A journal of IEEE and CAA , publishes high-quality papers in English on original theoretical/experimental research and development in all areas of automation
Volume 10 Issue 1
Jan.  2023

IEEE/CAA Journal of Automatica Sinica

  • JCR Impact Factor: 15.3, Top 1 (SCI Q1)
    CiteScore: 23.5, Top 2% (Q1)
    Google Scholar h5-index: 77, TOP 5
Turn off MathJax
Article Contents
X. T. Feng, X. G. Zhu, Q.-L. Han, W. Zhou, S. Wen, and Y. Xiang, “Detecting vulnerability on IoT device firmware: A survey,” IEEE/CAA J. Autom. Sinica, vol. 10, no. 1, pp. 25–41, Jan. 2023. doi: 10.1109/JAS.2022.105860
Citation: X. T. Feng, X. G. Zhu, Q.-L. Han, W. Zhou, S. Wen, and Y. Xiang, “Detecting vulnerability on IoT device firmware: A survey,” IEEE/CAA J. Autom. Sinica, vol. 10, no. 1, pp. 25–41, Jan. 2023. doi: 10.1109/JAS.2022.105860

Detecting Vulnerability on IoT Device Firmware: A Survey

doi: 10.1109/JAS.2022.105860
More Information
  • Internet of things (IoT) devices make up 30% of all network-connected endpoints, introducing vulnerabilities and novel attacks that make many companies as primary targets for cybercriminals. To address this increasing threat surface, every organization deploying IoT devices needs to consider security risks to ensure those devices are secure and trusted. Among all the solutions for security risks, firmware security analysis is essential to fix software bugs, patch vulnerabilities, or add new security features to protect users of those vulnerable devices. However, firmware security analysis has never been an easy job due to the diversity of the execution environment and the close source of firmware. These two distinct features complicate the operations to unpack firmware samples for detailed analysis. They also make it difficult to create visual environments to emulate the running of device firmware. Although researchers have developed many novel methods to overcome various challenges in the past decade, critical barriers impede firmware security analysis in practice. Therefore, this survey is motivated to systematically review and analyze the research challenges and their solutions, considering both breadth and depth. Specifically, based on the analysis perspectives, various methods that perform security analysis on IoT devices are introduced and classified into four categories. The challenges in each category are discussed in detail, and potential solutions are proposed subsequently. We then discuss the flaws of these solutions and provide future directions for this research field. This survey can be utilized by a broad range of readers, including software developers, cyber security researchers, and software security engineers, to better understand firmware security analysis.

     

