Journal articles
7 articles found
1. Comprehensive Black-Box Fuzzing of Electric Vehicle Charging Firmware via a Vehicle to Grid Network Protocol Based on State Machine Path
Authors: Yu-Bin Kim, Dong-Hyuk Shin, Ieck-Chae Euom. Computers, Materials & Continua, 2025, Issue 8, pp. 2217-2243 (27 pages)
The global surge in electric vehicle (EV) adoption is proportionally expanding the EV charging station (EVCS) infrastructure, thereby increasing the attack surface and potential impact of security breaches within this critical ecosystem. While ISO 15118 standardizes EV-EVCS communication, its underspecified security guidelines and the variability in manufacturers' implementations frequently result in vulnerabilities that can disrupt charging services, compromise user data, or affect power grid stability. This research introduces a systematic black-box fuzzing methodology, accompanied by an open-source tool, to proactively identify and mitigate such security flaws in EVCS firmware operating under ISO 15118. The proposed approach systematically evaluates EVCS behavior by leveraging the state machine defined in the ISO 15118 standard for test case generation and execution, enabling platform-agnostic testing at the application layer. Message sequences, corresponding to valid and mutated traversals of the protocol's state machine, are generated to uncover logical errors and improper input handling. The methodology comprises state-aware initial sequence generation, simulated V2G session establishment, targeted message mutation correlated with defined protocol states, and rigorous response analysis to detect anomalies and system crashes. Experimental validation on an open-source EVCS implementation identified five vulnerabilities. These included session integrity weaknesses allowing unauthorized interruptions, billing manipulation through invalid metering data acceptance, and resource exhaustion vulnerabilities from specific parameter malformations leading to denial-of-service. The findings confirm the proposed method's capability in pinpointing vulnerabilities often overlooked by standard conformance tests, thus offering a robust and practical solution for enhancing the security and resilience of the rapidly growing EV charging infrastructure.
Keywords: Internet of Things (IoT) security; risk assessment; data privacy; fuzzing test; electric vehicle charger security
2. ADFEmu: Enhancing Firmware Fuzzing with Direct Memory Access (DMA) Input Emulation Using Concolic Execution and Large Language Models (LLMs)
Authors: Yixin Ding, Xinjian Zhao, Zicheng Wu, Yichen Zhu, Longkun Bai, Hao Han. Computers, Materials & Continua, 2025, Issue 9, pp. 5977-5993 (17 pages)
Fuzz testing is a widely adopted technique for uncovering bugs and security vulnerabilities in embedded firmware. However, many embedded systems heavily rely on peripherals, rendering conventional fuzzing techniques ineffective. When peripheral responses are missing or incorrect, fuzzing a firmware may crash or exit prematurely, significantly limiting code coverage. While prior re-hosting approaches have made progress in simulating Memory-Mapped Input/Output (MMIO) and interrupt-based peripherals, they either ignore Direct Memory Access (DMA) or handle it in an oversimplified way. In this work, we present ADFEmu, a novel automated firmware re-hosting framework that enables effective fuzzing of DMA-enabled firmware. ADFEmu integrates concolic execution with large language models (LLMs) to semantically emulate DMA operations and synthesize peripheral input sequences intelligently. Specifically, it learns DMA transfer patterns from the firmware's context and employs guided symbolic execution to explore deeper and more diverse execution paths. This approach allows firmware to operate stably without hardware dependencies while achieving higher fidelity in emulation. Evaluated on real-world embedded firmware samples, ADFEmu achieves a 100% re-hosting success rate, improves total execution path exploration by 5.31%, and triggers more crashes compared to the state-of-the-art. These results highlight ADFEmu's effectiveness in overcoming long-standing limitations of DMA emulation and its potential to advance automated vulnerability discovery in peripheral-rich embedded environments.
Keywords: fuzz testing; firmware rehosting; DMA; concolic execution; LLMs
3. BArcherFuzzer: An Android System Services Fuzzier via Transaction Dependencies of BpBinder
Authors: Jiawei Qin, Hua Zhang, Hanbing Yan, Tian Zhu, Song Hu, Dingyu Yan. Intelligent Automation & Soft Computing, 2024, Issue 3, pp. 527-544 (18 pages)
By analyzing vulnerabilities of Android native system services, we find that some vulnerabilities are caused by inconsistent data transmission and inconsistent data processing logic between client and server. Existing research cannot find the above two types of vulnerabilities, and its test cases suffer from low coverage. In this paper, we propose a method for extracting test cases based on the native system services of the client and design a case construction method that supports multi-parameter mutation based on a genetic algorithm and a priority strategy. Based on the above method, we implement a detection tool, BArcherFuzzer, to detect vulnerabilities of Android native system services. The experimental results show that BArcherFuzzer found four vulnerabilities among hundreds of exception messages; all of them were confirmed by Google and one was assigned a Common Vulnerabilities and Exposures (CVE) number (CVE-2020-0363).
