一种基于匹配字符串地址判定ARM固件装载基址的方法

固件是嵌入式系统的灵魂,当对固件进行安全检测或者深入理解固件中的运行机制时,对固件进行反汇编是一个必经的步骤.对固件反汇编时,首先要确定固件的装载基址及其运行环境的处理器类型.通常我们可以通过拆解硬件设备或者查阅产品手册获得处理器类型,但目前尚没有自动化工具可获知固件的装载基址.鉴于目前大部分嵌入式系统中的处理器为ARM类型,本文以ARM固件为研究目标,提出了一种自动化方法来判定固件的装载基址.首先通过研究固件中字符串的存储规律及其加载方式,提出了两个算法可分别求出固件中字符串偏移量和LDR指令加载的字符串地址.然后利用这些字符串信息,提出了DBMAS(Determining image Base by Matching Addresses of Strings)算法来判定固件的装载基址.实验证明本文提出的方法可以成功判定使用LDR指令加载字符串地址的固件装载基址.

Determining Image Base of ARM Firmware Based on Matching String Addresses

Firmware is the soul of an embedded system,and disassembly is a necessary step to understand the operational mechanism or detect the vulnerabilities of the firmware.When disassembling a firmware,it should first determine the processor type of running environment and the image base of firmware.In general,the processor type can be got by tearing down the device or consulting the product manual.However,at present there is still no automated tool that can be used to obtain the image base of firmware.Since the processors of majority embedded systems are ARM architecture,in this paper we focus on the firmwares in ARM and propose an automated method to determine the base address.Firstly,by studying the storage rule and loading mode of the string we present two algorithms to calculate the string offset and the string address loaded by LDR instruction.Then with these information,we proposed a DBMAS (Determining image Base by Matching Addresses of Strings) algorithm to determine the image base.Experimental results indicate the proposed method can successfully determine the image base of firmware that uses the LDR instruction to load string address.