基于模型的物联网设备芯片漏洞分析方法

doi:10.12305/j.issn.1001-506X.2026.06.13

系统工程与电子技术 ›› 2026, Vol. 48 ›› Issue (6): 1913-1924.doi: 10.12305/j.issn.1001-506X.2026.06.13

基于模型的物联网设备芯片漏洞分析方法

潘虎¹, 黄周晨²^,³, 杨兆瑞⁴^,*, 张祎²^,³, 陈波²^,³

1. 北京航空航天大学可靠性与系统工程学院，北京 100191
2. 航天科工防御技术研究试验中心，北京 100854
3. 元器件应用验证技术创新中心，北京 100854
4. 电子科技大学信息与通信工程学院，四川成都 611731

收稿日期:2025-01-10 修回日期:2025-05-18 出版日期:2026-06-25 发布日期:2026-03-16
通讯作者: 杨兆瑞
作者简介:潘　虎（1981—），男，博士研究生，主要研究方向为电子信息
黄周晨（1994—），男，工程师，博士，主要研究方向为信息安全、漏洞检测
张　祎（1998—），男，助理工程师，硕士，主要研究方向为侧信道攻击、漏洞挖掘
陈　波（1987—），男，研究员，硕士，主要研究方向为元器件可靠性技术

A model-based method for chip vulnerability analysis in IoT device

Hu PAN¹, Zhouchen HUANG²^,³, ZhaoRui YANG⁴^,*, Yi ZHANG²^,³, Bo CHEN²^,³

1. School of Reliability and Systems Engineering，Beihang University，Beijing 100191，China
2. Aerospace Science & Industry Defense Technology Research and Test Center，Beijing 100854，China
3. Innovation Center for Components Application Verification Technology，Beijing 100854，China
4. School of Information and Communication Engineering，University of Electronic Science and Technology of China，Chengdu 611731，China

Received:2025-01-10 Revised:2025-05-18 Online:2026-06-25 Published:2026-03-16
Contact: ZhaoRui YANG

摘要/Abstract

摘要：

随着物联网设备的大规模应用，芯片漏洞成为设备安全的重要隐患。现有方法多聚焦于漏洞存在性的检测，忽视其可利用性分析，易导致“假阳性”问题。本文提出一种基于模型的芯片漏洞分析方法，融合设备模型与漏洞检测信息，挖掘潜在攻击链，并基于多架构统一建模语言构建设备与攻击者的混合状态机模型以模拟真实攻击过程。通过行为仿真评估系统是否异常，从而判断漏洞是否可被利用。以智能家居系统为例，成功验证了手机全球定位系统芯片漏洞的可利用性，并在实测中复现了攻击效果致使手机崩溃，验证了方法的有效性。

关键词: 漏洞验证, 混合状态机, 模型仿真, 多架构统一建模语言

Abstract:

With the widespread deployment of internet of things （IoT） devices, chip vulnerabilities become critical threats to device security. Existing approaches primarily focus on detecting vulnerabilities, while overlooking validating the exploitability of vulnerability, resulting in the problem of false positives. To address this problem, this paper proposes a model-based method for chip vulnerability analysis. The method integrates device models with vulnerability detection data to uncover potential attack chains, and constructs hybrid state machine models representing both device and attacker behaviors to simulate real-world attack scenarios according to kombination of architecture model specificAtion （KARMA）. By conducting behavioral simulation, the method evaluates whether the system exhibits abnormal behavior to determine the exploitability of the detected vulnerability. Experiments using a smart home system as a case study demonstrate the exploitability of the global positioning system （GPS） chip vulnerability in the phone within the system. Furthermore, the vulnerability is successfully exploited in a real-world environment to crash the mobile device, verifying the effectiveness of the proposed method.

Key words: vulnerability validation, hybrid automata, model simulation, kombination of architecture model specificAtion (KARMA)

中图分类号:

潘虎, 黄周晨, 杨兆瑞, 张祎, 陈波. 基于模型的物联网设备芯片漏洞分析方法[J]. 系统工程与电子技术, 2026, 48(6): 1913-1924.

Hu PAN, Zhouchen HUANG, ZhaoRui YANG, Yi ZHANG, Bo CHEN. A model-based method for chip vulnerability analysis in IoT device[J]. Systems Engineering and Electronics, 2026, 48(6): 1913-1924.

