Ben Kallus,Prashant Anantharaman,Michael Locasto,Sean W. Smith

2024-05-28

Abstract:HTTP/1.1 parsing discrepancies have been the basis for numerous classes of attacks against web servers. Previous techniques for discovering HTTP parsing discrepancies have focused on blackbox differential testing of HTTP gateway servers, despite evidence that the most significant parsing anomalies occur within origin servers. While these techniques can detect some vulnerabilities, not all parsing discrepancy-related vulnerabilities are detectable by examining a gateway server's output alone. Our system, the HTTP Garden, examines both origin servers' interpretations and gateway servers' transformations of HTTP requests. It also includes a coverage-guided differential fuzzer for HTTP/1.1 origin servers that is capable of mutating all components of a request stream, paired with an interactive REPL that facilitates the automatic discovery of meaningful HTTP parsing discrepancies and the rapid development of those discrepancies into attack payloads. Using our tool, we have discovered and reported over 100 HTTP parsing bugs in popular web servers, of which 68 have been fixed following our reports. We designate 39 of these to be exploitable. We release the HTTP Garden to the public on GitHub under a free software license to allow researchers to further explore new parser discrepancy-based attacks against HTTP/1.1 servers.

Cryptography and Security,Networking and Internet Architecture

Xiang Chen,Hongyan Liu,Tingxin Sun,Qun Huang,Dong Zhang,Xuan Liu,Boyang Zhou,Haifeng Zhou,Chunming Wu

DOI: https://doi.org/10.1109/infocom53939.2023.10229080

2023-01-01

Abstract:To date, security researchers evaluate their solutions of mitigating denial-of-service (DDoS) attacks via kernel-based or kernel-bypassing testing tools. However, kernel-based tools exhibit poor scalability in attack traffic generation while kernel-bypassing tools result in unacceptable monetary cost. We propose Excalibur, a scalable and low-cost testing framework for DDoS defense solutions. The key idea is to leverage the programmable switch to perform testing tasks with Tbps-level scalability and low cost. Specifically, Excalibur coordinates both a server and a programmable switch to jointly perform testing tasks. It realizes flexible attack traffic generation, which requires a large number of resources, in the server while using the switch to increase the sending rate of attack traffic to Tbps-level. Our experiments on a 64×100Gbps Tofino switch show that Excalibur achieves orders-of-magnitude higher scalability and lower cost than existing tools.

Junchi Xing,Mingliang Yang,Haifeng Zhou,Chunming Wu,Wei Ruan

DOI: https://doi.org/10.1109/IPCCC47392.2019.8958776

2019-01-01

Abstract:Network reconnaissance aims at gathering as much information as possible before an attack is launched. Meanwhile, static host address configuration facilitates network reconnaissance. Currently, more sophisticated network reconnaissance has been emerged with the adaptive and cooperative features. To address this, in this paper, we present Hiding and Trapping (HaT), which is a deceptive approach to disrupt adversarial network reconnaissance with the help of the software-defined networking (SDN) paradigm. HaT is able to hide valuable hosts from attackers and to trap them into decoy nodes through strategic and holistic host address mutation according to characteristic of adversaries. We implement a prototype of HaT, and evaluate its performance by experiments. The experimental results show that HaT is capable to effectively disrupt adversarial network reconnaissance with better deceptive performance than the existing address randomization approach.

Linkai Zheng,Xiang Li,Chuhan Wang,Run Guo,Haixin Duan,Jianjun Chen,Chao Zhang,Kaiwen Shen

DOI: https://doi.org/10.14722/ndss.2024.24031

2024-01-01

Abstract:Content Delivery Networks (CDNs) are ubiquitous middleboxes designed to enhance the performance of hosted websites and shield them from various attacks.Numerous notable studies show that CDNs modify a client's request when forwarding it to the original server.Multiple inconsistencies in this forwarding operation have been found to potentially result in security vulnerabilities like DoS attacks.Nonetheless, existing research lacks a systematic approach to studying CDN forwarding request inconsistencies.In this work, we present REQSMINER, an innovative fuzzing framework developed to discover previously unexamined inconsistencies in CDN forwarding requests.The framework uses techniques derived from reinforcement learning to generate valid test cases, even with minimal feedback, and incorporates real field values into the grammar-based fuzzer.With the help of REQSMINER, we comprehensively test 22 major CDN providers and uncover a wealth of hitherto unstudied CDN forwarding request inconsistencies.Moreover, the application of specialized analyzers enables REQSMINER to extend its capabilities, evolving into a framework capable of detecting specific types of attacks.By extension, our work further identifies three novel types of HTTP amplification DoS attacks and uncovers 74 new potential DoS vulnerabilities with an amplification factor that can reach up to 2,000 generally, and even 1,920,000 under specific conditions.The vulnerabilities detected were responsibly disclosed to the affected CDN vendors, and mitigation suggestions were proposed.Our work contributes to fortifying CDN security, thereby enhancing their resilience against malicious attacks and preventing misuse.

