Jiaxu Zhao, Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academy of Sciences; Key Laboratory of Network Assessment Technology, Chinese Academy of Sciences; Beijing Key Laboratory of Network Security and Protection Technology; Yuekang Li, University of New South Wales; Yanyan Zou, Yang Xiao, Naijia Jiang, Yeting Li, Nanyu Zhong, Bingwei Peng, Kunpeng Jian, and Wei Huo, Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academy of Sciences; Key Laboratory of Network Assessment Technology, Chinese Academy of Sciences; Beijing Key Laboratory of Network Security and Protection Technology
Embedded systems have a profound impact on our daily lives and work by powering IoT devices and network devices. Ensuring their security is therefore critical. To enhance security and robustness, embedded systems often utilize constraints to validate user inputs. Through an empirical study, we identified that these constraints can be categorized into distinct types and may exhibit semantic inconsistencies across different components. Notably, over 86% of embedded system vulnerabilities originate from such inconsistencies. However, existing static analysis techniques struggle to systematically and accurately identify these inconsistencies, resulting in high false positive rates and an inability to detect certain vulnerabilities effectively.
This paper introduces NÜWA, a novel static analysis technique that leverages constraint semantic inconsistencies to detect vulnerabilities in embedded systems. NÜWA achieves scalable and precise vulnerability discovery by addressing the challenges of identifying constraint semantics across diverse implementations and extracting them accurately. We implemented NÜWA and evaluated it on known vulnerability datasets comprising 31 vulnerabilities from 13 vendors, and compared its performance to five state-of-the-art (SOTA) tools. NÜWA identified 18, 22, 6, 17, and 19 more vulnerabilities than the respective SOTA tools. Further analysis demonstrates that NÜWA extracts constraints effectively with minimal false positives. To date, NÜWA has uncovered 152 previously unknown vulnerabilities, all of which have been confirmed by the developers, and 88 of which have been assigned CVE IDs.
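The abstract's central idea is that a constraint on user input (a maximum length, a numeric range) may be enforced by one component of an embedded system but not, or differently, by another, and that the gap between the two is where vulnerabilities cluster. The following is an added illustration of that idea, not code from the paper or from NÜWA: a deliberately simplified Python checker that extracts length and range constraints from a constructed web form and from a constructed C request handler, then reports every parameter whose constraints disagree. The HTML, the C source, and the hypothetical `get_param()`/`set_config()` helpers are all constructed for the example; a real analysis would work on the firmware's actual code rather than regular expressions over a snippet.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample inputs (not from the paper): a configuration form and the
# CGI handler that consumes it. The hypothetical get_param() is assumed to
# return the raw request parameter as a C string.
FRONTEND_HTML = """
<form action="/apply.cgi" method="post">
  <input name="hostname" maxlength="64">
  <input name="port" type="number" min="1" max="65535">
  <input name="ssid" maxlength="32">
</form>
"""

BACKEND_C = r"""
static int apply_handler(void) {
    char host[32];
    char ssid[33];
    strcpy(host, get_param("hostname"));      /* no length check at all */
    int port = atoi(get_param("port"));       /* no range check at all */
    strncpy(ssid, get_param("ssid"), 32);     /* explicit bound of 32 */
    ssid[32] = '\0';
    return set_config(host, port, ssid);
}
"""


@dataclass
class Constraint:
    """An input constraint as enforced by one component."""
    max_len: Optional[int] = None                   # longest accepted string
    value_range: Optional[Tuple[int, int]] = None   # inclusive numeric bounds


def extract_frontend(html: str) -> Dict[str, Constraint]:
    """Read maxlength / min / max attributes from each <input> as constraints."""
    cons: Dict[str, Constraint] = {}
    for tag in re.findall(r"<input\b[^>]*>", html):
        name = re.search(r'name="(\w+)"', tag)
        if not name:
            continue
        c = Constraint()
        m = re.search(r'maxlength="(\d+)"', tag)
        if m:
            c.max_len = int(m.group(1))
        lo = re.search(r'min="(-?\d+)"', tag)
        hi = re.search(r'max="(-?\d+)"', tag)
        if lo and hi:
            c.value_range = (int(lo.group(1)), int(hi.group(1)))
        cons[name.group(1)] = c
    return cons


def extract_backend(src: str) -> Dict[str, Constraint]:
    """Derive the constraints the handler actually enforces on each parameter."""
    # Stack buffer sizes: char NAME[N];
    bufs = {n: int(s) for n, s in re.findall(r"char\s+(\w+)\[(\d+)\]", src)}
    cons: Dict[str, Constraint] = {}
    # strcpy(buf, get_param("p")): the only limit is the buffer itself (N - 1 for the NUL)
    for buf, p in re.findall(r'strcpy\((\w+),\s*get_param\("(\w+)"\)\)', src):
        if buf in bufs:
            cons.setdefault(p, Constraint()).max_len = bufs[buf] - 1
    # strncpy(buf, get_param("p"), N): an explicit bound of N characters
    for _buf, p, n in re.findall(r'strncpy\((\w+),\s*get_param\("(\w+)"\),\s*(\d+)\)', src):
        cons.setdefault(p, Constraint()).max_len = int(n)
    # var = atoi(get_param("p")) followed by an "if (var < A || var > B)" guard
    for var, p in re.findall(r'(\w+)\s*=\s*atoi\(get_param\("(\w+)"\)\)', src):
        c = cons.setdefault(p, Constraint())
        guard = re.search(
            rf"if\s*\(\s*{var}\s*<\s*(-?\d+)\s*\|\|\s*{var}\s*>\s*(-?\d+)\s*\)", src)
        if guard:
            c.value_range = (int(guard.group(1)), int(guard.group(2)))
    return cons


def find_inconsistencies(front: Dict[str, Constraint],
                         back: Dict[str, Constraint]) -> List[Tuple[str, str, object, object]]:
    """Report (param, kind, front-end value, backend value) wherever the two disagree."""
    findings = []
    for p in sorted(set(front) | set(back)):
        f = front.get(p, Constraint())
        b = back.get(p, Constraint())
        if f.max_len != b.max_len:
            findings.append((p, "length", f.max_len, b.max_len))
        if f.value_range != b.value_range:
            findings.append((p, "range", f.value_range, b.value_range))
    return findings


def analyze_sample() -> List[Tuple[str, str, object, object]]:
    return find_inconsistencies(extract_frontend(FRONTEND_HTML), extract_backend(BACKEND_C))


if __name__ == "__main__":
    for param, kind, fval, bval in analyze_sample():
        print(f"{param}: {kind} constraint differs (front-end={fval}, backend={bval})")
```

On the constructed sample the checker flags `hostname` (the form allows 64 characters, the handler's buffer holds 31) and `port` (the form bounds it to 1..65535, the handler never checks), while `ssid` is consistent on both sides. The same comparison, run over a real firmware's UI and handlers, is the kind of cross-component review that turns a silent mismatch into a finding to fix: add the missing backend check, or shrink the front-end limit to what the backend can hold.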

author = {Jiaxu Zhao and Yuekang Li and Yanyan Zou and Yang Xiao and Naijia Jiang and Yeting Li and Nanyu Zhong and Bingwei Peng and Kunpeng Jian and Wei Huo},
title = {From Constraints to Cracks: Constraint Semantic Inconsistencies as Vulnerability Beacons for Embedded Systems},
booktitle = {34th USENIX Security Symposium (USENIX Security 25)},
year = {2025},
isbn = {978-1-939133-52-6},
address = {Seattle, WA},
pages = {685--704},
url = {https://www.usenix.org/conference/usenixsecurity25/presentation/zhao},
publisher = {USENIX Association},
month = aug
}