Yu Zhang,Wei Huo,Kunpeng Jian,Ji Shi,Longquan Liu,Yanyan Zou,Chao Zhang,Baoxu Liu

DOI: https://doi.org/10.1186/s42400-021-00091-9

2021-07-19

Abstract:Abstract SOHO (small office/home office) routers provide services for end devices to connect to the Internet, playing an important role in cyberspace. Unfortunately, security vulnerabilities pervasively exist in these routers, especially in the web server modules, greatly endangering end users. To discover these vulnerabilities, fuzzing web server modules of SOHO routers is the most popular solution. However, its effectiveness is limited due to the lack of input specification, lack of routers’ internal running states, and lack of testing environment recovery mechanisms. Moreover, existing works for device fuzzing are more likely to detect memory corruption vulnerabilities.In this paper, we propose a solution ESRFuzzer to address these issues. It is a fully automated fuzzing framework for testing physical SOHO devices. It continuously and effectively generates test cases by leveraging two input semantic models, i.e., KEY-VALUE data model and CONF-READ communication model, and automatically recovers the testing environment with power management. It also coordinates diversified mutation rules with multiple monitoring mechanisms to trigger multi-type vulnerabilities. With the guidance of the two semantic models, ESRFuzzer can work in two ways: general mode fuzzing and D-CONF mode fuzzing. General mode fuzzing can discover both issues which occur in the CONF and READ operation, while D-CONF mode fuzzing focus on the READ-op issues especially missed by general mode fuzzing.We ran ESRFuzzer on 10 popular routers across five vendors. In total, it discovered 136 unique issues, 120 of which have been confirmed as 0-day vulnerabilities we found. As an improvement of SRFuzzer, ESRFuzzer have discovered 35 previous undiscovered READ-op issues that belong to three vulnerability types, and 23 of them have been confirmed as 0-day vulnerabilities by vendors. The experimental results show that ESRFuzzer outperforms state-of-the-art solutions in terms of types and number of vulnerabilities found.

computer science, information systems, interdisciplinary applications, software engineering

Longjuan Wang,Chunjie Cao,Jun Ye,Wenjie Zhong

DOI: https://doi.org/10.1155/2022/5311295

2022-04-25

Wireless Communications and Mobile Computing

Abstract:As the main routing device of the network, most routers can be set up and managed through their web enabled admin portal. This paper proposes a new method for router admin portal vulnerability mining fuzzing test (RW-fuzzer: Router Web fuzzer). The mutation samples that generated by Boofuzz are used to construct the test sample set for fuzzy testing. The constructed mutation test cases are more suitable for the attack load or critical value of the router’s Web interface. They can cause unexpected errors for the devices more easily, which achieves the goal of discover potential vulnerabilities, and the practicality is excellent. Based on the proposed RW-fuzzer method, this work conducted fuzzing tests on 4 widely sold router models from manufacturers. Four nday vulnerabilities and one 0day vulnerability have been found. Experiment results show that the proposed RW-fuzzer method is effective.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yixuan Cheng,Wenqing Fan,Wei Huang,Jingyu Yang,Gaoqing Yu,Wen Liu

DOI: https://doi.org/10.1186/s42400-023-00186-5

2023-11-08

Abstract:The popularity of small office and home office routers has brought convenience, but it also caused many security issues due to vulnerabilities. Black-box fuzzing through network protocols to discover vulnerabilities becomes a viable option. The main drawbacks of state-of-the-art black-box fuzzers can be summarized as follows. First, the feedback process neglects to discover the missing fields in the raw message. Secondly, the guidance of the raw message content in the mutation process is aimless. Finally, the randomized validity of the test case structure can cause most fuzzing tests to end up with an invalid response of the tested device. To address these challenges, we propose a novel black-box fuzzing framework called MSLFuzzer. MSLFuzzer infers the raw message structure according to the response from a tested device and generates a message segment list. Furthermore, MSLFuzzer performs semantic, sequence, and stability analyses on each message segment to enhance the complementation of missing fields in the raw message and guide the mutation process. We construct a dataset of 35 real-world vulnerabilities and evaluate MSLFuzzer. The evaluation results show that MSLFuzzer can find more vulnerabilities and elicit more types of responses from fuzzing targets. Additionally, MSLFuzzer successfully discovered 10 previously unknown vulnerabilities.

