Strcmp-like Function Identification Method Based on Data Flow Feature Matching

Embedded devices have become visible everywhere,and they are used in a range of security-critical and privacy-sensitive applications.However,recent studies show that many embedded devices have backdoor,of which hard-coded backdoor(password backdoor) is the most common.In the triggering process of password backdoor,strcmp-like functions are necessary and important absolutely.However,the current identification of strcmp-like functions mainly relies on function signature and control flow feature matching.The former can't recognize user-defined strcmp-like functions,and the identify effect is greatly affected by the compile environment.The latter has high false positive rate and false negative rate.To solve the above problems,this paper proposes a novel strcmp-like recognition technology CMPSeek.This method builds a model for strcmp-like function identification based on the analysis of control flow and data flow characteristics,which is used to identify strcmp-like functions in binary programs,and is suitable for stripped binary programs.Furthermore,ARM,MIPS,PPC and x86/64 instruction sets are supported by converting binary codes to the intermediate language representation VEX IR codes.Experimental results show that CMPSeek has better results in accuracy rate and recall rate than FLIRT and SaTC in the absence of source code,function name and other information.