  • loading
  • [1]
    P. Gandhi, S. Khanna, and S. Ramaswamy, “Which industries are the most digital (and why)?” [Online]. Available: https://hbr.org/2016/04/a-chart-that-shows-which-industries-are-the-most-digital-and-why, Accessed on: Apr. 1, 2016.
    [2]
    K. Wiles, “First all-digital nuclear reactor system in the U.S. installed at Purdue University,” [Online]. Available: https://www.purdue.edu/newsroom/releases/2019/Q3/first-all-digital-nuclear-reactor-control-system-in-the-u.s.-installed-at-purdue-university.html, Accessed on: Jul. 8, 2019.
    [3]
    O. Friha, M. A. Ferrag, L. Shu, L. Maglaras, and X. C. Wang, “Internet of things for the future of smart agriculture: A comprehensive survey of emerging technologies,” IEEE/CAA J. Autom. Sinica, vol. 8, no. 4, pp. 718–752, Apr. 2021. doi: 10.1109/JAS.2021.1003925
    [4]
    M. A. Ferrag, L. Shu, and K. K. R. Choo, “Fighting COVID-19 and future pandemics with the internet of things: Security and privacy perspectives,” IEEE/CAA J. Autom. Sinica, vol. 8, no. 9, pp. 1477–1499, Sept. 2021. doi: 10.1109/JAS.2021.1004087
    [5]
    StatInvestor, “Internet of things-number of connected devices worldwide 2015–2025,” [Online]. Available: https://statinvestor.com/ata/33967/iot-number-of-connected-devices-worldwide/. Access on: Feb. 10, 2022.
    [6]
    C. Brook, “Travel routers, NAS devices among easily hacked IoT devices,” [Online]. Available: https://threatpost.com/travel-routers-nas-devices-among-easily-hacked-iot-devices/124877/, Accessed on: Apr. 10, 2017.
    [7]
    R. Ackerman Jr, “Lack of IoT security could undermine growth,” [Online]. Available: https://www.rsaconference.com/library/blog/lack-of-iot-security-could-undermine-growth, Accessed on: Jan. 20, 2021.
    [8]
    Keen Security Lab of Tencent, “Car hacking research: Remote attack tesla motors,” [Online]. Available: https://keenlab.tencent.com/en/2016/09/19/Keen-Security-Lab-of-Tencent-Car-Hacking-Research-Remote-Attack-to-Tesla-Cars/, Accessed on: Sept. 19, 2016.
    [9]
    C. Valasek and C. Miller, “Remote exploitation of an unaltered passenger vehicle,” [Online]. Available: https://ioactive.com/pdfs/IOActive_Remote_Car_Hacking.pdf. Access on: Sept. 11, 2021.
    [10]
    Johnk, “$20M in bounties paid and $100M in sight,” [Online]. Available: https://www.hackerone.com/ethical-hacker/20m-bounties-paid-and-100m-sight, Accessed on: Aug. 30, 2017.
    [11]
    CISO Mag, “Tesla offers US$1 Million and a car as bug bounty reward,” [Online]. Available: https://www.trustedsec.com/news/ciso-mag-tesla-offers-us1-million-and-a-car-as-bug-bounty-reward/, Accessed on: Jan. 13, 2020.
    [12]
    M. Fernando, R. I. Augusto, and M. Jemimah, “Mirai botnet exploit weaponized to attack IoT devices via CVE-2020-5902,” Security Intelligence Blog, Tech. Rep., [Online]. Available: https://www.trendmicro.com/en_us/research/20/g/mirai-botnet-attack-iot-devices-via-cve-2020-5902.html, Accessed on: Jul. 28, 2020.
    [13]
    Paloalto, “2020 unit 42 IoT threat report,” [Online]. Available: https://iotbusinessnews.com/download/white-papers/UNIT42-IoT-Threat-Report.pdf. Access on: Sept. 10, 2021.
    [14]
    J. Zhang, L. Pan, Q.-L. Han, C. Chen, S. Wen, and Y. Xiang, “Deep learning based attack detection for cyber-physical system cybersecurity: A survey,” IEEE/CAA J. Autom. Sinica, vol. 9, no. 3, pp. 377–391, Mar. 2022. doi: 10.1109/JAS.2021.1004261
    [15]
    Y. Miao, C. Chen, L. Pan, Q.-L. Han, J. Zhang, and Y. Xiang, “Machine learning-based cyber attacks targeting on controlled information: A survey,” ACM Comput. Surv., vol. 54, no. 7, p. 139, Sept. 2022.
    [16]
    G. J. Lin, S. Wen, Q.-L. Han, J. Zhang, and Y. Xiang, “Software vulnerability detection using deep neural networks: A survey,” Proc. IEEE, vol. 108, no. 10, pp. 1825–1848, Oct. 2020. doi: 10.1109/JPROC.2020.2993293
    [17]
