UCRF: static analyzing firmware to generate under-constrained seed for fuzzing SOHO router
SOHO (small office and home office) routers are the key elements of the IoT, providing network services for various smart devices. Recent years have seen increased attacks targeting SOHO routers’ web applications. Numerous vulnerabilities are introduced in the process that web servers receive and handle external data directly. Fuzzing is the most popular technique for discovering such vulnerabilities. Previously proposed approaches generate fuzzing seeds in a valid format by analyzing the front-end. Unfortunately, the generated seeds are over-constrained by front-end code legality checks because malicious data can bypass the front-end inspection and be sent directly to the back-end. Moreover, such seeds ignore the semantics of the back-end, which makes the back-end's checking logic hinder the fuzzing's efficiency. In this paper, we propose a novel approach to fuzzing SOHO routers by generating high-quality test cases via static analysis on the back-end binary. Specifically, we first obtain all communication interfaces in the back-end to avoid missing non-visible front-end interfaces. Then, we extract constraint information of all data fields using data-flow analysis on each interface. Ultimately, efficient and in-depth test cases can be generated only in meaningful test spaces based on constraint information. We implement our approach in a tool named UCRF. To illustrate the effectiveness of UCRF, it is evaluated on 10 real-world firmware from 4 vendors. UCRF found significantly more vulnerabilities of memory corruptions and command injection than the state-of-the-art work SRFuzzer on the five routers we had. Furthermore, UCRF found 41 0-day back-end vulnerabilities in total, 20 of which can be triggered only when the extracted constraints are satisfied.

Main Authors: | Qin, Chuan; Peng, Jiaqian; Liu, Puzhuo; Zheng, Yaowen; Cheng, Kai; Zhang, Weidong; Sun, Limin |
---|---|
Department: | School of Computer Science and Engineering |
Format: | Journal Article |
Language: | English |
Published: | 2023 |
Subjects: | Engineering::Computer science and engineering; Binary Static Analysis; Vulnerability Detection |
Online Access: | https://hdl.handle.net/10356/172200 |
Institution: | Nanyang Technological University (NTU Library, collection DR-NTU, Singapore) |

Record id: | sg-ntu-dr.10356-172200 |
---|---|
Record format: | dspace |
Citation: | Qin, C., Peng, J., Liu, P., Zheng, Y., Cheng, K., Zhang, W. & Sun, L. (2023). UCRF: static analyzing firmware to generate under-constrained seed for fuzzing SOHO router. Computers and Security, 128, 103157. https://dx.doi.org/10.1016/j.cose.2023.103157 |
Journal: | Computers and Security, volume 128, article 103157 |
DOI: | 10.1016/j.cose.2023.103157 |
ISSN: | 0167-4048 |
Scopus ID: | 2-s2.0-85149169642 |
Funding: | This work is financially supported by the National Key Research and Development Program of China under Grant 2020YFB805405, and the National Natural Science Foundation of China under Grant nos. 61702504 and U1766215. |
Record dates: | 2023-11-29T02:47:56Z (accessioned and made available); 2023-11-29T02:47:57Z (record last modified) |
Rights: | © 2023 Published by Elsevier Ltd. All rights reserved. |