
Rilevazione di comportamenti anomali e malevoli in dispositivi IoT: un nuovo approccio per la verifica delle funzioni = Detection of anomalous and malicious behavior in IoT devices: a new approach for function verification

Ivan Mineo


Supervisors: Luca Ardito, Maurizio Morisio. Politecnico di Torino, Master's degree programme in Computer Engineering (Ingegneria Informatica), 2024

PDF (Tesi_di_laurea) - Thesis, 1MB. License: Creative Commons Attribution Non-commercial No Derivatives.
Archive (ZIP) (Documenti_allegati) - Other, 2MB. License: Creative Commons Attribution Non-commercial No Derivatives.

Abstract:

The increasing complexity of software systems and the growing importance of reverse engineering in cybersecurity have driven the development of advanced analysis tools. This thesis presents an innovative approach to automated ARM binary analysis using a Python-based framework. The developed script integrates libraries such as r2pipe, networkx, and pygraphviz to facilitate the dissection and comprehensive understanding of ARM32 binaries. The primary objectives are to identify critical system calls, extract and map strings, and construct a function call graph for network analysis, revealing insights into binary structures and their interdependencies.

The methodology begins with leveraging r2pipe to interact programmatically with Radare2, a powerful open-source reverse engineering tool. The script initiates a full analysis of the binary, focusing on detecting ARM32-specific system calls through precise pattern matching. A predefined dictionary maps syscall numbers to their human-readable names, enabling efficient identification and categorization. The script then extracts strings embedded within the binary and associates them with their respective function references. This association aids in better understanding the binary's behavioral patterns.

A critical component of the research is the construction of a function call graph using networkx. Functions are represented as nodes, with directed edges indicating dependencies and imports. The graph is enriched with string usage data and system call mappings, providing a detailed visualization of the binary's internal structure. Advanced network analysis techniques, such as centrality measures (betweenness, closeness, degree) and PageRank scoring, are applied to identify influential functions within the binary. Community detection methods, such as the Louvain algorithm, are also employed to uncover modular structures, which can highlight distinct subsystems or functionalities.
The results demonstrate the efficacy of using graph-based approaches for binary analysis, offering deeper insights into complex codebases. By automating the process, the script provides cybersecurity analysts and reverse engineers with a powerful tool to quickly assess and understand ARM binaries, potentially expediting vulnerability assessment and malware analysis. This research contributes to the broader field of binary analysis by demonstrating the integration of modern Python libraries with established reverse engineering frameworks, paving the way for further advancements in automated software analysis. Overall, the thesis underscores the potential of combining data-driven graph analysis with traditional disassembly techniques, presenting a robust solution for understanding and deconstructing complex software binaries.
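As an added illustration of the graph pipeline the abstract describes (example code written for this page, not code from the thesis), the following standalone Python builds a directed call graph from caller/callee pairs and per-function `svc` numbers of the kind one would collect through r2pipe, ranks functions by PageRank and in-degree, and reports which mapped syscalls each function can reach transitively. It uses plain Python instead of networkx so it runs offline; the function names, edges and syscall lists are constructed sample data, and the syscall table is a small subset of the ARM32 Linux EABI numbers.

```python
# Small subset of ARM32 (Linux EABI) syscall numbers, the kind of lookup table used to label 'svc' sites.
ARM32_SYSCALLS = {1: "exit", 3: "read", 4: "write", 5: "open", 11: "execve",
                  281: "socket", 283: "connect"}
# Constructed sample (not a real binary): caller -> callee pairs plus raw syscall numbers per function.
SAMPLE_CALLS = [("main", "init"), ("main", "handle_client"), ("init", "open_cfg"),
                ("handle_client", "parse"), ("handle_client", "net_send"),
                ("parse", "helper"), ("net_send", "helper"), ("parse", "run_cmd")]
SAMPLE_SVC = {"open_cfg": [5, 3], "net_send": [281, 283, 4], "run_cmd": [11], "main": [1]}

def build_graph(calls):
    """Directed call graph as successor/predecessor sets; leaf functions are nodes too."""
    nodes = {f for edge in calls for f in edge}
    succ, pred = {v: set() for v in nodes}, {v: set() for v in nodes}
    for caller, callee in calls:
        succ[caller].add(callee)
        pred[callee].add(caller)
    return succ, pred

def pagerank(succ, pred, damping=0.85, iters=100):
    """Power-iteration PageRank; dangling (leaf) functions spread their mass evenly."""
    n = len(succ)
    rank = {v: 1.0 / n for v in succ}
    for _ in range(iters):
        dangling = sum(rank[v] for v in succ if not succ[v])
        rank = {v: (1 - damping) / n + damping * (dangling / n +
                sum(rank[u] / len(succ[u]) for u in pred[v])) for v in succ}
    return rank

def reachable_syscalls(succ, svc_per_function):
    """Syscall names each function can reach through itself and its transitive callees."""
    result = {}
    for start in succ:
        seen, stack, names = set(), [start], set()
        while stack:
            v = stack.pop()
            if v in seen:
                continue
            seen.add(v)
            names.update(ARM32_SYSCALLS.get(num, f"sys_{num}")
                         for num in svc_per_function.get(v, []))
            stack.extend(succ[v])
        result[start] = names
    return result

def rank_functions(calls=SAMPLE_CALLS, svc=SAMPLE_SVC):
    """Rows (function, pagerank, in-degree, reachable syscalls), highest pagerank first."""
    succ, pred = build_graph(calls)
    pr, reach = pagerank(succ, pred), reachable_syscalls(succ, svc)
    return sorted(((f, round(pr[f], 4), len(pred[f]), sorted(reach[f])) for f in succ),
                  key=lambda row: -row[1])
```

On the sample graph the shared `helper` ranks first (two callers feed it), while `main` ranks last but reaches every mapped syscall, which is the kind of contrast the centrality and syscall enrichment are meant to surface.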

Supervisors: Luca Ardito, Maurizio Morisio
Academic year: 2024/25
Publication type: Electronic
Number of pages: 46
Subjects:
Degree programme: Master's degree in Computer Engineering (Ingegneria Informatica)
Degree class: New system > Master's degree > LM-32 - INGEGNERIA INFORMATICA
Partner companies: NOT SPECIFIED
URI: http://webthesis.biblio.polito.it/id/eprint/34080