DOI: 10.1145/2714576.2714607
Research article

On Designing an Efficient Distributed Black-Box Fuzzing System for Mobile Devices

Published: 14 April 2015

Abstract

Security researchers who jailbreak iOS devices have usually crowdsourced the search for system-level vulnerabilities in iOS [1]. However, their success has depended on whether a particular device owner happened to encounter a crash in system-level code. For voluntary security testing, black-box fuzzing is one of the ideal low-cost and simple techniques by which a less technical crowd can find system-level vulnerabilities. However, it is not the most effective method, because the fuzzing space is large. At the same time, when fuzzing mobile devices such as today's smartphones, it is extremely time consuming to instrument devices running varying versions of system software across the world. This paper describes the Mobile Vulnerability Discovery Pipeline (MVDP), a semi-automated vulnerability discovery pipeline for mobile devices. MVDP is a carefully crafted process targeted at producing malicious output that is very likely to crash the target, leading to vulnerability discovery. MVDP employs a few novel black-box fuzzing techniques, such as distributed fuzzing, parameter selection, mutation position optimisation and selection of good seed files. To date, MVDP has discovered around 1900 unique crashing inputs and helped to identify 7 unique vulnerabilities across various Android and iOS phone models.

References

[1] A. Imran. Chronic Dev Team Announces "Tool of Mass Exploitation", Install It Now To Help Community Find Exploits For Untethered Jailbreak. redmonpie.com, November 27, 2011.
[2] J. Drake. Reversing and Auditing Android's Proprietary Bits. RECon, June 2013.
[3] M. Sutton, A. Greene, and P. Amini. Fuzzing: Brute Force Vulnerability Discovery. Addison-Wesley Professional, 2007.
[4] Sophos Press Release: Users Weighed Down by Multiple Gadgets and Mobile Devices, New Sophos Survey Reveals. Sophos Ltd., March 18, 2013.
[5] National Cyber Awareness System. Vulnerability Summary for CVE-2012-0003. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0003
[6] National Cyber Awareness System. Vulnerability Summary for CVE-2013-0976. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0976
[7] National Cyber Awareness System. Vulnerability Summary for CVE-2013-1750. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1750
[8] A. Rebert, S. K. Cha, T. Avgerinos, J. Foote, D. Warren, G. Grieco, and D. Brumley. Optimising Seed Selection for Fuzzing. In Proc. 23rd USENIX Security Symposium, 2014.
[9] Graphics Interchange Format, Version 89a. W3C, 31 July 1990.
[10] H. C. Kim, Y. H. Choi, and D. H. Lee. Efficient file fuzz testing using automated analysis of binary file format. Journal of Systems Architecture: Embedded Systems Design, 57(3):259--268, 2011.
[11] M. Woo, S. K. Cha, S. Gottlieb, and D. Brumley. Scheduling black-box mutational fuzzing. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security (CCS '13), pages 511--522. ACM, New York, NY, USA, 2013.
[12] Open-source software for volunteer computing and grid computing. https://boinc.berkeley.edu/
[13] SETI@home. http://setiathome.ssl.berkeley.edu/
[14] C. Miller. How smart is intelligent fuzzing, or How stupid is dumb fuzzing? Independent Security Evaluators, August 3, 2007.
[15] Google Custom Search Engine. https://www.google.com/cse/
[16] Bing Search API. http://datamarket.azure.com/dataset/bing/search
[17] Hachoir Project. https://pypi.python.org/pypi/hachoir-core
[18] Information technology: Computer graphics and image processing: Portable Network Graphics (PNG): Functional specification. ISO/IEC 15948:2003; W3C Recommendation, 10 November 2003.
[19] Skia 2D graphics library. https://code.google.com/p/skia/
[20] Apple iOS ImageIO. https://developer.apple.com/library/ios/documentation/GraphicsImaging/Conceptual/ImageIOGuide
[21] A. D. Householder and J. M. Foote. Probability-Based Parameter Selection for Black-Box Fuzz Testing. Technical Report, CERT, August 2012.
[22] !exploitable. http://msecdbg.codeplex.com/
[23] Binary Diff Utility. FreeBSD Man Pages.
[24] Mac Developer Library: Apple Technical Note TN233, Accessing CrashWrangler to analyze crashes for security implications. March 2014.
[25] (SIGSEGV), fault addr deadbaad. https://groups.google.com/forum/#!topic/android-ndk/jQg6DM6-D6o
[26] C. Labs. zzuf: multi-purpose fuzzer. http://caca.zoy.org/wiki/zzuf
[27] B. P. Miller, L. Fredriksen, and B. So. An Empirical Study of the Reliability of UNIX Utilities. Communications of the ACM, 33(12):32--44, 1990.
[28] C. Evans, M. Moore, and T. Ormandy, Google Security Team. Fuzzing at scale. http://googleonlinesecurity.blogspot.sg/2011/08/fuzzing-at-scale.html, August 12, 2011.
[29] Basic Fuzzing Framework. http://www.cert.org/vulnerability-analysis/tools/bff.cfm
[30] T. Avgerinos, S. K. Cha, A. Rebert, E. J. Schwartz, M. Woo, and D. Brumley. Automatic exploit generation. Communications of the ACM, 57(2):74--84, February 2014.
[31] Hex-Rays IDA. https://www.hex-rays.com/products/ida/
[32] D. A. Berry and B. Fristedt. Bandit Problems: Sequential Allocation of Experiments. Chapman and Hall, 1985.

Cited By

  • (2021) Dependability Assessment of the Android OS Through Fault Injection. IEEE Transactions on Reliability, 70(1):346-361. DOI: 10.1109/TR.2019.2954384. Online publication date: Mar-2021.
  • (2019) File Guard: automatic format-based media file sanitization. International Journal of Information Security, 18(6):701-713. DOI: 10.1007/s10207-019-00440-3. Online publication date: 1-Dec-2019.
  • (2017) The Fuzzing Awakens: File Format-Aware Mutational Fuzzing on Smartphone Media Server Daemons. ICT Systems Security and Privacy Protection, pages 219-232. DOI: 10.1007/978-3-319-58469-0_15. Online publication date: 4-May-2017.


Published In

ASIA CCS '15: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security
April 2015, 698 pages
ISBN: 9781450332453
DOI: 10.1145/2714576

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. black-box fuzzing
  2. crash analysis
  3. smartphones
  4. zero-day vulnerability


Conference

ASIA CCS '15: 10th ACM Symposium on Information, Computer and Communications Security
April 14 - March 17, 2015
Singapore, Republic of Singapore

Acceptance Rates

ASIA CCS '15 paper acceptance rate: 48 of 269 submissions, 18%
Overall acceptance rate: 418 of 2,322 submissions, 18%
