Research On Fuzzing-based Vulnerability Discovery Technique For IoT Devices

Posted on: 2021-02-19
Degree: Doctor
Type: Dissertation
Country: China
Candidate: D Wang
Full Text: PDF
GTID: 1368330626955647
Subject: Information security

Abstract/Summary:
Vulnerability discovery via fuzzing testing has been a research hotspot in academia and industry in recent years, since it requires no source code, has few resource limitations, executes efficiently, and is insensitive to program size. Fuzzing testing has been successfully applied to the exploitation of vulnerabilities in general systems. For example, the US Defense Advanced Research Projects Agency adopted fuzzing-based vulnerability discovery in its automated network offensive and defensive competition, and top global companies such as Microsoft and Google have applied fuzzing testing to discover vulnerabilities in their core products. However, fuzzing testing on IoT devices is still in its infancy. This dissertation focuses on vulnerability discovery techniques for IoT devices. By analyzing the threat surface of IoT devices and the challenges of automated vulnerability discovery methods, this dissertation conducts fuzzing testing research for discovering vulnerabilities in the IoT cloud and the Web communication interface. The main research contents and contributions of this dissertation are as follows.

Firstly, this dissertation analyzes in depth the network structure and technique stack of IoT devices, and the attack techniques of typical IoT security incidents. This dissertation finds: 1) IoT devices have three horizontal threat surfaces (cloud, control, device) and three vertical threat surfaces (sensor, network, application); current research is mainly focused on the device-application threat surface. 2) Since the underlying hardware and software platforms of IoT devices vary a lot, code-based program analysis techniques have many limitations (e.g., workload, efficiency, and resource acquisition), whereas fuzzing can avoid those limitations effectively. Therefore, this dissertation focuses on fuzzing research for IoT devices. This research content provides a theoretical basis and important references for subsequent research.

Secondly, this dissertation conducts in-depth research on the cloud authentication of IoT devices, and for the first time proposes a vulnerability threat model for SMS authentication codes. Based on black-box fuzzing, this dissertation designs and implements the software SACIntruderEx, which is able to find SMS authentication code vulnerabilities. SACIntruderEx requires neither the source code nor heavy program analysis, and it has 4 contributions. 1) A message generation method based on graphic interface testing is designed to generate device-adaptive password reset messages. 2) A protocol field identification method based on input differences is designed to identify message fields that have highly customizable names. 3) A hybrid message mutation method is designed to achieve rapid mutation for simple messages and offline mutation for messages that contain a checksum field. 4) Multiple monitoring policies are designed to quickly find three types of vulnerabilities. The experiment tests more than 100 IoT devices and discovers dozens of vulnerabilities. The results show that SACIntruderEx can discover SMS authentication code vulnerabilities in different IoT devices.

Thirdly, this dissertation conducts in-depth research on the vulnerability discovery method for the Web communication interfaces of IoT devices. Since most vulnerabilities of Web communication interfaces are remotely exploitable, they are the main targets of IoT botnet malware (zombie viruses). Based on mutation-based fuzzing, this dissertation designs and implements the software WMIFuzzer, which is able to find vulnerabilities of Web communication interfaces. Unlike SACIntruderEx, WMIFuzzer needs to mutate multiple fields of highly structured Web messages, and it has 4 contributions. 1) It is fully automated and does not require users to provide initial seed messages, so users with different roles can use this software to perform security testing on IoT devices. 2) A brute-forced graphic interface testing method is designed to generate the initial seeds without pre-defined rules. 3) A weighted message parse tree is proposed to generate structure-valid testing messages that carry malformed data. 4) Multiple monitoring rules are designed to find more types of vulnerabilities. The experiment tests 7 IoT devices and discovers 10 vulnerabilities. Compared with the two mainstream fuzzers AFL and Sulley, WMIFuzzer finds more vulnerabilities at a much faster speed. The results show that WMIFuzzer can effectively and efficiently discover Web communication interface vulnerabilities.

Fourthly, this dissertation conducts research on the vulnerability discovery method for BinaryCGI programs. Among the Web communication interface vulnerabilities of IoT devices, BinaryCGI program vulnerabilities are the most harmful ones: on the one hand, they can be triggered remotely; on the other hand, they can usually cause the underlying system of the device to be compromised. Based on grey-box fuzzing, this dissertation designs and implements the software BCFuzzer, which is able to find vulnerabilities of BinaryCGI programs. BCFuzzer has two contributions. 1) A feedback-based lazy input model is designed to overcome the challenge of variable environment input; this lazy input model improves the effectiveness of the generated testing messages. 2) A selective external function tracking method is designed to monitor those interesting functions that can affect the control flow of the main module. With this new tracking method, BCFuzzer balances coverage collection against execution speed. BinaryCGI programs collected from 13 devices are tested and compared with the mainstream grey-box fuzzer ACW. The results show that BCFuzzer has better path exploration and vulnerability discovery capabilities.
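The weighted message parse tree that the WMIFuzzer section describes (contribution 3: structure-valid test messages carrying malformed data) is the part a device vendor's QA or a defender fuzzing their own device's configuration endpoint would most want to see concretely. The following is an added illustration written for this page; it is not the dissertation's code and does not reproduce WMIFuzzer. It assumes a form-encoded HTTP POST, a constructed sample request to a hypothetical `/cgi-bin/wifi_set` path, constructed leaf weights (body parameters weighted highest because they reach application code, framework-handled headers lowest), and a small constructed set of malformed values. The tree is parsed, one leaf is drawn by weight, its value is replaced, and the message is re-serialized with `Content-Length` recomputed so that every generated case still parses.

```python
"""
Weighted message parse tree for structure-aware mutation of an HTTP request.

Added illustration, not code from the dissertation or from WMIFuzzer.
A captured request is parsed into a tree of fields; one leaf is chosen
by weight, its value is swapped for malformed data, and the tree is
re-serialized so the request stays structurally valid.
"""
import random
from dataclasses import dataclass


@dataclass
class Leaf:
    path: str      # e.g. "header:Host" or "body:ssid"
    value: str
    weight: float  # assumed heuristic weight, see leaves()


@dataclass
class Tree:
    method: str
    target: str
    version: str
    headers: list  # [[name, value], ...]
    body: list     # [[key, value], ...] for form-encoded bodies


# Constructed sample request to a hypothetical device endpoint.
SAMPLE = (
    "POST /cgi-bin/wifi_set HTTP/1.1\r\n"
    "Host: 192.168.1.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 28\r\n"
    "\r\n"
    "ssid=home&channel=6&enc=wpa2"
)

# Constructed malformed values; none contains '&', '=' or CRLF, so the
# message structure survives the substitution.
MALFORMED = ["A" * 1024, "", "-1", "4294967296", "\x00\x01", "%n%n"]


def parse_request(raw: str) -> Tree:
    """Split a request into request line, headers and form-encoded body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append([name.strip(), value.strip()])
    body_fields = []
    if body:
        for pair in body.split("&"):
            k, _, v = pair.partition("=")
            body_fields.append([k, v])
    return Tree(method, target, version, headers, body_fields)


def serialize(tree: Tree) -> str:
    """Rebuild the request, keeping Content-Length consistent with the body."""
    body = "&".join(f"{k}={v}" for k, v in tree.body)
    for h in tree.headers:
        if h[0].lower() == "content-length":
            h[1] = str(len(body))
    head = f"{tree.method} {tree.target} {tree.version}\r\n"
    head += "".join(f"{n}: {v}\r\n" for n, v in tree.headers)
    return head + "\r\n" + body


def leaves(tree: Tree) -> list:
    """Enumerate mutable leaves with assumed weights (constructed heuristic)."""
    out = [Leaf("target", tree.target, 1.0)]
    for name, value in tree.headers:
        low = name.lower() in ("host", "content-length", "content-type")
        out.append(Leaf(f"header:{name}", value, 0.2 if low else 1.0))
    for k, v in tree.body:
        out.append(Leaf(f"body:{k}", v, 3.0))  # reaches application code
    return out


def mutate(tree: Tree, rng: random.Random) -> str:
    """Replace one weighted-random leaf value in place; return its path."""
    ls = leaves(tree)
    chosen = rng.choices(ls, weights=[l.weight for l in ls], k=1)[0]
    payload = rng.choice(MALFORMED)
    kind, _, name = chosen.path.partition(":")
    if kind == "target":
        tree.target = payload
    elif kind == "header":
        for h in tree.headers:
            if h[0] == name:
                h[1] = payload
    else:
        for kv in tree.body:
            if kv[0] == name:
                kv[1] = payload
    return chosen.path


def generate(raw: str, n: int, seed: int = 0) -> list:
    """Produce n (mutated_path, request_text) test cases from one seed message."""
    rng = random.Random(seed)
    cases = []
    for _ in range(n):
        tree = parse_request(raw)
        path = mutate(tree, rng)
        cases.append((path, serialize(tree)))
    return cases


def structure_preserved(original: str, mutated: str) -> bool:
    """True if header names, body keys and Content-Length are still valid."""
    a, b = parse_request(original), parse_request(mutated)
    body = mutated.partition("\r\n\r\n")[2]
    length_ok = all(int(v) == len(body) for n, v in b.headers
                    if n.lower() == "content-length")
    return ([h[0] for h in a.headers] == [h[0] for h in b.headers]
            and [k[0] for k in a.body] == [k[0] for k in b.body]
            and length_ok)


if __name__ == "__main__":
    for path, case in generate(SAMPLE, 5, seed=1):
        print(path, structure_preserved(SAMPLE, case))
```

The point the weights make is that mutation budget is spent where the device's own code parses the value, not on headers the HTTP framework consumes, while the re-serialization step is what keeps every case past the request parser so that the monitoring rules see the application's behaviour rather than a generic 400 response.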
Keywords/Search Tags: IoT, Fuzzing testing, Vulnerability discovery, Remote monitoring