    J. Y. Qiu, J. Zhang, W. Luo, L. Pan, S. Nepal, and Y. Xiang, “A survey of android malware detection with deep neural models,” ACM Comput. Surv., vol. 53, no. 6, p. 126, Nov. 2020.
    [18]
    N. Sun, J. Zhang, P. Rimba, S. Gao, L. Y. Zhang, and Y. Xiang, “Data-driven cybersecurity incident prediction: A survey,” IEEE Commun. Surv. Tutorials, vol. 21, no. 2, pp. 1744−1772, Dec. 2018.
    [19]
    D. Davidson, B. Moench, S. Jha, and T. Ristenpart, “FIE on firmware: Finding vulnerabilities in embedded systems using symbolic execution,” in Proc. 22nd USENIX Conf. Security, Washington, USA, 2013, pp. 463−478.
    [20]
    Y. David and E. Yahav, “Tracelet-based code search in executables,” in Proc. 35th ACM SIGPLAN Conf. Programming Language Design and Implementation, New York, USA, 2014, pp. 349−360.
    [21]
    Y. Shoshitaishvili, R. Y. Wang, C. Hauser, C. Kruegel, and G. Vigna, “Firmalice-automatic detection of authentication bypass vulnerabilities in binary firmware,” in Proc. 22nd Annu. Network and Distributed System Security Symp., San Diego, USA, 2015.
    [22]
    D. D. Chen, M. Woo, D. Brumley, and M. Egele, “Towards automated dynamic analysis for Linux-based embedded firmware,” in Proc. 23rd Annu. Network and Distributed System Security Symp., San Diego, USA, 2016.
    [23]
    Z. M. Jiang, J. J. Bai, K. J. Lu, and S. M. Hu, “Fuzzing error handling code using context-sensitive software fault injection,” in Proc. 29th USENIX Conf. Security Symp., USENIX Association, 2020, pp. 146.
    [24]
    F. Corno, L. De Russis, and J. Sáenz, “On the challenges novice programmers experience in developing IoT systems: A survey,” J. Syst. Softw., vol. 157, p. 110389, Nov. 2019. doi: 10.1016/j.jss.2019.07.101
    [25]
    A. Makhshari and A. Mesbah, “IoT bugs and development challenges,” in Proc. IEEE/ACM 43rd Int. Conf. Software Engineering, Madrid, Spain, 2021, pp. 460−472.
    [26]
    B. L. R. Stojkoska and K. V. Trivodaliev, “A review of internet of things for smart home: Challenges and solutions,” J. Cleaner Prod., vol. 140, pp. 1454–1464, Jan. 2017. doi: 10.1016/j.jclepro.2016.10.006
    [27]
    F. Corno, L. De Russis, and J. Sáenz, “How is open source software development different in popular IoT projects?” IEEE Access, vol. 8, pp. 28337–28348, Feb. 2020. doi: 10.1109/ACCESS.2020.2972364
    [28]
    M. Muench, J. Stijohann, F. Kargl, A. Francillon, and D. Balzarotti, “What you corrupt is not what you crash: Challenges in fuzzing embedded devices,” in Proc. 25th Annu. Network and Distributed System Security Symp., San Diego, USA, 2018.
    [29]
    O. Alrawi, C. Lever, M. Antonakakis, and F. Monrose, “Sok: Security evaluation of home-based IoT deployments,” in Proc. IEEE Symp. Security and Privacy (SP), San Francisco, USA, 2019, pp. 1362−1380.
    [30]
    C. Wright, W. A. Moeglein, S. Bagchi, M. Kulkarni, and A. A. Clements, “Challenges in firmware re-hosting, emulation, and analysis,” ACM Comput. Surv., vol. 54, no. 1, pp. 5, Jan. 2022.
    [31]
    A. Qasem, P. Shirani, M. Debbabi, L. Y. Wang, B. Lebel, and B. L. Agba, “Automatic vulnerability detection in embedded devices and firmware: Survey and layered taxonomies,” ACM Comput. Surv., vol. 54, no. 2, p. 25, Mar. 2022.
    [32]
    K. Arakadakis, P. Charalampidis, A. Makrogiannakis, and A. Fragkiadakis, “Firmware over-the-air programming techniques for IoT networks-a survey,” ACM Comput. Surv., vol. 54, no. 9, p. 178, Dec. 2022.
    [33]
    A. A. Clements, E. Gustafson, T. Scharnowski, P. Grosen, D. Fritz, C. Kruegel, G. Vigna, S. Bagchi, and M. Payer, “HALucinator: Firmware re-hosting through abstraction layer emulation,” in Proc. 29th USENIX Conf. Security Symp., USENIX Association, 2020, pp. 68.
    [34]
    B. Feng, A. Mera, and L. Lu, “P2IM: Scalable and hardware-independent firmware testing via automatic peripheral interface modeling,” in Proc. 29th USENIX Conf. Security Symp., USENIX Association, 2020, pp. 70.
    [35]