Xiang Chen,Hongyan Liu,Qun Huang,Dong Zhang,Haifeng Zhou,Chunming Wu,Xuan Liu

DOI: https://doi.org/10.1109/tnet.2023.3281449

2024-01-01

Abstract:To date, security researchers evaluate their solutions of mitigating distributed denial-of-service (DDoS) attacks via kernel-based or kernel-bypassing testing tools. However, kernelbased tools exhibit poor scalability in attack traffic generation while kernel-bypassing tools incur unacceptable monetary cost. We propose Excalibur, a scalable and low-cost testing framework for evaluating DDoS defense solutions. The key idea is to leverage the emerging programmable switch to empower testing tasks with Tbps-level scalability and low cost. Specifically, Excalibur offers intent-based primitives to enable academic researchers to customize testing tasks on demand. Moreover, in view of switch resource limitations, Excalibur coordinates both a server and a programmable switch to jointly perform testing tasks. It realizes flexible attack traffic generation, which requires a large number of resources, in the server while using the switch to increase the sending rate of attack traffic to Tbps-level. We have implemented Excalibur on a 64 x 100 Gbps Tofino switch. Our experiments on a 64 x 100 Gbps Tofino switch show that Excalibur achieves orders-of-magnitude higher scalability and lower cost than existing tools.

Yu Zhang,Wei Huo,Kunpeng Jian,Jingxue Shi,Haoliang Lu,Longquan Liu,Chen Wang,Dandan Sun,Chao Zhang,Baoxu Liu

DOI: https://doi.org/10.1145/3359789.3359826

2019-01-01

Abstract:SOHO (small office/home office) routers provide services for end devices to connect to the Internet, playing an important role in the cyberspace. Unfortunately, security vulnerabilities pervasively exist in these routers, especially in the web server modules, greatly endangering end users. To discover these vulnerabilities, fuzzing web server modules of SOHO routers is the most popular solution. However, its effectiveness is limited, due to the lack of input specification, lack of routers' internal running states, and lack of testing environment recovery mechanisms. Moreover, fuzzing in general only reports memory corruption vulnerabilities, and fails to discover other vulnerabilities, e.g., web-based vulnerabilities.

Qi-Xian Huang,Min-Yi Chiu,Ying-Feng Chen,Hung-Min Sun

DOI: https://doi.org/10.1155/2022/3121177

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:Until the development of HTTP request smuggling in 2005, individual HTTP requests were considered as independent entities and could not be split or merged. This is a security problem caused by inconsistent content length interpretation approach between web servers, or the web server is not fully implemented in accordance with the RFC standard. It is especially dangerous for web services with complex web architectures. It can route the victims to receive malicious responses, amplify the impact of certain low-threat vulnerabilities, steal user credentials, or bypass network devices’ defenses. However, since its concept and implementation are quite difficult to overcome, it is often ignored by many network administrators, making users who browse such websites vulnerable to the HTTP request smuggling attacks. This paper proposes a general solution to deal with various HTTP request smuggling attacks. A reverse proxy implemented by Flask validates and cleans dubious HTTP requests from the client side and ensures that the original requests comply with RFC standards. Therefore, the website administrators no longer need to configure complicated network settings or customize some open-source project codes to resist or minimize the risk of the HTTP request smuggling attacks. A series of experiments demonstrate that this method is effective and practical.

