Osprey: A fast and accurate patch presence test framework for binaries

Abstract

With the rapid development of Internet of Things (IoT), a new paradigm named Mobile Edge Computing (MEC) is proposed to push the cloud computing to the edge devices. However the rapid growth of Internet-of-Things (IoT) and its inadvertent incorporation of vulnerable third-party code have created a massive amount of vulnerable IoT devices. Even worse, the majority of vulnerable devices are left unpatched due to the lack of easy upgrade routine and automated patch management. Thus, it is crucial to test the patch presence in IoT devices rapidly and accurately, for both defenders and attackers. In this paper, we present Osprey, a fast and accurate patch presence test framework for automatically identifying security patches in a firmware. Osprey identifies fine-grain semantic binary changes introduced by the patch in the binary by analyzing data flow slices across the basic blocks. It parses and analyzes these binary changes to extract patch signatures, which incorporate representative operators and the origins of operands. Then, patch presence can be identified by matching patch signatures through lexical comparison. Compared with the state-of-the-art patch presence test approach, Osprey extracts precise patch semantic information from data flow without expensive symbolic execution. We implement and evaluate Osprey against 45 patches and 8 versions of OpenSSL project, and the results show that Osprey is able to perform patch presence test 9.6 times faster than the state-of-the-art approach with high precision that exceeds 90%.