EWVHunter: Grey-Box Fuzzing with Knowledge Guide on Embedded Web Front-Ends

Wang, Enze; Wang, Baosheng; Xie, Wei; Wang, Zhenhua; Luo, Zhenhao; Yue, Tai

doi:10.3390/app10114015

Cited by 11 publications

(7 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…IoTHunter uses multi-level message generation mechanism to test the some standard protocols in IoT firmware, such as SNMP, FTP, BGP. Besides, Wang et al [17] presented EWV Hunter, a grey-box fuzzer for embedded IoT devices. EWV Hunter constructed a prior knowledge base about the web front-end and filled data at the input source.…”

Section: Generation-based Fuzzingmentioning

confidence: 99%

SIoTFuzzer: Fuzzing Web Interface in IoT Firmware via Stateful Message Generation

et al. 2021

Self Cite

View full text Add to dashboard Cite

Cyber attacks against the web management interface of Internet of Things (IoT) devices often have serious consequences. Current research uses fuzzing technologies to test the web interfaces of IoT devices. These IoT fuzzers generate messages (a test case sent from the client to the server to test its functionality) without considering their dependency, which is unlikely to bypass the early check of the server. These invalid test cases significantly reduce the efficiency of fuzzing. To overcome this problem, we propose a stateful message generation (SMG) mechanism for IoT web fuzzing. SMG addresses two problems in IoT fuzzing. First, we retrieve the message dependency by using web front-end analysis and status analysis. These dependent messages, which can easily bypass the server check, are used as a valid seed. Second, we adopt a multi-message seed format to preserve the dependency of the messages when mutating the seed to get a valid test case, so that the test case can bypass the state check of the server to make a valid test. Message dependency preservation is implemented by our proposed parameter mutation and structural mutation methods. We implement SMG in our IoT fuzzer, SIoTFuzzer, which applies IoT firmware on the latest Linux-based simulation tool, FirmAE. We test nine IoT devices including a router and an IP camera and adopt a vulnerability detection mechanism. Our evaluation results show that (1) SIoTFuzzer is capable of finding real-world vulnerabilities in IoT devices; (2) our SMG is effective as it enables Boofuzz (a popular protocol fuzzer) to find command injection and cross-site scripting (XSS) vulnerabilities; and (3) compared to FirmFuzz, SIoTFuzzer found all the vulnerabilities in our benchmarks, while FirmFuzz found only four—the efficiency of our tool increased by 20.57% on average.

show abstract

Section: Generation-based Fuzzingmentioning

confidence: 99%

SIoTFuzzer: Fuzzing Web Interface in IoT Firmware via Stateful Message Generation

et al. 2021

Self Cite

View full text Add to dashboard Cite

show abstract

“…In the front-end fuzzing, the inputs are user operations, including GET requests, filling forms, and JS events. EWVHunter [14] implements web crawlers to interact with network applications which crawl the static resources from the front-end and explore input fields like URLs and forms. After filling randomly generated values in fields, EWVHunter clicks buttons to send mutated test cases and then checks the response message as well as the connection status to detect potential vulnerabilities.…”

Section: Iot Fuzzing Via Web Interfacementioning

confidence: 99%

“…However, writing templates requires full knowledge of the design of protocols. To this end, some works implement crawlers [10][11][12][13][14][15] to traverse the web application and capture the traffic messages. After that, customized strategies are applied to mutate these captured messages to generate test cases.…”

Section: Introductionmentioning

confidence: 99%

“…Although some works focus on stateful fuzzing, they have bad performance on more complex IoT devices. FirmFuzz [10] and EWVHunter [14] implement web crawlers to maintain authenticated state, but intramessage and inter-message dependencies are often neglected. SIoTFuzzer [16] extracts messages between page responds to gain a stateful seed while not analyzing the intramessage dependencies in these messages.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

FirmHunter: State-Aware and Introspection-Driven Grey-Box Fuzzing towards IoT Firmware

2021

View full text Add to dashboard Cite

IoT devices are exponentially increasing in all aspects of our lives. Via the web interfaces of IoT devices, attackers can control IoT devices by exploiting their vulnerabilities. In order to guarantee IoT security, testing these IoT devices to detect vulnerabilities is very important. In this work, we present FirmHunter, an automated state-aware and introspection-driven grey-box fuzzer towards Linux-based firmware images on the basis of emulation. It employs a message-state queue to overcome the dependency problem in test cases. Furthermore, it implements a scheduler collecting execution information from system introspection to drive fuzzing towards more interesting test cases, which speeds up vulnerability discovery. We evaluate FirmHunter by emulating and fuzzing eight firmware images including seven routers and one IP camera with a state-of-the-art IoT fuzzer FirmFuzz and a web application scanner ZAP. Our evaluation results show that (1) the message-state queue enables FirmHunter to parse the dependencies in test cases and find real-world vulnerabilities that other fuzzers cannot detect; (2) our scheduler accelerates the discovery of vulnerabilities by an average of 42%; and (3) FirmHunter is able to find unknown vulnerabilities.

show abstract

“…Therefore, "smart" fuzzer can produce testcases with lower blindness and randomness and higher efficiency. For example, Peach [6], BooFuzz [7] and AFLNET [8] are "smart" fuzzers. Taking BooFuzz to test the SMTP protocol for example, BooFuzz is a kind of "smart" fuzz testing framework.…”

Section: Previous Workmentioning

confidence: 99%

PNFUZZ: A Stateful Network Protocol Fuzzing Approach Based on Packet Clustering

He¹,

Wang²

2020

Computer Science &Amp; Information Technology (CS &Amp; IT)

View full text Add to dashboard Cite

Due to the interactivity of stateful network protocol, network protocol fuzzing has higher blindness and lower testcase validity. The existing blackbox-based fuzzing has the disadvantages of high randomness and blindness. The manual description of protocol specification which requires more expert knowledge, is tedious and does not support the protocol without public document, which limits the effect of current network protocol fuzzer. In this paper, we present PNFUZZ, a fuzzer that adopts the state inference based on packet clustering algorithm and coverage oriented mutation strategy. We train a clustering model through the target protocol packet, and use the model to identify the server’s protocol state, thereby optimizing the process of testcase generation. The experimental results show that the proposed approach has a certain improvement in fuzzing effect.

show abstract

EWVHunter: Grey-Box Fuzzing with Knowledge Guide on Embedded Web Front-Ends

Cited by 11 publications

References 27 publications

SIoTFuzzer: Fuzzing Web Interface in IoT Firmware via Stateful Message Generation

SIoTFuzzer: Fuzzing Web Interface in IoT Firmware via Stateful Message Generation

FirmHunter: State-Aware and Introspection-Driven Grey-Box Fuzzing towards IoT Firmware

PNFUZZ: A Stateful Network Protocol Fuzzing Approach Based on Packet Clustering

Contact Info

Product

Resources

About