AISE
/
seminar
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Added abstract and instruction. 

Added estimated outline of paper.
Started Background.
main
TuDatTr 2021-06-17 00:13:46 +02:00
parent cd2a2767de
commit 2b0a7e10fd
8 changed files with 344 additions and 83 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

289
bibliography.bib
View File

@ -1,34 +1,265 @@
@Article{exampleArticle, @article{hung2017leading,
author = "Max Mustermann", title={Leading the IoT Gartner Insight on How to Lead in a Cnnected World},
title = "The title of the work", author={Hung, Mark},
journal = "The name of the journal", journal={Gartner Research},
year = "2010", volume={1},
number = "2", pages={1--5},
pages = "22--23", year={2017}
month = "7",
note = "An optional note",
volume = "4",
} }
@MastersThesis{exampleThesis, @incollection{mcmillen2015security,
author = "Max Mustermann", title={Security attacks on industrial control systems},
title = "The title of the work", author={McMillen, David},
school = "The school where the thesis was written", booktitle={Technical Report},
year = "2001", year={2015},
address = "The address of the publisher", publisher={IBM}
month = "7",
note = "An optional note",
} }
@Book{exampleBook, @online{posey2021iot,
author = "Max Mustermann", author = {Posey, Brien},
title = "The title of the work", title = {IoT devices},
publisher = "The name of the publisher", year = 2021,
year = "1999", url = {https://web.archive.org/web/20210520072243/https://internetofthingsagenda.techtarget.com/definition/IoT-device},
volume = "4", urldate = {2021-05-20}
series = "10", }
edition = "1",
month = "7", @online{OWASP2021Fuzzing,
note = "An optional note", author = {The OWASP Foundation},
ISBN = "12-345-67890-1", title = {Fuzzing | OWASP},
year = 2021,
url = {https://web.archive.org/web/20210414111843/https://owasp.org/www-community/Fuzzing},
urldate = {2021-04-14}
}
@article{lowendos,
author = {Oliver Hahm and
Emmanuel Baccelli and
Hauke Petersen and
Nicolas Tsiftes},
title = {Operating Systems for Low-End Devices in the Internet of Things: {A}
Survey},
journal = {{IEEE} Internet Things J.},
volume = {3},
number = {5},
pages = {720--734},
year = {2016},
url = {https://doi.org/10.1109/JIOT.2015.2505901},
doi = {10.1109/JIOT.2015.2505901},
timestamp = {Mon, 08 Jun 2020 22:23:02 +0200},
biburl = {https://dblp.org/rec/journals/iotj/HahmBPT16.bib},
bibsource = {dblp computer science bibliography, https://dblp.org}
}
@article{snipuzz,
author = {Xiaotao Feng and
Ruoxi Sun and
Xiaogang Zhu and
Minhui Xue and
Sheng Wen and
Dongxi Liu and
Surya Nepal and
Yang Xiang},
title = {Snipuzz: Black-box Fuzzing of IoT Firmware via Message Snippet Inference},
journal = {CoRR},
volume = {abs/2105.05445},
year = {2021},
url = {https://arxiv.org/abs/2105.05445},
archivePrefix = {arXiv},
eprint = {2105.05445},
timestamp = {Mon, 31 May 2021 08:26:46 +0200},
biburl = {https://dblp.org/rec/journals/corr/abs-2105-05445.bib},
bibsource = {dblp computer science bibliography, https://dblp.org}
}
@inproceedings{firmafl,
author = {Yaowen Zheng and
Ali Davanian and
Heng Yin and
Chengyu Song and
Hongsong Zhu and
