UCRF: static analyzing firmware to generate under-constrained seed for fuzzing SOHO router
| Field | Value |
|---|---|
| Format | Article |
| Language | English |
| Published | 2023 |
| Online Access | https://hdl.handle.net/10356/172200 |
| Institution | Nanyang Technological University |
Summary: SOHO (small office and home office) routers are key elements of the IoT, providing network services for various smart devices. Recent years have seen increased attacks targeting SOHO routers' web applications. Many vulnerabilities are introduced where web servers receive and handle external data directly. Fuzzing is the most popular technique for discovering such vulnerabilities. Previously proposed approaches generate fuzzing seeds in a valid format by analyzing the front-end. Unfortunately, such seeds are over-constrained by the front-end's legality checks, since malicious data can bypass front-end inspection and be sent directly to the back-end. Moreover, such seeds ignore the semantics of the back-end, so the back-end's own checking logic hinders fuzzing efficiency. In this paper, we propose a novel approach to fuzzing SOHO routers that generates high-quality test cases via static analysis of the back-end binary. Specifically, we first obtain all communication interfaces in the back-end, so that interfaces not visible in the front-end are not missed. Then, we extract constraint information for all data fields using data-flow analysis on each interface. Finally, efficient and in-depth test cases are generated only within the meaningful test space defined by those constraints. We implement our approach in a tool named UCRF. To show its effectiveness, UCRF is evaluated on 10 real-world firmware images from 4 vendors. UCRF found significantly more memory-corruption and command-injection vulnerabilities than the state-of-the-art work SRFuzzer on the five routers we had. Furthermore, UCRF found 41 0-day back-end vulnerabilities in total, 20 of which can be triggered only when the extracted constraints are satisfied.
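The following is an added illustration of the distinction the abstract draws between front-end-derived (over-constrained) seeds and back-end-derived (under-constrained) seeds. It is example code written for this record, not UCRF's implementation, and everything in it is hypothetical: the `backend_handle` function stands in for a router CGI binary, its `ping`/`diag` actions and `host`/`count` fields are invented, the `Charset` constraint models what a front-end JavaScript whitelist would yield, and the `Keyword`/`Bounded`/`Numeric` constraints model what data-flow analysis of the binary's own checks would recover. Seeds generated from each constraint set are replayed against the model back-end to count how many pass its checks and how many carry shell metacharacters into the command-building sink.

```python
"""Added example (not UCRF's code): over- vs under-constrained fuzzing seeds.

All handlers, fields and constraints here are hypothetical stand-ins for a
SOHO router's web back-end and the constraints one might extract from it.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_HOST = 32          # hypothetical buffer size in the back-end handler
SHELL_META = ";|&`$"   # characters that break out of a concatenated argument


def backend_handle(params: Dict[str, str]) -> Tuple[bool, bool]:
    """Hypothetical back-end handler (stand-in for a CGI binary).

    Returns (reached_sink, injected). The checks below are the only ones the
    back-end performs; they are what data-flow analysis of the binary would
    recover as per-field constraints.
    """
    action = params.get("action", "")
    if action not in ("ping", "diag"):           # keyword constraint
        return False, False
    host = params.get("host", "")
    if not 0 < len(host) < MAX_HOST:             # length constraint only
        return False, False
    if action == "diag":                         # interface not linked from the UI
        count = params.get("count", "")
        if not (count.isdigit() and len(count) <= 3):   # numeric constraint
            return False, False
    # Sink: host is concatenated into a shell command without sanitisation.
    cmd = "ping -c 1 " + host
    injected = any(c in SHELL_META for c in cmd[len("ping -c 1 "):])
    return True, injected


@dataclass(frozen=True)
class Keyword:            # field must equal one of a set of literals
    choices: Tuple[str, ...]

@dataclass(frozen=True)
class Bounded:            # only a length bound; any character allowed
    max_len: int

@dataclass(frozen=True)
class Charset:            # whitelist plus bound, as a front-end regex imposes
    allowed: str
    max_len: int

@dataclass(frozen=True)
class Numeric:            # decimal digits only, up to max_digits
    max_digits: int

Interface = Dict[str, object]

# Constraints as the visible front-end (form + JS validation) would yield:
# only the 'ping' form exists in the UI, and host is limited to hostname chars.
FRONTEND_INTERFACES: List[Interface] = [
    {"action": Keyword(("ping",)),
     "host": Charset("abcdefghijklmnopqrstuvwxyz0123456789.-", MAX_HOST - 1)},
]

# Constraints as extracted from the back-end binary: every keyword the handler
# accepts (including the hidden 'diag' interface) and only the checks it does.
BACKEND_INTERFACES: List[Interface] = [
    {"action": Keyword(("ping",)), "host": Bounded(MAX_HOST - 1)},
    {"action": Keyword(("diag",)), "host": Bounded(MAX_HOST - 1), "count": Numeric(3)},
]

# Mutation alphabet for fields whose only back-end constraint is a length bound.
FUZZ_ALPHABET = "aZ09._-/ " + SHELL_META + "'\"()"


def gen_value(spec: object, rng: random.Random) -> str:
    """Generate one field value that satisfies a single constraint."""
    if isinstance(spec, Keyword):
        return rng.choice(spec.choices)
    if isinstance(spec, Numeric):
        return str(rng.randrange(10 ** spec.max_digits))
    if isinstance(spec, Charset):
        n = rng.randint(1, spec.max_len)
        return "".join(rng.choice(spec.allowed) for _ in range(n))
    if isinstance(spec, Bounded):
        n = rng.randint(1, spec.max_len)
        return "".join(rng.choice(FUZZ_ALPHABET) for _ in range(n))
    raise TypeError(f"unknown constraint {spec!r}")


def gen_seed(iface: Interface, rng: random.Random) -> Dict[str, str]:
    """Generate a seed that satisfies every field constraint of one interface."""
    return {name: gen_value(spec, rng) for name, spec in iface.items()}


def run_campaign(interfaces: List[Interface], n_seeds: int, seed: int = 1) -> Dict[str, object]:
    """Generate n_seeds seeds over the given interfaces and replay them."""
    rng = random.Random(seed)
    stats = {"seeds": n_seeds, "rejected": 0, "reached_sink": 0, "injected": 0}
    actions = set()
    for _ in range(n_seeds):
        params = gen_seed(rng.choice(interfaces), rng)
        reached, injected = backend_handle(params)
        actions.add(params["action"])
        stats["reached_sink" if reached else "rejected"] += 1
        stats["injected"] += int(injected)
    stats["actions"] = tuple(sorted(actions))
    return stats


if __name__ == "__main__":
    print("front-end constraints:", run_campaign(FRONTEND_INTERFACES, 200))
    print("back-end constraints: ", run_campaign(BACKEND_INTERFACES, 200))
```

Both campaigns produce seeds that the back-end accepts, so neither wastes executions on rejected input. The difference is what the accepted seeds can reach: the front-end-derived seeds never contain a shell metacharacter and never exercise the `diag` interface, because the whitelist and the missing form were constraints of the web page rather than of the binary, whereas the back-end-derived seeds satisfy the keyword, length and numeric checks and are otherwise free to carry injection payloads into the sink.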