Floragasse 7 – 5th floor, 1040 Vienna


Semiautomatic Methods for finding hidden Backdoors

FiBack focuses on the (partially) automated detection of (un)intended built-in backdoors in IT components (third-party software, appliances, IoT devices).


Austrian IT operators face the dilemma that system-critical components (third-party software, appliances, IoT devices) are often developed outside of Austria or Europe. The internal structure of the components is usually not known and it is difficult to understand how they work. In contrast, operators must ensure that the components do not contain any (un)intended backdoors and security vulnerabilities.

Backdoors are secret manipulations and mechanisms in software that allow third parties to bypass authorization, increase privileges or access functions or data without proper authorization. Therefore, running third-party software, as well as using appliances and IoT devices (e.g., routers, firewalls, etc.) requires trust in their manufacturers. Incidents in the past have shown that software can contain both security vulnerabilities and (un)intended backdoors (recent incident Trojan in SolarWinds). Since it is of particular importance to ensure security in critical areas, it is of immanent importance to detect such flaws in software. Until now, this analysis has been very time-consuming, as it is often done manually by analysts. A (partially) automated testing approach promises time and cost savings, greater test coverage and higher accuracy, by automating routine checks and pointing out problematic areas to analysts.

Project Outline

In the FiBack project, new analysis methods are being developed with the aim of automatically finding defined classes of backdoors and marking others as suspicious cases for further analysis. The research focuses on the extraction of firmware from IoT devices as well as on a deeper analysis of these firmware. Here, the project consortium is investigating the use of static and dynamic analysis methods to identify problematic sections in programs on the one hand, and to determine whether this could be a potential backdoor in the program on the other. This requires finding an execution path (a sequence of machine instructions and branch operations) from the start of the program to the backdoor. A proven method for identifying program paths is symbolic execution, but this can cause problems when dealing with more complex programs. For this reason, current state-of-the-art techniques do not yet scale. Making symbolic execution scalable is a major part of the project. Another part of the project is to improve methods for dynamic analysis of firmware.

The goal of the project is to combine these methods and develop a proof-of-concept analysis system based on semi-automated methods to help analysts find and detect hidden backdoors in firmware. This is expected to lead to better security for deployed devices.

Further Information

  • This project is lead by SBA Research.

This project is funded by the FFG.