Enze Wang,Jianjun Chen,Wei Xie,Chuhan Wang,Yifei Gao,Zhenhua Wang,Haixin Duan,Yang Liu,Baosheng Wang

DOI: https://doi.org/10.1109/sp54263.2024.00198

2024-01-01

Abstract:Server-Side Request Forgery (SSRF) vulnerability poses significant security risks to web applications, enabling adversaries to exploit web applications as stepping stones for unauthorized access of internal-only services or even performing arbitrary commands. Despite its recent emergence as a distinct category in the 2021 OWASP Top 10 web security risks and its increasing prevalence in modern web applications, there remains a lack of effective approaches to detect SSRF vulnerabilities systematically.We present a novel methodology, SSRFuzz, to effectively identify SSRF vulnerability in PHP web applications. Our methodology consists of three phases. In the initial phase, we designed an SSRF oracle to examine functions in PHP manuals and identify sinks that provide server-side request capabilities. This process yielded a total of 86 sensitive PHP sinks out of 2101 PHP functions. The second stage involves dynamic taint inference and the utilization of the identified sinks to examine the source code of target web applications, pinpointing all feasible input points that could trigger these sinks. The final phase employs fuzzing techniques. We generate testing HTTP requests with SSRF payloads, send them to the previously identified input points within the target web applications, and detect if an SSRF vulnerability is triggered. We implemented a prototype of SSRFuzz and evaluated it on 27 real-world applications, including Joomla and WordPress. In total, we discovered 28 SSRF vulnerabilities, 25 of which were previously unreported. We reported all the vulnerabilities to the affected vendors, and 16 new CVE IDs were assigned.

Yossi Gilad,Amir Herzberg

DOI: https://doi.org/10.48550/arXiv.1204.6623

2012-04-30

Abstract:We show how an off-path (spoofing-only) attacker can perform cross-site scripting (XSS), cross-site request forgery (CSRF) and site spoofing/defacement attacks, without requiring vulnerabilities in either web-browser or server and circumventing known defenses. Attacker can also launch devastating denial of service (DoS) attacks, even when the connection between the client and the server is secured with SSL/TLS. The attacks are practical and require a puppet (malicious script in browser sandbox) running on a the victim client machine, and attacker capable of IP-spoofing on the Internet. Our attacks use a technique allowing an off-path attacker to learn the sequence numbers of both client and server in a TCP connection. The technique exploits the fact that many computers, in particular those running Windows, use a global IP-ID counter, which provides a side channel allowing efficient exposure of the connection sequence numbers. We present results of experiments evaluating the learning technique and the attacks that exploit it. Finally, we present practical defenses that can be deployed at the firewall level; no changes to existing TCP/IP stacks are required.

Cryptography and Security

Nils Bars,Moritz Schloegel,Nico Schiller,Lukas Bernhard,Thorsten Holz

DOI: https://doi.org/10.1145/3658644.3690274

2024-09-02

Abstract:Network-facing applications are commonly exposed to all kinds of attacks, especially when connected to the internet. As a result, web servers like Nginx or client applications such as curl make every effort to secure and harden their code to rule out memory safety violations. One would expect this to include regular fuzz testing, as fuzzing has proven to be one of the most successful approaches to uncovering bugs in software. Yet, surprisingly little research has focused on fuzzing network applications. When studying the underlying reasons, we find that the interactive nature of communication, its statefulness, and the protection of exchanged messages render typical fuzzers ineffective. Attempts to replay recorded messages or modify them on the fly only work for specific targets and often lead to early termination of communication. In this paper, we discuss these challenges in detail, highlighting how the focus of existing work on protocol state space promises little relief. We propose a fundamentally different approach that relies on fault injection rather than modifying messages. Effectively, we force one of the communication peers into a weird state where its output no longer matches the expectations of the target peer, potentially uncovering bugs. Importantly, this weird peer can still properly encrypt/sign the protocol message, overcoming a fundamental challenge of current fuzzers. In effect, we leave the communication system intact but introduce small corruptions. Since we can turn either the server or the client into the weird peer, our approach is the first that can effectively test client-side network applications. Evaluating 16 targets, we show that Fuzztruction-Net outperforms other fuzzers in terms of coverage and bugs found. Overall, Fuzztruction-Net uncovered 23 new bugs in well-tested software, such as the web servers Nginx and Apache HTTPd and the OpenSSH client.