    X. G. Zhu, X. T. Feng, X. Z. Meng, S. Wen, S. Camtepe, Y. Xiang, and K. Ren, “CSI-Fuzz: Full-speed edge tracing using coverage sensitive instrumentation,” IEEE Trans. Dependable Secure Comput., vol. 19, no. 2, pp. 912–923, Mar.–Apr. 2022.
    [36]
    X. G. Zhu and M. Böhme, “Regression Greybox fuzzing,” in Proc. ACM SIGSAC Conf. Computer and Communications Security, New York, USA, 2021, pp. 2169−2182.
    [37]
    X. G. Zhu, S. Wen, S. Camtepe, and Y. Xiang, “Fuzzing: A survey for roadmap,” ACM Comput. Surv., to be published. DOI: 10.1145/3512345.
    [38]
    K. P. Zhang, X. Xiao, X. G. Zhu, R. X. Sun, M. H. Xue, and S. Wen, “Path transitions tell more: Optimizing fuzzing schedules via runtime program states,” in Proc. 44th Int. Conf. Software Engineering, Pittsburgh, PA, USA: IEEE, May 2022, pp. 1658−1668.
    [39]
    X. G. Zhu, X. T. Feng, T. Y. Jiao, S. Wen, Y. Xiang, S. Camtepe, and J. L. Xue, “A feature-oriented corpus for understanding, evaluating and improving fuzz testing,” in Proc. ACM Asia Conf. Computer and Communications Security, Auckland, New Zealand, May 2019, pp. 658−663.
    [40]
    V. J. M. Manès, H. S. Han, C. Han, S. K. Cha, M. Egele, E. J. Schwartz, and M. Woo, “The art, science, and engineering of fuzzing: A survey,” IEEE Trans. Softw. Eng., vol. 47, no. 11, pp. 2312–2331, Nov. 2021. doi: 10.1109/TSE.2019.2946563
    [41]
    S. Rawat, V. Jain, A. Kumar, L. Cojocar, C. Giuffrida, and H. Bos, “Vuzzer: Application-aware evolutionary fuzzing,” in Proc. 24th Annu. Network and Distributed System Security Symp., San Diego, USA, 2017.
    [42]
    G. Klees, A. Ruef, B. Cooper, S. Y. Wei, and M. Hicks, “Evaluating fuzz testing,” in Proc. ACM SIGSAC Conf. Computer and Communications Security, Toronto, Canada, 2018, pp. 2123−2138.
    [43]
    lcamtuf, “American fuzzy lop,” [Online]. Available: https://lcamtuf.coredump.cx/afl/.
    [44]
    C. Miller, “Fuzz by number – more data about fuzzing than you ever wanted to know,” [Online]. Available: https://www.ise.io/wp-content/uploads/2019/11/cmiller_cansecwest2008.pdf, Accessed on: Mar. 28, 2008.
    [45]
    C. Cadar, D. Dunbar, and D. Engler, “KLEE: Unassisted and automatic generation of high-coverage tests for complex systems programs,” in Proc. 8th USENIX Conf. Operating Systems Design and Implementation, San Diego, California, USA, 2008, pp. 209−224.
    [46]
    V. Chipounov, V. Kuznetsov, and G. Candea, “S2E: A platform for in-vivo multi-path analysis of software systems,” in Proc. 16th Int. Conf. Architectural Support for Programming Languages and Operating Systems, Newport Beach, USA, 2011, pp. 265−278.
    [47]
    F. Bellard, “QEMU, a fast and portable dynamic translator,” in Proc. USENIX Annu. Technical Conf., Anaheim, USA, 2005, pp. 41.
    [48]
    J. Feist, L. Mounier, and M. L. Potet, “Statically detecting use after free on binary code,” J. Comput. Virol. Hack. Techn., vol. 10, no. 3, pp. 211–217, 2014. doi: 10.1007/s11416-014-0203-1
    [49]
    J. J. Bai, Y. P. Wang, J. Yin, and S. M. Hu, “Testing error handling code in device drivers using characteristic fault injection,” in Proc. USENIX Annu. Technical Conf., Denver, USA, 2016, pp. 635−647.
    [50]
    P. Y. Liu, S. L. Ji, X. H. Zhang, Q. M. Dai, K. J. Lu, L. R. Fu, W. Z. Chen, P. Cheng, W. H. Wang, and R. Beyah, “IFIZZ: Deep-state and efficient fault-scenario generation to test IoT firmware,” in Proc. 36th IEEE/ACM Int. Conf. Automated Software Engineering, Melbourne, Australia, 2021, pp. 805−816.
    [51]
    A. Ruef and A. Dinaburg, “Static translation of x86 instruction semantics to LLVM with McSema,” [Online]. Available: https://infocondb.org/con/recon/recon-2014/static-translation-of-x86-instruction-semantics-to-llvm-with-mcsema. 2014.
    [52]
    Hex-Ray, “A powerful disassembler and a versatile debugger,” [Online]. Available: https://hex-rays.com/ida-pro/. Access on: Apr. 4, 2022.
    [53]
    OllyDbg, “OllyDbg is a 32-bit assembler level analysing debugger for Microsoft® Windows®,” [Online]. Available: https://www.ollydbg.de/. Access on: Jun. 20, 2022.
