...

(1) where each constant k_i is set to maximize the parsing detection capabilities (k_bb = 0.5, k_br = 0.4, k_cmp = 0.7), whereas k_n and k_c promote functions that refer to network-encoding keywords and binaries that parse network data, respectively. The optimal values for the last two constants are found empirically. Finally, ps_j is the parsing score of the j-th function of b. Note that we introduce our two features as multipliers in order to highlight input-affected network parsers.

Since all binaries are likely to have a score greater than zero, we need to distinguish and separate the “most significant” scores. To this end, we leverage the DBSCAN density-based clustering algorithm, which groups binaries whose scores are closely packed together. Then, we select the cluster that contains the binary having the highest parsing score in the Firmware sample, and consider all the binaries belonging to the cluster as the initial set of network-facing binaries.

Finally, the algorithm implemented by this module returns the unpacked Firmware sample, the set of identified network-facing binaries, and the program locations containing memory comparisons against network-encoding keywords. These memory comparisons represent the program locations where attacker-controlled data is more likely to be referenced.
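The cluster-selection step described above, sketched as an added example (not Firmware Reviewer's own code). It takes already-computed per-binary parsing scores as input, since equation (1) is not reproduced here; the binary names, the scores, and the DBSCAN parameters `eps` and `min_pts` are constructed assumptions.

```python
# Added illustration: 1-D DBSCAN over per-binary parsing scores.
# Scores, binary names, eps and min_pts are constructed assumptions.

def dbscan_1d(values, eps, min_pts):
    """Label each value with a cluster id; -1 marks noise."""
    n = len(values)
    # eps-neighbourhood of every point (a point counts as its own neighbour)
    near = [[j for j in range(n) if abs(values[i] - values[j]) <= eps]
            for i in range(n)]
    labels = [None] * n
    cluster = -1
    for i in range(n):
        if labels[i] is not None:
            continue
        if len(near[i]) < min_pts:       # not a core point: noise for now
            labels[i] = -1
            continue
        cluster += 1                     # i is a core point: start a cluster
        labels[i] = cluster
        queue = list(near[i])
        while queue:
            j = queue.pop()
            if labels[j] == -1:          # noise reachable from a core point
                labels[j] = cluster      # becomes a border point
            if labels[j] is not None:
                continue
            labels[j] = cluster
            if len(near[j]) >= min_pts:  # expand only through core points
                queue.extend(near[j])
    return labels

def network_facing(scores, eps=2.0, min_pts=2):
    """Return the binaries clustered with the highest-scoring binary."""
    names = list(scores)
    labels = dbscan_1d([scores[b] for b in names], eps, min_pts)
    top = max(range(len(names)), key=lambda i: scores[names[i]])
    if labels[top] == -1:                # top score is isolated: keep it alone
        return {names[top]}
    return {b for b, lab in zip(names, labels) if lab == labels[top]}

# Constructed sample: parsing score per binary of one unpacked firmware image
SCORES = {"httpd": 41.2, "upnpd": 39.8, "cgi_handler": 38.9,
          "busybox": 6.1, "dnsmasq": 5.4, "ntpclient": 4.9, "ls_wrapper": 0.7}

if __name__ == "__main__":
    print(sorted(network_facing(SCORES)))
```

The choice of `eps` decides how far below the top score a binary can sit and still be treated as network-facing, so it should be tuned against firmware images whose network-facing binaries are already known.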

DISCLAIMER: Firmware Reviewer never operates on physical devices.

COPYRIGHT (C) 2014-2020 SECURITY REVIEWER SRL. ALL RIGHTS RESERVED.

...