Limin Sun},
editor = {Nadia Heninger and
Patrick Traynor},
title = {{FIRM-AFL:} High-Throughput Greybox Fuzzing of IoT Firmware via Augmented
Process Emulation},
booktitle = {28th {USENIX} Security Symposium, {USENIX} Security 2019, Santa Clara,
CA, USA, August 14-16, 2019},
pages = {1099--1114},
publisher = {{USENIX} Association},
year = {2019},
url = {https://www.usenix.org/conference/usenixsecurity19/presentation/zheng},
timestamp = {Mon, 01 Feb 2021 08:43:20 +0100},
biburl = {https://dblp.org/rec/conf/uss/ZhengDYSZS19.bib},
bibsource = {dblp computer science bibliography, https://dblp.org}
}
@inproceedings{largeanal,
author = {Andrei Costin and
Jonas Zaddach and
Aur{\'{e}}lien Francillon and
Davide Balzarotti},
editor = {Kevin Fu and
Jaeyeon Jung},
title = {A Large-Scale Analysis of the Security of Embedded Firmwares},
booktitle = {Proceedings of the 23rd {USENIX} Security Symposium, San Diego, CA,
USA, August 20-22, 2014},
pages = {95--110},
publisher = {{USENIX} Association},
year = {2014},
url = {https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/costin},
timestamp = {Mon, 01 Feb 2021 08:43:17 +0100},
biburl = {https://dblp.org/rec/conf/uss/CostinZFB14.bib},
bibsource = {dblp computer science bibliography, https://dblp.org}
}
@inproceedings{autodyn,
author = {Andrei Costin and
Apostolis Zarras and
Aur{\'{e}}lien Francillon},
editor = {Xiaofeng Chen and
XiaoFeng Wang and
Xinyi Huang},
title = {Automated Dynamic Firmware Analysis at Scale: {A} Case Study on Embedded
Web Interfaces},
booktitle = {Proceedings of the 11th {ACM} on Asia Conference on Computer and Communications
Security, AsiaCCS 2016, Xi'an, China, May 30 - June 3, 2016},
pages = {437--448},
publisher = {{ACM}},
year = {2016},
url = {https://doi.org/10.1145/2897845.2897900},
doi = {10.1145/2897845.2897900},
timestamp = {Tue, 10 Nov 2020 16:06:16 +0100},
biburl = {https://dblp.org/rec/conf/ccs/CostinZF16.bib},
bibsource = {dblp computer science bibliography, https://dblp.org}
}
@inproceedings{avatar,
author = {Jonas Zaddach and
Luca Bruno and
Aur{\'{e}}lien Francillon and
Davide Balzarotti},
title = {{AVATAR:} {A} Framework to Support Dynamic Security Analysis of Embedded
Systems' Firmwares},
booktitle = {21st Annual Network and Distributed System Security Symposium, {NDSS}
2014, San Diego, California, USA, February 23-26, 2014},
publisher = {The Internet Society},
year = {2014},
url = {https://www.ndss-symposium.org/ndss2014/avatar-framework-support-dynamic-security-analysis-embedded-systems-firmwares},
timestamp = {Mon, 01 Feb 2021 08:42:18 +0100},
biburl = {https://dblp.org/rec/conf/ndss/ZaddachBFB14.bib},
bibsource = {dblp computer science bibliography, https://dblp.org}
}
@article{firmcorn,
author = {Zhijie Gui and
Hui Shu and
Fei Kang and
Xiaobing Xiong},
title = {{FIRMCORN:} Vulnerability-Oriented Fuzzing of IoT Firmware via Optimized
Virtual Execution},
journal = {{IEEE} Access},
volume = {8},
pages = {29826--29841},
year = {2020},
url = {https://doi.org/10.1109/ACCESS.2020.2973043},
doi = {10.1109/ACCESS.2020.2973043},
timestamp = {Tue, 03 Mar 2020 09:38:04 +0100},
biburl = {https://dblp.org/rec/journals/access/GuiSKX20.bib},
