# IOTFUZZER: Discovering Memory Corruptions in IoT Through App-based Fuzzing
---
## Abstract
Existing binary-analysis-based approaches only work on firmware.
> Today, vulnerability analysis of IoT device binaries can only start from the firmware (and that approach has quite a few drawbacks).
we present in this paper a novel automatic fuzzing framework,
called IOTFUZZER
> Here the paper proposes a new automatic fuzzing tool, IOTFUZZER, dedicated to finding memory-corruption vulnerabilities.
The key idea is based upon the observation that most
IoT devices are controlled through their official mobile apps
> The idea comes from the observation that most IoT devices are controlled by an official app, and the app itself also carries important information.
by identifying and reusing program-specific logic (e.g., encryption)
to mutate the test case (particularly message fields), we are able to effectively probe IoT targets without relying on any knowledge
about its protocol specifications
> By identifying and reusing program-specific logic (e.g., encryption) to mutate the test cases (in particular the message fields), we can effectively probe IoT targets without relying on any knowledge of their protocol specifications.
---
## Introduction
(Introduces attack incidents and the difficulties of firmware-based analysis)
More than 90 independent IoT attack incidents have been reported from 2014 to 2016,
e.g. the Mirai botnet and Reaper.
An important target of IoT attacks is implementation
flaws within a device’s firmware
Firmware acquisition is difficult because many vendors don't make their firmware
images publicly available.
> Firmware acquisition is hard: many vendors do not publicly release their firmware images.
given the diversity
of compression (even encryption) formats, how to unpack the
obtained firmware is nontrivial as well
> Given the diversity of compression (and even encryption) formats, unpacking the obtained firmware is not easy either.
> Alternatively, the image could be dumped from the board, but that requires an enabled debug port, which many IoT devices may not have because of their simplicity.
Their approach:
A unique property
of IOTFUZZER is that it runs a protocol-guided fuzz and
utilizes the information carried by the IoT app
it performs a dynamic analysis to identify the content inside the
app that forms the messages to be delivered to the target device,
and automatically mutates such content during the runtime
so as to use the app’s program logics to produce meaningful
test cases for probing the target firmware
> It performs a dynamic analysis to identify the content inside the app that forms the messages delivered to the target device, and automatically mutates that content at runtime, so that the app's own program logic produces meaningful test cases for probing the target firmware.
IOTFUZZER is not designed to precisely
locate software flaws [43], [44]. Like other fuzz tests, all it
does is to report the presence of the problem, through a crash
triggered by a test case, which is used to guide the follow-up
security analysis to find out the root cause of the flaw.
In our research,
> IOTFUZZER is not designed to precisely locate software flaws [43], [44]. Like other fuzz tests, it only reports the presence of a problem through a crash triggered by a test case, which then guides the follow-up security analysis to find the root cause of the flaw.
---
## Background
1. Typical IoT Communication Architecture
2. Obstacles in Firmware Analysis
    * Firmware Acquisition
    * Firmware Unpacking
    * Executable Analysis
    > This part first lays out the difficulties of firmware analysis; the authors then conclude that fuzzing directly through the app is also a suitable method.
3. Challenges in IOTFUZZER Design
---
## Detailed design
---
## Vulnerability Detection in IOT Devices
Firmware acquisition: vendors may not make their firmware images publicly available.
Firmware identification and unpacking: unknown architecture, proprietary compression / encryption algorithms.
Executable analysis:
> static analysis: disassembling errors, inaccurate points-to analysis, etc.
> dynamic analysis: disabled debugging port, emulation problems for the extracted program (diverse architectures), etc.
---
## IOT Fuzzer
A firmware-free fuzzing framework that:
> aims at detecting memory corruptions in IoT devices
> utilizes the program logic in the official mobile apps of IoT devices to produce meaningful messages
> fuzzes in a protocol-guided way without explicitly reverse engineering the protocol
---
## Detailed design
UI analysis
The purpose of UI analysis is to facilitate data-flow analysis and fuzzing in the following steps.
Data flow analysis
In order to identify the program elements (e.g., string constants, input from system APIs, etc.) whose values are related to the content of the message to be sent to the IoT device.
> Find the elements (strings, API inputs) whose values end up in the message that is sent.
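As an added example (not code from the paper or from these notes), the following Python toy models the key idea from the abstract and the data-flow step above: the message-forming logic of the app is hooked and the fields are mutated before that logic runs, so test cases still pass the device's integrity check and reach its parser, whereas blind byte flips on the finished message never get that far. The app logic (JSON plus HMAC), the shared key, the seed message and the 16-byte buffer bug in the simulated device are all constructed assumptions.

```python
import hashlib
import hmac
import json
import random

KEY = b"constructed-shared-key"   # hypothetical app/device shared secret
NAME_BUF = 16                     # hypothetical fixed-size buffer in the firmware
SEED_FIELDS = {"cmd": "rename", "name": "lamp"}  # constructed seed message

def app_build_message(fields: dict) -> bytes:
    """Stand-in for the app's message-forming logic: serialize, then authenticate."""
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(KEY, body, hashlib.sha256).digest() + body

def device_handle(msg: bytes) -> str:
    """Simulated firmware handler. Returns 'rejected', 'ok' or 'crash'."""
    tag, body = msg[:32], msg[32:]
    if not hmac.compare_digest(tag, hmac.new(KEY, body, hashlib.sha256).digest()):
        return "rejected"                    # parser code is never reached
    fields = json.loads(body)
    if len(fields["name"].encode()) > NAME_BUF:  # simulated unchecked copy
        return "crash"                       # stands in for a memory corruption
    return "ok"

def mutate_fields(fields: dict, rng: random.Random) -> dict:
    """IoTFuzzer-style mutation: change one field before the app builds the message."""
    out = dict(fields)
    out[rng.choice(list(out))] = "A" * rng.randint(0, 64)
    return out

def mutate_bytes(msg: bytes, rng: random.Random) -> bytes:
    i = rng.randrange(len(msg))  # protocol-unaware: flip one byte of the finished message
    return msg[:i] + bytes([msg[i] ^ rng.randint(1, 255)]) + msg[i + 1:]

def run_campaign(field_level: bool, rounds: int = 200, seed: int = 1) -> dict:
    rng = random.Random(seed)  # fixed seed so the comparison is reproducible
    counts = {"ok": 0, "rejected": 0, "crash": 0}
    for _ in range(rounds):
        if field_level:
            msg = app_build_message(mutate_fields(SEED_FIELDS, rng))
        else:
            msg = mutate_bytes(app_build_message(SEED_FIELDS), rng)
        counts[device_handle(msg)] += 1
    return counts

if __name__ == "__main__":
    print("field-level:", run_campaign(True))   # some crashes, no rejects
    print("byte-level: ", run_campaign(False))  # all rejected, no crashes
```

The byte-level campaign never produces a crash because every flipped message fails the MAC check before parsing; the field-level campaign passes the check every time and so exercises the parser bug.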
---
## debugging port
---
## Architecture of extension
---
###### tags: `thesis`