
Battling against Protocol Fuzzing: Protecting Networked Embedded Devices from Dynamic Fuzzers

Published: 20 April 2024

Abstract

Networked Embedded Devices (NEDs) are increasingly targeted by cyberattacks, mainly due to their widespread use in our daily lives. Vulnerabilities in NEDs are the root causes of these cyberattacks. Although deployed NEDs go through thorough code audits, there can still be considerable exploitable vulnerabilities. Existing mitigation measures like code encryption and obfuscation adopted by vendors can resist static analysis on deployed NEDs, but are ineffective against protocol fuzzing. Attackers can easily apply protocol fuzzing to discover vulnerabilities and compromise deployed NEDs. Unfortunately, prior anti-fuzzing techniques are impractical as they significantly slow down NEDs, hampering NED availability.
To address this issue, we propose Armor—the first anti-fuzzing technique specifically designed for NEDs. First, we design three adversarial primitives–delay, fake coverage, and forged exception–to break the fundamental mechanisms on which fuzzing relies to effectively find vulnerabilities. Second, based on our observation that inputs from normal users are consistent with the protocol specification and that certain program paths are rarely executed with normal inputs, we design static and dynamic strategies to decide whether to activate the adversarial primitives. Extensive evaluations show that Armor incurs negligible time overhead and effectively reduces the code coverage (e.g., line coverage by 22%-61%) for fuzzing, significantly outperforming the state of the art.
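As an added illustration (not the paper's code), the following Python sketch combines the two activation strategies the abstract describes: a static check that a request conforms to an assumed Modbus/TCP-style framing, and a dynamic per-path hit counter that flags rarely executed paths. The framing rules, the accepted function-code set, the rarity threshold and the sample frames are all assumptions constructed for this example; the paper's real strategies and its primitive implementations are not on this page.

```python
"""Armor-style activation gate (illustrative, not the paper's implementation)."""
import struct
from collections import Counter

# Assumption: a normal client only uses these Modbus function codes.
VALID_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 15, 16}
# Assumption: a path executed fewer than this many times counts as "rare".
RARE_PATH_THRESHOLD = 3


def spec_violations(frame: bytes) -> list:
    """Static strategy: compare a request with the (assumed) MBAP framing.

    Returns an empty list for a conforming frame, otherwise the violations.
    """
    if len(frame) < 8:
        return ["frame shorter than MBAP header plus function code"]
    _tid, proto_id, length, _unit, fc = struct.unpack(">HHHBB", frame[:8])
    problems = []
    if proto_id != 0:
        problems.append("protocol id must be 0")
    if length != len(frame) - 6:          # length covers unit id + PDU
        problems.append("length field disagrees with frame size")
    if fc not in VALID_FUNCTION_CODES:
        problems.append(f"unexpected function code {fc}")
    return problems


class ActivationGate:
    """Decides whether an adversarial primitive (delay, fake coverage or
    forged exception) should fire for a request; which primitive to use is
    left to the caller."""

    def __init__(self):
        self.path_hits = Counter()        # dynamic strategy: per-path counts

    def should_activate(self, frame: bytes, path_id: str) -> tuple:
        self.path_hits[path_id] += 1
        problems = spec_violations(frame)
        if problems:                      # normal users never send these
            return True, "spec violation: " + "; ".join(problems)
        if self.path_hits[path_id] < RARE_PATH_THRESHOLD:
            return True, "rare path"      # conforming input, cold path
        return False, "normal input on a warm path"


# Constructed sample frames (tid=1, unit=1): Read Holding Registers 0..9.
GOOD_FRAME = struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 10)
BAD_PROTO_FRAME = struct.pack(">HHHBBHH", 1, 5, 6, 1, 3, 0, 10)
BAD_LENGTH_FRAME = struct.pack(">HHHBBHH", 1, 0, 99, 1, 3, 0, 10)
BAD_FC_FRAME = struct.pack(">HHHBBHH", 1, 0, 6, 1, 0x7F, 0, 10)
```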



Published In

ACM Transactions on Software Engineering and Methodology  Volume 33, Issue 4
May 2024
940 pages
EISSN: 1557-7392
DOI: 10.1145/3613665
Editor: Mauro Pezzè

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 20 April 2024
Online AM: 22 January 2024
Accepted: 11 January 2024
Revised: 08 January 2024
Received: 07 June 2023
Published in TOSEM Volume 33, Issue 4


Author Tags

  1. Internet of Things
  2. protocol fuzzing
  3. anti-fuzzing

Qualifiers

  • Research-article

Funding Sources

  • National Key R&D Program of Ministry of Science and Technology
  • Natural Science Foundation of Beijing
