FIoTFuzzer: Response-Based Black-Box Fuzzing for IoT Devices


Research area: Analysis



Venue: 2022 IEEE/ACIS 22nd International Conference on Computer and Information Science (ICIS)


Abstract

To keep IoT devices from being exploited, it is important to detect as many vulnerabilities as possible during device development. Black-box fuzzing is widely used for vulnerability detection in IoT devices, for two main reasons. First, firmware source code is rarely made public, so device response messages are a valuable indicator of device state. Legacy black-box fuzzers, however, did not check the network protocol, message format or encoding of their inputs; byte-by-byte mutation without such checks produced large amounts of garbage input that never reached deep functional code, which hurt both the efficiency and the accuracy of fuzzing. Second, the communication protocol specification of the firmware is also rarely published, so existing grammar-based fuzzing strategies have difficulty telling apart the meaning of each field of a message. To address these issues, this paper proposes a response-based black-box fuzzing method named FIoTFuzzer. A message adapter identifies the protocol, format, encoding and other properties of the original communication packets. To improve syntax inference, FIoTFuzzer divides each message into segments based on the device's responses, avoiding blind mutation of message content. Applying the mutation strategy per message segment, under the constraint of the inferred format specification, lets the fuzzer reach deep functional components of smart devices. The method has lightweight dependencies and requires no reverse engineering. We evaluated it on 12 IoT devices, including routers, smart bulbs and IP cameras. The results show that (1) FIoTFuzzer detects real-world vulnerabilities in IoT devices, and (2) in a benchmark comparison against Boofuzz and Sulley, FIoTFuzzer detected 9 vulnerabilities, of which Boofuzz detected only 5 and Sulley only 4.
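The segment-wise, response-guided mutation the abstract describes, illustrated with an added Python example that is not FIoTFuzzer's code and does not reproduce the authors' implementation. The HTTP request format, the mock device with its strict parser and planted over-long-hostname bug, the `/cgi-bin/setWan` endpoint, the payload list and the majority-rejected rule for telling structural segments from content segments are all constructed assumptions. The example parses a captured request into segments (the message-adapter role), sends single-segment mutations and uses the response to label each segment as protocol syntax or content, then fuzzes only the content segments, and compares the share of inputs that reach the handler against blind byte-level mutation of the same seed.

```python
import random
import re
from urllib.parse import parse_qs, urlencode

# Constructed seed: one captured request to a hypothetical router CGI endpoint.
SEED_REQUEST = ("POST /cgi-bin/setWan HTTP/1.1\r\nHost: 192.168.1.1\r\n"
                "Content-Type: application/x-www-form-urlencoded\r\n"
                "Content-Length: 31\r\n\r\nhostname=router&mtu=1500&ttl=64")
# Payloads applied to one segment at a time (an assumed list, not the paper's).
PAYLOADS = ["A" * 256, "", "0", "-1", "2147483648", "%n%s%x", "'; reboot; #"]
PARSER_REJECTS = ("400", "415")  # status prefixes meaning "died in the parser"

def mock_device(request: bytes) -> str:
    """Constructed device: strict parser in front of a handler with a planted bug."""
    try:
        text = request.decode("ascii")
    except UnicodeDecodeError:
        return "400 Bad Request"
    head, sep, body = text.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    if not sep or not re.fullmatch(r"(GET|POST) /cgi-bin/setWan HTTP/1\.[01]", request_line):
        return "400 Bad Request"
    headers = dict(line.partition(": ")[::2] for line in header_lines)
    if headers.get("Content-Type") != "application/x-www-form-urlencoded":
        return "415 Unsupported Media Type"
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if len(params.get("hostname", "")) > 64:  # planted bug: fixed 64-byte buffer
        return "500 Internal Server Error"
    return "200 OK"

def parse_segments(request: str) -> dict:
    """Message-adapter role: split a captured request into named segments."""
    head, _, body = request.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ", 2)
    return {"method": method, "path": path, "version": version,
            "headers": dict(line.partition(": ")[::2] for line in header_lines),
            "params": {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}}

def assemble(seg: dict) -> bytes:
    body = urlencode(seg["params"])
    headers = {**seg["headers"], "Content-Length": str(len(body))}  # keep framing valid
    head = " ".join((seg["method"], seg["path"], seg["version"]))
    head += "".join(f"\r\n{k}: {v}" for k, v in headers.items())
    return (head + "\r\n\r\n" + body).encode("latin-1", "replace")

def mutate_segment(seg: dict, target: str, payload: str) -> bytes:
    """Replace one segment ('method', 'header:Host', 'param:mtu', ...) and re-encode."""
    new = dict(seg, headers=dict(seg["headers"]), params=dict(seg["params"]))
    kind, _, key = target.partition(":")
    if kind in ("header", "param"):
        new[kind + "s"][key] = payload
    else:
        new[kind] = payload
    return assemble(new)

def infer_segment_roles(seed: str, oracle) -> dict:
    """Response-based inference: segments the parser mostly rejects when mutated
    are structural (protocol syntax); the others carry content worth fuzzing."""
    seg = parse_segments(seed)
    targets = ["method", "path", "version"] + [f"header:{h}" for h in seg["headers"]
               if h != "Content-Length"] + [f"param:{p}" for p in seg["params"]]
    roles = {}
    for target in targets:
        rejected = sum(oracle(mutate_segment(seg, target, p)).startswith(PARSER_REJECTS)
                       for p in PAYLOADS)
        roles[target] = "structural" if 2 * rejected > len(PAYLOADS) else "content"
    return roles

def segment_inputs(seed: str, roles: dict):
    """Segment-wise strategy: mutate only content segments, keep syntax intact."""
    seg = parse_segments(seed)
    for target, role in roles.items():
        for payload in (PAYLOADS if role == "content" else []):
            yield (target, payload), mutate_segment(seg, target, payload)

def blind_inputs(seed: str, rounds: int, rng_seed: int = 7):
    """Legacy strategy: random byte overwrites with no notion of the format."""
    rng, raw = random.Random(rng_seed), seed.encode("ascii")
    for i in range(rounds):
        buf = bytearray(raw)
        for _ in range(rng.randint(1, 4)):
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        yield ("blind", i), bytes(buf)

def run_campaign(inputs, oracle) -> dict:
    """Send each (label, request) pair and tally how deep it got."""
    stats = {"sent": 0, "reached_handler": 0, "crashes": []}
    for label, request in inputs:
        response = oracle(request)
        stats["sent"] += 1
        stats["reached_handler"] += not response.startswith(PARSER_REJECTS)
        if response.startswith("500"):
            stats["crashes"].append(label)
    return stats
```

Call `infer_segment_roles(SEED_REQUEST, mock_device)` first, then `run_campaign` with each input generator. The method, path, version and Content-Type segments come back as structural because every mutation of them dies in the parser; Host and the three form parameters come back as content. Fuzzing only those content segments, every request passes the parser and the hostname overflow is hit within 28 requests, whereas most blind byte overwrites are rejected for breaking ASCII, the request line or the content type, and none can lengthen a field enough to reach the bug. Against a real device the oracle is the network reply, and a crash shows up as a reset, a timeout or a changed banner rather than a tidy 500; the per-segment labelling driven by responses is the point, not the HTTP specifics.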


Authors
Yixuan Cheng, State Key Laboratory of Media Convergence and Communication, Communication University of China, Beijing, China
Wei Huang, State Key Laboratory of Media Convergence and Communication, Communication University of China, Beijing, China
Zelin Xu, State Key Laboratory of Media Convergence and Communication, Communication University of China, Beijing, China

📄 Paper information

Year published: 2022
Citations: 1
Site: IEEE