图/表 15

图1

图2

表1

表2

表3

表4

图3

图4

图5

图6

图7

图8

图9

图10

图11

参考文献 30

1	VEERAMACHANENI V. Fortified data transmission for IoT: leveraging trustless networks with adaptive security and energy efficiency[J]. Journal of Advance Research in Mobile Computing, 2025, 7 (1): 22- 32.
2	ZHANG G Q, HU Q W, ZHANG Y, et al. Lightweight cross-domain authentication scheme for securing wireless IoT devices using backscatter communication[J]. IEEE Internet of Things Journal, 2024, 11 (12): 22021- 22035. doi: 10.1109/JIOT.2024.3378476
3	BEYROUTI M, LOUNIS A, LUSSIER B, et al. Vulnerability and threat assessment framework for internet of things systems[C]// Proc. of the 6th Conference on Cloud and Internet of Things, 2023: 62−69.
4	ALMIANI M, RAZAQUE A, YIMU L, et al. Bluetooth application-layer packet-filtering for blueborne attack defending[C]// Proc. of the 4th International Conference on Fog and Mobile Edge Computing, 2019: 142−148.
5	BAKIRTZIS G, CARTER B T, ELKS C R, et al. A model-based approach to security analysis for cyber-physical systems[C]// Proc. of the Annual IEEE International Systems Conference, 2018.
6	MUKHERJEE R, GHOSH A, CHARKABORTY R S. HLS-IRT: hardware trojan insertion through modification of intermediate representation during high-level synthesis[J]. ACM Transaction on Design Automation of Electronic Systems, 2024, 29 (5): 1- 23. doi: 10.1145/3663477
7	NAVEENKUMAR R, SIVAMANGAI N M. Hardware trojans detection and prevention techniques review[J]. Wireless Personal Communications, 2024, 136 (2): 1147- 1182. doi: 10.1007/s11277-024-11334-6
8	PANDEY A K, DAS A K, KUMAR R, et al. Secure cyber engineering for IoT-enabled smart healthcare system[J]. IEEE Internet of Things Magazine, 2024, 7 (2): 70- 77. doi: 10.1109/IOTM.001.2300172
9	KHALIQ Z, KHAN D A, BABA A I, et al. Model-based framework for exploiting sensors of IoT devices using a botnet: a case study with android[J]. Cyber-Physical Systems, 2025, 11 (1): 1- 46. doi: 10.1080/23335777.2024.2350001
10	BAKIRTZIS G, SIMON B J, COLLINS A G, et al. Data-driven vulnerability exploration for design phase system analysis[J]. IEEE Systems Journal, 2019, 14 (4): 4864- 4873.
11	JIANG Y N, ATIF Y. Towards automatic discovery and assessment of vulnerability severity in cyber–physical systems[J]. Array, 2022, 15, 100209- 100220. doi: 10.1016/j.array.2022.100209
12	LI Y J, LIU B. A normalized Levenshtein distance metric[J]. IEEE Trans. on Pattern Analysis and Machine Intelligence, 2007, 29 (6): 1091- 1095. doi: 10.1109/TPAMI.2007.1078
13	BEYROUTI M, LOUNIS A, LUSSIER B, et al. Vulnerability-oriented risk identification framework for IoT risk assessment[J]. Internet of Things, 2024, 27, 101333- 1013368. doi: 10.1016/j.iot.2024.101333
14	GHAZO A T A L, KUMAR R. ANDVI: automated network device and vulnerability identification in scada/ics by passive monitoring[J]. IEEE Trans. on Systems, Man, and Cybernetics: Systems, 2024, 54 (4): 2539- 2550. doi: 10.1109/tsmc.2023.3345254
15	MOGHISS V, SHAMELI-SENDI A. I-RECON: an IoT based search engine for internet-facing services vulnerability reconnaissance[J]. IEEE Access, 2024, 12, 96100- 96112. doi: 10.1109/ACCESS.2024.3425062
16	CHEN R R, LIU Y S, ZHAO J J, et al. Model verification for system design of complex mechatronic products[J]. Systems Engineering, 2019, 22 (2): 156- 171. doi: 10.1002/sys.21470
17	HUANG E, MCGINNIS L F, MITCHELL S W. Verifying SysML activity diagrams using formal transformation to Petri nets[J]. Systems Engineering, 2020, 23 (1): 118- 135. doi: 10.1002/sys.21524
18	RAMIREZ C A, AGRAWAL P, THOMAPSON A E. An approach integrating model-based systems engineering, IoT, and digital twin for the design of electric unmanned autonomous vehicles[J]. Systems, 2025, 13 (2): 73- 96. doi: 10.3390/systems13020073
19	LI Z, KONG Y B, LUO J, et al. VLOG: vehicle identity verification based on local and global behavior analysis[J]. IEEE Trans. on Computational Social Systems, 2024, 11 (5): 7032- 7044. doi: 10.1109/TCSS.2024.3414587
20	ZHANG D H, ZHANG X J, WANG H X, et al. DevPF: device identification through passive fingerprints in IoT[C]// Proc. of the 7th International Symposium on Autonomous System, 2024.
21	GU P F, CHEN Z, ZHANG L, et al. X-SEM: a modeling and simulation-based system engineering methodology[J]. Journal of Manufacturing Systems, 2024, 74, 198- 221. doi: 10.1016/j.jmsy.2024.01.013
22	CAO Y, LIU Y S, PAREDIS C J J. System-level model integration of design and simulation for mechatronic systems based on SysML[J]. Mechatronics, 2011, 21 (6): 1063- 1075. doi: 10.1016/j.mechatronics.2011.05.003
23	SCHLUSE M, PRIGGEMEYER M, ATORF L, et al. Experimentable digital twins streamlining simulation-based systems engineering for industry 4.0[J]. IEEE Trans. on Industrial Informatics, 2018, 14 (4): 1722- 1731. doi: 10.1109/TII.2018.2804917
24	MA J D, WANG G X, LU J Z, et al. Application of multi architecture modelling method in intelligent electric–vehicle design [J]. International Journal of Production Research, 2025, 63(15): 5493−5511.
25	ZHANG L, YE F, XIE K Y, et al. An integrated intelligent modeling and simulation language for model-based systems engineering[J]. Journal of Industrial Information Integration, 2022, 28, 100347- 100365. doi: 10.1016/j.jii.2022.100347
26	CHENG Y X, DU Y J, PENG J, et al. Trusted secure accessing protection framework based on cloud-channel-device cooperation[J]. Proc. of the China Cyber Security Annual Conference, 2018, 165- 176. doi: 10.1007/978-981-13-6621-5_14
27	DING J, RENIERS M, LU J, et al. Integration of modeling and verification for system model based on KARMA language[C]// Proc. of the 18th ACM SIGPLAN International Workshop on Domain-Specific Modeling, 2021: 41−50.
28	LI T, PAJA E, MYLOPOULOS J, et al. Security attack analysis using attack patterns[C]// Proc. of the 10th International Conference on Research Challenges in Information Science, 2016.
29	LU J Z, WANG G X, MA J D, et al. General modeling language to support model-based systems engineering formalisms (part 1)[J]. INCOSE International Symposium, 2020, 30(1): 323−338.
30	VAN BEEK D A, FOKKINK W J, HENDRIKS D, et al. CIF 3: Model-based engineering of supervisory controllers[C]// Proc. of the 20th International Conference on Tools and Algorithms for the Construction and Analysis of Systems, 2014: 575−580.