Cryptography and Security

Yu Zhang,Wei Huo,Kunpeng Jian,Ji Shi,Longquan Liu,Yanyan Zou,Chao Zhang,Baoxu Liu

DOI: https://doi.org/10.1186/s42400-021-00091-9

2021-07-19

Abstract:Abstract SOHO (small office/home office) routers provide services for end devices to connect to the Internet, playing an important role in cyberspace. Unfortunately, security vulnerabilities pervasively exist in these routers, especially in the web server modules, greatly endangering end users. To discover these vulnerabilities, fuzzing web server modules of SOHO routers is the most popular solution. However, its effectiveness is limited due to the lack of input specification, lack of routers’ internal running states, and lack of testing environment recovery mechanisms. Moreover, existing works for device fuzzing are more likely to detect memory corruption vulnerabilities.In this paper, we propose a solution ESRFuzzer to address these issues. It is a fully automated fuzzing framework for testing physical SOHO devices. It continuously and effectively generates test cases by leveraging two input semantic models, i.e., KEY-VALUE data model and CONF-READ communication model, and automatically recovers the testing environment with power management. It also coordinates diversified mutation rules with multiple monitoring mechanisms to trigger multi-type vulnerabilities. With the guidance of the two semantic models, ESRFuzzer can work in two ways: general mode fuzzing and D-CONF mode fuzzing. General mode fuzzing can discover both issues which occur in the CONF and READ operation, while D-CONF mode fuzzing focus on the READ-op issues especially missed by general mode fuzzing.We ran ESRFuzzer on 10 popular routers across five vendors. In total, it discovered 136 unique issues, 120 of which have been confirmed as 0-day vulnerabilities we found. As an improvement of SRFuzzer, ESRFuzzer have discovered 35 previous undiscovered READ-op issues that belong to three vulnerability types, and 23 of them have been confirmed as 0-day vulnerabilities by vendors. The experimental results show that ESRFuzzer outperforms state-of-the-art solutions in terms of types and number of vulnerabilities found.

computer science, information systems, interdisciplinary applications, software engineering

Songtao Yang,Yubo He,Kaixiang Chen,Zheyu Ma,Xiapu Luo,Yong Xie,Jianjun Chen,Chao Zhang

DOI: https://doi.org/10.1145/3597926.3598102

2023-01-01

Abstract:1-day vulnerabilities are common in practice and have posed severe threats to end users, as adversaries could learn from released patches to find them and exploit them. Reproducing 1-day vulnerabilities is also crucial for defenders, e.g., to block attack traffic against 1-day vulnerabilities. A core question that affects the effectiveness of recognizing and triggering 1-day vulnerabilities is what is the unique feature of a security patch. After conducting a large-scale empirical study, we point out that a common and unique feature of patches is the trailing call sequence (TCS) and present a novel directed differential fuzzing solution 1dFuzz to efficiently reproduce 1-day vulnerabilities in this paper. Based on the TCS feature, we present a locator 1dLoc able to find candidate patch locations via static analysis, a novel TCS-based distance metric for directed fuzzing, and a novel sanitizer 1dSan able to catch PoCs for 1-day vulnerabilities during fuzzing. We have systematically evaluated 1dFuzz on a set of real-world software vulnerabilities in 11 different settings. Results show that 1dFuzz significantly outperforms state-of-the-art (SOTA) baselines and could find up to 2.26x more 1-day vulnerabilities with a 43% shorter time.

Xi Ling,Jiongchi Yu,Ziming Zhao,Zhihao Zhou,Haitao Xu,Binbin Chen,Fan Zhang

DOI: https://doi.org/10.1007/978-3-031-54773-7_12

2024-01-01

Abstract:With the proliferation of Internet development, Distributed Denial of Service (DDoS) attacks are on the rise. As rule-based traffic analysis frameworks and Deep Packet Inspection (DPI) defense measures can effectively thwart many DDoS attacks, attackers keep exploring various attack surfaces and traffic amplification strategies to nullify the defense. In this paper, we propose DDoSMiner, an automated framework for DDoS attack characterization and vulnerability mining. DDoSMiner analyzes system call patterns of the TCP-based DDoS attack family, then generates Attack Call Flow Graph (ACFG) by discerning the differences between DDoS attack traffic and benign traffic. Furthermore, DDoSMiner identifies and extracts drop nodes and pivotal TCP states from the distinctive characteristics of attack traffic, then passes to the symbolic execution framework for exploring variants of the DDoS attack. We collectively analyze six types of TCP-based DDoS attacks, construct the corresponding ACFG, and identify a set of attack traffic variants. The attack traffic variants are evaluated on the widely used Network Intrusion Detection System (NIDS) Snort with three popular rule sets. The result shows that DDoSMiner indeed discovers the new DDoS attack trace, and the corresponding attack traffic can bypass all three defense toolkits.

