Semantic-Enhanced Static Vulnerability Detection in Baseband Firmware.

Saved in:
Bibliographic Details
Title: Semantic-Enhanced Static Vulnerability Detection in Baseband Firmware.
Authors: Liu, Yiming1,2,3,4 liuyiming@iie.ac.cn, Zhang, Cen5 cen001@e.ntu.edu.sg, Li, Feng1,2,3,4 lifeng@iie.ac.cn, Li, Yeting1,2,3,4 liyeting@iie.ac.cn, Zhou, Jianhua1,2,3,4 zhoujianhua@iie.ac.cn, Wang, Jian1,2,3,4 wangjian411x@iie.ac.cn, Zhan, Lanlan1,2,3,4 zhanlanlan@iie.ac.cn, Liu, Yang5 yangliu@ntu.edu.sg, Huo, Wei1,2,3,4 huowei@iie.ac.cn
Source: ICSE: International Conference on Software Engineering. 2024, p1-12. 12p.
Subjects: Semantics, Computer firmware, Mobile communication systems, Detectors, Data analysis
Abstract: Cellular network is the infrastructure of mobile communication. Baseband firmware, which carries the implementation of cellular network, has critical security impact on its vulnerabilities. To handle the inherent complexity in cellular communication, cellular protocols are usually implemented as message-centric systems, containing the common message processing phase and message specific handling phase. Though the latter takes most of the code (99.67%) and exposed vulnerabilities (74%), it is rather under-studied: existing detectors either cannot sufficiently analyze it or focused on analyzing the former phase. To fill this gap, we proposed a novel semantic-enhanced static vulnerability detector named BVFinder focusing on message specific phase vulnerability detection. Generally, it identifies a vulnerability by locating whether a predefined sensitive memory operation is tainted by any attacker-controllable input. Specifically, to reach high automation and preciseness, it made two key improvements: a semantic-based taint source identification and an enhanced taint propagation. The former employs semantic search techniques to identify registers and memory offsets that carry attacker-controllable inputs. This is achieved by matching the inputs to their corresponding message and data types using textual features and addressing patterns within the assemblies. On the other hand, the latter technology guarantees effective taint propagation by employing additional indirect call resolution algorithms. The evaluation shows that BVFinder outperforms the state-of-the-art detectors by detecting three to four times of amount of vulnerabilities in the dataset. Till now, BVFinder has found four zero-day vulnerabilities, with four CVEs and 12,410 USD bounty assigned. These vulnerabilities can potentially cause remote code execution to phones using Samsung shannon baseband, affecting hundreds of millions of end devices. [ABSTRACT FROM AUTHOR]
Copyright of ICSE: International Conference on Software Engineering is the property of Association for Computing Machinery and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)
Database: Engineering Source
Full text is not displayed to guests.
FullText Links:
  – Type: pdflink
Text:
  Availability: 1
Header DbId: egs
DbLabel: Engineering Source
An: 185196438
AccessLevel: 6
PubType: Conference
PubTypeId: conference
PreciseRelevancyScore: 0
IllustrationInfo
Items – Name: Title
  Label: Title
  Group: Ti
  Data: Semantic-Enhanced Static Vulnerability Detection in Baseband Firmware.
– Name: Author
  Label: Authors
  Group: Au
  Data: <searchLink fieldCode="AR" term="%22Liu%2C+Yiming%22">Liu, Yiming</searchLink><relatesTo>1,2,3,4</relatesTo><i> liuyiming@iie.ac.cn</i><br /><searchLink fieldCode="AR" term="%22Zhang%2C+Cen%22">Zhang, Cen</searchLink><relatesTo>5</relatesTo><i> cen001@e.ntu.edu.sg</i><br /><searchLink fieldCode="AR" term="%22Li%2C+Feng%22">Li, Feng</searchLink><relatesTo>1,2,3,4</relatesTo><i> lifeng@iie.ac.cn</i><br /><searchLink fieldCode="AR" term="%22Li%2C+Yeting%22">Li, Yeting</searchLink><relatesTo>1,2,3,4</relatesTo><i> liyeting@iie.ac.cn</i><br /><searchLink fieldCode="AR" term="%22Zhou%2C+Jianhua%22">Zhou, Jianhua</searchLink><relatesTo>1,2,3,4</relatesTo><i> zhoujianhua@iie.ac.cn</i><br /><searchLink fieldCode="AR" term="%22Wang%2C+Jian%22">Wang, Jian</searchLink><relatesTo>1,2,3,4</relatesTo><i> wangjian411x@iie.ac.cn</i><br /><searchLink fieldCode="AR" term="%22Zhan%2C+Lanlan%22">Zhan, Lanlan</searchLink><relatesTo>1,2,3,4</relatesTo><i> zhanlanlan@iie.ac.cn</i><br /><searchLink fieldCode="AR" term="%22Liu%2C+Yang%22">Liu, Yang</searchLink><relatesTo>5</relatesTo><i> yangliu@ntu.edu.sg</i><br /><searchLink fieldCode="AR" term="%22Huo%2C+Wei%22">Huo, Wei</searchLink><relatesTo>1,2,3,4</relatesTo><i> huowei@iie.ac.cn</i>
– Name: TitleSource
  Label: Source
  Group: Src
  Data: <searchLink fieldCode="JN" term="%22ICSE%3A+International+Conference+on+Software+Engineering%22">ICSE: International Conference on Software Engineering</searchLink>. 2024, p1-12. 12p.
