IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing
Jiongyi Chen1, Wenrui Diao2, Qingchuan Zhao3, Chaoshun Zuo3, Zhiqiang Lin3,4, XiaoFeng Wang5,
Wing Cheong Lau1, Menghan Sun1, Rongai Yang1, and Kehuan Zhang1
Chinese University of Hong Kong1, Jinan University2, University of Texas at Dallas3, Ohio State University4, Indiana University Bloomington5
NDSS 2018
Presented by Md Mahbubur Rahman
Wayne State University
Outline
• IoT Trend
• Motivation
• IoTFuzzer (This paper)
• Challenges
• Architecture: IoTFuzzer
• Implementation and Evaluation
• Conclusion
Internet of Things (IoT) Market
• Applications
  • Smart Home, Smart City, Agricultural IoT, etc.
• Market growth by 2020
  • 20.4 billion IoT devices
  • $3 trillion
• Smart Home
  • $53.45 billion by 2022
Smart Home market value (Source: Zion Research Analysis 2017)
Is IoT Secure?
• NOT really!
• Attacks: 2014-2016
  • More than 90 independent IoT attacks [N. Zhang et al., CoRR 2017]
• Mirai botnet attack on Oct 12, 2016
  • Online IoT devices (e.g., IP cameras, home routers, etc.) are turned into bots
  • Distributed Denial-of-Service (DDoS) attacks on online services
• Reaper botnet attack
Firmwares of the IoT devices are not properly implemented & protected!!
What’s Done!
• Few attempts have been made that closely deal with firmwares. [Davidson et al. USENIX Sec. ’13, Cui et al. NDSS ’13, Chen BlackHat ’09, Shoshitaishvili et al. NDSS ’15]
• Limitations
  • Firmware acquisition: vendors may not make it public
  • Firmware identification & unpacking: unknown architecture, proprietary compression/encryption
  • Executable analysis: requires lots of manual effort and is not accurate
It is worth looking into the IoT official applications
IoT Official Application
• Controls and manages IoT applications
Contains rich information about the IoT system
Courtesy: Authors
IoTFuzzer: A Firmware-free Fuzzing Framework
• Detects memory corruptions in IoT devices
  • Null-pointer exceptions, buffer overflow, out-of-bound accesses, etc.
• Leverages official apps and program logics to create meaningful test messages
• Fuzzes in a protocol-guided way without explicitly reverse engineering the protocols
IoTFuzzer: Challenges
• Diverse data formats and protocols
  • XML, JSON, key-value pairs
• Proprietary cryptographic functions
• Crash monitoring
  • How to determine the real-time status of the device?
TP-Link Kasa Code Snippet
IoTFuzzer: Solutions
• Diverse data formats and protocols
  • Mutate protocol fields before they are constructed as message
• Proprietary cryptographic functions
  • Reuse cryptographic functions in the runtime
• Crash monitoring
  • Insert heartbeat messages
IoTFuzzer: Scope and Assumptions
• Goal: Automatically generate protocol-aware messages to the IoT devices to discover memory corruptions
• Assumptions
  • IoT devices under test are configurable and controllable with mobile apps
  • Wi-Fi communication protocol
  • Android apps
IoTFuzzer: Architecture
• 2-phase architecture
• Phase 1:
  • App analysis
• Phase 2:
  • Fuzzing
IoTFuzzer: Architecture – Phase 1
• UI Analysis
  • Call Path Construction
    • Identify networking UI elements by constructing call paths from networking APIs to UI event handlers
    • Networking APIs: URL.openConnection(), Socket.getOutputStream(), etc.
    • Androguard [1]
  • Activity Transition Graph Construction
    • To trigger networking API events
    • Monkeyrunner [2]
1. “Androguard: Reverse engineering, Malware and goodware analysis of Android applications,” https://github.com/androguard/androguard
2. “monkeyrunner,” https://developer.android.com/studio/test/monkeyrunner/index.html
IoTFuzzer: Architecture – Phase 1
• Taint Analysis
  • Identify protocol fields (variables) and functions
  • TaintDroid [W. Enck et al. TOCS ’14]
  • Taint Sources: strings, system APIs, user inputs
  • Taint Sinks: data used at networking APIs and encryption functions
• Cryptographic Function Identification
  • Lots of related work
  • IoTFuzzer employs a lightweight technique
  • Cryptographic functions contain arithmetic operations and are called during the message delivery execution
IoTFuzzer: Architecture – Phase 1
[Figure panels: Code example; Taint Tracking Output]
IoTFuzzer: Architecture – Phase 2
• Runtime Mutation
  • Function Hooking
    • Dynamically hooks the recorded functions and mutates the protocol fields at runtime to generate probe messages
    • Xposed [3]
  • Fuzzing Scheduling: to fuzz only a subset of all protocol fields
  • Fuzzing Policy:
    • Change the length of the strings to check overflow and out-of-bound access
    • Change integer, double, or float (large values) to check overflow and out-of-bound access
    • Change object types and provide empty values to check misinterpretation and null-pointer exception
3. Rovo89, “Xposed Module Repository,” http://repo.xposed.info/
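The fuzzing policy and scheduling on this slide, sketched as an added example (not code from the paper, the slides, or IoTFuzzer itself). It mutates typed fields before the message is built, so every probe stays well-formed; the field names and values are constructed, and `json.dumps` is an assumed stand-in for the app's own message builder, which IoTFuzzer reaches through hooks rather than reimplementing.

```python
import json
import random

# Constructed sample fields; not taken from any real app or device.
SAMPLE_FIELDS = {"deviceId": "dev-0001", "alias": "lamp", "brightness": 50, "on": True}
INT_EDGES = [2**31 - 1, 2**31, 2**63, -2**31 - 1]  # boundary and oversized integers

def mutate_field(value, rng):
    """Apply one of the slide's three policies, chosen by the field's type."""
    if isinstance(value, bool):          # bool is an int subclass, so test it first
        return rng.choice([None, "", str(value)])
    if isinstance(value, str):
        # Policy 1: change the string length (much longer, shorter, or empty).
        return rng.choice([value * 64, value + "A" * 1024, value[:1], ""])
    if isinstance(value, int):
        # Policy 2: large values. Policy 3: changed type or empty value.
        return rng.choice(INT_EDGES + [str(value), None])
    if isinstance(value, float):
        return rng.choice([1e308, -1e308, str(value), None])
    return None                          # Policy 3 for any other object type

def build_probe(fields, targets, rng):
    """Fuzzing scheduling: mutate only the fields in `targets`, then serialize."""
    mutated = {name: (mutate_field(value, rng) if name in targets else value)
               for name, value in fields.items()}
    return mutated, json.dumps(mutated)  # serialization happens after mutation

def make_probes(count, targets, seed=0):
    """Generate `count` reproducible probe messages from the sample fields."""
    rng = random.Random(seed)
    return [build_probe(SAMPLE_FIELDS, targets, rng)[1] for _ in range(count)]
```

Because the mutation happens on the fields rather than on the serialized bytes, the receiver's parser accepts the envelope and the mutated value reaches the field-handling code, which is the part being tested.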
IoTFuzzer: Architecture – Phase 2
• Response monitoring
  • Response Types
    • Expected response
    • Unexpected response
    • No response
    • Disconnection
  • Crash Detection
    • TCP-based connection: disconnection
    • UDP-based connection: insert a heartbeat message after every 10 probe messages
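The UDP heartbeat rule above, as an added example that is not code from the paper or the slides. It runs against a constructed in-process device model (no network traffic) and shows that a heartbeat after every 10 probes only narrows a crash down to a window of 10 probes. The `pinpoint` replay step goes beyond the slide and assumes the device can be restarted between probes; all names here are hypothetical.

```python
HEARTBEAT_EVERY = 10  # from the slide: one heartbeat after every 10 probe messages

class SimulatedUdpDevice:
    """Constructed stand-in for a UDP device: once crashed, it stays silent."""
    def __init__(self, crashing_probe):
        self.crashing_probe = crashing_probe
        self.alive = True

    def send(self, message):
        if message == self.crashing_probe:
            self.alive = False
        return "ok" if self.alive else None   # None models "no response"

def classify(response, expected="ok"):
    """Three of the slide's response types (disconnection is the TCP signal)."""
    if response is None:
        return "no response"
    return "expected" if response == expected else "unexpected"

def fuzz_with_heartbeat(device, probes, heartbeat="ping"):
    """Return (first, last) probe indexes of the window holding the crash, or None."""
    window_start = 0
    for i, probe in enumerate(probes, start=1):
        device.send(probe)                    # over UDP a missing reply proves nothing
        if i % HEARTBEAT_EVERY == 0 or i == len(probes):
            if classify(device.send(heartbeat)) == "no response":
                return (window_start, i - 1)
            window_start = i
    return None

def pinpoint(make_device, probes, window, heartbeat="ping"):
    """Replay the suspect window one probe at a time on a restarted device."""
    for idx in range(window[0], window[1] + 1):
        device = make_device()                # assumption: device can be reset
        device.send(probes[idx])
        if device.send(heartbeat) is None:
            return idx
    return None

# Constructed probe names for the demonstration.
PROBES = ["probe-%d" % n for n in range(35)]
```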
Implementation
• Implemented on 17 off-the-shelf IoT devices (apps are available on Google Play)
Evaluation
• Testing Environment
  • UI Analysis: Ubuntu 14.04, Intel Core i7 quad-core 2.81 GHz CPU, 8 GB RAM
  • Taint Tracking: Google’s Nexus 4
  • Network: Fully controlled local Wi-Fi
• 15 memory corruptions were found, including 8 previously unknown
Evaluation
• Fuzzing accuracy
Conclusion
• IoTFuzzer: Limitations
  • Only supports Wi-Fi connections
  • Can only fuzz app-related code in IoT devices
  • Only detects memory-related corruptions that lead to crashes
Questions?