不依赖版本字符串的开源组件版本识别

由于软件代码复用和第三方SDK的广泛使用，开源组件普遍存在于物联网设备固件中.威胁固件的安全漏洞往往存在于组件的某些特定版本中，识别物联网设备固件中开源二进制组件的版本信息，对于物联网的安全评估与应急响应意义重大.现有的基于版本字符串的版本信息提取方法不适用于组件版本字符串缺失的情况.设计和实现了一种不依赖于版本字符串的开源组件版本识别方法Protues.该方法的核心思想是通过开源组件相邻版本源码间的差异构造一条版本差异链，从而将版本识别问题转化为待查组件在版本差异链上的滑动查询问题.进一步地，为了提高识别准确率，采用条件判断表达式来表征版本差异链上的节点.为了验证该方法的实用性，对来自于4种开源组件Samba，Msmtp，Nginx和Libgcrypt的共428个二进制文件进行了版本识别实验，实验结果表明，该方法能够准确识别的版本数达到418个，识别准确率约为98%.

Open Source Component Version Recognition Without Version Strings

Due to the extensive use of code reuse and third-party SDKs, open source components are ubiquitous in IoT device firmware. The security vulnerabilities which cause threat to the firmware usually exist in some specific versions of the components. The version information identification of open source binary components in the IoT firmware is of great significance for the safety assessment and emergency response of IoT devices. The existing version string based version extraction method is not applicable to the cases with missing version strings. This paper designs and implements a version extraction method (termed as Protues) for open source components that does not depend on version strings. The core idea of this method is to construct a version difference chain by using the differences between the open source components'' neighboring versions of the source code to convert the version identification problem into a query on the version difference chain. Furthermore, in order to improve the recognition accuracy, the conditional judgment expressions are used in this paper to represent the nodes on the version difference chain. To verify the practicability of this method, version identification experiments are performed on a total number of 428 binary files from 4 kinds of open source components Samba, Msmtp, Nginx and Libgcrupt. The experimental results show that the number of versions that can be accurately identified by this method reaches 418, and the recognition accuracy rate is 98%.