Strcmp-like Function Identification Method Based on Data Flow Feature Matching

• Published in: Ji suan ji ke xue Vol. 49; no. 9; pp. 326 - 332
• Main Authors: Hu, An-xiang, Yin, Xiao-kang, Zhu, Xiao-ya, Liu, Sheng-li
• Format: Journal Article
• Language: Chinese
• Published: Chongqing Guojia Kexue Jishu Bu 01.09.2022; Editorial office of Computer Science
• Subjects: Binary codes; Electronic devices; Embedded systems; Flow characteristics; function identification|data flow analysis|feature matching|strcmp-like function|binary program; Identification methods; Intermediate languages; Matching; Passwords; Source code
• ISSN: 1002-137X
• DOI: 10.11896/jsjkx.220200163

Embedded devices have become visible everywhere, and they are used in a range of security-critical and privacy-sensitive applications.However, recent studies show that many embedded devices have backdoor, of which hard-coded backdoor（password backdoor） is the most common.In the triggering process of password backdoor, strcmp-like functions are necessary and important absolutely.However, the current identification of strcmp-like functions mainly relies on function signature and control flow feature matching.The former can't recognize user-defined strcmp-like functions, and the identify effect is greatly affected by the compile environment.The latter has high false positive rate and false negative rate.To solve the above problems, this paper proposes a novel strcmp-like recognition technology CMPSeek.This method builds a model for strcmp-like function identification based on the analysis of control flow and data flow characteristics, which is used to identify strcmp-like functions in binary programs, and is sui