关键词: 物联网, 软件供应链, 组件识别, 固件安全, 命名实体识别

Abstract: IoT device manufacturers often reuse a large number of open-source components compiled from open-source code in firmware development, with each firmware typically comprising hundreds of such components. If these components are not promptly updated,they may carry unpatched vulnerabilities, thereby posing significant security risks to IoT devices. Therefore, identifying binary components within IoT firmware is crucial for ensuring the security of IoT devices. To address the difficulty of existing methods in identifying binary components on a large scale, a novel method based on Named Entity Recognition (NER) was proposed. This method involves extracting internal binary components from firmware through decompression, and then sem antic information of the component was obtained through two methods: by extracting readable strings and by executing the component. Subsequently, the RoBERTa-BiLSTM-CRF NER model was utilized to identify component names and version numbers. Experimental results, conducted on 6,575 firmware samples released by 12 popular IoT manufacturers, demonstrate that the proposed method achieves an F1 score of 87.67%, successfully identifying 163 binary components. The experimental results show that this method effectively expands the identification range of binary components in IoT firmware, thereby enhancing firmware security from the perspective of the software supply chain.

Key words: internet of things, software supply chain, component identification, firmware security, named entity recognition