Keywords: Android OS; vulnerability detection; Binder; fuzz testing; genetic algorithm
4. A Survey on Binary Code Vulnerability Mining Technology
Authors: Pengzhi Xu, Zetian Mai, Yuhao Lin, Zhen Guo, Victor S. Sheng. Journal of Information Hiding and Privacy Protection, 2021, Issue 4, pp. 165-179 (15 pages)
With the increase of software complexity, the security threats faced by software are also increasing day by day, so more and more attention is paid to software vulnerability mining. Because source code has rich semantics and is easy to comprehend, source code vulnerability mining has been widely used and has developed significantly. However, due to the protection of commercial interests and intellectual property rights, source code is often difficult to obtain. Therefore, research on vulnerability mining technology for binary code has strong practical value. Based on an investigation of related technologies, this article first introduces the current typical binary vulnerability analysis framework, and then briefly introduces the research background and significance of intermediate languages; with the rise of artificial intelligence, a large number of machine learning methods have been tried on the problem of binary vulnerability mining. This article divides current binary vulnerability mining technology into traditional mining technology and machine learning mining technology, introduces the basic principles, research status and existing problems of each, and briefly summarizes them. Finally, based on existing research work, this article puts forward prospects for future research on binary program vulnerability mining technology.
Keywords: binary; vulnerability mining; taint analysis; symbolic execution; fuzzing testing; machine learning
5. Research on Network Security Algorithm based on ZigBee Technology
Authors: Xiaolei Wu. International Journal of Technology Management, 2014, Issue 8, pp. 164-166 (3 pages)
This paper studies the MAC-layer security mechanism and data frame structure of the ZigBee protocol, improves the algorithm for random fuzzing test technology, and combines it with boundary attack test methods, structured fuzzing and node cloning, proposing a comprehensive MAC-layer security detection algorithm for the ZigBee routing protocol. Fuzzing tests show that the testing algorithm not only greatly improves fuzzing test efficiency, but also increases path coverage by more than 50% compared with structured fuzzing.
Keywords: ZigBee protocol; fuzzing test; boundary scan test
6. TOAST: Automated Testing of Object Transformers in Dynamic Software Updates
Authors: Ze-Lin Zhao, Di Huang, Xiao-Xing Ma. Journal of Computer Science & Technology (SCIE, EI, CSCD), 2022, Issue 1, pp. 50-66 (17 pages)
Dynamic software update (DSU) patches programs on the fly. It often involves the critical task of object transformation that converts live objects of the old-version program to their semantically consistent counterparts under the new-version program. This task is accomplished by invoking an object transformer on each stale object. However, a defective transformer failing to maintain consistency would cause errors or even crash the program. We propose TOAST (Test Object trAnSformaTion), an automated approach to detecting potential inconsistency caused by object transformers. TOAST first analyzes an update to identify multiple target methods and then adopts a fuzzer with specially designed inconsistency guidance to randomly generate object states to drive two versions of a target method. This creates two corresponding execution traces and a pair of old and new objects. TOAST finally performs object transformation to create a transformed object and detects inconsistency between it and the corresponding new object produced from scratch by the new program. Moreover, TOAST checks behavior inconsistency by comparing the return variables and exceptions of the two executions. Experimental evaluation on 130 updates with default transformers shows that TOAST is promising: it got 96.0% precision and 85.7% recall in state inconsistency detection, and 81.4% precision and 94.6% recall in behavior inconsistency detection. The inconsistency guidance improved the fuzzing efficiency by 14.1% for state inconsistency detection and 40.5% for behavior inconsistency detection.
Keywords: object state transformer; inconsistency detection; dynamic software update (DSU); fuzzing testing
7. DeltaFuzz: Historical Version Information Guided Fuzz Testing (cited by 2)
Authors: Jia-Ming Zhang, Zhan-Qi Cui, Xiang Chen, Huan-Huan Wu, Li-Wei Zheng, Jian-Bin Liu. Journal of Computer Science & Technology (SCIE, EI, CSCD), 2022, Issue 1, pp. 29-49 (21 pages)
With the widespread use of agile software development methods, such as agile and scrum, software is iteratively updated more frequently. To ensure the quality of the software, regression testing is conducted before new versions are released. Moreover, to improve the efficiency of regression testing, testing efforts should be concentrated on the modified and impacted parts of a program. However, the cost of manually constructing new test cases for the modified and impacted parts is relatively high. Fuzz testing is an effective method for generating test data automatically, but it is usually devoted to achieving higher code coverage, which makes fuzz testing unsuitable for direct regression testing scenarios. For this reason, we propose a fuzz testing method guided by historical version information. First, the differences between the program being tested and the last version are analyzed, and the results of the analysis are used to locate change points. Second, change impact analysis is performed to find the corresponding impacted basic blocks. Finally, the fitness values of test cases are calculated according to the execution traces, and new test cases are generated iteratively by the genetic algorithm. Based on the proposed method, we implement a prototype tool, DeltaFuzz, and conduct experiments on six open-source projects. Compared with the fuzzing tools AFLGo, AFLFast and AFL, DeltaFuzz can reach the target faster, and the time taken by DeltaFuzz was reduced by 20.59%, 30.05% and 32.61%, respectively.
Keywords: fuzz testing; regression testing; change impact analysis; fitness function