SaTC: Shared-Keyword Aware Taint Checking for Detecting Bugs in Embedded Systems

IEEE Transactions on Dependable and Secure Computing (2023)

IoT devices have brought invaluable convenience to our daily life. However, their pervasiveness also amplifies the impact of security vulnerabilities. Many widespread vulnerabilities of embedded systems reside in their vulnerable border services. Unfortunately, existing vulnerability detection methods can neither effectively nor efficiently analyze such border services: they either introduce heavy execution overheads or produce many false positives and false negatives. In this paper, we propose a novel static taint checking solution, SaTC, to effectively detect security vulnerabilities in the border services provided by embedded devices. Our key insight is that string literals on border interfaces are commonly shared between front-end files and back-end binaries to encode user input. Thus, we extract common keywords from the front-end and use them to locate reference points in the back-end, which indicate the input entry. Then, we apply targeted data-flow analysis to accurately detect dangerous uses of the untrusted user input. We implemented a prototype of SaTC and evaluated it on 39 firmware samples from six popular vendors. SaTC discovered 36 unknown bugs, 33 of which have been confirmed by CVE/CNVD/PSV. Compared to the state-of-the-art tool KARONTE, SaTC found significantly more bugs in the test set. This shows that SaTC is effective in discovering bugs in embedded systems.
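To make the key insight concrete, the following is an added example, not code from the SaTC paper or its prototype: it collects candidate input names from a constructed front-end fragment, recovers the printable string table of a constructed back-end blob, and reports the shared keywords with their offsets, which are the reference points where the targeted taint analysis would start. All file contents, names and offsets are constructed for illustration.

```python
import re
from typing import Dict, Set

# Constructed front-end fragment (HTML form + JS) standing in for a device web UI.
FRONTEND_HTML = """
<form action="/goform/setWifi" method="post">
  <input name="ssid"><input name="wpa_key"><input name="channel">
</form>
<script>
  $.post("/goform/setSysTime", {timeZone: tz, ntpServer: srv});
</script>
"""

# Constructed stand-in for the back-end binary's .rodata: NUL-separated
# printable strings, roughly what the `strings` tool would see.
BACKEND_BLOB = (b"\x00\x7fELF\x00\x00ssid\x00wpa_key\x00ntpServer\x00"
                b"websGetVar\x00/goform/setWifi\x00%s\x00")

def frontend_keywords(html: str) -> Set[str]:
    """Candidate user-input names from the front-end: form field names and
    keys of JSON-style request bodies built in scripts."""
    kws = set(re.findall(r'name="([A-Za-z_][A-Za-z0-9_]*)"', html))
    for body in re.findall(r"\{([^}]*)\}", html):
        kws.update(re.findall(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*:", body))
    return kws

def binary_strings(blob: bytes, min_len: int = 4) -> Dict[str, int]:
    """Map each printable run of at least min_len bytes to its first offset."""
    out: Dict[str, int] = {}
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        out.setdefault(m.group().decode(), m.start())
    return out

def shared_keywords(html: str, blob: bytes) -> Dict[str, int]:
    """Keywords present in both the front-end and the back-end string table.
    Their offsets are the reference points: a disassembler's cross-references
    to these strings (e.g. as arguments to a parameter-lookup routine) mark
    where untrusted input enters and taint tracking should begin."""
    strs = binary_strings(blob)
    return {k: strs[k] for k in sorted(frontend_keywords(html)) if k in strs}

if __name__ == "__main__":
    for kw, off in shared_keywords(FRONTEND_HTML, BACKEND_BLOB).items():
        print(f"reference point {kw!r} at .rodata offset {off:#x}")
```

Keywords that appear only in the front-end (here `channel` and `timeZone`) are dropped, which is how the approach avoids analyzing every string in the binary.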
Keywords: IoT security, taint tracking, vulnerability detection