Gaoning Pan,Tianxiang Luo,Yiming Tao,Xiao Lei,Shuangxi Chen,Hui Liu,Chunming Wu

DOI: https://doi.org/10.1109/PST58708.2023.10319984

2023-01-01

Abstract:With the popularity of computers and mobile devices and the development of the Internet, browsers (applications used to retrieve and display information resources on the World Wide Web) are often included by default and have become an indispensable software. Therefore, research on browser security issues is essential for protecting information assets. Among many browsers in the industry, Chrome, as a cross-platform web browser developed by Google, occupies a large market share in desktop browsers, and its security risks are further amplified as its kernel is used by many other browsers. Therefore, the research on the security issues of Chrome browser is critical for browser security. This paper focuses on the vulnerability detection of the process communication interface in Chrome browser, and designs and implements a fuzzing framework, auto-mojo-fuzz (AMF). The fuzzing process mainly designs a sample optimization technique to ensure the effectiveness of input samples and improve the efficiency of fuzzing. After implementing the AMF solution, we evaluate the generated test samples to demonstrate the effectiveness of the sample optimization technique. We also prove the possibility of discovering more vulnerabilities with AMF, and tests it with the latest version of Chrome browser, finding five unique crashes, four of which are verified as security vulnerabilities, effectively proving the automatic and efficient ability of this framework to discover vulnerabilities in the process communication interfaces in browsers.

Libo Chen,Quanpu Cai,Zhenbang Ma,Yanhao Wang,Hong Hu,Minghang Shen,Yue Liu,Shanqing Guo,Haixin Duan,Kaida Jiang,Zhi Xue

DOI: https://doi.org/10.1145/3548606.3559367

2022-01-01

Abstract:ABSTRACTReal-Time Operating System (RTOS) has become the main category of embedded systems. It is widely used to support tasks requiring real-time response such as printers and switches. The security of RTOS has been long overlooked as it was running in special environments isolated from attackers. However, with the rapid development of IoT devices, tremendous RTOS devices are connected to the public network. Due to the lack of security mechanisms, these devices are extremely vulnerable to a wide spectrum of attacks. Even worse, the monolithic design of RTOS combines various tasks and services into a single binary, which hinders the current program testing and analysis techniques working on RTOS. In this paper, we propose SFuzz, a novel slice-based fuzzer, to detect security vulnerabilities in RTOS. Our insight is that RTOS usually divides a complicated binary into many separated but single-minded tasks. Each task accomplishes a particular event in a deterministic way and its control flow is usually straightforward and independent. Therefore, we identify such code from the monolithic RTOS binary and synthesize a slice for effective testing. Specifically, SFuzz first identifies functions that handle user input, constructs call graphs that start from callers of these functions, and leverages forward slicing to build the execution tree based on the call graphs and pruning the paths independent of external inputs. Then, it detects and handles roadblocks within the coarse-grain scope that hinder effective fuzzing, such as instructions unrelated to the user input. And then, it conducts coverage-guided fuzzing on these code snippets. Finally, SFuzz leverages forward and backward slicing to track and verify each path constraint and determine whether a bug discovered in the fuzzer is a real vulnerability. SFuzz successfully discovered 77 zero-day bugs on 35 RTOS samples, and 67 of them have been assigned CVE or CNVD IDs. Our empirical evaluation shows that SFuzz outperforms the state-of-the-art tools (e.g., UnicornAFL) on testing RTOS.