    [54]
    G. Hernandez, F. Fowze, D. Tian, T. Yavuz, and K. R. B. Butler, “FirmUSB: Vetting USB device firmware using domain informed symbolic execution,” in Proc. ACM SIGSAC Conf. Computer and Communications Security, Dallas, USA, 2017, pp. 2245–2262.
    [55]
    “lifting-bits/remill” [Online]. Available: https://github.com/lifting-bits/remill. 2018.
    [56]
    Angr, “Angr,” [Online]. Available: http://angr.io/. 2018.
    [57]
    M. J. Renzelmann, A. Kadav, and M. M. Swift, “SymDrive: Testing drivers without devices,” in Proc. 10th USENIX Symp. Operating Systems Design and Implementation, Hollywood, USA, 2012, pp. 279–292.
    [58]
    M. Kammerstetter, C. Platzer, and W. Kastner, “Prospect: Peripheral proxying supported embedded code testing,” in Proc. 9th ACM Symp. Information, Computer and Communications Security, Kyoto, Japan, 2014, pp. 329–340.
    [59]
    J. Zaddach, L. Bruno, A. Francillon, and D. Balzarotti, “Avatar: A framework to support dynamic security analysis of embedded systems’ firmwares,” in Proc. 21st Annu. Network and Distributed System Security Symp., San Diego, USA, 2014.
    [60]
    K. Koscher, T. Kohno, and D. Molnar, “SURROGATES: Enabling near-real-time dynamic analyses of embedded systems,” in Proc. 9th USENIX Conf. Offensive Technologies, Washington, USA, 2015, pp. 7.
    [61]
    A. Costin, A. Zarras, and A. Francillon, “Automated dynamic firmware analysis at scale: A case study on embedded web interfaces,” in Proc. 11th ACM Asia Conf. Computer and Communications Security, Xi’an, China, 2016, pp. 437–448.
    [62]
    M. Muench, D. Nisi, A. Francillon, and D. Balzarotti, “Avatar2: A multi-target orchestration platform,” in Proc. Workshop Binary Analysis Research, San Diego, USA, 2018.
    [63]
    E. Gustafson, M. Muench, C. Spensky, N. Redini, A. Machiry, Y. Fratantonio, D. Balzarotti, A. Francillon, Y. R. Choe, C. Kruegel, and G. Vigna, “Toward the analysis of embedded firmware through automated re-hosting,” in Proc. 22nd Int. Symp. Research in Attacks, Intrusions and Defenses, Beijing, China, 2019, pp. 135–150.
    [64]
    P. Srivastava, H. Peng, J. Li, H. Okhravi, H. Shrobe, and M. Payer, “FirmFuzz: Automated IoT firmware introspection and analysis,” in Proc. 2nd Int. ACM Workshop Security and Privacy for the Internet-of-Things, London, UK, 2019, pp. 15–21.
    [65]
    Y. W. Zheng, A. Davanian, H. Yin, C. Y. Song, H. S. Zhu, and L. M. Sun, “FIRM-AFL: High-throughput greybox fuzzing of IoT firmware via augmented process emulation,” in Proc. 28th USENIX Conf. Security Symp., Santa Clara, USA, 2019, pp. 1099–1114.
    [66]
    D. Song, F. Hetzelt, D. Das, C. Spensky, Y. Na, S. Volckaert, G. Vigna, C. Kruegel, J. P. Seifert, and M. Franz, “PeriScope: An effective probing and fuzzing framework for the hardware-OS boundary,” in Proc. 26th Annu. Network and Distributed System Security Symp., San Diego, USA, 2019.
    [67]
    C. Cao, L. Guan, J. Ming, and P. Liu, “Device-agnostic firmware execution is possible: A concolic execution approach for peripheral emulation,” in Proc. Annu. Computer Security Applications Conf., Austin, USA, 2020, pp. 746–759.
    [68]
    M. Kim, D. Kim, E. Kim, S. Kim, Y. Jang, and Y. Kim, “FirmAE: Towards large-scale emulation of IoT firmware for dynamic analysis,” in Proc. Annu. Computer Security Applications Conf., Austin, USA, 2020, pp. 733–745.
    [69]
    E. Johnson, M. Bland, Y. F. Zhu, J. Mason, S. Checkoway, S. Savage, and K. Levchenko, “Jetset: Targeted firmware rehosting for embedded systems,” in Proc. 30th USENIX Security Symp., USENIX Association, 2021, pp. 321–338.
    [70]
    M. H. Jiang, L. Ma, Y. J. Zhou, Q. Liu, C. Zhang, Z. Wang, X. P. Luo, L. Wu, and K. Ren, “ECMO: Peripheral transplantation to Rehost embedded Linux kernels,” in Proc. New York, USA, ACM SIGSAC Conf. Computer and Communications Security, New York, USA, 2021, pp. 734–748.
