Comprehensive IoT Firmware Characterization Based on a Large-Scale Firmware Dataset

Comprehensive IoT Firmware Characterization Based on a Large-Scale Firmware Dataset

연구 분야: Analysis

학회: ICCSIE '24: Proceedings of the 2024 9th International Conference on Cyber Security and Information Engineering

With the development of Internet of Things (IoT) technology, the number and complexity of IoT devices have increased rapidly. As the basic enabling software of IoT devices, firmware provides rich functions such as communication, collection and management. Nevertheless, developers do not fully consider security when developing firmware, leaving the firmware vulnerable to exploitation by malware. IoT firmware security analysis has become the focus of research. However, existing works for the security of firmware pay less attention to nested third-party components (TPCs) including the TPCs directly and indirectly referenced. Meanwhile, these works lack a quantitatively analysis of the complexity brought by TPCs to firmware. In this paper, we propose a nested TPCs identification method and introduce firmware complexity metric at the firmware supply chain level. Then, we propose FirmRadar to automatically and comprehensively analyze IoT firmware characterization, including basic information, TPC characterization, CVE characterization and firmware complexity metric. Based on FirmRadar, we conduct a large-scale analysis of 11,988 firmware from 14 vendors. We successfully identify 5,365 TPCs and detect 516,280 potential vulnerabilities caused by 590 CVEs. We further find that although firmware may reference a large number of TPCs, most of the vulnerabilities are concentrated on a few TPCs. Moreover, by analyzing the nested TPCs in firmware, we discover that the number of TPCs directly referenced is less than the number of TPCs indirectly referenced. Finally, we quantitatively analyze firmware complexity metric of each vendor and find that the firmware referencing more TPCs and TPCs functions does not always contain more vulnerabilities.