Jinyan Xu,Yiyuan Liu,Sirui He,Haoran Lin,Yajin Zhou,Cong Wang

DOI: https://doi.org/10.5281/zenodo.8024468

2023-01-01

Abstract:Modern processors are too complex to be bug free. Recently, a few hardware fuzzing techniques have shown promising results in verifying processor designs. However, due to the complexity of processors, they suffer from complex input grammar, deceptive mutation guidance, and model implementation differences. Therefore, how to effectively and efficiently verify processors is still an open problem. This paper proposes MorFuzz, a novel processor fuzzer that can efficiently discover software triggerable hardware bugs. The core idea behind MorFuzz is to use runtime information to generate instruction streams with valid formats and meaningful semantics. MorFuzz designs a new input structure to provide multi-level runtime mutation primitives and proposes the instruction morphing technique to mutate instruction dynamically. Besides, we also extend the co-simulation framework to various microarchitectures and develop the state synchronization technique to eliminate implementation differences. We evaluate MorFuzz on three popular open-source RISC-V processors: CVA6, Rocket, BOOM, and discover 17 new bugs (with 13 CVEs assigned). Our evaluation shows MorFuzz achieves 4.4x and 1.6x more state coverage than the state-of-the-art fuzzer, DifuzzRTL, and the famous constrained instruction generator, riscv-dv.

Dong Wang,Xiaosong Zhang,Ting Chen,Jingwei Li

DOI: https://doi.org/10.1155/2019/5076324

IF: 1.968

2019-01-01

Security and Communication Networks

Abstract:A novel approach for discovering vulnerability in commercial off-the-shelf (COTS) IoT devices is proposed in this paper, which will revolutionize the area. Unlike previous work, the web management interface in IoT was used to detect vulnerabilities by leveraging fuzzing technology. To validate and evaluate this scheme, a tool named WMIFuzzer was designed and implemented. There were also two challenges: (1) due to the diversity of web interface implementations, there were no existing seed messages for fuzzing this interface and it was inefficient while taking random messages to launch the fuzzing and (2) because of the highly structured seed message, fuzzing with byte-level mutation could conduce to be rejected by the device at an early stage. To address these challenges, a brute-force UI automation was designed to drive the web interface to generate initial seed messages automatically, as well as a weighted message parse tree (WMPT) was proposed to guide the mutation to generate mostly structure-valid messages. The extensive experimental results show that WMIFuzzer could achieve expected result while 10 vulnerabilities including 6 zero-days in 7 COTS IoT devices were discovered.

Chen Chen,Rahul Kande,Nathan Nguyen,Flemming Andersen,Aakash Tyagi,Ahmad-Reza Sadeghi,Jeyavijayan Rajendran

2023-06-25

Abstract:Recent research has shown that hardware fuzzers can effectively detect security vulnerabilities in modern processors. However, existing hardware fuzzers do not fuzz well the hard-to-reach design spaces. Consequently, these fuzzers cannot effectively fuzz security-critical control- and data-flow logic in the processors, hence missing security vulnerabilities. To tackle this challenge, we present HyPFuzz, a hybrid fuzzer that leverages formal verification tools to help fuzz the hard-to-reach part of the processors. To increase the effectiveness of HyPFuzz, we perform optimizations in time and space. First, we develop a scheduling strategy to prevent under- or over-utilization of the capabilities of formal tools and fuzzers. Second, we develop heuristic strategies to select points in the design space for the formal tool to target. We evaluate HyPFuzz on five widely-used open-source processors. HyPFuzz detected all the vulnerabilities detected by the most recent processor fuzzer and found three new vulnerabilities that were missed by previous extensive fuzzing and formal verification. This led to two new common vulnerabilities and exposures (CVE) entries. HyPFuzz also achieves 11.68$\times$ faster coverage than the most recent processor fuzzer.