芯片型号	包含漏洞
NXP i.MX 6	CVE-2022-45163
	CVE-2017-7936
	CVE-2017-7932
Microchip RN4870	CVE-2022-46401
Microchip RN4870	CVE-2022-46399

设备条件	介绍
Communicate（A，B）	设备A与设备B通信
Use_technique（A，T）	设备A使用技术T
Use_data_from（A, B）	设备A使用设备B的数据
Accept_user_input（A）	设备A接受用户的数据
Protected_by（A，S）	设备A由机制S进行保护

攻击效果	目标效果
读取内存	信息泄露
读取应用数据
读取文件或目录
修改数据	代码执行
修改执行逻辑
修改数据内存
修改数据文件或目录
执行未授权代码或命令
DoS: 系统不稳定	DoS
DoS: 放大攻击
DoS: 崩溃/退出/重启
DoS: 资源耗尽（中央处理器）
DoS: 资源耗尽（其他）
DoS: 资源耗尽（内存）
设备处于非预期状态
绕过保护机制	权限提升
获取权限/冒用身份
执行未授权代码或命令
绕过保护机制	绕过机制
隐藏行为	绕过机制

SysML状态机图	混合状态机
SysML状态机图	H
状态属性	X, Event, Inv
状态	Loc
起始状态	Init
状态内的“执行”属性	Flow
转移关系	Edg
转移关系属性	Jump

基于模型的物联网设备芯片漏洞分析方法

A model-based method for chip vulnerability analysis in IoT device

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 15

参考文献 30

相关文章 0

编辑推荐

Metrics

本文评价