Research And Implementation Of QEMU-Based IoT Web Service Vulnerability Mining Technology

Posted on: 2021-02-23
Degree: Master
Type: Thesis
Country: China
Candidate: T Z Ding
Full Text: PDF
GTID: 2428330632462656
Subject: Computer technology

Abstract/Summary:
With the rapid development of the Internet of Things industry, the era of the Internet of Everything is coming, and Internet of Things devices play an important role in people's lives and urban infrastructure. At the same time, these IoT devices, especially the web services in the devices, have security vulnerabilities that greatly threaten users' information security. At present, the most popular solution to this problem is to perform fuzzing on the web service program of the IoT device. However, due to the closed nature and performance limitations of IoT devices, the binary instrumentation technology that existing fuzzing frameworks rely on cannot be applied in the IoT device environment. As a result, existing fuzzing frameworks cannot monitor the state of the programs running inside the device, and the effectiveness of vulnerability mining is difficult to guarantee. In this paper, we propose and implement a QEMU-based IoT web service vulnerability mining technology to address these issues. The contributions of this paper are as follows:

1) Implemented a QEMU-based dynamic binary instrumentation framework called ELFEMU, which provides cross-architecture and multi-granularity instrumentation for the analysis of IoT firmware programs.
2) Implemented an IoT binary execution environment support system based on ELFEMU, which enables IoT binaries built for other architectures to run on an x86_64 host through dynamic patches and NVRAM simulation.
3) Implemented a protocol-structure-aware, coverage-based IoT web service fuzzer to trigger more execution paths during fuzzing.

Experiments and analysis show that, compared to the existing network protocol fuzzing frameworks Peach and Boofuzz, the QEMU-based IoT device web service vulnerability mining system proposed in this paper achieves higher code coverage, which means better fuzzing results.
Keywords/Search Tags:IoT, QEMU, Dynamic Binary Instrumentation, Web Services, Fuzzing