Cryptography and Security

Enze Wang,Jianjun Chen,Wei Xie,Chuhan Wang,Yifei Gao,Zhenhua Wang,Haixin Duan,Yang Liu,Baosheng Wang

DOI: https://doi.org/10.1109/sp54263.2024.00198

2024-01-01

Abstract:Server-Side Request Forgery (SSRF) vulnerability poses significant security risks to web applications, enabling adversaries to exploit web applications as stepping stones for unauthorized access of internal-only services or even performing arbitrary commands. Despite its recent emergence as a distinct category in the 2021 OWASP Top 10 web security risks and its increasing prevalence in modern web applications, there remains a lack of effective approaches to detect SSRF vulnerabilities systematically.We present a novel methodology, SSRFuzz, to effectively identify SSRF vulnerability in PHP web applications. Our methodology consists of three phases. In the initial phase, we designed an SSRF oracle to examine functions in PHP manuals and identify sinks that provide server-side request capabilities. This process yielded a total of 86 sensitive PHP sinks out of 2101 PHP functions. The second stage involves dynamic taint inference and the utilization of the identified sinks to examine the source code of target web applications, pinpointing all feasible input points that could trigger these sinks. The final phase employs fuzzing techniques. We generate testing HTTP requests with SSRF payloads, send them to the previously identified input points within the target web applications, and detect if an SSRF vulnerability is triggered. We implemented a prototype of SSRFuzz and evaluated it on 27 real-world applications, including Joomla and WordPress. In total, we discovered 28 SSRF vulnerabilities, 25 of which were previously unreported. We reported all the vulnerabilities to the affected vendors, and 16 new CVE IDs were assigned.

Yisen Wang,Weiyu Dong,Zicong Gao,Rui Chang

DOI: https://doi.org/10.1002/cpe.5756

2020-04-08

Abstract:Fuzzing is an effective approach to detect software vulnerabilities utilizing changeable generated inputs. However, fuzzing the network protocol on the firmware of IoT devices is limited by inefficiency of test case generation, cross‐architecture instrumentation, and fault detection. In this article, we propose the Fw‐fuzz, a coverage‐guided and crossplatform framework for fuzzing network services running in the context of firmware on embedded architectures, which can generate more valuable test cases by introspecting program runtime information and using a genetic algorithm model. Specifically, we propose novel dynamic instrumentation in Fw‐fuzz to collect the running state of the firmware program. Then Fw‐fuzz adopts a genetic algorithm model to guide the generation of inputs with high code coverage. We fully implement the prototype system of Fw‐fuzz and conduct evaluations on network service programs of various architectures in MIPS, ARM, and PPC. By comparing with the protocol fuzzers Boofuzz and Peach in metrics of edge coverage, our prototype system achieves an average growth of 33.7% and 38.4%, respectively. We further verify six known vulnerabilities and discover 5 0‐day vulnerabilities with the Fw‐fuzz, which prove the validity and utility of our framework. The overhead of our system expressed as an additional 5% of memory growth.

Computer Science,Engineering

Jie Liang,Mingzhe Wang,Yuanliang Chen,Yu Jiang,Renwei Zhang

DOI: https://doi.org/10.1109/SANER.2018.8330260

2018-01-01

Abstract:Fuzz testing has helped security researchers and organizations discover a large number of vulnerabilities. Although it is efficient and widely used in industry, hardly any empirical studies and experience exist on the customization of fuzzers to real industrial projects. In this paper, collaborating with the engineers from Huawei, we present the practice of adapting fuzz testing to a proprietary message middleware named libmsg, which is responsible for the message transfer of the entire distributed system department. We present the main obstacles coming across in applying an efficient fuzzer to libmsg, including system configuration inconsistency, system build complexity, fuzzing driver absence. The solutions for those typical obstacles are also provided. For example, for the most difficult and expensive obstacle of writing fuzzing drivers, we present a low-cost approach by converting existing sample code snippets into fuzzing drivers. After overcoming those obstacles, we can effectively identify software bugs, and report 9 previously unknown vulnerabilities, including flaws that lead to denial of service or system crash.

