The rapid development of the IoT has brought convenience to people's lives and, at the same time, introduced security risks. Because of their limited computing resources, lack of security mechanisms and low update frequency, IoT devices are more exposed to attacks. Fuzz testing, a common vulnerability discovery method, detects vulnerabilities by sending a large number of randomly generated test cases to the target device and observing its abnormal behaviour. Much research has focused on fuzz testing of IoT devices. However, two major problems limit the discovery efficiency of IoT fuzzing: the lack of protocol state dependency resolution and the lack of a test case scheduling mechanism. On the one hand, the inputs of IoT fuzzing are usually protocol messages, which must satisfy authentication dependencies, inter-message dependencies and intra-message dependencies; an input that violates these dependencies is rejected by the device as invalid. On the other hand, a test case scheduling mechanism can allocate different amounts of testing resources to test cases according to their characteristics and so accelerate vulnerability discovery; without one, a large amount of computing resources is easily wasted on generating meaningless test cases. To detect vulnerabilities in IoT devices effectively, this paper studies grey-box fuzz testing of IoT devices based on full-system emulation. The main research contents are divided into three points: 1) Construction of a state-aware message queue. To satisfy the three types of state dependencies in the protocol, this paper uses a crawler to obtain the real-time communication messages of a device, parses them to obtain the state-dependent fields, and combines the messages together with their dependencies into a message queue, which is fed to the target device as a test case. 2) Research on a seed scheduling mechanism for IoT devices. By customizing the Linux kernel to obtain system calls and writing QEMU plugins to track the execution of basic blocks, the secondary scheduler proposed in this paper schedules test cases based on this information and gives priority to test cases that bring new execution paths. 3) Construction of the prototype system Firm Hunter. This paper builds Firm Hunter, a prototype system for grey-box fuzz testing of IoT devices based on full-system emulation, which can detect BO (buffer overflow), NPD (null pointer dereference), CI (command injection) and XSS (cross-site scripting) vulnerabilities in firmware. To evaluate the effectiveness and advantages of the proposed methods, we conducted a replication experiment on 10 1-day vulnerabilities and a large-scale testing experiment on 1051 firmware images. The replication experiment shows that the experimental group that builds a state-aware message queue can effectively detect the state-dependent fields and find more 1-day vulnerabilities, and that the experimental group that deploys the scheduling mechanism improves the efficiency of vulnerability detection by 60.2% on average. At the same time, the Firm Hunter built in this paper finds more 1-day vulnerabilities faster than the mainstream testing tools FirmFuzz and ZAP. In the large-scale testing experiment on 1051 firmware images, Firm Hunter found 8 0-day vulnerabilities in the 258 firmware images that could be successfully emulated and provide web services.
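As an added illustration (not Firm Hunter's code), the Python below simulates the two mechanisms described above: a two-message queue whose token and Content-Length fields are resolved from earlier replies so the device does not reject the test case, and a secondary scheduler that runs test cases whose queue covered new basic blocks before the rest. The device, its basic-block ids, the `host` parameter and the session token are constructed stand-ins for an emulated target and the QEMU coverage plugin.

```python
import heapq, itertools, re

# Seed queue of two messages. {token} is an inter-message dependency (it is
# taken from the login reply); {length} is an intra-message one (body size).
SEED_QUEUE = [
    ("POST /login HTTP/1.1\r\nContent-Length: {length}\r\n\r\n", "user=admin&pw=admin"),
    ("GET /cgi?token={token}&host={host} HTTP/1.1\r\nContent-Length: {length}\r\n\r\n", ""),
]

class FakeDevice:
    """Constructed stand-in for the emulated target: checks the dependencies and reports blocks run."""
    token = None

    def handle(self, request):
        head, _, body = request.partition("\r\n\r\n")
        m = re.search(r"Content-Length: (\d+)", head)
        if not m or int(m.group(1)) != len(body):
            return {1}, None                  # intra-message dependency violated
        if head.startswith("POST /login"):
            self.token = "tok-7f3a"           # constructed session token
            return {1, 2}, self.token
        if self.token is None or f"token={self.token}" not in head:
            return {1, 3}, None               # authentication dependency violated
        host = re.search(r"host=([^ &]*)", head).group(1)
        return ({1, 4, 5} if len(host) > 16 else {1, 4}), None  # long host: deeper path

def run_queue(device, fields):
    """Replay the queue in order, filling dependency fields from earlier replies; return blocks covered."""
    state, covered = {"token": ""}, set()
    for head_tmpl, body in SEED_QUEUE:
        head = head_tmpl.format(length=len(body), **state, **fields)
        blocks, token = device.handle(head + body)
        covered |= blocks
        if token:
            state["token"] = token
    return covered

def schedule(seeds, rounds):
    """Secondary scheduler: min-heap keyed on -(new blocks), so path-opening test cases run first."""
    heap, seen, tick, trace = [], set(), itertools.count(), []
    for s in seeds:
        heapq.heappush(heap, (0, next(tick), s))
    for _ in range(rounds):
        prio, _, host = heapq.heappop(heap)
        new = run_queue(FakeDevice(), {"host": host}) - seen
        seen |= new
        trace.append((host, len(new)))
        # the mutant inherits its parent's priority, improved by the blocks the parent newly covered
        heapq.heappush(heap, (prio - len(new), next(tick), host + "A" * 8))
    return trace, seen
```

Running `schedule(["lan", "wan"], 4)` shows the effect: the lineage of the first seed keeps finding new blocks and is scheduled four times, while the unproductive seed is never reached.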