Fuzz testing is a widely adopted technique for uncovering bugs and security vulnerabilities in embedded firmware.However,many embedded systems heavily rely on peripherals,rendering conventional fuzzing techniques inef...Fuzz testing is a widely adopted technique for uncovering bugs and security vulnerabilities in embedded firmware.However,many embedded systems heavily rely on peripherals,rendering conventional fuzzing techniques ineffective.When peripheral responses are missing or incorrect,fuzzing a firmware may crash or exit prematurely,significantly limiting code coverage.While prior re-hosting approaches have made progress in simulating Memory-Mapped Input/Output(MMIO)and interrupt-based peripherals,they either ignore Direct Memory Access(DMA)or handle it oversimplified.In this work,we present ADFEmu,a novel automated firmware re-hosting framework that enables effective fuzzing of DMA-enabled firmware.ADFEmu integrates concolic execution with large language models(LLMs)to semantically emulate DMA operations and synthesize peripheral input sequences intelligently.Specifically,it learns DMA transfer patterns from the firmware’s context and employs guided symbolic execution to explore deeper and more diverse execution paths.This approach allows firmware to operate stably without hardware dependencies while achieving higher fidelity in emulation.Evaluated on real-world embedded firmware samples,ADFEmu achieves a 100%re-hosting success rate,improves total execution path exploration by 5.31%,and triggers more crashes compared to the state-of-the-art.These results highlight ADFEmu’s effectiveness in overcoming long-standing limitations of DMA emulation and its potential to advance automated vulnerability discovery in peripheral-rich embedded environments.展开更多
The development of the Internet of Things(IoT)has brought convenience to people’s lives,but it also introduces significant security risks.Due to the limitations of IoT devices themselves and the challenges of re-host...The development of the Internet of Things(IoT)has brought convenience to people’s lives,but it also introduces significant security risks.Due to the limitations of IoT devices themselves and the challenges of re-hosting technology,existing fuzzing for IoT devices is mainly conducted through black-box methods,which lack effective execution feedback and are blind.Meanwhile,the existing static methods mainly rely on taint analysis,which has high overhead and high false alarm rates.We propose a new directed fuzz testing method for detecting bugs in web service programs of IoT devices,which can test IoT devices more quickly and efficiently.Specifically,we identify external input entry points using multiple features.Then we quickly find sensitive targets and paths affected by external input sources based on sensitive data flow analysis of decompiled code,treating them as testing objects.Finally,we performa directed fuzzing test.We use debugging interfaces to collect execution feedback and guide the programto reach sensitive targets based on programpruning techniques.We have implemented a prototype system,AntDFuzz,and evaluated it on firmware fromten devices across five well-known manufacturers.We discovered twelve potential vulnerabilities,seven of which were confirmed and assigned bug id by China National Vulnerability Database(CNVD).The results show that our approach has the ability to find unknown bugs in real devices and is more efficient compared to existing tools.展开更多
Memory leak is a common software vulnerability that can decrease the reliability of an application and,in severe cases,even cause program crashes.If there are intentionally triggerable memory leak vulnerabilities in a...Memory leak is a common software vulnerability that can decrease the reliability of an application and,in severe cases,even cause program crashes.If there are intentionally triggerable memory leak vulnerabilities in a program,attackers can exploit these bugs to launch denial-of-service attacks or induce the program to exhibit unexpected behaviors due to low memory conditions.Existing fuzzing techniques primarily focus on improving code coverage,and specialized fuzzing techniques for individual memory-related defects like uncontrolled memory allocation do not address memory leak vulnerabilities.MemLock is the first fuzzing technique to address memory consumption vulnerabilities including memory leakage.However,the coverage-centric guidance mechanism of MemLock introduces a degree of aimlessness in the testing process,that results in low seed quality and slow bug exposure speed.To address this issue,we propose a risk areas guidance-based fuzzing technique called RBZZER.First,RBZZER retains MemLock’s memory consumption-guided mechanism and introduces a novel distance-guided approach to expedite the arrival of fuzzing at the potential memory areas.Second,we introduce a new seed scheduling strategy called risk areas-based seed scheduling,which classifies seeds based on potential memory leak areas in the program and further schedules them,thereby effectively improving the efficiency of discovering memory leak vulnerabilities.Experiments demonstrate that RBZZER outperforms the state-of-the-art fuzzing techniques by finding 52%more program unique crashes than the second-best counterpart.In particular,RBZZER can discover the amount of memory leakage at least 112%more than the other baseline fuzzers.Besides,RBZZER detects memory leaks at an average speed that is 9.10x faster than MemLock.展开更多
