: Step 3-1: Model the firmware source code structure using an abstract syntax tree, capture the high-level syntax information of the program, and generate the firmware's control flow graph and data flow graph through static analysis. Step 3-2: Combine the variable flow information in the control flow graph and data flow graph to extract the specific execution path, function call and data transfer details of the firmware; Step 3-3: Combine the abstract syntax tree and the intermediate language generator to construct the firmware's code attribute graph or semantic vector representation, and obtain the semantic modeling results used to describe the overall behavior semantics of the firmware.
5. The firmware vulnerability intelligent identification method based on semantic analysis and model reasoning as described in claim 4, characterized in that: When performing step 4, the vulnerability identification module performs the following steps: Step 4-1: Extract a set of feature vectors using the firmware's control flow graph, data flow graph, and semantic modeling results. and , This represents the feature set of the firmware sample. represents the feature vector of the j-th type of vulnerability in the vulnerability semantic library; i represents the firmware sample number; n represents the number of dimensions of the feature vector; By calculating semantic similarity The specific formula for determining the potential vulnerability matching degree is as follows: ; Preset similarity threshold ,when At that time, it was determined that the firmware contained a potential vulnerability related to vulnerability type j; Step 4-2: Perform deep learning and variant testing using a clustering algorithm model and a vulnerability semantic database. Let the feature sample set be... Where x represents a sample and m represents the number of samples; through cluster centers Study the distribution of vulnerability patterns, among which This represents the k-th cluster center, where k represents the cluster number. This represents the k-th cluster. This represents the feature vector of the i-th sample; For new samples Calculate the Euclidean distance D between it and each cluster center: ; in, This represents the t-th new sample to be analyzed; Preset distance threshold Determine and generate vulnerability identification results: like If so, it is considered to belong to the known vulnerability family; like If a vulnerability is similar to multiple cluster centers, it is marked as a potential variant vulnerability.
6. The firmware vulnerability intelligent identification method based on semantic analysis and model reasoning as described in claim 1, characterized in that: When performing step 5, the risk assessment module specifically performs the following steps: Step 5-1: Based on the vulnerability's impact scope, exploit difficulty, and controllability, assign a comprehensive score R to each vulnerability. Considering impact scope I, exploit difficulty E, controllability C, and propagation potential P, construct the scoring function R as follows: ; in All are weighting coefficients, satisfying ; Preset risk threshold ,when At that time, the vulnerability was marked as high risk; Step 5-2: Generate detailed vulnerability remediation recommendations and vulnerability management reports, defining the report generation function as follows. : ; in, Indicates the characteristics of the vulnerability type. To score risk, To fix the action template, the function This function generates structured reports based on a comprehensive semantic generation model and rule templates. The structured reports include vulnerability remediation suggestions and vulnerability management reports. The vulnerability remediation suggestions include remediation solutions, and the vulnerability management reports include vulnerability causes and impact analysis.