DOI: 10.1145/3605758.3623493
Research article

Firmulti Fuzzer: Discovering Multi-process Vulnerabilities in IoT Devices with Full System Emulation and VMI

Published: 26 November 2023

ABSTRACT

As the Internet of Things grows, the number and complexity of IoT devices are increasing rapidly. Nevertheless, many IoT products are developed without sufficient consideration for security, leaving them vulnerable to exploitation by malware. To address these vulnerabilities proactively, before malicious attackers discover them, information security researchers use both static and dynamic analysis techniques to identify vulnerabilities and propose firmware updates.

Due to the variety of IoT firmware architectures, conducting fuzzing tests directly on firmware using a general personal computer is challenging. As a solution, emulation techniques are commonly applied to create virtual environments for vulnerability detection. However, existing emulation-based fuzzing test tools often prioritize efficiency and avoid utilizing full-system emulation. These tools are limited to detecting vulnerabilities in individual programs and are unable to identify deep-seated vulnerabilities that arise from interactions across multiple processes.

To solve this challenge, we propose Firmulti Fuzzer, a fuzzing framework that leverages full-system emulation. Our approach emulates the firmware twice. The first emulation uses an existing emulation system to acquire the firmware's full-system emulation configuration. The second emulation then runs in an emulator with virtual machine introspection (VMI) support to monitor the entire system environment. With Firmulti Fuzzer, we can track the execution status of every program in the environment and raise a notification when an exception is detected, thereby identifying vulnerabilities that stem from interactions among multiple processes.

Experiments have shown the effectiveness of Firmulti Fuzzer in detecting both general vulnerabilities and multi-process vulnerabilities. Most importantly, Firmulti Fuzzer outperforms other fuzzers in identifying multi-process vulnerabilities. Firmulti Fuzzer holds promising potential as a tool for enhancing the security of IoT devices and mitigating the exploitation of vulnerabilities by malicious attackers.


Published in

CPSIoTSec '23: Proceedings of the 5th Workshop on CPS&IoT Security and Privacy
November 2023
115 pages
ISBN: 9798400702549
DOI: 10.1145/3605758

Copyright © 2023 ACM

Publisher: Association for Computing Machinery, New York, NY, United States