bibsource = {dblp computer science bibliography, https://dblp.org}
}
@inproceedings{iotfuzzer,
author = {Jiongyi Chen and
Wenrui Diao and
Qingchuan Zhao and
Chaoshun Zuo and
Zhiqiang Lin and
XiaoFeng Wang and
Wing Cheong Lau and
Menghan Sun and
Ronghai Yang and
Kehuan Zhang},
title = {IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based
Fuzzing},
booktitle = {25th Annual Network and Distributed System Security Symposium, {NDSS}
2018, San Diego, California, USA, February 18-21, 2018},
publisher = {The Internet Society},
year = {2018},
url = {http://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2018/02/ndss2018\_01A-1\_Chen\_paper.pdf},
timestamp = {Thu, 09 Aug 2018 10:57:16 +0200},
biburl = {https://dblp.org/rec/conf/ndss/ChenDZZL0LSYZ18.bib},
bibsource = {dblp computer science bibliography, https://dblp.org}
}
@article{wmifuzzer,
author = {Dong Wang and
Xiaosong Zhang and
Ting Chen and
Jingwei Li},
title = {Discovering Vulnerabilities in {COTS} IoT Devices through Blackbox
Fuzzing Web Management Interface},
journal = {Secur. Commun. Networks},
volume = {2019},
pages = {5076324:1--5076324:19},
year = {2019},
url = {https://doi.org/10.1155/2019/5076324},
doi = {10.1155/2019/5076324},
timestamp = {Thu, 10 Sep 2020 14:41:04 +0200},
biburl = {https://dblp.org/rec/journals/scn/WangZCL19.bib},
bibsource = {dblp computer science bibliography, https://dblp.org}
}
@Misc{binwalk,
title = {Binwalk},
howpublished = {\url{https://github.com/ReFirmLabs/binwalk}},
}
@Misc{IDA,
title = {IDA Pro},
howpublished = {\url{https://hex-rays.com/ida-pro/}},
}
@Misc{boofuzz,
title = {boofuzz},
howpublished = {\url{https://github.com/jtpereyda/boofuzz}},
}
@inproceedings{firmup,
author = {Yaniv David and
Nimrod Partush and
Eran Yahav},
editor = {Xipeng Shen and
James Tuck and
Ricardo Bianchini and
Vivek Sarkar},
title = {FirmUp: Precise Static Detection of Common Vulnerabilities in Firmware},
booktitle = {Proceedings of the Twenty-Third International Conference on Architectural
Support for Programming Languages and Operating Systems, {ASPLOS}
2018, Williamsburg, VA, USA, March 24-28, 2018},
pages = {392--404},
publisher = {{ACM}},
year = {2018},
url = {https://doi.org/10.1145/3173162.3177157},
doi = {10.1145/3173162.3177157},
timestamp = {Mon, 22 Mar 2021 16:55:03 +0100},
biburl = {https://dblp.org/rec/conf/asplos/DavidPY18.bib},
bibsource = {dblp computer science bibliography, https://dblp.org}
}
@inproceedings{crash,
author = {Marius Muench and
Jan Stijohann and
Frank Kargl and
Aur{\'{e}}lien Francillon and
Davide Balzarotti},
title = {What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded
Devices},
booktitle = {25th Annual Network and Distributed System Security Symposium, {NDSS}
2018, San Diego, California, USA, February 18-21, 2018},
publisher = {The Internet Society},
year = {2018},
url = {http://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2018/02/ndss2018\_01A-4\_Muench\_paper.pdf},
timestamp = {Thu, 09 Aug 2018 10:57:16 +0200},
biburl = {https://dblp.org/rec/conf/ndss/MuenchSKFB18.bib},
bibsource = {dblp computer science bibliography, https://dblp.org}
} }

