Discovering Vulnerabilities in COTS IoT Devices through Blackbox Fuzzing Web Management Interface

Authors: Dong Wang, Xiaosong Zhang, Ting Chen, Jingwei Li

DOI: 10.1155/2019/5076324

Abstract: A novel approach for discovering vulnerabilities in commercial off-the-shelf (COTS) IoT devices is proposed in this paper, which will revolutionize the area. Unlike previous work, the web management interface was used to detect vulnerabilities by leveraging fuzzing technology. To validate and evaluate the scheme, a tool named WMIFuzzer was designed and implemented. There were also two challenges: (1) due to the diversity of implementations, there are no existing seed messages, and it is inefficient to launch fuzzing with random messages; (2) because the messages are highly structured, messages produced with byte-level mutation could be rejected by the device at an early stage. To address these challenges, brute-force UI automation is used to drive the interface and generate initial seed messages automatically, and a weighted message parse tree (WMPT) is used to guide mutation toward mostly structure-valid messages. The extensive experimental results show that WMIFuzzer achieves the expected result: 10 vulnerabilities, including 6 zero-days, in 7 COTS IoT devices were discovered.