The global surge in electric vehicle(EV)adoption is proportionally expanding the EV charging station(EVCS)infrastructure,thereby increasing the attack surface and potential impact of security breaches within this crit...The global surge in electric vehicle(EV)adoption is proportionally expanding the EV charging station(EVCS)infrastructure,thereby increasing the attack surface and potential impact of security breaches within this critical ecosystem.While ISO 15118 standardizes EV-EVCS communication,its underspecified security guidelines and the variability in manufacturers’implementations frequently result in vulnerabilities that can disrupt charging services,compromise user data,or affect power grid stability.This research introduces a systematic black-box fuzzing methodology,accompanied by an open-source tool,to proactively identify and mitigate such security flaws in EVCS firmware operating under ISO 15118.The proposed approach systematically evaluates EVCS behavior by leveraging the state machine defined in the ISO 15118 standard for test case generation and execution,enabling platform-agnostic testing at the application layer.Message sequences,corresponding to valid andmutated traversals of the protocol’s state machine,are generated to uncover logical errors and improper input handling.Themethodology comprises state-aware initial sequence generation,simulated V2G session establishment,targeted message mutation correlated with defined protocol states,and rigorous response analysis to detect anomalies and system crashes.Experimental validation on an open-source EVCS implementation identified five vulnerabilities.These included session integrity weaknesses allowing unauthorized interruptions,billing manipulation through invalid metering data acceptance,and resource exhaustion vulnerabilities from specific parameter malformations leading to denial-of-service.The findings confirm the proposed method’s capability in pinpointing vulnerabilities often overlooked by standard conformance tests,thus offering a robust and practical solution for enhancing the security and resilience of the rapidly growing EV charging infrastructure.展开更多
RESTful API fuzzing is a promising method for automated vulnerability detection in Kubernetes platforms.Existing tools struggle with generating lengthy,high-semantic request sequences that can pass Kubernetes API gate...RESTful API fuzzing is a promising method for automated vulnerability detection in Kubernetes platforms.Existing tools struggle with generating lengthy,high-semantic request sequences that can pass Kubernetes API gateway checks.To address this,we propose KubeFuzzer,a black-box fuzzing tool designed for Kubernetes RESTful APIs.KubeFuzzer utilizes Natural Language Processing(NLP)to extract and integrate semantic information from API specifications and response messages,guiding the generation of more effective request sequences.Our evaluation of KubeFuzzer on various Kubernetes clusters shows that it improves code coverage by 7.86%to 36.34%,increases the successful response rate by 6.7%to 83.33%,and detects 16.7%to 133.3%more bugs compared to three leading techniques.KubeFuzzer identified over 1000 service crashes,which were narrowed down to 7 unique bugs.We tested these bugs on 10 real-world Kubernetes projects,including major providers like AWS(EKS),Microsoft Azure(AKS),and Alibaba Cloud(ACK),and confirmed that these issues could trigger service crashes.We have reported and confirmed these bugs with the Kubernetes community,and they have been addressed.展开更多
As one of the most effective techniques for finding software vulnerabilities,fuzzing has become a hot topic in software security.It feeds potentially syntactically or semantically malformed test data to a target progr...As one of the most effective techniques for finding software vulnerabilities,fuzzing has become a hot topic in software security.It feeds potentially syntactically or semantically malformed test data to a target program to mine vulnerabilities and crash the system.In recent years,considerable efforts have been dedicated by researchers and practitioners towards improving fuzzing,so there aremore and more methods and forms,whichmake it difficult to have a comprehensive understanding of the technique.This paper conducts a thorough survey of fuzzing,focusing on its general process,classification,common application scenarios,and some state-of-the-art techniques that have been introduced to improve its performance.Finally,this paper puts forward key research challenges and proposes possible future research directions that may provide new insights for researchers.展开更多