1
images/fuzzing.drawio Normal file
View File

@ -0,0 +1 @@
<mxfile host="app.diagrams.net" modified="2021-06-15T11:58:13.337Z" agent="5.0 (X11)" etag="u6wF4_Upl5t3IYY2QxIi" version="14.7.7" type="device"><diagram id="RRo4MlS_cUVkArYB42sk" name="Page-1">3VhNc9owEP01PpLxZwLHfKedZCYTDm1OHQUvtjKy5MpyDPz6Sli2rBjTpAUyyQwH7ZO0kvbtvgWc4DxbXHOUp3csBuL4brxwggvH973Q9x31ceNljUzcqAYSjmO9yABTvAINuhotcQyFtVAwRgTObXDGKIWZsDDEOavsZXNG7FNzlEAPmM4Q6aM/cCzSGh1HrsFvACdpc7Ln6pkMNYs1UKQoZlUHCi6d4JwzJupRtjgHooLXxKXedzUw216MAxVv2RD/fljSm1/kevJdjCciup/S+1Go7yaWzYMhlu/XJuMiZQmjiFwa9IyzksagvLrSMmtuGcsl6EnwGYRYajJRKZiEUpERPQsLLH52xo/K1VGkrYuF9rw2lo1BBV/+7BqdXco029ZWs69+n3rUYNg0VLCSz2BLrJr0QzwBsWWd35IrqwJYBvI+ch8HggR+se+BdHom7TrDoBxoEt9BaFM3L4iU+qgp0HidkGTOeAZqjGleio3U36InWcEWXYjghMrxTEYMuARegAssS+RUT2Q4juvMgAKv0NPanwp+zjAV6xdGZ0500dKhHMDC2VC/erOpmi5Rwxncj7b2PnKPvHF0UvvSEjTSkvRmQrT3e/Ua4zqwnPqRvZ/N5wWIHp3tDf+dYb9PMJuLSsapR6ipVMVjlWIB0xytk7yScm3TPEhNr1YGox022dcEZaLtykin1zCbdmTz2N1TOYT+5xM4o2mPlqTtX+A+hcKFQa8A7hjFgnElIxwVqXQrcAZMSdyVCvIXUbqBsBupC33PVqVRsBupeyWgzSn7F7vQ65F9Va5WkpzXlBYVzgiisCMls4XMi/pC5rsbhMwfb1EyfdqDYp8m8uLvOe5k02mveEBEpi1FAs6UghX7IKTPx7f6u4SbAAUus4zRA/ShLcnyVk5b/j6sOXn9YLZK9hkiuCFLD9zdjz+yu5uO/tiZOXh336qbu+v5A5lxoJ5/0quU0/i5LMQX+y1z/LcO71sFuJvu3n6j+p92Lk3zV0a93PwhFFz+AQ==</diagram></mxfile>