– Name: Subject
  Label: Subjects
  Group: Su
  Data: <searchLink fieldCode="DE" term="%22Semantics%22">Semantics</searchLink><br /><searchLink fieldCode="DE" term="%22Computer+firmware%22">Computer firmware</searchLink><br /><searchLink fieldCode="DE" term="%22Mobile+communication+systems%22">Mobile communication systems</searchLink><br /><searchLink fieldCode="DE" term="%22Detectors%22">Detectors</searchLink><br /><searchLink fieldCode="DE" term="%22Data+analysis%22">Data analysis</searchLink>
– Name: Abstract
  Label: Abstract
  Group: Ab
  Data: Cellular network is the infrastructure of mobile communication. Baseband firmware, which carries the implementation of cellular network, has critical security impact on its vulnerabilities. To handle the inherent complexity in cellular communication, cellular protocols are usually implemented as message-centric systems, containing the common message processing phase and message specific handling phase. Though the latter takes most of the code (99.67%) and exposed vulnerabilities (74%), it is rather under-studied: existing detectors either cannot sufficiently analyze it or focused on analyzing the former phase. To fill this gap, we proposed a novel semantic-enhanced static vulnerability detector named BVFinder focusing on message specific phase vulnerability detection. Generally, it identifies a vulnerability by locating whether a predefined sensitive memory operation is tainted by any attacker-controllable input. Specifically, to reach high automation and preciseness, it made two key improvements: a semantic-based taint source identification and an enhanced taint propagation. The former employs semantic search techniques to identify registers and memory offsets that carry attacker-controllable inputs. This is achieved by matching the inputs to their corresponding message and data types using textual features and addressing patterns within the assemblies. On the other hand, the latter technology guarantees effective taint propagation by employing additional indirect call resolution algorithms. The evaluation shows that BVFinder outperforms the state-of-the-art detectors by detecting three to four times of amount of vulnerabilities in the dataset. Till now, BVFinder has found four zero-day vulnerabilities, with four CVEs and 12,410 USD bounty assigned. These vulnerabilities can potentially cause remote code execution to phones using Samsung shannon baseband, affecting hundreds of millions of end devices. [ABSTRACT FROM AUTHOR]
– Name: AbstractSuppliedCopyright
  Label:
  Group: Ab
  Data: <i>Copyright of ICSE: International Conference on Software Engineering is the property of Association for Computing Machinery and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract.</i> (Copyright applies to all Abstracts.)
PLink https://search.ebscohost.com/login.aspx?direct=true&site=eds-live&db=egs&AN=185196438
RecordInfo BibRecord:
  BibEntity:
    Identifiers:
      – Type: doi
        Value: 10.1145/3597503.3639158
    Languages:
      – Code: eng
        Text: English
    PhysicalDescription:
      Pagination:
        PageCount: 12
        StartPage: 1
    Subjects:
      – SubjectFull: Semantics
        Type: general
      – SubjectFull: Computer firmware
        Type: general
      – SubjectFull: Mobile communication systems
        Type: general
      – SubjectFull: Detectors
        Type: general
      – SubjectFull: Data analysis
        Type: general
    Titles:
      – TitleFull: Semantic-Enhanced Static Vulnerability Detection in Baseband Firmware.
        Type: main
  BibRelationships:
    HasContributorRelationships:
      – PersonEntity:
          Name:
            NameFull: Liu, Yiming
      – PersonEntity:
          Name:
            NameFull: Zhang, Cen
      – PersonEntity:
          Name:
            NameFull: Li, Feng
      – PersonEntity:
          Name:
            NameFull: Li, Yeting
      – PersonEntity:
          Name:
            NameFull: Zhou, Jianhua
      – PersonEntity:
          Name:
            NameFull: Wang, Jian
      – PersonEntity:
          Name:
            NameFull: Zhan, Lanlan
      – PersonEntity:
          Name:
            NameFull: Liu, Yang
      – PersonEntity:
          Name:
            NameFull: Huo, Wei
    IsPartOfRelationships:
      – BibEntity:
          Dates:
            – D: 01
              M: 05
              Text: 2024
              Type: published
              Y: 2024
          Titles:
            – TitleFull: ICSE: International Conference on Software Engineering
              Type: main
ResultId 1