With the prevalence of machine learning in malware defense,hackers have tried to attack machine learning models to evade detection.It is generally difficult to explore the details of malware detection models,hackers c...With the prevalence of machine learning in malware defense,hackers have tried to attack machine learning models to evade detection.It is generally difficult to explore the details of malware detection models,hackers can adopt fuzzing attack to manipulate the features of the malware closer to benign programs on the premise of retaining their functions.In this paper,attack and defense methods on malware detection models based on machine learning algorithms were studied.Firstly,we designed a fuzzing attack method by randomly modifying features to evade detection.The fuzzing attack can effectively descend the accuracy of machine learning model with single feature.Then an adversarial malware detection model MaliFuzz is proposed to defend fuzzing attack.Different from the ordinary single feature detection model,the combined features by static and dynamic analysis to improve the defense ability are used.The experiment results show that the adversarial malware detection model with combined features can deal with the attack.The methods designed in this paper have great significance in improving the security of malware detection models and have good application prospects.展开更多
By the analysis of vulnerabilities of Android native system services,we find that some vulnerabilities are caused by inconsistent data transmission and inconsistent data processing logic between client and server.The ...By the analysis of vulnerabilities of Android native system services,we find that some vulnerabilities are caused by inconsistent data transmission and inconsistent data processing logic between client and server.The existing research cannot find the above two types of vulnerabilities and the test cases of them face the problem of low coverage.In this paper,we propose an extraction method of test cases based on the native system services of the client and design a case construction method that supports multi-parameter mutation based on genetic algorithm and priority strategy.Based on the above method,we implement a detection tool-BArcherFuzzer to detect vulnerabilities of Android native system services.The experiment results show that BArcherFuzzer found four vulnerabilities of hundreds of exception messages,all of them were confirmed by Google and one was assigned a Common Vulnerabilities and Exposures(CVE)number(CVE-2020-0363).展开更多
基金funded by the Science and Technology Project of State Grid Jiangsu Electric Power Company Ltd.,grant number J2024169.
文摘Fuzz testing is a widely adopted technique for uncovering bugs and security vulnerabilities in embedded firmware.However,many embedded systems heavily rely on peripherals,rendering conventional fuzzing techniques ineffective.When peripheral responses are missing or incorrect,fuzzing a firmware may crash or exit prematurely,significantly limiting code coverage.While prior re-hosting approaches have made progress in simulating Memory-Mapped Input/Output(MMIO)and interrupt-based peripherals,they either ignore Direct Memory Access(DMA)or handle it oversimplified.In this work,we present ADFEmu,a novel automated firmware re-hosting framework that enables effective fuzzing of DMA-enabled firmware.ADFEmu integrates concolic execution with large language models(LLMs)to semantically emulate DMA operations and synthesize peripheral input sequences intelligently.Specifically,it learns DMA transfer patterns from the firmware’s context and employs guided symbolic execution to explore deeper and more diverse execution paths.This approach allows firmware to operate stably without hardware dependencies while achieving higher fidelity in emulation.Evaluated on real-world embedded firmware samples,ADFEmu achieves a 100%re-hosting success rate,improves total execution path exploration by 5.31%,and triggers more crashes compared to the state-of-the-art.These results highlight ADFEmu’s effectiveness in overcoming long-standing limitations of DMA emulation and its potential to advance automated vulnerability discovery in peripheral-rich embedded environments.
文摘The development of the Internet of Things(IoT)has brought convenience to people’s lives,but it also introduces significant security risks.Due to the limitations of IoT devices themselves and the challenges of re-hosting technology,existing fuzzing for IoT devices is mainly conducted through black-box methods,which lack effective execution feedback and are blind.Meanwhile,the existing static methods mainly rely on taint analysis,which has high overhead and high false alarm rates.We propose a new directed fuzz testing method for detecting bugs in web service programs of IoT devices,which can test IoT devices more quickly and efficiently.Specifically,we identify external input entry points using multiple features.Then we quickly find sensitive targets and paths affected by external input sources based on sensitive data flow analysis of decompiled code,treating them as testing objects.Finally,we performa directed fuzzing test.We use debugging interfaces to collect execution feedback and guide the programto reach sensitive targets based on programpruning techniques.We have implemented a prototype system,AntDFuzz,and evaluated it on firmware fromten devices across five well-known manufacturers.We discovered twelve potential vulnerabilities,seven of which were confirmed and assigned bug id by China National Vulnerability Database(CNVD).The results show that our approach has the ability to find unknown bugs in real devices and is more efficient compared to existing tools.