Jingda Yang,Ying Wang,Yanjun Pan,Tuyen X. Tran

DOI: https://doi.org/10.48550/arXiv.2305.08039

2024-01-05

Abstract:The virtualization and softwarization of 5G and NextG are critical enablers of the shift to flexibility, but they also present a potential attack surface for threats. However, current security research in communication systems focuses on specific aspects of security challenges and lacks a holistic perspective. To address this challenge, a novel systematic fuzzing approach is proposed to reveal, detect, and predict vulnerabilities with and without prior knowledge assumptions from attackers. It also serves as a digital twin platform for system testing and defense simulation pipeline. Three fuzzing strategies are proposed: Listen-and-Learn (LAL), Synchronize-and-Learn (SyAL), and Source-and-Learn (SoAL). The LAL strategy is a black-box fuzzing strategy used to discover vulnerabilities without prior protocol knowledge, while the SyAL strategy, also a black-box fuzzing method, targets vulnerabilities more accurately with attacker-accessible user information and a novel probability-based fuzzing approach. The white-box fuzzing strategy, SoAL, is then employed to identify and explain vulnerabilities through fuzzing of significant bits. Using the srsRAN 5G platform, the LAL strategy identifies 129 RRC connection vulnerabilities with an average detection duration of 0.072s. Leveraging the probability-based fuzzing algorithm, the SyAL strategy outperforms existing models in precision and recall, using significantly fewer fuzzing cases. SoAL detects three man-in-the-middle vulnerabilities stemming from 5G protocol vulnerabilities. The proposed solution is scalable to other open-source and commercial 5G platforms and protocols beyond RRC. Extensive experimental results demonstrate that the proposed solution is an effective and efficient approach to validate 5G security; meanwhile, it serves as real-time vulnerability detection and proactive defense.

Cryptography and Security

Bahruz Jabiyev,Steven Sprecher,Kaan Onarlioglu,Engin Kirda

DOI: https://doi.org/10.1145/3460120.3485384

2021-11-12

Abstract:HTTP Request Smuggling (HRS) is an attack that exploits the HTTP processing discrepancies between two servers deployed in a proxy-origin configuration, allowing attackers to smuggle hidden requests through the proxy. While this idea is not new, HRS is soaring in popularity due to recently revealed novel exploitation techniques and real-life abuse scenarios. In this work, we step back from the highly-specific exploits hogging the spotlight, and present the first work that systematically explores HRS within a scientific framework. We design an experiment infrastructure powered by a novel grammar-based differential fuzzer, test 10 popular server/proxy/CDN technologies in combinations, identify pairs that result in processing discrepancies, and discover exploits that lead to HRS. Our experiment reveals previously unknown ways to manipulate HTTP requests for exploitation, and for the first time documents the server pairs prone to HRS.

Huikai Xu,Miao Yu,Yanhao Wang,Yue Liu,Qinsheng Hou,Zhenbang Ma,Haixin Duan,Jianwei Zhuge,Baojun Liu

DOI: https://doi.org/10.1109/EuroSP53844.2022.00019

2022-01-01

Abstract:MQTT is widely adopted by IoT devices because it allows for the most efficient data transfer over a variety of communication lines. The security of MQTT has received increasing attention in recent years, and several studies have demonstrated the configurations of many MQTT brokers are insecure. Adversaries are allowed to exploit vulnerable brokers and publish malicious messages to subscribers. However, little has been done to understanding the security issues on the device side when devices handle unauthorized MQTT messages. To fill this research gap, we propose a fuzzing framework named SHADOWFUZZER to find client-side vulnerabilities when processing incoming MQTT messages. To avoiding ethical issues, SHADOWFUZZER redirects traffic destined for the actual broker to a shadow broker under the control to monitor vulnerabilities. We select 15 IoT devices communicating with vulnerable brokers and leverage SHADOWFUZZER to find vulnerabilities when they parse MQTT messages. For these devices, SHADOWFUZZER reports 34 zero-day vulnerabilities in 11 devices. We evaluated the exploitability of these vulnerabilities and received a total of 44,000 USD bug bounty rewards. And 16 CVE/CNVD/CN-NVD numbers have been assigned to us.

