poster

Poster: Fuzzing IoT Firmware via Multi-stage Message Generation

Authors:

Bo Yu,

Pengfei Wang,

Tai Yue,

Yong TangAuthors Info & Claims

CCS '19: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security

Pages 2525 - 2527

https://doi.org/10.1145/3319535.3363247

Published: 06 November 2019 Publication History

Get Access

Abstract

In this work, we present IoTHunter, the first grey-box fuzzer for fuzzing stateful protocols in IoT firmware. IoTHunter addresses the state scheduling problem based on a multi-stage message generation mechanism on runtime monitoring of IoT firmware. We evaluate IoTHunter with a set of real-world programs, and the result shows that IoTHunter outperforms black-box fuzzer boofuzz, which has a 2.2x, 2.0x, and 2.5x increase for function coverage, block coverage, and edge coverage, respectively. IoTHunter also found five new vulnerabilities in the firmware of home router Mikrotik, which have been reported to the vendor.

References

[1]

2019. American fuzzy lop. [Online]. http://lcamtuf.coredump.cx/afl/.

Google Scholar

[2]

2019. Boofuzz. [Online]. https://boofuzz.readthedocs.io/en/latest/.

Google Scholar

[3]

Andrea Biondo. 2018. Coverage-guided fuzzing of embedded firmware with avatar2. [Online]. https://siagas.math.unipd.it/siagas/getTesi.php?id=2030.

Google Scholar

[4]

Jiongyi Chen, Wenrui Diao, Qingchuan Zhao, Chaoshun Zuo, Zhiqiang Lin, XiaoFengWang, Wing Cheong Lau, Menghan Sun, Ronghai Yang, and Kehuan Zhang. 2018. IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing. In NDSS.

Google Scholar

[5]

Lesly-Ann Daniel, Erik Poll, and Joeri de Ruiter. 2018. Inferring OpenVPN State Machines Using Protocol State Fuzzing. In 2018 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). IEEE, 11--19.

Google Scholar

[6]

Joeri De Ruiter and Erik Poll. 2015. Protocol State Fuzzing of TLS Implementations. In 24th USENIX Security Symposium (USENIX Security 15). 193--206.

Google Scholar

[7]

Marius Muench, Dario Nisi, Aurélien Francillon, and Davide Balzarotti. 2018. Avatar 2: A multi-target orchestration platform. In Workshop on Binary Analysis Research (colocated with NDSS Symposium)(February 2018), BAR, Vol. 18.

Google Scholar

[8]

Yaowen Zheng, Ali Davanian, Heng Yin, Chengyu Song, Hongsong Zhu, and Limin Sun. 2019. FIRM-AFL: High-Throughput Greybox Fuzzing of IoT Firmware via Augmented Process Emulation. In 28th USENIX Security Symposium (USENIX Security 19). 1099--1114.

Google Scholar

Cited By

View all

Ma XYan CWang YWei QWang Y(2024)A Vulnerability Scanning Method for Web Services in Embedded FirmwareApplied Sciences10.3390/app1406237314:6(2373)Online publication date: 12-Mar-2024
https://doi.org/10.3390/app14062373
Chen LWang YLinghu JHou QCai QGuo SXue Z(2024)SaTC: Shared-Keyword Aware Taint Checking for Detecting Bugs in Embedded SystemsIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2023.330743021:4(2421-2433)Online publication date: Jul-2024
https://doi.org/10.1109/TDSC.2023.3307430
Andarzian SDaniele CPoll E(2024)On the (in)efficiency of fuzzing network protocolsAnnals of Telecommunications10.1007/s12243-024-01058-wOnline publication date: 13-Aug-2024
https://doi.org/10.1007/s12243-024-01058-w
Show More Cited By

Index Terms

Poster: Fuzzing IoT Firmware via Multi-stage Message Generation
1. Security and privacy
  1. Software and application security
    1. Software security engineering

Recommendations

Ankou: guiding grey-box fuzzing towards combinatorial difference
ICSE '20: Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering

Grey-box fuzzing is an evolutionary process, which maintains and evolves a population of test cases with the help of a fitness function. Fitness functions used by current grey-box fuzzers are not informative in that they cannot distinguish different ...
Ember-IO: Effective Firmware Fuzzing with Model-Free Memory Mapped IO
ASIA CCS '23: Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security

Exponential growth in embedded systems is driving the research imperative to develop fuzzers to automate firmware testing to uncover software bugs and security vulnerabilities. But, employing fuzzing techniques in this context present a uniquely ...
SLOPT: Bandit Optimization Framework for Mutation-Based Fuzzing
ACSAC '22: Proceedings of the 38th Annual Computer Security Applications Conference

Mutation-based fuzzing has become one of the most common vulnerability discovery solutions over the last decade. Fuzzing can be optimized when targeting specific programs, and given that, some studies have employed online optimization methods to do it ...

