Firmware Disassembly System

US 20150248556A1
Filed: 02/27/2015
Published: 09/03/2015
Est. Priority Date: 02/28/2014
Status: Abandoned Application

First Claim

Patent Images

1. A method for disassembling firmware, the method comprising:

receiving a binary firmware image;

dividing the binary firmware image using a sliding window into a plurality of segments;

classifying segments of the plurality of segments as file types;

identifying code file types among the classified segments of the plurality of segments;

classifying code architectures of the identified code file types of the classified plurality of segments; and

disassembling at least the code file types of the binary firmware image based on the classified code architecture.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the invention provide a method for disassembling firmware. A binary firmware image is received. If portions of the image are compressed, those portions are uncompressed. The binary firmware image is divided using a sliding window into a plurality of segments. Segments of the plurality of segments are classified as file types. Code file types are identified among the classified segments of the plurality of segments. Code architectures of the identified code file types of the classified plurality of segments are then classified. At least the classified code file types of the binary firmware image are disassembled based on the classified code architecture. The disassembled binary firmware image is evaluated for malware.

Citations

23 Claims

1. A method for disassembling firmware, the method comprising:
- receiving a binary firmware image;
  
  dividing the binary firmware image using a sliding window into a plurality of segments;
  
  classifying segments of the plurality of segments as file types;
  
  identifying code file types among the classified segments of the plurality of segments;
  
  classifying code architectures of the identified code file types of the classified plurality of segments; and
  
  disassembling at least the code file types of the binary firmware image based on the classified code architecture.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - evaluating the disassembled binary firmware image for malware.
  - 3. The method of claim 1, wherein a size of the sliding window is set such that it divides the binary firmware image into a configurable number of segments.
  - 4. The method of claim 3, wherein a step size for the sliding window is set equal to the size of the sliding window.
  - 5. The method of claim 1, wherein identifying code file types and classifying code architectures utilizes a group consisting of:
    - boosted and unboosted decision trees, support vector machines, and combinations thereof.
  - 6. The method of claim 1, wherein classifiers utilized for identifying code file types and classifying code architectures build and utilize models to determine which model best matches the segmenting being identified or classified.
  - 7. The method of claim 1, wherein identified code file types of the binary firmware image are disassembled at all likely offsets for the classified architecture of the identified code file type.
  - 8. The method of claim 7, wherein the likely offsets are selected from a group consisting of:
    - zero bytes, one byte, two bytes, three bytes, and combinations thereof.
  - 9. The method of claim 7, wherein the likely offsets are any byte value up to an instruction size of the classified architecture.

10. A method for disassembling firmware, the method comprising:
- receiving a binary firmware image;
  
  uncompressing all compressed segments within the binary firmware image;
  
  dividing the uncompressed binary firmware image using a sliding window into a plurality of segments;
  
  classifying segments of the plurality of segments as file types;
  
  identifying code file types among the classified segments of the plurality of segments;
  
  classifying code architectures of the identified code file types of the classified plurality of segments; and
  
  disassembling at least the code file types of the binary firmware image based on the classified code architecture.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10, further comprising:
    - evaluating the disassembled binary firmware image for malware.
  - 12. The method of claim 10, wherein a size of the sliding window is set such that it divides the binary firmware image into a configurable number of segments.
  - 13. The method of claim 12, wherein a step size for the sliding window is set equal to the size of the sliding window.
  - 14. The method of claim 10, wherein identifying code file types and classifying code architectures utilizes a group consisting of:
    - boosted and unboosted decision trees, support vector machines, and combinations thereof.
  - 15. The method of claim 10, wherein classifiers utilized for identifying code file types and classifying code architectures build and utilize models to determine which model best matches the segmenting being identified or classified.
  - 16. The method of claim 10, wherein identified code file types of the binary firmware image are disassembled at all likely offsets for the classified architecture of the identified code file type.
  - 17. The method of claim 16, wherein the likely offsets are selected from a group consisting of:
    - zero bytes, one byte, two bytes, three bytes, and combinations thereof.
  - 18. The method of claim 16, wherein the likely offsets are any byte value up to an instruction size of the classified architecture.

19. An apparatus, comprising:
- a memory;
  
  a processor; and
  
  program code resident in the memory and configured to be executed by the processor configured to disassembling firmware, the program code further configured to receive a binary firmware image in the memory, divide the binary firmware image using a sliding window into a plurality of segments, classify segments of the plurality of segments as file types, identify code file types among the classified segments of the plurality of segments, classify code architectures of the identified code file types of the classified plurality of segments, and disassemble the binary firmware image based on the classified code architecture.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The apparatus of claim 19, wherein the program code is further configured to:
    - evaluate the disassembled binary firmware image for malware.
  - 21. The method of claim 19, wherein identifying code file types and classifying code architectures utilizes a group consisting of:
    - boosted and unboosted decision trees, support vector machines, and combinations thereof.
  - 22. The method of claim 19, wherein identified code file types of the binary firmware image are disassembled at all likely offsets for the classified architecture of the identified code file type selected from a group consisting of:
    - zero bytes, one byte, two bytes, three bytes, and combinations thereof.
  - 23. The method of claim 19, wherein identified code file types of the binary firmware image are disassembled at offsets consisting of any byte value up to an instruction size of the classified architecture.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
US Department of The Air Force (U.S. Department Of Defense)
Original Assignee
US Department of The Air Force (U.S. Department Of Defense)
Inventors
Dube, Thomas E., Sickendick, Karl A., Butts, Jonathan W., Mullins, Barry E.

Application Number

US14/634,032
Publication Number

US 20150248556A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/563 by source code analysis

Firmware Disassembly System

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Firmware Disassembly System

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links