BIN
images/fuzzing.pdf Normal file
View File

Binary file not shown.

BIN
images/iotnetwork.pdf Normal file
View File

Binary file not shown.

1
images/iotnetwork.xml Normal file
View File

@ -0,0 +1 @@
<mxfile host="app.diagrams.net" modified="2021-06-16T22:11:04.504Z" agent="5.0 (X11)" etag="aJT_GIRSCdXX_Ux4iS2g" version="14.7.7" type="device"><diagram id="omHt0RnPnYEa7tGnQjuQ" name="Page-1">7Vtbc5s4FP41fjQDiIv9GMdxk206m226092+eGSQjVqMPJIc2/31K4HAgPAlGxzHaZ3MOBwkQOc737mJdMD1fP2BwkX0iYQo7thmuO6AYce2Lce2O/LXDDeZpG+6mWBGcagGbQWP+CdSQlNJlzhErDKQExJzvKgKA5IkKOAVGaSUrKrDpiSu3nUBZ0gTPAYw1qVfccijTNpzza38FuFZlN/ZMtWZOcwHKwGLYEhWJRG46YBrSgjP/pqvr1EslZfrJZs32nG2eDCKEn7MhM3HsfvHd/ex9+nD6v6j+3jnzv7qWp56OL7JV0zJMgmRnGR2wIBQHpEZSWB8T8hCCC0h/I443yis4JITIYr4PFZnGYeUX0ndC0EQQ8ZwkItHOM6HZTdGoab/7YKUiJElDdC+VSjDgHSG+L5xdqF3YbCIzBGnGzGRohhy/FR9EKgsZ1aM2ypX/KH0+xxdZ9d9gvFS3ekzWXJENQQWBCdCfvMkFMFypebWI0EJIYsKhCqap+QHuiYxoUKSkERccDAVKs9FHRu4pvwR8hhOUPxAGOaYJOJcjKZCd4MnRDkW9n9fOz0hnJN5acBVjGfyBJdmMRAriXEi7p3TUN4CqiE0I4hcxEKucb6eSW9hkOkUB8gI0ZP4YgbN1CHGLWCAk5kY2bXc7fGX1AC7XmE88lHQer/56GirCaDvZFOUZxKuKTtebXnuKmcVlSjueqeyD1+zBMmOR3Wo4LxAeoJj6XlOduaB6pfVfv+s2gevon2hPLr5R8433Pzw3/K54VpdPDvalI8eEMVitdJDpcK3C6V1ViYBLc49zoVKFpEE8Xesy2JdIBQ5TlUyhklICQ7HwnCSEMbZSrYh0NQCoAgUheg+XUl50EA9fFn2WYUvv53Q6ZmO4daCp6cFT9vRg6fjnCp49t6p+3YuIXg6GuUfaMrrN8L3ACVZZnkKxhcXP0D5KVy3Qz9Ly1wLOpZzV7+Bfv6p4repIf0+6OceST9wTvq5zRF3BXkQabjkVornaeujrN5m4z/ImZRtAxj8mKUAlwg5TT9iSHqzK7YosSc/mOK1NImBep5hxLns7VxJldijIEwsAwckmWJhOtQIxB3tUQg5FF9SzsT3FEEeIdqVapRRZ5SuXJT7PWMhY2jqJ/6UoZBLynj9wp9shfv9hsb1Fmjs+2aNxkAnsamTOJe1T2JLM5aLIPHJSxs19UHGrt34OV4NmMy5qFk1bIrHeEHQNTXaf8OzCRJJ9uhb9yt80rNtqc2UxlVENOuuO4I5DsM4BR8x/BNO0utJ+NNwni7XHXTc4T5iqA6tmtwp+qJlQPeY5U4amQbom1YFibwEeSHAdu2qeYsgv4KI7wydBFq/2aEL0b30A5NlPLl8v+4c9OuTJRNZF2NdRmIcdoWP7wZwgbmwVyaHe9LX34UI7nf1J/DVDmhIuF7TV1v9y/TVBxOu/pE+/aX1TjPlXb+aWjuW+6o+va8R/458EYLbZQPhKxWRYKWXfqoAHp/RVBsKWd99Z2HWWBDV6x8qXIcxQwmiMDYisYL/XX+1wGDX92o9C8fVG/69Bg7bJ+OwviP0N2uomRuVXYFjl1qrjj7XaaFszQbKzK+BCVcMGEuWDquV3UN7CIZAyMXIEItr1ar0nTbYBqy1WtjyfQ1Up2EXxwOnAtXWKSyXm6hMoR1gD/Dl2cBi9Yhj8Hx4W0AR9GzDr7LTbWCn3zeaNuRO1VO03VeJsdtNifKWhGl4vcvYlbCPblGed4NPf9XhfWRMx+v/rOrfv7u91fTNVvqu0XDOikZDx/5aA+iNNusPZDWtNOtXhP4QVpLdsZ3XTbxqotL0ugloiG6net3E1msNzQAaeght7JzstqHGEiJaoDGkywk02ArzIJKvCn133DGbLsYw5u3g44Dapoqn42O/ZnUA9OpAw+fiej72wZ4PJqzrd/MjmQSOVniKiw7Py5G2RbLpVFt7Rd1XAhs0gA1OBrZeNfwGuw2wnfpe6dmR1l+P+ZXdrmvWGm7mud2unhn9okycCAVwQnjUIh19y66/OXR2QuqbLTsBz/nBBLjM4CiIjCWbVC2gKWmupb5m+tmVJ7fV89HMg5I8oR32zXboa/dNowcOJrYWMKyG11FOhqmjh9NbcWkhSRCXqb2O8ArPY9hWP8vqVbeLLFvXiec3WHnh/p6hEnG4/S+SbCNi+7844OY/</diagram></mxfile>

