Fuzzing Wi-Fi Drivers to Locate Security Vulnerabilities

Kuball, S.

doi:10.1109/hase.2007.43

Cited by 6 publications

(3 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To find bugs and vulnerabilities in operating systems, some fuzzing approaches [3], [5]- [7], [11], [36]- [38] target kernellevel programs. For example, syzkaller [3] is a well-known kernel fuzzing tool developed and maintained by Google.…”

Section: Related Work a Fuzzingmentioning

confidence: 99%

Fuzzing Error Handling Code in Device Drivers Based on Software Fault Injection

Jiang

Bai

Lawall

et al. 2019

2019 IEEE 30th International Symposium on Software Reliability Engineering (ISSRE)

View full text Add to dashboard Cite

Device drivers remain a main source of runtime failures in operating systems. To detect bugs in device drivers, fuzzing has been commonly used in practice. However, a main limitation of existing fuzzing approaches is that they cannot effectively test error handling code. Indeed, these fuzzing approaches require effective inputs to cover target code, but much error handling code in drivers is triggered by occasional errors (such as insufficient memory and hardware malfunctions) that are not related to inputs. In this paper, based on software fault injection, we propose a new fuzzing approach named FIZZER, to test error handling code in device drivers. At compile time, FIZZER uses static analysis to recommend possible error sites that can trigger error handling code. During driver execution, by analyzing runtime information, it automatically fuzzes error-site sequences for fault injection to improve code coverage. We evaluate FIZZER on 18 device drivers in Linux 4.19, and in total find 22 real bugs. The code coverage is increased by over 15% compared to normal execution without fuzzing.

show abstract

Section: Related Work a Fuzzingmentioning

confidence: 99%

Fuzzing Error Handling Code in Device Drivers Based on Software Fault Injection

Jiang

Bai

Lawall

et al. 2019

2019 IEEE 30th International Symposium on Software Reliability Engineering (ISSRE)

View full text Add to dashboard Cite

show abstract

“…Wi-Fi drivers have been tested for vulnerabilities, but only with as goal to detect general errors such as buffer overflows and NULL pointer dereferences [22,7]. Moreover, they only tested how implementations handle unprotected management frames.…”

Section: Related Workmentioning

confidence: 99%

Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing

Vanhoef

Schepers

Piessens

2017

Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

We use model-based testing techniques to detect logical vulnerabilities in implementations of the Wi-Fi handshake. This reveals new fingerprinting techniques, multiple downgrade attacks, and Denial of Service (DoS) vulnerabilities. Stations use the Wi-Fi handshake to securely connect with wireless networks. In this handshake, mutually supported capabilities are determined, and fresh pairwise keys are negotiated. As a result, a proper implementation of the Wi-Fi handshake is essential in protecting all subsequent traffic. To detect the presence of erroneous behaviour, we propose a model-based technique that generates a set of representative test cases. These tests cover all states of the Wi-Fi handshake, and explore various edge cases in each state. We then treat the implementation under test as a black box, and execute all generated tests. Determining whether a failed test introduces a security weakness is done manually. We tested 12 implementations using this approach, and discovered irregularities in all of them. Our findings include fingerprinting mechanisms, DoS attacks, and downgrade attacks where an adversary can force usage of the insecure WPA-TKIP cipher. Finally, we explain how one of our downgrade attacks highlights incorrect claims made in the 802.11 standard.

show abstract

“…Existing work on analyzing device-driver interactions typically runs the entire system including device drivers in a controlled environment [32], [44], [47], [49], [54], [60], [62], [66], such as QEMU [20] or S2E [33]. Enabling analysis in such an environment often requires developer efforts tailored to specific drivers or devices, e.g., implementing a virtual device or annotating driver code to keep symbolic execution tractable.…”

Section: Introductionmentioning

confidence: 99%

PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary

Song¹,

Hetzelt²,

Das³

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

The OS kernel is an attractive target for remote attackers. If compromised, the kernel gives adversaries full system access, including the ability to install rootkits, extract sensitive information, and perform other malicious actions, all while evading detection. Most of the kernel's attack surface is situated along the system call boundary. Ongoing kernel protection efforts have focused primarily on securing this boundary; several capable analysis and fuzzing frameworks have been developed for this purpose.

show abstract

Fuzzing Wi-Fi Drivers to Locate Security Vulnerabilities

Cited by 6 publications

References 9 publications

Fuzzing Error Handling Code in Device Drivers Based on Software Fault Injection

Fuzzing Error Handling Code in Device Drivers Based on Software Fault Injection

Discovering Logical Vulnerabilities in the Wi-Fi Handshake Using Model-Based Testing

PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary

Contact Info

Product

Resources

About