Stringer: Measuring the Importance of Static Data Comparisons to Detect Backdoors and Undocumented Functionality

  • Sam L. Thomas
  • Tom Chothia
  • Flavio D. Garcia
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10493)


Finding undocumented functionality in commercial off-the-shelf (COTS) device firmware is an important and challenging task. This paper proposes a new static analysis method that measures the influence individual pieces of static data (such as strings) have upon the control flow of binaries in firmware. Our method automatically identifies static data comparison functions within binaries, then labels each function’s basic blocks with the set of sequences of static data that must be matched against to reach them. Using these sets, it then assigns a score to each function, which measures the extent to which the function’s branching is influenced by static data. Special keywords triggering backdoor functionality will have a large impact on the program flow. This allows us to identify three authentication backdoors, two of which were previously undocumented. Moreover, we show our method is effective in aiding the recovery of both previously known and proprietary text-based protocols. We have developed a tool, Stringer, which implements our technique; we demonstrate the effectiveness of our approach as well as its applicability to lightweight analysis by running it on a data set of 2,451,532 binaries from 30 different COTS device vendors.
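The abstract describes labelling each basic block with the sequences of static strings that must be matched to reach it, then scoring the function by how much of its branching depends on that data. The following is an added toy illustration, not Stringer's code: the control-flow graph, the string values and the scoring rule (fraction of blocks reachable only after a string match) are all constructed assumptions, since the paper's actual score is not given on this page.

```python
from collections import deque

# Constructed CFG for one function: block -> [(successor, matched_string)].
# matched_string is the static string whose comparison must succeed for the
# edge to be taken; None marks an edge not controlled by static data.
CFG = {
    "entry":    [("chk_auth", None)],
    "chk_auth": [("chk_cmd", "AUTH"), ("reject", None)],
    "chk_cmd":  [("do_get", "GET"), ("do_set", "SET"),
                 ("do_dbg", "DEBUGKEY"), ("reject", None)],
    "do_get":   [("exit", None)],
    "do_set":   [("exit", None)],
    "do_dbg":   [("exit", None)],
    "reject":   [("exit", None)],
    "exit":     [],
}

def label_blocks(cfg, entry, max_len=8):
    """Label each block with the set of static-string sequences (as tuples)
    that are matched along some path from entry to that block. Sequences are
    capped at max_len so string comparisons inside loops still terminate."""
    labels = {block: set() for block in cfg}
    seen = {(entry, ())}
    work = deque([(entry, ())])
    while work:
        block, seq = work.popleft()
        labels[block].add(seq)
        for succ, s in cfg[block]:
            nxt = seq if s is None else seq + (s,)
            if len(nxt) > max_len or (succ, nxt) in seen:
                continue
            seen.add((succ, nxt))
            work.append((succ, nxt))
    return labels

def gated_blocks(labels):
    """Blocks that cannot be reached without matching at least one string."""
    return {b for b, seqs in labels.items()
            if seqs and all(len(q) > 0 for q in seqs)}

def static_data_score(cfg, entry):
    """Assumed scoring rule (not the paper's): fraction of blocks gated by
    static data; a high value flags functions worth triaging for hidden commands."""
    return len(gated_blocks(label_blocks(cfg, entry))) / len(cfg)

if __name__ == "__main__":
    print(sorted(gated_blocks(label_blocks(CFG, "entry"))))
    print("score:", static_data_score(CFG, "entry"))
```

The `reject` and `exit` blocks are deliberately not gated, because an unconditional path reaches them; only the command handlers sit behind a mandatory string match.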



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Sam L. Thomas (1)
  • Tom Chothia (1)
  • Flavio D. Garcia (1)

  1. School of Computer Science, University of Birmingham, Birmingham, UK