    [71]
    A. Mera, B. Feng, L. Lu, and E. Kirda, “DICE: Automatic emulation of DMA input channels for dynamic firmware analysis,” in Proc. New York, USA, IEEE Symp. Security and Privacy, San Francisco, USA, 2021, pp. 1938–1954.
    [72]
    W. Zhou, L. Guan, P. Liu, and Y. Q. Zhang, “Automatic firmware emulation through invalidity-guided knowledge inference,” in Proc. 30th USENIX Security Symp., USENIX Association, 2021, pp. 2007–2024.
    [73]
    S. Eschweiler, K. Yakdan, and E. Gerhards-Padilla, “DiscovRE: Efficient cross-architecture identification of bugs in binary code,” in Proc. 23rd Annu. Network and Distributed System Security Symp., San Diego, USA, 2016.
    [74]
    Q. Feng, R. D. Zhou, C. C. Xu, Y. Cheng, B. Testa, and H. Yin, “Scalable graph-based bug search for firmware images,” in Proc. ACM SIGSAC Conf. Computer and Communications Security, Vienna, Austria, 2016, pp. 480–491.
    [75]
    X. J. Xu, C. Liu, Q. Feng, H. Yin, L. Song, and D. Song, “Neural network-based graph embedding for cross-platform binary code similarity detection,” in Proc. ACM SIGSAC Conf. Computer and Communications Security, Dallas, USA, 2017, pp. 363–376.
    [76]
    J. Gao, X. Yang, Y. Fu, Y. Jiang, and J. G. Sun, “VulSeeker: A semantic learning based vulnerability seeker for cross-platform binary,” in Proc. 33rd IEEE/ACM Int. Conf. Automated Software Engineering, Montpellier, France, 2018, pp. 896–899.
    [77]
    Y. David, N. Partush, and E. Yahav, “FirmUp: Precise static detection of common vulnerabilities in firmware,” ACM SIGPLAN Notices, vol. 53, no. 2, pp. 392–404, Feb. 2018. doi: 10.1145/3296957.3177157
    [78]
    N. Redini, A. Machiry, R. Y. Wang, C. Spensky, A. Continella, Y. Shoshitaishvili, C. Kruegel, and G. Vigna, “Karonte: Detecting insecure multi-binary interactions in embedded firmware,” in Proc. IEEE Symp. Security and Privacy, San Francisco, USA, 2020, pp. 1544–1561.
    [79]
    L. R. Fu, S. L. Ji, K. J. Lu, P. Y. Liu, X. H. Zhang, Y. X. Duan, Z. H. Zhang, W. Z. Chen, and Y. J. Wu, “CPscan: Detecting bugs caused by code pruning in IoT kernels,” in Proc. ACM SIGSAC Conf. Computer and Communications Security, New York, USA, 2021, pp. 794–810.
    [80]
    L. B. Chen, Y. B. Wang, Q. P. Cai, Y. F. Zhan, H. Hu, J. Q. Linghu, Q. S. Hou, C. Zhang, H. Duan, and Z. Xue, “Sharing more and checking less: Leveraging common input keywords to detect bugs in embedded systems,” in Proc. 30th USENIX Security Symp., USENIX Association, 2021, pp. 303–319.
    [81]
    T. Kim, V. Kumar, J. Rhee, J. Z. Chen, K. Kim, C. H. Kim, D. Y. Xu, and D. Tian, “PASAN: Detecting peripheral access concurrency bugs within bare-metal embedded applications,” in Proc. 30th USENIX Security Symp., USENIX Association, 2021, pp. 249–266.
    [82]
    Z. Q. Wang, Y. Q. Zhang, and Q. X. Liu, “RPFuzzer: A framework for discovering router protocols vulnerabilities based on fuzzing,” KSII Trans. Internet Inf. Syst., vol. 7, no. 8, pp. 1989–2009, Aug. 2013. doi: 10.3837/tiis.2013.08.014
    [83]
    J. Pereyda, “Boofuzz: Network protocol fuzzing for humans,” [Online]. Available: https://boofuzz.readthedocs.io/en/stable/. Access on: Oct. 17, 2019.
    [84]
    J. Y. Chen, W. R. Diao, Q. C. Zhao, C. S. Zuo, Z. Q. Lin, X. F. Wang, W. C. Lau, M. H. Sun, R. H. Yang, and K. H. Zhang, “IoTFuzzer: Discovering memory corruptions in IoT through app-based fuzzing,” in Proc. 25th Annu. Network and Distributed System Security Symp., San Diego, USA, 2018.
    [85]
    Y. Zhang, W. Huo, K. P. Jian, J. Shi, H. L. Lu, L. Q. Liu, C. Wang, D. D. Sun, C. Zhang, and B. X. Liu, “SRFuzzer: An automatic fuzzing framework for physical SOHO router devices to discover multi-type vulnerabilities,” in Proc. 35th Annu. Computer Security Applications Conf., San Juan, USA, 2019, pp. 544–556.
    [86]