基金supported by the National Key R&D Program of China(No.2021YFB3101803).
文摘Memory leak is a common software vulnerability that can decrease the reliability of an application and,in severe cases,even cause program crashes.If there are intentionally triggerable memory leak vulnerabilities in a program,attackers can exploit these bugs to launch denial-of-service attacks or induce the program to exhibit unexpected behaviors due to low memory conditions.Existing fuzzing techniques primarily focus on improving code coverage,and specialized fuzzing techniques for individual memory-related defects like uncontrolled memory allocation do not address memory leak vulnerabilities.MemLock is the first fuzzing technique to address memory consumption vulnerabilities including memory leakage.However,the coverage-centric guidance mechanism of MemLock introduces a degree of aimlessness in the testing process,that results in low seed quality and slow bug exposure speed.To address this issue,we propose a risk areas guidance-based fuzzing technique called RBZZER.First,RBZZER retains MemLock’s memory consumption-guided mechanism and introduces a novel distance-guided approach to expedite the arrival of fuzzing at the potential memory areas.Second,we introduce a new seed scheduling strategy called risk areas-based seed scheduling,which classifies seeds based on potential memory leak areas in the program and further schedules them,thereby effectively improving the efficiency of discovering memory leak vulnerabilities.Experiments demonstrate that RBZZER outperforms the state-of-the-art fuzzing techniques by finding 52%more program unique crashes than the second-best counterpart.In particular,RBZZER can discover the amount of memory leakage at least 112%more than the other baseline fuzzers.Besides,RBZZER detects memory leaks at an average speed that is 9.10x faster than MemLock.
基金support of the Korea Internet&Security Agency(KISA)—Information Security Specialized University Support Project(50%)supported by a grant from the Korea Electric Power Corporation(R24XO01-4,50%)for basic research and development projects starting in 2024.
文摘The global surge in electric vehicle(EV)adoption is proportionally expanding the EV charging station(EVCS)infrastructure,thereby increasing the attack surface and potential impact of security breaches within this critical ecosystem.While ISO 15118 standardizes EV-EVCS communication,its underspecified security guidelines and the variability in manufacturers’implementations frequently result in vulnerabilities that can disrupt charging services,compromise user data,or affect power grid stability.This research introduces a systematic black-box fuzzing methodology,accompanied by an open-source tool,to proactively identify and mitigate such security flaws in EVCS firmware operating under ISO 15118.The proposed approach systematically evaluates EVCS behavior by leveraging the state machine defined in the ISO 15118 standard for test case generation and execution,enabling platform-agnostic testing at the application layer.Message sequences,corresponding to valid andmutated traversals of the protocol’s state machine,are generated to uncover logical errors and improper input handling.Themethodology comprises state-aware initial sequence generation,simulated V2G session establishment,targeted message mutation correlated with defined protocol states,and rigorous response analysis to detect anomalies and system crashes.Experimental validation on an open-source EVCS implementation identified five vulnerabilities.These included session integrity weaknesses allowing unauthorized interruptions,billing manipulation through invalid metering data acceptance,and resource exhaustion vulnerabilities from specific parameter malformations leading to denial-of-service.The findings confirm the proposed method’s capability in pinpointing vulnerabilities often overlooked by standard conformance tests,thus offering a robust and practical solution for enhancing the security and resilience of the rapidly growing EV charging infrastructure.
基金supported by the National Natural Science Foundation of China(No.62202320)the Fundamental Research Funds for the Central Universities(Nos.SCU2023D008,2023SCU12129)+2 种基金the Natural Science Foundation of Sichuan Province(No.2024NSFSC1449)the Science and Engineering Connotation Development Project of Sichuan University(No.2020SCUNG129)the Key Laboratory of Data Protection and Intelligent Management(Sichuan University),Ministry of Education.
