Poster

Kim, Juhwan; Yun, Jeong-Han

doi:10.1145/3319535.3363275

Cited by 16 publications

(15 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This technique is more systematic for the static analysis of a target program than other techniques and is accessible from multiple methods. Typical white-box fuzzers are scalable automated guided execution (SAGE) [25], FuSeBMC [26], T-fuzz [27], Driller [28], and DrillerGo [29]. White-box fuzzing can evaluate all possible paths inside the program, but it has a high overhead.…”

Section: White-box Fuzzingmentioning

confidence: 99%

Adaptive Emulation Framework for Multi-Architecture IoT Firmware Testing

Yu¹,

Kim²,

Lee³

et al. 2023

Computers, Materials &Amp; Continua

View full text Add to dashboard Cite

Internet of things (IoT) devices are being increasingly used in numerous areas. However, the low priority on security and various IoT types have made these devices vulnerable to attacks. To prevent this, recent studies have analyzed firmware in an emulation environment that does not require actual devices and is efficient for repeated experiments. However, these studies focused only on major firmware architectures and rarely considered exotic firmware. In addition, because of the diversity of firmware, the emulation success rate is not high in terms of large-scale analyses. In this study, we propose the adaptive emulation framework for multi-architecture (AEMA). In the field of automated emulation frameworks for IoT firmware testing, AEMA considers the following issues: (1) limited compatibility for exotic firmware architectures, (2) emulation instability when configuring an automated environment, and (3) shallow testing range resulting from structured inputs. To tackle these problems, AEMA can emulate not only major firmware architectures but also exotic firmware architectures not previously considered, such as Xtensa, ColdFire, and reduced instruction set computer (RISC) version five, by implementing a minority emulator. Moreover, we applied the emulation arbitration technique and input keyword extraction technique for emulation stability and efficient test case generation. We compared AEMA with other existing frameworks in terms of emulation success rates and fuzz testing. As a result, AEMA succeeded in emulating 864 out of 1,083 overall experimental firmware and detected vulnerabilities at least twice as fast as the experimental group. Furthermore, AEMA found a 0-day vulnerability in realworld IoT devices within 24 h.

show abstract

Section: White-box Fuzzingmentioning

confidence: 99%

Adaptive Emulation Framework for Multi-Architecture IoT Firmware Testing

Yu¹,

Kim²,

Lee³

et al. 2023

Computers, Materials &Amp; Continua

View full text Add to dashboard Cite

show abstract

“…In fact, DGF is in demand because 45.1% of the usual bug reports cannot be reproduced due to missing information and user privacy violations [117]. TortoiseFuzz [27] and DrillerGo [28] utilize CVE vulnerability descriptions as target information, while UAFuzz [24] extracts target information from bug traces, both of which are suitable for this scenario. Knowledge integration.…”

Section: Application Of Dgfmentioning

confidence: 99%

“…Meanwhile, CVE information, commit changes, binary diffing techniques, and tools such as UBSan and AddressSanitizer, are adopted to label various potential vulnerable code regions. Examples include DrillerGo [28], TortoiseFuzz [27], AFLChurn [26], GREY-HOUND [15], DeltaFuzz [25], 1DVUL [23], SAVIOR [100] and HDR-Fuzz [101]. • The fuzzing process has been enhanced with various approaches, such as using data-flow analysis and semantic analysis to generate valid input, using symbolic execution to pass complex constraints.…”

Section: Overviewmentioning

confidence: 99%

“…In order to set target sites reasonably and effectively, researchers use auxiliary metadata, such as code changes from git commit logs [22], information extracted from bug traces [24], semantics from CVE vulnerability descriptions [15,27,28], or deep learning models [30][31][32]. Such auxiliary metadata can help identify vulnerable functions [27,28,[30][31][32], critical sites [96], syntax tokens [90], sanity checks [33,100], and patchrelated branches [23,26] in the code and set such vulnerable code parts or sites as targets. Nevertheless, such target identification schemes still rely on additional efforts to process the information and mark the target on the PUT.…”

Section: Target Locationsmentioning

confidence: 99%

“…Current DGF tools can not only identify targets automatically but also expose target program behavior in a directed manner. A great number of variations have been used to boost software testing under different scenarios, such as patch testing [22][23][24], regression testing [25,26], bug reproduction [24,27,28], knowledge integration [29], result validation [30][31][32][33], energy-saving [15] and special bug detection [15,24,[34][35][36][37][38]. Though fast-growing and useful, DGF has general limitations and challenges that are worth further study.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

The progress, challenges, and perspectives of directed greybox fuzzing

Wang,

Zhou,

Yue

et al. 2023

Software Testing Verif & Rel

View full text Add to dashboard Cite

SummaryGreybox fuzzing is a scalable and practical approach for software testing. Most greybox fuzzing tools are coverage‐guided as reaching high code coverage is more likely to find bugs. However, since most covered codes may not contain bugs, blindly extending code coverage is less efficient, especially for corner cases. Unlike coverage‐guided greybox fuzzing which increases code coverage in an undirected manner, directed greybox fuzzing (DGF) spends most of its time allocation on reaching specific targets (e.g. the bug‐prone zone) without wasting resources stressing unrelated parts. Thus, DGF is particularly suitable for scenarios such as patch testing, bug reproduction, and special bug detection. For now, DGF has become an active research area. However, DGF has general limitations and challenges that are worth further studying. Based on the investigation of 42 state‐of‐the‐art fuzzers that are closely related to DGF, we conducted the first in‐depth study to summarize the empirical evidence on the research progress of DGF. This paper studies DGF from a broader view, which takes into account not only the location‐directed type that targets specific code parts but also the behavior‐directed type that aims to expose abnormal program behaviors. By analyzing the benefits and limitations of DGF research, we try to identify gaps in current research, meanwhile, reveal new research opportunities and suggest areas for further investigation.

show abstract