    N. Redini, A. Continella, D. Das, G. De Pasquale, N. Spahn, A. Machiry, A. Bianchi, C. Kruegel, and G. Vigna, “Diane: Identifying fuzzing triggers in apps to generate under-constrained inputs for IoT devices,” in Proc. IEEE Symp. Security and Privacy, San Francisco, USA, 2021, pp. 484–500.
    [87]
    X. T. Feng, R. X. Sun, X. G. Zhu, M. H. Xue, S. Wen, D. X. Liu, S. Nepal, and Y. Xiang, “Snipuzz: Black-box fuzzing of IoT firmware via message snippet inference,” in Proc. ACM SIGSAC Conf. Computer and Communications Security, New York, USA, 2021, pp. 337–350.
    [88]
    Y. Zhang, W. Huo, K. Jian, J. Shi, L. Q. Liu, Y. Y. Zou, C. Zhang, and B. X. Liu, “ESRFuzzer: An enhanced fuzzing framework for physical SOHO router devices to discover multi-type vulnerabilities,” Cybersecurity, vol. 4, no. 1, p. 24, 2021. doi: 10.1186/s42400-021-00091-9
    [89]
    T. Kamiya, S. Kusumoto, and K. Inoue, “CCfinder: A multilinguistic token-based code clone detection system for large scale source code,” IEEE Trans. Softw. Eng., vol. 28, no. 7, pp. 654–670, Jul. 2002. doi: 10.1109/TSE.2002.1019480
    [90]
    Z. Li, S. Lu, S. Myagmar, and Y. Zhou, “CP-miner: Finding copy-paste and related bugs in large-scale software code,” IEEE Trans. Softw. Eng., vol. 32, no. 3, pp. 176–192, Mar. 2006. doi: 10.1109/TSE.2006.28
    [91]
    L. X. Jiang, G. Misherghi, Z. D. Su, and S. Glondu, “DECKARD: Scalable and accurate tree-based detection of code clones,” in Proc. 29th Int. Conf. Software Engineering, Minneapolis, USA, 2007, pp. 96–105.
    [92]
    Evozi Team, “Droidsniff,” [Online]. Available: https://github.com/evozi/DroidSniff. Access on: Feb. 6, 2022.
    [93]
    Riccardo Ghetta and Juan Toledo, “EtherApe,” [Online]. Available: https://etherape.sourceforge.io/. Access on: Jun. 13, 2022.
    [94]
    NETRESEC AB, “NetworkMiner,” [Online]. Available: https://www.netresec.com/?page=NetworkMiner. Access on: Feb. 8, 2022.
    [95]
    S. Shah, “ARM-X firmware emulation framework,” [Online]. Available: https://firmwaresecurity.com/2019/10/23/arm-x-firmware-emulation-framework/, Accessed on: Oct. 23, 2019.
    [96]
    K. Cong, L. Lei, Z. K. Yang, and F. Xie, “Automatic fault injection for driver robustness testing,” in Proc. Int. Symp. Software Testing and Analysis, Baltimore, USA, 2015, pp. 361–372.
    [97]
    V. Kuznetsov, V. Chipounov, and G. Candea, “Testing closed-source binary device drivers with DDT,” in Proc. USENIX Conf. Annu. Technical Conf., Boston, USA, 2010, pp. 12.
    [98]
    M. Böhme, V. T. Pham, and A. Roychoudhury, “Coverage-based greybox fuzzing as Markov Chain,” IEEE Trans. Softw. Eng., vol. 45, no. 5, pp. 489–506, May 2019. doi: 10.1109/TSE.2017.2785841
    [99]
    C. Lemieux and K. Sen, “FairFuzz: A targeted mutation strategy for increasing Greybox fuzz testing coverage,” in Proc. 33rd IEEE/ACM Int. Conf. Automated Software Engineering, Montpellier, France, 2018, pp. 475–485.
    [100]
    N. Artenstein, “Broadpwn: Remotely compromising Android and iOS via a bug in Broadcom’s Wi-Fi chipsets,” [Online]. Available: https://www.blackhat.com/us-17/briefings/schedule/#broadpwn-remotely-compromising-android-and-ios-via-a-bug-in-broadcoms-wi-fi-chipsets-7603, Access on: Oct. 20, 2019.
    [101]
    F. Yamaguchi, A. Maier, H. Gascon, and K. Rieck, “Automatic inference of search patterns for taint-style vulnerabilities,” in Proc. IEEE Symp. Security and Privacy, San Jose, USA, 2015, pp. 797–812.
    [102]
    P. Shirani, L. Collard, B. L. Agba, B. Lebel, M. Debbabi, L. Y. Wang, and A. Hanna, “BINARM: Scalable and efficient detection of vulnerabilities in firmware images of intelligent electronic devices,” in Proc. 15th Int. Conf. Detection of Intrusions and Malware, and Vulnerability Assessment, Saclay, France, 2018, pp. 114–138.
    [103]
    J. Pewny, B. Garmany, R. Gawlik, C. Rossow, and T. Holz, “Cross-architecture bug search in binary executables,” in Proc. IEEE Symp. Security and Privacy, San Jose, USA, 2015, pp. 709–724.
    [104]