Yan Wang,Chao Zhang,Xiaobo Xiang,Zixuan Zhao,Wen-Jie Li,Xiaojing Gong,Bingchang Liu,Kaixiang Chen,Wei Zou

DOI: https://doi.org/10.1145/3243734.3243847

2018-01-01

Abstract:Automatic exploit generation is an open challenge. Existing solutions usually explore in depth the crashing paths, i.e., paths taken by proof-of-concept (POC) inputs triggering vulnerabilities, and generate exploits when exploitable states are found along the paths. However, exploitable states do not always exist in crashing paths. Moreover, existing solutions heavily rely on symbolic execution and are not scalable in path exploration and exploit generation. In addition, few solutions could exploit heap-based vulnerabilities. In this paper, we propose a new solution revery to search for exploitable states in paths diverging from crashing paths, and generate control-flow hijacking exploits for heap-based vulnerabilities. It adopts three novel techniques:(1) a digraph to characterize a vulnerability's memory layout and its contributor instructions;(2) a fuzz solution to explore diverging paths, which have similar memory layouts as the crashing paths, in order to search more exploitable states and generate corresponding diverging inputs;(3) a stitch solution to stitch crashing paths and diverging paths together, and synthesize EXP inputs able to trigger both vulnerabilities and exploitable states. We have developed a prototype of revery based on the binary analysis engine angr, and evaluated it on a set of 19 real world CTF (capture the flag) challenges. Experiment results showed that it could generate exploits for 9 (47%) of them, and generate EXP inputs able to trigger exploitable states for another 5 (26%) of them.

Qifan Zhang,Xuesong Bai,Xiang Li,Haixin Duan,Qi Li,Zhou Li

2023-10-05

Abstract:Domain Name System (DNS) is a critical component of the Internet. DNS resolvers, which act as the cache between DNS clients and DNS nameservers, are the central piece of the DNS infrastructure, essential to the scalability of DNS. However, finding the resolver vulnerabilities is non-trivial, and this problem is not well addressed by the existing tools. To list a few reasons, first, most of the known resolver vulnerabilities are non-crash bugs that cannot be directly detected by the existing oracles (or sanitizers). Second, there lacks rigorous specifications to be used as references to classify a test case as a resolver bug. Third, DNS resolvers are stateful, and stateful fuzzing is still challenging due to the large input space. In this paper, we present a new fuzzing system termed ResolverFuzz to address the aforementioned challenges related to DNS resolvers, with a suite of new techniques being developed. First, ResolverFuzz performs constrained stateful fuzzing by focusing on the short query-response sequence, which has been demonstrated as the most effective way to find resolver bugs, based on our study of the published DNS CVEs. Second, to generate test cases that are more likely to trigger resolver bugs, we combine probabilistic context-free grammar (PCFG) based input generation with byte-level mutation for both queries and responses. Third, we leverage differential testing and clustering to identify non-crash bugs like cache poisoning bugs. We evaluated ResolverFuzz against 6 mainstream DNS software under 4 resolver modes. Overall, we identify 23 vulnerabilities that can result in cache poisoning, resource consumption, and crash attacks. After responsible disclosure, 19 of them have been confirmed or fixed, and 15 CVE numbers have been assigned.

Cryptography and Security,Networking and Internet Architecture,Software Engineering

Kaiwen Shen,Jianyu Lu,Yaru Yang,Jianjun Chen,Mingming Zhang,Haixin Duan,Jia Zhang,Xiaofeng Zheng

DOI: https://doi.org/10.1109/dsn53405.2022.00014

2022-01-01

Abstract:The Internet has become a complex distributed network with numerous middle-boxes, where an end-to-end HTTP request is often processed by multiple intermediate servers before it reaches its destination. However, a general problem in this distributed network is the semantic gap attack, which is defined as inconsistent semantic interpretations in the processing chain. While some studies have found individual semantic gap attacks, most of them are based on ad-hoc manual analysis, which is inadequate for fundamentally enhancing the security assurance of a system as complex as the HTTP network.In this work, we propose HDiff, a novel semi-automatic detecting framework, systematically exploring semantic gap attacks in HTTP implementations. We designed a documentation analyzer that employs natural language processing techniques to extract rules from specifications, and utilized differential testing to discover semantic gap attacks. We implemented and evaluated it to find three kinds of semantic gap attacks in 10 popular HTTP implementations. In total, HDiff found 14 vulnerabilities and 29 affected server pairs covering all three types of attacks. In particular, HDiff also discovered three new types of attack vectors. We have already duly reported all identified vulnerabilities to the involved HTTP software vendors and obtained 7 new CVEs from well-known HTTP software, including Apache, Tomcat, Weblogic, and Microsoft IIS Server.

