CCS2024

OctopusTaint: Advanced Data Flow Analysis for Detecting Taint-Based Vulnerabilities in IoT/IIoT Firmware

Abdullah Qasem, Mourad Debbabi, Andrei Soeanu

Cited 3 times

Abstract

The widespread integration of Internet of Things (IoT) and Industrial IoT (IIoT) devices in home and business environments, respectively, offers both benefits and perils. While these devices, such as IP cameras and network routers, improve operational efficiency with their user-friendly web interfaces, they also broaden the potential for cybersecurity vulnerabilities. Recent studies highlight the vulnerability of these devices to taint-based attacks, demonstrating that even attackers with limited permissions can gain control of a device. Current state-of-the-art solutions for mitigating these risks primarily rely on Dynamic Symbolic Execution (DSE). Although effective, DSE is computationally costly and difficult to apply at scale. Moreover, during inspection these approaches typically exhibit over-taint behavior, producing a large number of alerts, many of which are false positives because the sanitization measures that may be in place are not handled effectively. To overcome these limitations, we introduce OctopusTaint, a static taint analysis approach that integrates advanced data flow analysis with backtracking techniques. OctopusTaint is distinguished by its sanitization inspection module and its post-processing filters, which are designed to minimize false positives while preserving the accurate identification of genuine security threats. OctopusTaint also tracks transformed tainted inputs across NVRAM and identifies new user-defined taint source functions, while addressing the challenges posed by indirect calls and aliasing. In comparative performance evaluations, OctopusTaint outperforms the current state-of-the-art solutions SaTC, EmTaint, and MangoDFA: it reports genuine additional tainted sinks in considerably less time (24% faster).
Furthermore, OctopusTaint identifies 82% of the tainted sinks in EmTaint's labeled dataset while demonstrating its sanitization inspection capability: it correctly flags as sanitized 320 sinks that EmTaint misidentified as genuine alerts. OctopusTaint also uncovers additional candidates overlooked by EmTaint, thanks to its enhanced detection of new taint sources. OctopusTaint successfully identifies 142 n-day vulnerabilities previously reported by SaTC and EmTaint, in addition to discovering dozens of potential 0-day candidates.
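The two behaviors the abstract contrasts, over-tainting that ignores sanitizers versus sanitization-aware tracking of taint that travels through NVRAM key/value storage, can be seen in a toy forward taint analysis. The code below is an added illustration and is not OctopusTaint's implementation; the statement forms (`source`, `assign`, `concat`, `nvram_set`, `nvram_get`, `sanitize`, `sink`) and the sample program modelling two router CGI handlers are constructed for this example.

```python
def _mark(collection, item, tainted):
    """Add item when it carries taint; otherwise kill stale taint (strong update)."""
    (collection.add if tainted else collection.discard)(item)


def analyze(program, honor_sanitizers=True):
    """Forward taint propagation over a straight-line toy IR (constructed here).

    Returns (statement index, sink name, argument) for every sink reached by
    web-input taint. With honor_sanitizers=False the analysis behaves like an
    over-tainting tool and keeps propagating through sanitizers.
    """
    tainted_vars, tainted_keys, alerts = set(), set(), []
    for i, (op, *a) in enumerate(program):
        if op == "source":                 # dst = untrusted web parameter
            tainted_vars.add(a[0])
        elif op in ("assign", "concat"):   # dst = src  |  dst = x + y
            _mark(tainted_vars, a[0], any(s in tainted_vars for s in a[1:]))
        elif op == "nvram_set":            # nvram_set(key, src): taint persists
            _mark(tainted_keys, a[0], a[1] in tainted_vars)
        elif op == "nvram_get":            # dst = nvram_get(key): taint returns
            _mark(tainted_vars, a[0], a[1] in tainted_keys)
        elif op == "sanitize":             # dst = validated copy of src
            _mark(tainted_vars, a[0], a[1] in tainted_vars and not honor_sanitizers)
        elif op == "sink":                 # e.g. system(arg)
            if a[1] in tainted_vars:
                alerts.append((i, a[0], a[1]))
    return alerts


# Constructed program: two CGI handlers of a router firmware that share NVRAM.
PROGRAM = [
    ("source", "ip"),                          # handler 1: ip = web param "ip"
    ("nvram_set", "lan_ipaddr", "ip"),         # persisted to NVRAM
    ("nvram_get", "addr", "lan_ipaddr"),       # handler 2: read back later
    ("sanitize", "safe_addr", "addr"),         # validated as a dotted quad
    ("concat", "cmd1", "prefix", "safe_addr"),
    ("sink", "system", "cmd1"),                # sanitized: no alert expected
    ("source", "host"),                        # handler 2: host = web param
    ("concat", "cmd2", "prefix", "host"),
    ("sink", "system", "cmd2"),                # genuine tainted sink
]

if __name__ == "__main__":
    print(analyze(PROGRAM))                          # one genuine alert
    print(analyze(PROGRAM, honor_sanitizers=False))  # plus one false positive
```

Running both modes on the same program shows the sanitized sink at statement 5 disappearing once the sanitizer is honored, while the NVRAM round trip still carries taint from handler 1 into handler 2.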