Log-based light-weight fuzzer for IoT firmware

Abstract

Linux-based IoT devices such as routers and IP cameras, which are directly related to personal privacy, are threatened by large-scale cyber attacks due to their weak security. To analyze the security of numerous IoT devices, most studies emulate the device's firmware and then utilize dynamic analysis techniques such as fuzzing. However, previous researches have two fundamental problems. First, the overhead generated by emulating the entire system of the target device makes analysis inefficient. Second, the fuzzing environment, such as the input format of the program, should be set by the analyst manually. Due to these problems, existing methods were not suitable for large-scale security analysis of embedded devices. In this study, we present FirmZ, a system that performs an efficient large-scale vulnerability analysis by addressing the above problems. FirmZ builds an independent fuzzing environment for each internal program in target firmware. It then extracts the input formats of each program for fuzzing from the program execution logs. Consequently, FirmZ performs a fully automated analysis of the target device. Using a prototype of FirmZ, we analyzed the CGI programs in 16 D-Link firmware images. FirmZ successfully extracted 51.53% of the execution logs of the CGI programs on average and automatically configured a fuzzing environment for each program. By fuzzing each program in the configured environment for two hours, FirmZ discovered an average of 13.4 unique crashes in each firmware image. Further, it presents 11.3 times better performance than the previous approach in terms of the time for identifying the same vulnerability.