Function-call Instruction Characteristic Analysis Based Instruction Set Architecture Recognization Method for Firmwares
The recognition of instruction set architecture is a crucial task for conducting security research on embedded devices, and has significant implications. However, existing studies and tools often suffer from low recognition accuracy and high false positive rates when identifying the firmware instruction set architecture of specific types of embedded devices. To address this issue, a new method for recognizing firmware instruction set architecture based on feature analysis of function call instructions is proposed. It identifies function call instructions in the target firmware by simultaneously utilizing the information contained in the operation codes and operands of the instructions, and uses them as key features to classify different instruction set architectures. A prototype system called EDFIR (embedded device firmware instruction set recognizer) has been developed based on this method. Experimental results show that compared to currently widely used and state-of-the-art tools such as IDA Pro, Ghidra, Radare2, Binwalk, and ISA detect, the proposed method has higher recognition accuracy, lower false positive rates, and stronger anti-interference capabilities. It achieves a recognition accuracy of 97.9% on 1000 real device firmwares, which is 42.5% higher than the best performing ISA detect. Furthermore, experiments demonstrate that even when the analysis scale is reduced to 1/50 of the complete firmware, it can still maintain a recognition accuracy of 95.31%, indicating an excellent recognition performance.
Instruction set architecture; Classification techniques; Reverse analysis engineering; Embedded device security; Static analysis
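A simplified sketch of the idea in the abstract, added here as an illustration and not EDFIR's own code: candidate call instructions are found by opcode, and their operands are used as a consistency check. The abstract does not say how operands are used; counting only call sites whose computed target is also reached from another site is an assumption of this example, as are the four candidate ISAs, the function names and the constructed sample images.

```python
import struct
from collections import Counter

def _sx(value, bits):
    """Sign-extend a bits-wide field."""
    return value - (1 << bits) if value & (1 << (bits - 1)) else value

# Each decoder returns the call target of 32-bit word w at offset pc, or None.
def _arm_bl(w, pc):    # ARM A32, cond=AL: BL imm24 -> pc + 8 + imm24*4
    return pc + 8 + (_sx(w & 0xFFFFFF, 24) << 2) if w >> 24 == 0xEB else None

def _mips_jal(w, pc):  # MIPS32, opcode 3: JAL index26 -> region | index*4
    return ((pc + 4) & 0xF0000000) | ((w & 0x3FFFFFF) << 2) if w >> 26 == 3 else None

def _ppc_bl(w, pc):    # PowerPC, opcode 18 with AA=0, LK=1: bl -> pc + LI
    return pc + _sx(w & 0x03FFFFFC, 26) if w & 0xFC000003 == 0x48000001 else None

CANDIDATES = {"arm-le": ("<", _arm_bl), "mips-be": (">", _mips_jal),
              "mips-le": ("<", _mips_jal), "ppc-be": (">", _ppc_bl)}

def call_scores(blob):
    """Per candidate ISA, count call sites whose target another site also calls."""
    n, scores = len(blob) // 4, {}
    for name, (endian, decode) in CANDIDATES.items():
        words = struct.unpack(f"{endian}{n}I", blob[:n * 4])
        targets = [t for i, w in enumerate(words)
                   if (t := decode(w, i * 4)) is not None]
        hits = Counter(targets)
        scores[name] = sum(1 for t in targets if hits[t] > 1)
    return scores

def guess_isa(blob, min_calls=3):
    """Best-scoring candidate, or None when too few consistent calls exist."""
    scores = call_scores(blob)
    best = max(scores, key=scores.get)
    return best if scores[best] >= min_calls else None

def sample(isa):
    """Constructed 256-byte image: NOPs plus three calls to offset 0xC0."""
    nop, endian = (0xE1A00000, "<") if isa == "arm" else (0x00000000, ">")
    words = [nop] * 64
    for pc in (0x10, 0x40, 0x80):
        call = (0xEB000000 | ((0xC0 - pc - 8) >> 2) if isa == "arm"
                else 0x0C000000 | (0xC0 >> 2))
        words[pc // 4] = call
    return struct.pack(f"{endian}64I", *words)

if __name__ == "__main__":
    for isa in ("arm", "mips"):
        print(isa, call_scores(sample(isa)), guess_isa(sample(isa)))
```

In the constructed ARM image, one BL word read big-endian happens to carry the MIPS JAL opcode; because no other site shares its target, the operand check leaves the MIPS score at zero, which is the kind of false hit an opcode-only match would count.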