WPAxFuzz: Sniffing Out Vulnerabilities in Wi-Fi Implementations

Kampourakis, Vyron; Chatzoglou, Efstratios; Kambourakis, Georgios; Dolmes, Apostolos; Zaroliagis, Christos

doi:10.3390/cryptography6040053

Cited by 6 publications

(4 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It utilizes messages exchanged between the hub and IoT devices to discover all functions automatically and then initiates a feature-oriented message-semantics-guided fuzz test. In the latest WiFi-security-related works [16][17][18][19], wireless access points (APs) are taken as a research entry point to review the security of actual device WiFi networks, especially the security of web interfaces related to access points (APs).…”

Section: Dynamic Analysis-based Approachesmentioning

confidence: 99%

A Vulnerability Scanning Method for Web Services in Embedded Firmware

Ma,

Yan,

Wang

et al. 2024

Applied Sciences

View full text Add to dashboard Cite

As the Internet of Things (IoT) era arrives, the proliferation of IoT devices exposed to the Internet presents a significant challenge to device security. Firmware is software that operates within Internet of Things (IoT) devices, directly governing their behaviors and functionalities. Consequently, the security of firmware is critical to shielding IoT devices from potential threats. In order to enable users to operate a device intuitively, firmware commonly provides a web interface. Consequently, this interface frequently serves as the primary attack goal in Internet of Things (IoT) devices, rendering them susceptible to numerous cyber-attacks. Unfortunately, web services have complex data interactions and implicit dependencies, and it is not easy to balance efficiency and accuracy during the analysis process, leading to heavy overhead. This paper proposes a lightweight vulnerability scanning approach, WFinder, designed explicitly for embedded firmware web services to perform vulnerability checks on backend binary files in firmware. WFinder uses static analysis to focus on identifying vulnerabilities in boundary binary files related to web services in firmware. Initially, the approach identifies boundary binary files and external data entry points based on front-end and back-end associativity features. Subsequently, rules are formulated to filter hazardous functions to narrow the analysis targets. Finally, the method generates sensitive call paths from the external data input points to the hazardous functions and conducts a lightweight taint analysis along these paths to uncover potential vulnerabilities. We implemented a prototype of WFinder and evaluated it on the firmware of ten devices from five well-known manufacturers. We discovered thirteen potential vulnerabilities, eight of which were confirmed by the CNVD, and assigned them CNVD identification numbers. Compared with the most advanced tool, SATC, WFinder was more efficient at discovering more bugs on the test set. These results indicate that WFinder is effective at detecting bugs in embedded web services.

show abstract

Section: Dynamic Analysis-based Approachesmentioning

confidence: 99%

A Vulnerability Scanning Method for Web Services in Embedded Firmware

Ma,

Yan,

Wang

et al. 2024

Applied Sciences

View full text Add to dashboard Cite

show abstract

“…Based on the degree of understanding of the target program, fuzzers can be classified as black-box [23], grey-box [24], and white-box [25], with each technique being sequential, having more information available that can be leveraged for the analysis of the test target. Otherwise, fuzzers can also be classified, based on the type of input they create, into mutation based [26], generation based [12,27], and hybrid [28]. The first category mutates existing inputs to create new inputs, while the second generates new inputs from scratch from a specification, often based on a specific grammar.…”

Section: Fuzzingmentioning

confidence: 99%

“…Network protocol fuzzing: Fuzzing often involves the security testing of communication protocols [10][11][12]. For instance, in PropFuzz [13], the authors present a protocol fuzzer designed for proprietary ICS protocols.…”

Section: Related Workmentioning

confidence: 99%

“…This paper introduces a novel framework for fuzzing PLC control logic applications to address this shortcoming. Unlike the existing body of work that focuses on industrial protocols [10][11][12][13][14][15], our approach is optimized for fuzzing ST-based control logic applications. The proposed framework offers a general-purpose solution to fuzzing internal logic flaws, indirectly enhancing the reliability and security of ICS devices against external cyber threats.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

StructuredFuzzer: Fuzzing Structured Text-Based Control Logic Applications

Koffi,

Kampourakis,

Song

et al. 2024

Electronics

Self Cite

View full text Add to dashboard Cite

Rigorous testing methods are essential for ensuring the security and reliability of industrial controller software. Fuzzing, a technique that automatically discovers software bugs, has also proven effective in finding software vulnerabilities. Unsurprisingly, fuzzing has been applied to a wide range of platforms, including programmable logic controllers (PLCs). However, current approaches, such as coverage-guided evolutionary fuzzing implemented in the popular fuzzer American Fuzzy Lop Plus Plus (AFL++), are often inadequate for finding logical errors and bugs in PLC control logic applications. They primarily target generic programming languages like C/C++, Java, and Python, and do not consider the unique characteristics and behaviors of PLCs, which are often programmed using specialized programming languages like Structured Text (ST). Furthermore, these fuzzers are ill suited to deal with complex input structures encapsulated in ST, as they are not specifically designed to generate appropriate input sequences. This renders the application of traditional fuzzing techniques less efficient on these platforms. To address this issue, this paper presents a fuzzing framework designed explicitly for PLC software to discover logic bugs in applications written in ST specified by the IEC 61131-3 standard. The proposed framework incorporates a custom-tailored PLC runtime and a fuzzer designed for the purpose. We demonstrate its effectiveness by fuzzing a collection of ST programs that were crafted for evaluation purposes. We compare the performance against a popular fuzzer, namely, AFL++. The proposed fuzzing framework demonstrated its capabilities in our experiments, successfully detecting logic bugs in the tested PLC control logic applications written in ST. On average, it was at least 83 times faster than AFL++, and in certain cases, for example, it was more than 23,000 times faster.

show abstract