IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing

Chen, Jiongyi; Diao, Wenrui; Zhao, Qingchuan; Zuo, Chao; Lin, Zhiqiang; Wang, Xiaofeng; Lau, Wing Cheong; Sun, Min; Yang, Ronghai; Zhang, Kehuan

doi:10.14722/ndss.2018.23159

Cited by 224 publications

(137 citation statements)

References 24 publications

Supporting

Mentioning

137

Contrasting

Order By: Relevance

“…It is worth mentioning that application-specific fuzzers have been attracting great interests, e.g., compiler fuzzing [17,19,38,39,43,60], kernel fuzzing [18,32,57], IoT (Internet of Things) fuzzing [15], OS fuzzing [48], smart contract fuzzing [36], GUI testing [59], and deep learning system testing [44]. It is interesting to investigate how to extend our general-purpose fuzzer (e.g., by designing new mutation operators or feedback mechanisms) to be effective in fuzzing specific applications.…”

Section: Related Workmentioning

confidence: 99%

Superion: Grammar-Aware Greybox Fuzzing

Wang

Chen

Wei

et al. 2019

2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE)

160

View full text Add to dashboard Cite

In recent years, coverage-based greybox fuzzing has proven itself to be one of the most effective techniques for finding security bugs in practice. Particularly, American Fuzzy Lop (AFL for short) is deemed to be a great success in fuzzing relatively simple test inputs. Unfortunately, when it meets structured test inputs such as XML and JavaScript, those grammar-blind trimming and mutation strategies in AFL hinder the effectiveness and efficiency.To this end, we propose a grammar-aware coverage-based greybox fuzzing approach to fuzz programs that process structured inputs. Given the grammar (which is often publicly available) of test inputs, we introduce a grammar-aware trimming strategy to trim test inputs at the tree level using the abstract syntax trees (ASTs) of parsed test inputs. Further, we introduce two grammar-aware mutation strategies (i.e., enhanced dictionary-based mutation and tree-based mutation). Specifically, tree-based mutation works via replacing subtrees using the ASTs of parsed test inputs. Equipped with grammar-awareness, our approach can carry the fuzzing exploration into width and depth.We implemented our approach as an extension to AFL, named Superion; and evaluated the effectiveness of Superion on real-life large-scale programs (a XML engine libplist and three JavaScript engines WebKit, Jerryscript and ChakraCore). Our results have demonstrated that Superion can improve the code coverage (i.e., 16.7% and 8.8% in line and function coverage) and bug-finding capability (i.e., 31 new bugs, among which we discovered 21 new vulnerabilities with 16 CVEs assigned and 3.2K USD bug bounty rewards received) over AFL and jsfunfuzz. We also demonstrated the effectiveness of our grammar-aware trimming and mutation.

show abstract

Section: Related Workmentioning

confidence: 99%

Superion: Grammar-Aware Greybox Fuzzing

Wang

Chen

Wei

et al. 2019

2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE)

160

View full text Add to dashboard Cite

show abstract

“…For instance, tools for Android, such as Google's Android Monkey [38], generate random test case inputs of user events and system-level events. As another example, IoTFuzzer uses a dynamic analysis to identify IoT app content and mutates that content to detect memory corruptions of IoT devices [22]. To improve test input generation, contemporary approaches use heuristics that guide input generation to cover app source code intelligently, avoid redundant test paths, and enable multi-objective automated testing [18,24,67,79,101].…”

Section: Simulation and Modeling Of Iot Programsmentioning

confidence: 99%

Program Analysis of Commodity IoT Applications for Security and Privacy

et al. 2019

View full text Add to dashboard Cite

Recent advances in Internet of Things (IoT) have enabled myriad domains such as smart homes, personal monitoring devices, and enhanced manufacturing. IoT is now pervasive-new applications are being used in nearly every conceivable environment, which leads to the adoption of device-based interaction and automation. However, IoT has also raised issues about the security and privacy of these digitally augmented spaces. Program analysis is crucial in identifying those issues, yet the application and scope of program analysis in IoT remains largely unexplored by the technical community. In this article, we study privacy and security issues in IoT that require program-analysis techniques with an emphasis on identified attacks against these systems and defenses implemented so far. Based on a study of five IoT programming platforms, we identify the key insights that result from research efforts in both the program analysis and security communities and relate the efficacy of program-analysis techniques to security and privacy issues. We conclude by studying recent IoT analysis systems and exploring their implementations. Through these explorations, we highlight key challenges and opportunities in calibrating for the environments in which IoT systems will be used. CCS Concepts: • Security and privacy → Software and application security; • Software and its engineering → Automated static analysis; Dynamic analysis;

show abstract

“…e main challenge is that it requires a security expert to write the data model, so it cannot be leveraged to test other devices automatically. Chen et al [65] presented IOTFUZZER that performs a protocol-guarded fuzzing on COTS devices; its key idea is that many IoT devices can be controlled through their official mobile apps. So, they firstly adopted a taintbased approach to track the atomic data that are used to construct the network message; then, they mutated these atomic data dynamically to reuse the original code of message building.…”

Section: Related Workmentioning

confidence: 99%

Discovering Vulnerabilities in COTS IoT Devices through Blackbox Fuzzing Web Management Interface

Wang

Zhang

Chen

et al. 2019

Security and Communication Networks

View full text Add to dashboard Cite

A novel approach for discovering vulnerability in commercial off-the-shelf (COTS) IoT devices is proposed in this paper, which will revolutionize the area. Unlike previous work, the web management interface in IoT was used to detect vulnerabilities by leveraging fuzzing technology. To validate and evaluate this scheme, a tool named WMIFuzzer was designed and implemented. There were also two challenges: (1) due to the diversity of web interface implementations, there were no existing seed messages for fuzzing this interface and it was inefficient while taking random messages to launch the fuzzing and (2) because of the highly structured seed message, fuzzing with byte-level mutation could conduce to be rejected by the device at an early stage. To address these challenges, a brute-force UI automation was designed to drive the web interface to generate initial seed messages automatically, as well as a weighted message parse tree (WMPT) was proposed to guide the mutation to generate mostly structure-valid messages. The extensive experimental results show that WMIFuzzer could achieve expected result while 10 vulnerabilities including 6 zero-days in 7 COTS IoT devices were discovered.

show abstract

IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing

Cited by 224 publications

References 24 publications

Superion: Grammar-Aware Greybox Fuzzing

Superion: Grammar-Aware Greybox Fuzzing

Program Analysis of Commodity IoT Applications for Security and Privacy

Discovering Vulnerabilities in COTS IoT Devices through Blackbox Fuzzing Web Management Interface

Contact Info

Product

Resources

About