Comments

Information & Contributors

Information

Published In

CCS '19: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security

November 2019

2755 pages

ISBN:9781450367479

DOI:10.1145/3319535

General Chairs:
Lorenzo Cavallaro
King's College London, UK
,
Johannes Kinder
Bundeswehr University Munich, Germany
,
Program Chairs:
XiaoFeng Wang
Indiana University, USA
,
Jonathan Katz
George Mason University, USA

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 06 November 2019

Check for updates

Author Tags

Qualifiers

Poster

Funding Sources

National Natural Science Foundation of China
Natural Science Foundation of Hunan Province

Conference

CCS '19

Sponsor:

SIGSAC

CCS '19: 2019 ACM SIGSAC Conference on Computer and Communications Security

November 11 - 15, 2019

London, United Kingdom

Acceptance Rates

CCS '19 Paper Acceptance Rate 149 of 934 submissions, 16%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '24

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

26
Total Citations
View Citations
1,034
Total Downloads

Downloads (Last 12 months)112
Downloads (Last 6 weeks)8

Reflects downloads up to 11 Aug 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Ma XYan CWang YWei QWang Y(2024)A Vulnerability Scanning Method for Web Services in Embedded FirmwareApplied Sciences10.3390/app1406237314:6(2373)Online publication date: 12-Mar-2024
https://doi.org/10.3390/app14062373
Chen LWang YLinghu JHou QCai QGuo SXue Z(2024)SaTC: Shared-Keyword Aware Taint Checking for Detecting Bugs in Embedded SystemsIEEE Transactions on Dependable and Secure Computing10.1109/TDSC.2023.330743021:4(2421-2433)Online publication date: Jul-2024
https://doi.org/10.1109/TDSC.2023.3307430
Andarzian SDaniele CPoll E(2024)On the (in)efficiency of fuzzing network protocolsAnnals of Telecommunications10.1007/s12243-024-01058-wOnline publication date: 13-Aug-2024
https://doi.org/10.1007/s12243-024-01058-w
Andarzian SDaniele CPoll E(2024)Green-Fuzz: Efficient Fuzzing for Network Protocol ImplementationsFoundations and Practice of Security10.1007/978-3-031-57537-2_16(253-268)Online publication date: 25-Apr-2024
https://doi.org/10.1007/978-3-031-57537-2_16
Ren MZhang HRen XMing JLei Y(2024)Intelligent Zigbee Protocol Fuzzing via Constraint-Field Dependency InferenceComputer Security – ESORICS 202310.1007/978-3-031-51476-0_23(467-486)Online publication date: 11-Jan-2024
https://doi.org/10.1007/978-3-031-51476-0_23
Huang JYu BLiu RSu J(2023)Automatic discovery of stateful variables in network protocol software based on replay analysis基于重放分析的网络协议软件状态变量自动化发现技术Frontiers of Information Technology & Electronic Engineering10.1631/FITEE.220027524:3(403-416)Online publication date: 27-Mar-2023
https://doi.org/10.1631/FITEE.2200275
Qin SHu FMa ZZhao BYin TZhang C(2023)NSFuzz: Towards Efficient and State-Aware Network Service FuzzingACM Transactions on Software Engineering and Methodology10.1145/358059832:6(1-26)Online publication date: 31-Mar-2023
https://dl.acm.org/doi/10.1145/3580598
Zhou XWang PLiu CYue TLiu YSong CLu KYin QHan X(2023)UltraFuzz: Towards Resource-Saving in Distributed FuzzingIEEE Transactions on Software Engineering10.1109/TSE.2022.321952049:4(2394-2412)Online publication date: 1-Apr-2023
https://doi.org/10.1109/TSE.2022.3219520
Wang CZhao SPeng JZhu J(2023)KVFL: Key-Value-Based Persistent Fuzzing for IoT Web ServersThe Computer Journal10.1093/comjnl/bxad11067:5(1892-1909)Online publication date: 30-Nov-2023
https://doi.org/10.1093/comjnl/bxad110
Wang PZhou XYue TLin PLiu YLu K(2023)The progress, challenges, and perspectives of directed greybox fuzzingSoftware Testing, Verification and Reliability10.1002/stvr.186934:2Online publication date: 14-Dec-2023
https://doi.org/10.1002/stvr.1869
Show More Cited By

View Options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Ankou: guiding grey-box fuzzing towards combinatorial difference

Ember-IO: Effective Firmware Fuzzing with Model-Free Memory Mapped IO

SLOPT: Bandit Optimization Framework for Mutation-Based Fuzzing