文摘RESTful API fuzzing is a promising method for automated vulnerability detection in Kubernetes platforms.Existing tools struggle with generating lengthy,high-semantic request sequences that can pass Kubernetes API gateway checks.To address this,we propose KubeFuzzer,a black-box fuzzing tool designed for Kubernetes RESTful APIs.KubeFuzzer utilizes Natural Language Processing(NLP)to extract and integrate semantic information from API specifications and response messages,guiding the generation of more effective request sequences.Our evaluation of KubeFuzzer on various Kubernetes clusters shows that it improves code coverage by 7.86%to 36.34%,increases the successful response rate by 6.7%to 83.33%,and detects 16.7%to 133.3%more bugs compared to three leading techniques.KubeFuzzer identified over 1000 service crashes,which were narrowed down to 7 unique bugs.We tested these bugs on 10 real-world Kubernetes projects,including major providers like AWS(EKS),Microsoft Azure(AKS),and Alibaba Cloud(ACK),and confirmed that these issues could trigger service crashes.We have reported and confirmed these bugs with the Kubernetes community,and they have been addressed.
基金supported in part by the National Natural Science Foundation of China under Grants 62273272,62303375,and 61873277in part by the Key Research and Development Program of Shaanxi Province under Grant 2023-YBGY-243+1 种基金in part by the Natural Science Foundation of Shaanxi Province under Grant 2020JQ-758in part by the Youth Innovation Team of Shaanxi Universities,and in part by the Special Fund for Scientific and Technological Innovation Strategy of Guangdong Province under Grant 2022A0505030025.
文摘As one of the most effective techniques for finding software vulnerabilities,fuzzing has become a hot topic in software security.It feeds potentially syntactically or semantically malformed test data to a target program to mine vulnerabilities and crash the system.In recent years,considerable efforts have been dedicated by researchers and practitioners towards improving fuzzing,so there aremore and more methods and forms,whichmake it difficult to have a comprehensive understanding of the technique.This paper conducts a thorough survey of fuzzing,focusing on its general process,classification,common application scenarios,and some state-of-the-art techniques that have been introduced to improve its performance.Finally,this paper puts forward key research challenges and proposes possible future research directions that may provide new insights for researchers.
文摘With the prevalence of machine learning in malware defense,hackers have tried to attack machine learning models to evade detection.It is generally difficult to explore the details of malware detection models,hackers can adopt fuzzing attack to manipulate the features of the malware closer to benign programs on the premise of retaining their functions.In this paper,attack and defense methods on malware detection models based on machine learning algorithms were studied.Firstly,we designed a fuzzing attack method by randomly modifying features to evade detection.The fuzzing attack can effectively descend the accuracy of machine learning model with single feature.Then an adversarial malware detection model MaliFuzz is proposed to defend fuzzing attack.Different from the ordinary single feature detection model,the combined features by static and dynamic analysis to improve the defense ability are used.The experiment results show that the adversarial malware detection model with combined features can deal with the attack.The methods designed in this paper have great significance in improving the security of malware detection models and have good application prospects.
基金This work was supported by the National Key R&D Program of China(2023YFB3106800)the National Natural Science Foundation of China(Grant No.62072051).We are overwhelmed in all humbleness and gratefulness to acknowledge my depth to all those who have helped me to put these ideas.
文摘By the analysis of vulnerabilities of Android native system services,we find that some vulnerabilities are caused by inconsistent data transmission and inconsistent data processing logic between client and server.The existing research cannot find the above two types of vulnerabilities and the test cases of them face the problem of low coverage.In this paper,we propose an extraction method of test cases based on the native system services of the client and design a case construction method that supports multi-parameter mutation based on genetic algorithm and priority strategy.Based on the above method,we implement a detection tool-BArcherFuzzer to detect vulnerabilities of Android native system services.The experiment results show that BArcherFuzzer found four vulnerabilities of hundreds of exception messages,all of them were confirmed by Google and one was assigned a Common Vulnerabilities and Exposures(CVE)number(CVE-2020-0363).