BIN
images/latex.pdf
View File

Binary file not shown.

BIN
paper.pdf
View File

Binary file not shown.

126
paper.tex
View File

@ -12,7 +12,6 @@
\renewcommand*{\bibfont}{\footnotesize} \renewcommand*{\bibfont}{\footnotesize}
\pagestyle{plain} \pagestyle{plain}
\usepackage{siunitx} \usepackage{siunitx}
\RequirePackage[usenames,dvipsnames,svgnames,table]{xcolor} \RequirePackage[usenames,dvipsnames,svgnames,table]{xcolor}
\usepackage{cleveref} \usepackage{cleveref}
@ -29,87 +28,116 @@
\crefname{lstlisting}{listing}{listing} \crefname{lstlisting}{listing}{listing}
\Crefname{lstlisting}{Listing}{Listings} \Crefname{lstlisting}{Listing}{Listings}
\usepackage{booktabs}
% \usepackage[parfill]{parskip} % \usepackage[parfill]{parskip}
\addbibresource{bibliography.bib} \addbibresource{bibliography.bib}
\usepackage{blindtext} \usepackage{blindtext}
\newcommand\blindsection{{\color{gray}\subsection{Some bindtext}\blindtext}} \newcommand\blindsection{{\color{gray}\subsection{Some bindtext}\blindtext}}
\begin{document} \begin{document} \title{Overview of IoT Fuzzing Techniques}
\title{IEEEtran Template} \author{\IEEEauthorblockN{Tuan-Dat
\author{\IEEEauthorblockN{Vorname Nachname\\\small(3012345)}\\\IEEEauthorblockA{University of Duisburg-Essen\\vorname.nachname@stud.uni-due.de}} Tran\\\small(3012345)}\\\IEEEauthorblockA{University of
Duisburg-Essen\\tuan-dat.tran@stud.uni-due.de}}
\maketitle \maketitle
\begin{abstract} \begin{abstract}
This paper is a short example for the IEEEtran template. It introduces the most basic principles of latex and the paper format. Due to the rising popularity of IoT devices and embedded systems and their usage in, not only in the business sector, but also at home, the view has been shifting on the security of those devices. To address this issue, there have been many approaches in detecting, analyzing and mitigation of security flaws in IoT devices. One of the ideas to detect vulnerabilities in an automated manner is IoT Fuzzing. Contrary to regular fuzzing it comes with its own constraints and techniques to optimize performance and coverage of attack surfaces.
In this paper we are comparing techniques used by IoT fuzzers to circumvent the adversities presented by IoT devices like app-based approaches by IoTFuzzer and Snipuzz or emulation approaches used by Firm-Afl.
Due to the wide range of different IoT fuzzing tools we are dividing the comperison of the techniques based on the type of IoT fuzzing tool. We also outline the evolution of IoT fuzzing techniques to visualize the progress made in the field. This overview can then be used to choose the optimal usage of a specific IoT fuzzing device in a given use case or combine different techniques used in different fuzzing tools to create a novel approach and find new security flaws through an combined usage of IoT fuzzing techniques.
\end{abstract} \end{abstract}
\section{Introduction}% \section{Introduction}
\label{sec:intro} % \label{sec:intro}
For scientific writing it is important to know how to cite related work~\cite{exampleThesis,exampleArticle,exampleBook}. Internet of Things (IoT) devices and embedded systems are becoming more and more prevalent, and with billions of devices being connected to the internet they are an integral part of everyday life\cite{hung2017leading}. Despite IoT devices being so widespread they are riddled with security vulnerabilities, which makes them an easy target for attackers, since many of those vulnerabilities are considered ``low hanging fruits''. This led to over 70 unique attack incidents\cite{mcmillen2015security} between 2010 and 2016, while the number of IoT devices and embedded systems in use is steadily rising and with it the amount of vulnerabilities in the wild.
The bibliography at the end will be auto-generated.
\section{Example Code Listing} While implementation flaws and app over-privilege are just some of the many security problems an IoT device can have, detection and mitigation of these security flaws has proven itself to be challenging\cite{crash}. One approach to discover those flaws is called fuzz-testing, or fuzzing. Mitigation of found security flaws can often be hard due to the nature of embedded devices being heavily customized and often not adhering to one specific standard. Therefore, the fixing of security flaws is often left to the manufacturer of the device, since they possess the necessary toolchains, source code and pipelines to provide security patches to their devices.
As can be seen in \Cref{lst:example}, we have an example here. It will print \verb+"Hello"+ several times. Fuzzing is a method to test software for flaws by automatically generating and sending malformed data to the software. There are many ways to generate and send data to the software. An example for a specific type of input generation is mutation based fuzzing, which is utilized by IoT Fuzzer\cite{OWASP2021Fuzzing}. Mutation based fuzzing takes a valid input and changes specific parts of it to trigger an unexpected state in the software and therefore crashing it. Crashing or bringing the software into an unexpected state is the general goal of fuzzing, since behavior like this indicates the presence of a bug.
However, this example is not usable with ROP. For an example with figures, we refer the interested reader to \Cref{sec:figstabs}. We can also use the lame way of referencing another section, as can be evidenced in sections \ref{sec:figstabs} and \ref{sec:intro}.
