
Research on Key Techniques for Firmware Code Reverse Analysis

(English title as listed: Research on Key Techniques for Firm-Code Reverse Analysis)

【Author】 蒋烈辉 (Jiang Liehui)

【Advisor】 赵荣彩 (Zhao Rongcai)

【Author information】 解放军信息工程大学 (PLA Information Engineering University), Computer Software and Theory, 2007, doctoral dissertation

【Abstract】 Firmware code reverse analysis is an important branch of software reverse engineering. By identifying the processor type of the executable code burned into a device, restoring its format and analyzing its structure, the logic and function of the firmware can be interpreted; this helps to analyze the construction principles and techniques of the device and improves the ability to dissect its software system. In particular, as network technology develops and network cryptography is widely deployed, reverse analysis of key network devices such as routers and encryption/decryption systems is of importance to national security and information acquisition.

The core component of an embedded electronic device is its processor. Because embedded technology is applied so widely and unpredictably, the choice of processor varies greatly, so firmware reverse analysis methods and tools must cope with multiple processors and multiple instruction sets. On the other hand, as processor types keep multiplying, the uncertainty about which processor an analyst will face keeps growing, so code analysis tools must be extensible, and in particular extensible by the user. However, none of the commercial executable-format restoration tools or code-structure analysis techniques adapt well to multiple processors and instruction sets; they are weak at presenting code structure visually and at supporting interactive structure analysis, they are not user-extensible, and no public results have been reported on instruction-set identification.

To address these problems, the dissertation explores the theory and techniques of firmware code reverse analysis and, in particular, gives effective solutions for several practical key techniques:

1. Based on an analysis of mainstream processors and instruction-set architectures, a template for representing processor architecture and instruction sets based on multidimensional variable description tables is proposed, and database technology is used to manage the processor architecture information and instruction sets. This solves the applicability problem across multiple processors and instruction sets and ensures that a firmware reverse analysis system built on it is user-extensible.

2. Based on a study of the structural characteristics of firmware code, a disassembly strategy is proposed that combines a program static flow traversal graph with a program flow implication graph, and a disassembly engine based on instruction grouping and hash matching is designed, improving both the speed and the correctness of firmware disassembly.

3. A representation of subroutine structure and subroutine call relationships as multi-linked lists displayed as a hierarchical structure tree is proposed, and algorithms for extracting and adjusting code structure and flow are designed. The visual hierarchical display lets the user analyze code logic and function interactively, making the analysis process more intuitive.

4. Building on the inherent features embedded in firmware code, a code feature model suited to instruction-set identification is established, and a feature extraction algorithm and an instruction-set identification algorithm based on multi-attribute decision making are designed; these effectively resolve the unknown-processor problem encountered when dissecting electronic devices.

The dissertation also presents the practical verification environment for these key techniques; the results show that the proposed solutions are effective and practical.
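
As an added worked example (not code from the dissertation), the following Python sketch shows the two ideas behind contributions 1 and 2 in working form: instruction forms are rows of a description table (mask, pattern, operand fields, control-flow kind) rather than hand-written decoder code, so another processor is supported by supplying another table; and disassembly follows control flow from an entry point instead of sweeping linearly, so data words interleaved with code are never decoded as instructions. The ARM A32 subset, the row layout and the hand-assembled image are assumptions made for the illustration; the dissertation's own static flow traversal graph, flow implication graph and hash-matching engine are not reproduced here.

```python
"""Table-driven instruction decoding plus flow-following disassembly over a
small ARM (A32) subset. Added illustration, not the dissertation's engine."""
import struct
from dataclasses import dataclass


@dataclass
class Row:
    """One row of the instruction description table (assumed layout)."""
    mnemonic: str
    mask: int        # bits that identify the form (condition field excluded)
    pattern: int
    fields: dict     # operand name -> (lsb, width)
    flow: str        # 'normal' | 'branch' | 'call' | 'return': drives traversal
    fmt: str


# The decoder below is generic; supporting another processor means supplying
# another table like this one (the dissertation keeps such tables in a database).
ARM_A32 = [
    Row("push", 0x0FFFFFFF, 0x052DE004, {}, "normal", "push {{lr}}"),
    Row("pop",  0x0FFFFFFF, 0x049DF004, {}, "return", "pop {{pc}}"),
    Row("bx",   0x0FFFFFF0, 0x012FFF10, {"rm": (0, 4)}, "return", "bx r{rm}"),
    Row("bl",   0x0F000000, 0x0B000000, {"imm24": (0, 24)}, "call", "bl 0x{target:x}"),
    Row("b",    0x0F000000, 0x0A000000, {"imm24": (0, 24)}, "branch", "b 0x{target:x}"),
    Row("mov",  0x0FFF0000, 0x03A00000, {"rd": (12, 4), "imm12": (0, 12)}, "normal", "mov r{rd}, #{imm}"),
    Row("add",  0x0FE00000, 0x02800000, {"rd": (12, 4), "rn": (16, 4), "imm12": (0, 12)},
        "normal", "add r{rd}, r{rn}, #{imm}"),
]


def bits(word, lsb, width):
    return (word >> lsb) & ((1 << width) - 1)


def decode(word, addr, table=ARM_A32):
    """Match the word against the table; return (row, operands) or (None, {})."""
    for row in table:
        if word & row.mask != row.pattern:
            continue
        ops = {n: bits(word, lsb, w) for n, (lsb, w) in row.fields.items()}
        ops["cond"] = bits(word, 28, 4)
        if "imm24" in ops:   # branch offset: signed, word-scaled, PC reads as addr + 8
            off = ops["imm24"] - (1 << 24 if ops["imm24"] & 0x800000 else 0)
            ops["target"] = (addr + 8 + off * 4) & 0xFFFFFFFF
        if "imm12" in ops:   # data-processing immediate: 8 bits rotated right by 2*rot
            rot, imm8 = 2 * (ops["imm12"] >> 8), ops["imm12"] & 0xFF
            ops["imm"] = ((imm8 >> rot) | (imm8 << (32 - rot))) & 0xFFFFFFFF
        return row, ops
    return None, {}


def disassemble(image, entry, table=ARM_A32):
    """Follow control flow from `entry`: only reachable words are decoded, so
    data interleaved with code is not mistaken for instructions."""
    listing, subroutines, worklist = {}, {entry}, [entry]
    while worklist:
        addr = worklist.pop()
        while addr not in listing and 0 <= addr <= len(image) - 4:
            word = struct.unpack_from("<I", image, addr)[0]
            row, ops = decode(word, addr, table)
            if row is None:
                listing[addr] = f".word 0x{word:08x}"   # undecodable: this path ends
                break
            listing[addr] = row.fmt.format(**ops)
            if row.flow == "return":
                break
            if row.flow in ("call", "branch"):
                worklist.append(ops["target"])
                if row.flow == "call":
                    subroutines.add(ops["target"])
                elif ops["cond"] == 0xE:              # unconditional branch: no fall-through
                    break
            addr += 4
    return listing, subroutines


def linear_sweep(image, table=ARM_A32):
    """Decode every word in order, for comparison with flow-following."""
    out = {}
    for addr in range(0, len(image) - 3, 4):
        word = struct.unpack_from("<I", image, addr)[0]
        row, ops = decode(word, addr, table)
        out[addr] = row.fmt.format(**ops) if row else f".word 0x{word:08x}"
    return out


# Constructed image (hand-assembled for this example, not from a real device):
# a caller at 0x00, four words of data at 0x10, the callee at 0x20.
FIRMWARE = struct.pack("<11I",
    0xE52DE004, 0xEB000005, 0xE3A00000, 0xE49DF004,   # push {lr}; bl 0x20; mov r0,#0; pop {pc}
    0xDEADBEEF, 0x41414141, 0x00000000, 0x00000000,   # data, not code
    0xE3A00001, 0xE2800002, 0xE12FFF1E)               # mov r0,#1; add r0,r0,#2; bx lr

if __name__ == "__main__":
    code, subs = disassemble(FIRMWARE, 0)
    print("subroutines:", [hex(s) for s in sorted(subs)])
    for a in sorted(code):
        print(f"{a:08x}  {code[a]}")
    print("linear sweep at 0x10:", linear_sweep(FIRMWARE)[0x10])
```

Flow-following produces a listing for 0x00-0x0C and 0x20-0x28 only and discovers the callee at 0x20 as a subroutine, whereas the linear sweep also reports the data words at 0x10-0x1C. The `flow` column is what makes the traversal table-driven: a new processor's branch, call and return forms are declared in its table, and the traversal loop does not change.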

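Contribution 4 describes identifying the instruction set from features inherent in the code. The following added example (not the dissertation's model) shows the general shape of such a classifier: extract per-word rates of idioms that are frequent in one ISA's code and rare in arbitrary data, score each candidate ISA with a weighted sum over those attributes, and refuse to decide when the best score is weak or its margin over the runner-up is small. The feature set, weights, thresholds and the three hand-assembled samples are assumptions chosen for the illustration.

```python
"""Instruction-set identification from raw firmware bytes by feature extraction
plus weighted multi-attribute scoring. Added example; the features and weights
are illustrative assumptions, not the dissertation's model."""
import struct


def _words(img, endian):
    n = len(img) // 4
    return [struct.unpack_from(endian + "I", img, i * 4)[0] for i in range(n)]


def extract_features(img: bytes) -> dict:
    """Rates (per 4-byte word, in [0, 1]) of patterns that are common in one
    ISA's code and rare in arbitrary data."""
    n = max(len(img) // 4, 1)
    le, be = _words(img, "<"), _words(img, ">")
    return {
        # A32 little-endian: nearly every instruction carries condition AL (0xE)
        "arm_cond_al": sum(w >> 28 == 0xE for w in le) / n,
        # 'bx lr' or 'ldmia sp!, {..., pc}': function-return idioms
        "arm_return": sum(w == 0xE12FFF1E or (w & 0x0FFF8000) == 0x08BD8000 for w in le) / n,
        # MIPS32 big-endian: addiu sp,sp,imm and lw/sw rt,off(sp) frame traffic
        "mips_sp_frame": sum((w & 0xFFFF0000) == 0x27BD0000
                             or (w & 0xFFE00000) in (0xAFA00000, 0x8FA00000) for w in be) / n,
        # 'jr ra'
        "mips_return": sum(w == 0x03E00008 for w in be) / n,
        # x86: frame-pointer prologues (32- and 64-bit) and 'ret'
        "x86_prologue": sum(img.count(p) for p in (b"\x55\x89\xe5", b"\x55\x8b\xec", b"\x55\x48\x89\xe5")) / n,
        "x86_ret": img.count(b"\xc3") / n,
    }


# Attribute weights per candidate ISA. Assumed values for this example; a real
# model would be fitted on a corpus of known firmware.
PROFILES = {
    "arm-le":  {"arm_cond_al": 1.0, "arm_return": 2.0},
    "mips-be": {"mips_sp_frame": 2.0, "mips_return": 3.0},
    "x86":     {"x86_prologue": 3.0, "x86_ret": 1.0},
}


def identify(img: bytes, threshold=0.2, margin=0.1):
    """Weighted multi-attribute score per ISA; 'unknown' when no candidate is
    both strong enough and clearly ahead of the runner-up."""
    f = extract_features(img)
    scores = {isa: sum(w * f[k] for k, w in ws.items()) for isa, ws in PROFILES.items()}
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    (best, best_score), (_, second_score) = ranked[0], ranked[1]
    if best_score < threshold or best_score - second_score < margin:
        return "unknown", scores
    return best, scores


# Constructed samples (hand-assembled for this example, not from real devices).
ARM_SAMPLE = struct.pack("<11I", 0xE52DE004, 0xEB000005, 0xE3A00000, 0xE49DF004,
                         0xDEADBEEF, 0x41414141, 0, 0,
                         0xE3A00001, 0xE2800002, 0xE12FFF1E)
MIPS_SAMPLE = struct.pack(">10I", 0x27BDFFE0, 0xAFBF001C, 0x0C000010, 0,
                          0x8FBF001C, 0x27BD0020, 0x03E00008, 0,
                          0x03E00008, 0x27BD0008)
X86_SAMPLE = bytes.fromhex("5589e583ec10e80500000031c0c9c35589e55dc390909090")
ZEROS = bytes(64)   # no code at all: the classifier must not guess

if __name__ == "__main__":
    for name, sample in (("arm", ARM_SAMPLE), ("mips", MIPS_SAMPLE),
                         ("x86", X86_SAMPLE), ("zeros", ZEROS)):
        verdict, scores = identify(sample)
        print(f"{name:6s} -> {verdict:8s} {{{', '.join(f'{k}: {v:.2f}' for k, v in scores.items())}}}")
```

Two details matter in practice. First, the features are endianness-aware: the MIPS sample, read as little-endian words, still yields some words with a top nibble of 0xE (a negative `addiu sp` immediate reversed), which is why the ARM profile leans on the return idiom as a second attribute rather than on the condition field alone. Second, the all-zero image scores zero for every ISA and is reported as unknown; a classifier that always names a winner is worse than one that admits it cannot tell.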