Lingyun Situ,Chi Zhang,Le Guan,Zhiqiang Zuo,Linzhang Wang,Xuandong Li,Peng Liu,Jin Shi

DOI: https://doi.org/10.1109/jiot.2023.3303780

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:With the rapid expansion of the Internet of Things, a vast number of microcontroller-based IoT devices are now susceptible to attacks through the Internet. Vulnerabilities within the firmware are one of the most important attack surfaces. Fuzzing has emerged as one of the most effective techniques for identifying such vulnerabilities. However, when applied to IoT firmware, several challenges arise, including: (1) the inability of firmware to execute properly in the absence of peripherals, (2) the lack of support for exploring input spaces of multiple peripherals, (3) difficulties in instrumenting and gathering feedback, and (4) the absence of a fault detection mechanism. To address these challenges, we have developed and implemented an innovative peripheral-independent hybrid fuzzing tool called . This tool enables testing of microcontroller-based firmware without reliance on specific peripheral hardware. First, a unified virtual peripheral was integrated to model the behaviors of various peripherals, thus enabling the physical devices-agnostic firmware execution. Then, a hybrid event generation approach was used to generate inputs for different peripheral accesses. Furthermore, two-level coverage feedback was collected to optimize the testcase generation. Finally, a plugin-based fault detection mechanism was implemented to identify typical memory corruption vulnerabilities. A Large-scale experimental evaluation has been performed to show ’s effectiveness and efficiency.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xiaohan Zhang,Cen Zhang,Xinghua Li,Zhengjie Du,Bing Mao,Yuekang Li,Yaowen Zheng,Yeting Li,Li Pan,Yang Liu,Robert Deng

DOI: https://doi.org/10.1145/3696788

IF: 16.6

2024-10-12

ACM Computing Surveys

Abstract:Communication protocols form the bedrock of our interconnected world, yet vulnerabilities within their implementations pose significant security threats. Recent developments have seen a surge in fuzzing-based research dedicated to uncovering these vulnerabilities within protocol implementations. However, there still lacks a systematic overview of protocol fuzzing for answering the essential questions such as what the unique challenges are, how existing works solve them, and so on. To bridge this gap, we conducted a comprehensive investigation of related works from both academia and industry. Our study includes a detailed summary of the specific challenges in protocol fuzzing and provides a systematic categorization and overview of existing research efforts. Furthermore, we explore and discuss potential future research directions in protocol fuzzing.

computer science, theory & methods

Jack Hance,Jeremy Straub

2023-06-07

Abstract:Fuzzing is utilized for testing software and systems for cybersecurity risk via the automated adaptation of inputs. It facilitates the identification of software bugs and misconfigurations that may create vulnerabilities, cause abnormal operations or result in systems' failure. While many fuzzers have been purpose-developed for testing specific systems, this paper proposes a generalized fuzzer that provides a specific capability for testing software and cyber-physical systems which utilize configuration files. While this fuzzer facilitates the detection of system and software defects and vulnerabilities, it also facilitates the determination of the impact of settings on device operations. This later capability facilitates the modeling of the devices in a cybersecurity risk assessment and analysis system. This paper describes and assesses the performance of the proposed fuzzer technology. It also details how the fuzzer operates as part of the broader cybersecurity risk assessment and analysis system.

Cryptography and Security,Software Engineering

Zhe Yang,Hao Peng,Yanling Jiang,Xingwei Li,Haohua Du,Shuhai Wang,Jianwei Liu

2024-11-18

Abstract:Internet of Things (IoT) devices offer convenience through web interfaces, web VPNs, and other web-based services, all relying on the HTTP protocol. However, these externally exposed HTTP services resent significant security risks. Although fuzzing has shown some effectiveness in identifying vulnerabilities in IoT HTTP services, most state-of-the-art tools still rely on random mutation trategies, leading to difficulties in accurately understanding the HTTP protocol's structure and generating many invalid test cases. Furthermore, These fuzzers rely on a limited set of initial seeds for testing. While this approach initiates testing, the limited number and diversity of seeds hinder comprehensive coverage of complex scenarios in IoT HTTP services. In this paper, we investigate and find that large language models (LLMs) excel in parsing HTTP protocol data and analyzing code logic. Based on these findings, we propose a novel LLM-guided IoT HTTP fuzzing method, ChatHTTPFuzz, which automatically parses protocol fields and analyzes service code logic to generate protocol-compliant test cases. Specifically, we use LLMs to label fields in HTTP protocol data, creating seed templates. Second, The LLM analyzes service code to guide the generation of additional packets aligned with the code logic, enriching the seed templates and their field values. Finally, we design an enhanced Thompson sampling algorithm based on the exploration balance factor and mutation potential factor to schedule seed templates. We evaluate ChatHTTPFuzz on 14 different real-world IoT devices. It finds more vulnerabilities than SNIPUZZ, BOOFUZZ, and MUTINY. ChatHTTPFuzz has discovered 103 vulnerabilities, of which 68 are unique, and 23 have been assigned CVEs.