\blindsection Due to fuzzing being an automated process, fuzzing became a common tool for software testing in software development. Conventional fuzzing of software can be easily done concurrently, since software can, in most cases, be easily executed concurrently\cite{crash}. This increases the throughput of the fuzzer and thus the amount of test cases the software is tested against. This is one of the issues, which IoT fuzzers have to deal with, since the fuzzing IoT devices usually include fuzzing the physical device itself if there is no emulation solution available, while emulation enables another class of issues and complexity to the fuzzing process. An example for an arising problem due to emulation is the acquisition of the firmware. The process of firmware acquisition is different for every device, since it is dependant on the willingness of the manufacturer to publicly release the firmware. If the manufacturer does not release the firmeware for his device the firmware needs to be extracted directly from the device, which can vary in difficulty depending on the device\cite{crash}.
\begin{figure}[b] Alternativly to fuzzing there are other ways to test software for vulnerabilities like static and dynamic firmware analysis. Static firmware analysis is the analysis of firmware without executing it by using tools like binwalk\cite{binwalk} to unpack the firmware and reverse engineering it with an reverse engineering tool like IDA\cite{IDA}\cite{firmup}. For dynamic analysis the firmware is executed to be investigated. This can be done in a multitude of ways, for example running the firmware on the original device or emulating the device to have the firmware run in the emulated environment. The running firmwares behavior is then analyzed\cite{autodyn}. The advantage of static analysis is the possibility to automate and scaling the processes of analyzing the firmware\cite{largeanal}, since the testing does not depend on a physical device. On the other hand, static analysis also yields a high amount of false positives and may not find completly new vulnerabilities, with the usage of its heuristics\cite{firmafl}. Another challenge during static analysis is the handling of packed or obfuscated code. This can be overcome with dynamic analysis\cite{avatar} by emulating the physical device, which increases scalability and eliminates the need to acquire the physical device to test it\cite{autodyn}.
% make figure go to bottom, others are: htbp (here, top, bottom, page). Most of time the default (top) fits best.
\begin{lstlisting}[language=C,firstnumber=17]
int main(int argc, char* argv[],
char* env[])
{
for (size_t i = 0; i < 10; i++) {
// prints Hello some times
printf("Hello %d\n", i);
}
}
\end{lstlisting}
\caption{Example C Code}
\label{lst:example}
\end{figure}
\blindsection Since IoT devices offer a large surface area regarding communication e.g.\ network protocols, their companion app or their web interface\cite{iotfuzzer}\cite{boofuzz}\cite{wmifuzzer}. For this reason fuzzers, which were not originally designed to fuzz IoT devices can still be utilized for IoT fuzzing, like in the case of boofuzz, which was developed with the intent to fuzz network protocols\cite{boofuzz}. IoT fuzzers can also make use of techniques used by dynamic analysis, since both approaches require execution of the firmware. This makes emulation a feasable way of testing IoT devices to increase scalability\cite{firmcorn}. In this work we will focus mainly on fuzzers, which were primarily developed for IoT fuzzing, but since techniques used by non-IoT focused fuzzers are also used by fuzzers, that focus on IoT devices, non-IoT focused fuzzers will be considered in the overview.
\section{Examples for figures and tables}% Even though IoT fuzzers are used for finding security vulnerabilities in devices and fixing those errors or learning from them and mitigating them is the next logical step we will not discuss mitigation techniques in this paper, since this is outside of our scope. We will also not dive deep into specific techniques and how they work in detail or are implemented.
\label{sec:figstabs}
By creating an overview of different IoT fuzzing techniques we hope to archive a comprehensive list of IoT fuzzing tools and their properties to help developers and researchers to find the right tool for their job and weight in the positive on negative aspects of existing approaches to improve upon them.
\section{Background}
\subsection{IoT devices and embedded systems}
The terms IoT devices and embedded systems describe a great amount of devices. Embedded systems are devices, interact with their surroundings via sensors and regulators and are built to serve a specific purpose\cite{crash}. IoT devices on the other hand are broadly described as devices, which extend regular devices with an internet connection and enable them to communicate over it\cite{posey2021iot}. The term embedded devices can describe many devices such as cameras or industrial control systems (ICS), which makes it hard to make general statements about embedded devices. The same is the case for IoT devices, which includes the definition of internet capable embedded systems. Ongoing, when we describe IoT devices, the description also fits embedded systems if not explicitly mentioned.
IoT devices, due to being built for specific purposes, don't need as much processing power as a general computer does. This leads to them having an hardware platform specifically tailored to their use case. For this reason the amount of different hardware and software architectures used in IoT devices is diverse and unlistable.
