UCRF: static analyzing firmware to generate under-constrained seed for fuzzing SOHO router

SOHO (small office and home office) routers are key elements of the IoT, providing network services for various smart devices. Recent years have seen increased attacks targeting SOHO routers' web applications. Numerous vulnerabilities are introduced in the process by which web servers receive and handle external data directly. Fuzzing is the most popular technique for discovering such vulnerabilities. Previously proposed approaches generate fuzzing seeds in a valid format by analyzing the front-end. Unfortunately, the generated seeds are over-constrained by front-end legality checks, because malicious data can bypass the front-end inspection and be sent directly to the back-end. Moreover, such seeds ignore the semantics of the back-end, so the back-end's checking logic hinders the fuzzing's efficiency. In this paper, we propose a novel approach to fuzzing SOHO routers by generating high-quality test cases via static analysis of the back-end binary. Specifically, we first obtain all communication interfaces in the back-end, so that interfaces not visible in the front-end are not missed. Then, we extract constraint information for all data fields using data-flow analysis on each interface. Ultimately, efficient and in-depth test cases can be generated only in meaningful test spaces, based on the constraint information. We implement our approach in a tool named UCRF. To illustrate the effectiveness of UCRF, it is evaluated on 10 real-world firmware images from 4 vendors. UCRF found significantly more memory-corruption and command-injection vulnerabilities than the state-of-the-art work SRFuzzer on the five routers we had. Furthermore, UCRF found 41 0-day back-end vulnerabilities in total, 20 of which can be triggered only when the extracted constraints are satisfied.

Bibliographic Details
Main Authors: Qin, Chuan; Peng, Jiaqian; Liu, Puzhuo; Zheng, Yaowen; Cheng, Kai; Zhang, Weidong; Sun, Limin
Other Authors: School of Computer Science and Engineering
Format: Article
Language: English
Published: 2023
Subjects: Engineering::Computer science and engineering; Binary Static Analysis; Vulnerability Detection
Online Access: https://hdl.handle.net/10356/172200
Institution: Nanyang Technological University
Citation: Qin, C., Peng, J., Liu, P., Zheng, Y., Cheng, K., Zhang, W. & Sun, L. (2023). UCRF: static analyzing firmware to generate under-constrained seed for fuzzing SOHO router. Computers and Security, 128, 103157. https://dx.doi.org/10.1016/j.cose.2023.103157
ISSN: 0167-4048
Funding: This work is financially supported by the National Key Research and Development Program of China, under Grant 2020YFB805405, and the National Natural Science Foundation of China under Grant nos. 61702504 and U1766215.
Rights: © 2023 Published by Elsevier Ltd. All rights reserved.