Cryptography and Security

Maik Ender,Felix Hahn,Marc Fyrbiak,Amir Moradi,Christof Paar

2024-02-15

Abstract:Fuzzing is a well-established technique in the software domain to uncover bugs and vulnerabilities. Yet, applications of fuzzing for security vulnerabilities in hardware systems are scarce, as principal reasons are requirements for design information access (HDL source code). Moreover, observation of internal hardware state during runtime is typically an ineffective information source, as its documentation is often not publicly available. In addition, such observation during runtime is also inefficient due to bandwidth-limited analysis interfaces (JTAG, and minimal introspection of internal modules). In this work, we investigate fuzzing for 7-Series and UltraScale(+) FPGA configuration engines, the control plane governing the (secure) bitstream configuration within the FPGA. Our goal is to examine the effectiveness of fuzzing to analyze and document the opaque inner workings of FPGA configuration engines, with a primary emphasis on identifying security vulnerabilities. Using only the publicly available chip and dispersed documentation, we first design and implement ConFuzz, an advanced FPGA configuration engine fuzzing and rapid prototyping framework. Based on our detailed understanding of the bitstream file format, we then systematically define 3 novel key fuzzing strategies for Xilinx configuration engines. Moreover, our strategies are executed through mutational structure-aware fuzzers and incorporate various novel custom-tailored, FPGA-specific optimizations. Our evaluation reveals previously undocumented behavior within the configuration engine, including critical findings such as system crashes leading to unresponsive states of the FPGA. In addition, our investigations not only lead to the rediscovery of the starbleed attack but also uncover JustSTART (CVE-2023-20570), capable of circumventing RSA authentication for Xilinx UltraScale(+). Note that we also discuss countermeasures.

Cryptography and Security

Hsin-Wei Hung,Ardalan Amiri Sani

DOI: https://doi.org/10.48550/arXiv.2305.08782

2023-05-16

Abstract:The eBPF technology in the Linux kernel has been widely adopted for different applications, such as networking, tracing, and security, thanks to the programmability it provides. By allowing user-supplied eBPF programs to be executed directly in the kernel, it greatly increases the flexibility and efficiency of deploying customized logic. However, eBPF also introduces a new and wide attack surface: malicious eBPF programs may try to exploit the vulnerabilities in the eBPF subsystem in the kernel. Fuzzing is a promising technique to find such vulnerabilities. Unfortunately, our experiments with the state-of-the-art kernel fuzzer, Syzkaller, shows that it cannot effectively fuzz the eBPF runtime, those components that are in charge of executing an eBPF program, for two reasons. First, the eBPF verifier (which is tasked with verifying the safety of eBPF programs) rejects many fuzzing inputs because (1) they do not comply with its required semantics or (2) they miss some dependencies, i.e., other syscalls that need to be issued before the program is loaded. Second, Syzkaller fails to attach and trigger the execution of eBPF programs most of the times. This paper introduces the BPF Runtime Fuzzer (BRF), a fuzzer that can satisfy the semantics and dependencies required by the verifier and the eBPF subsystem. Our experiments show, in 48-hour fuzzing sessions, BRF can successfully execute 8x more eBPF programs compared to Syzkaller. Moreover, eBPF programs generated by BRF are much more expressive than Syzkaller's. As a result, BRF achieves 101% higher code coverage. Finally, BRF has so far managed to find 4 vulnerabilities (some of them have been assigned CVE numbers) in the eBPF runtime, proving its effectiveness.

Cryptography and Security,Software Engineering