%
The works of Hahm et al.\cite{lowendos} proposes a classification into low-end and high-end IoT devices and deviding those two classificatoins into three subcategories for low-end devices. Those classes represent the complexity and computing capability of those devices with ``Class 0'' having the least resources and ``Class 2'' devices having the most resources.
%
In the works of Muench et al.\cite{crash} a similar classification is done. They are classified in ``Type-0'' to ``Type-III'' systems. T0 (Type-0) systems represent multi-purpose systems, which don't fall under the classification of embedded systems or IoT devices. T1 (Type-1) devices are devices, which use a general purpose operating system like Linux. The OS (operating system) is often modified to be more lightweight and offer a lightweight user environment like busybox. T2 (Type-2) devices run on customized operating systems, which are tailored to the devices use case. In order to save space and computational power typical OS functions like a Memory Management Unit may be omited. T3 (Type-3) devices run on a single control loop. On these devices the firmware and the software, which runs the devices functionalities, are a single instance. This leads to a so called ``monolithic firmware'', consisting of the application and system code compiled together.
We will later use these classes, and especially those proposed by Muench et al.\cite{crash} to classify IoT devices when comparing IoT fuzzing techniques, since different types of IoT devices require different approaches to fuzzing.
Due to the heterogenic nature of IoT devices in terms of e.g. OS, instruction sets or memory layouts, analysis of the firmware proves difficult\cite{largeanal}. Reasons for this are the different requirements a manufacturer has for his device like the energy efficiency, real-time capabilty or memory footprint\cite{lowendos}.
\begin{figure} \begin{figure}
\begin{center} \begin{center}
\includegraphics[width=\linewidth]{latex} \includegraphics[width=\linewidth]{iotnetwork}
\end{center} \end{center}
\caption{The word latex in its custom typeface.} \caption{Example of IoT home network.}\label{fig:iotnetwork}
\label{fig:latex}
\end{figure} \end{figure}
You can define the figure anywhere in the section and \LaTeX~(see \Cref{fig:latex}) will make it float to a place nearby. Like mentioned earlier IoT devices, and especially home-based ones, use a multiple ways to connect to the internet. Either directly through WiFi or via a intermediary device like a smartphone and connecting to it with Bluetooth\cite{wmifuzzer}. Another way is having an IoT hub, which acts as proxy between other IoT devices and either another intermediary via Bluetooth or directly WiFi. This leads to many ways an IoT network can be structured, depending on the kind and number of IoT devices (\Cref{fig:iotnetwork}).
You also can use the starred-version (\lstinline[language={[latex]tex}]+\begin{figure*}...\end{figure*}+) to define a figure that spans multiple columns. This was used for \Cref{tab:large-table}
\subsection{Fuzzing}
\begin{figure}
\begin{center}
\includegraphics[width=\linewidth]{fuzzing}
\end{center}
\caption{Generalization of fuzzing process.}\label{fig:fuzzing}
\end{figure}
\section{IoT Fuzzing}
\textbf{Mutation based fuzzing}
\textbf{Taint}
\textbf{Emulation}
\textbf{Message}
\subsection{Adversaries}
\subsection{Whitebox Fuzzing}
\subsection{Blackbox Fuzzing}
\subsection{Greybox Fuzzing}
\section{Overview of IoT Tools and Techniques}
In this section we are going to look the overview of different IoT Fuzzing devices\Cref{tab:toollist}.
\begin{table*} \begin{table*}
\begin{center} \begin{center}
\begin{tabular}{r|lclllllll} \begin{tabular}{rclll}
Data&222222&333333&444444&555555&666666&777777&888888&999999&000000\\ Tool & Year & Fuzzing approach & Techniques & Scope \\
\hline \toprule
111&222222&33333&4444&555555&666666&777777&888888&999999&000000\\ SIoTFuzzer & 2021 & Blackbox & & \\
1111&22222&333&444444&555555&666666&777777&888888&999999&000000\\ IoTFuzzer & 2018 & Blackbox & & \\
11111&2222&3333&44444&555555&666666&777777&888888&999999&000000\\ Firm-AFL\cite{firmafl} & 2019 & Greybox & & \\
111111&222&33333&4444&555555&666666&777777&888888&999999&000000\\ Snipuzz & 2021 & Blackbox & & \\
Firmcorn & 2020 & & & \\
FirmFuzz & 2019 & & & \\
Diane & 2021 & Blackbox & & \\
HFuzz & 2019 & & & \\
IoTHunter & 2019 & & & \\
WMIFuzzer & 2019 & Blackbox & & \\
\bottomrule
\end{tabular} \end{tabular}
\end{center} \end{center}
\caption{A table that spans multiple columns.} \caption{An overview of different IoT fuzzing tools.}\label{tab:toollist}
\label{tab:large-table}
\end{table*} \end{table*}
As we can see the fuzzers requireing firmware, i.e.\ whitebox fuzzers, are mostly designed to fuzz IoT devices, built on top of linux devices. This is due to.
\subsection{Techniques}
\subsection{Classification}
\blindsection \section{Conclusion}
\blindsection In this paper we created an overview of the different IoT fuzzing techniques used by state of the art IoT fuzzing tools and compared their approaches in regards of input generation, execution speed, crash detection heuristics and their device scopes based on the classification in the work of Muench et al.\cite{crash}. The comparison was done seperatly based on whether they were black-/white- or greybox fuzzers.
\balance \printbibliography{}
\printbibliography
\end{document} \end{document}