    J. Bromley, J. W. Bentz, L. Bottou, I. Guyon, Y. Lecun, C. Moore, E. Säckinger, and R. Shah, “Signature verification using a “Siamese” time delay neural network,” Int. J. Pattern Recognit. Artif. Intell., vol. 7, no. 4, pp. 669–688, Aug. 1993. doi: 10.1142/S0218001493000339
    [105]
    T. L. Wang, T. Wei, Z. Q. Lin, and W. Zou, “IntScope: Automatically detecting integer overflow vulnerability in X86 binary using symbolic execution,” in Proc. Network and Distributed System Security Symp., San Diego, USA, 2009.
    [106]
    P. Chen, Y. Wang, Z. Xin, B. Mao, and L. Xie, “BRICK: A binary tool for run-time detecting and locating integer-based vulnerability,” in Proc. 4th Int. Conf. Availability, Reliability and Security, Fukuoka, Japan, 2009, pp. 208–215.
    [107]
    M. Neugschwandtner, P. Milani Comparetti, I. Haller, and H. Bos, “The BORG: Nanoprobing binaries for buffer overreads,” in Proc. 5th ACM Conf. Data and Application Security and Privacy, San Antonio, USA, 2015, pp. 87–97.
    [108]
    S. Harit, “Breaking bad: Stealing patient data through medical devices,” 2017. [Online]. Available: https://www.blackhat.com/eu-17/briefings/schedule/#breaking-bad-stealing-patient-data-through-medical-devices-8578, Accessed on: Dec. 6, 2017.
    [109]
    M. R. Yan, J. H. Li, and G. Harpak, “Security research on Mercedes-Benz: From hardware to car control,” Aug. 2020. [Online]. Available: https://i.blackhat.com/USA-20/Thursday/us-20-Yan-Security-Research-On-Mercedes-Benz-From-Hardware-To-Car-Control.pdf. Access on: Oct. 20, 2019.
    [110]
    A. Cui, M. Costello, and S. J. Stolfo, “When firmware modifications attack: A case study of embedded exploitation,” in Proc. 20th Annu. Network and Distributed System Security Symp., San Diego, USA, 2013.
    [111]
    V. Kovah, “Finding new Bluetooth low energy exploits via reverse engineering multiple vendors’ firmwares,” [Online]. Available: https://i.blackhat.com/USA-20/Wednesday/us-20-Kovah-Finding-New-Bluetooth-Low-Energy-Exploits-Via-Reverse-Engineering-Multiple-Vendors-Firmwares.pdf. Access on: Feb. 3, 2022.
    [112]
    Smartthing developer. “Build connected IoT experiences for millions of SmartThings users,” [Online]. Available: https://smartthings.developer.samsung.com/. Access on: Sept. 10, 2021.
    [113]
    Philips developer. “The latest from Philips Hue,” [Online]. Available: https://www.philips-hue.com/en-us. Access on: Sept. 10, 2021.
    [114]
    N. Stephens, J. Grosen, C. Salls, A. Dutcher, R. Y. Wang, J. Corbetta, Y. Shoshitaishvili, C. Kruegel, and G. Vigna, “Driller: Augmenting fuzzing through selective symbolic execution,” in Proc. 23rd Annu. Network and Distributed System Security Symp., San Diego, USA, 2016.
    [115]
    M. Böhme, V. T. Pham, M. D. Nguyen, and A. Roychoudhury, “Directed Greybox fuzzing,” in Proc. ACM SIGSAC Conf. Computer and Communications Security, Dallas, USA, 2017, pp. 2329–2344.
    [116]
    H. X. Chen, Y. X. Xue, Y. K. Li, B. H. Chen, X. F. Xie, X. H. Wu, and Y. Liu, “Hawkeye: Towards a desired directed grey-box fuzzer,” in Proc. ACM SIGSAC Conf. Computer and Communications Security, Toronto, Canada, 2018, pp. 2095–2108.

Catalog

    通讯作者: 陈斌, bchen63@163.com
    • 1. 

      沈阳化工大学材料科学与工程学院 沈阳 110142

    1. 本站搜索
    2. 百度学术搜索
    3. 万方数据库搜索
    4. CNKI搜索

    Figures(2)  / Tables(1)

    Article Metrics

    Article views (3191) PDF downloads(643) Cited by()

    Highlights

    • We collect different techniques which are commonly used in existing vulnerability detection of IoT firmware
    • We propose a taxonomy which classifies vulnerability detection of IoT firmware into different categories by test perspectives. Moreover, we list challenges and corresponding solutions of different vulnerability detection categories
    • We discuss the limitations of existing vulnerability detections and the future directions for readers to follow

    /

    DownLoad:  Full-Size Img  PowerPoint
    Return
    Return