Zhe Yang,Hao Peng,Yanling Jiang,Xingwei Li,Haohua Du,Shuhai Wang,Jianwei Liu

2024-11-18

Abstract:Internet of Things (IoT) devices offer convenience through web interfaces, web VPNs, and other web-based services, all relying on the HTTP protocol. However, these externally exposed HTTP services resent significant security risks. Although fuzzing has shown some effectiveness in identifying vulnerabilities in IoT HTTP services, most state-of-the-art tools still rely on random mutation trategies, leading to difficulties in accurately understanding the HTTP protocol's structure and generating many invalid test cases. Furthermore, These fuzzers rely on a limited set of initial seeds for testing. While this approach initiates testing, the limited number and diversity of seeds hinder comprehensive coverage of complex scenarios in IoT HTTP services. In this paper, we investigate and find that large language models (LLMs) excel in parsing HTTP protocol data and analyzing code logic. Based on these findings, we propose a novel LLM-guided IoT HTTP fuzzing method, ChatHTTPFuzz, which automatically parses protocol fields and analyzes service code logic to generate protocol-compliant test cases. Specifically, we use LLMs to label fields in HTTP protocol data, creating seed templates. Second, The LLM analyzes service code to guide the generation of additional packets aligned with the code logic, enriching the seed templates and their field values. Finally, we design an enhanced Thompson sampling algorithm based on the exploration balance factor and mutation potential factor to schedule seed templates. We evaluate ChatHTTPFuzz on 14 different real-world IoT devices. It finds more vulnerabilities than SNIPUZZ, BOOFUZZ, and MUTINY. ChatHTTPFuzz has discovered 103 vulnerabilities, of which 68 are unique, and 23 have been assigned CVEs.

Cryptography and Security

François Gauthier,Behnaz Hassanshahi,Benjamin Selwyn-Smith,Trong Nhan Mai,Max Schlüter,Micah Williams

DOI: https://doi.org/10.48550/arXiv.2108.08455

2021-08-19

Cryptography and Security

Abstract:Following the advent of the American Fuzzy Lop (AFL), fuzzing had a surge in popularity, and modern day fuzzers range from simple blackbox random input generators to complex whitebox concolic frameworks that are capable of deep program introspection. Web application fuzzers, however, did not benefit from the tremendous advancements in fuzzing for binary programs and remain largely blackbox in nature. This paper introduces BackREST, a fully automated, model-based, coverage- and taint-driven fuzzer that uses its feedback loops to find more critical vulnerabilities, faster (speedups between 7.4x and 25.9x). To model the server-side of web applications, BackREST automatically infers REST specifications through directed state-aware crawling. Comparing BackREST against three other web fuzzers on five large (>500 KLOC) Node.js applications shows how it consistently achieves comparable coverage while reporting more vulnerabilities than state-of-the-art. Finally, using BackREST, we uncovered nine 0-days, out of which six were not reported by any other fuzzer. All the 0-days have been disclosed and most are now public, including two in the highly popular Sequelize and Mongodb libraries.

Yan Wang,Chao Zhang,Xiaobo Xiang,Zixuan Zhao,Bingchang Liu,Wenjie Li,Xiaorui Gong,Kaixiang Chen,Wei Zou

DOI: https://doi.org/10.1145/3243734.3243847

2018-01-01

Abstract:Automatic exploit generation is an open challenge. Existing solutions usually explore in depth the crashing paths, i.e., paths taken by proof-of-concept (PoC) inputs triggering vulnerabilities, and generate exploits when exploitable states are found along the paths. However, exploitable states do not always exist in crashing paths. Moreover, existing solutions heavily rely on symbolic execution and are not scalable in path exploration and exploit generation. In addition, few solutions could exploit heap-based vulnerabilities.In this paper, we propose a new solution Revery to search for exploitable states in paths diverging from crashing paths, and generate control-flow hijacking exploits for heap-based vulnerabilities. It adopts three novel techniques: (1) a layout-contributor digraph to characterize a vulnerability's memory layout and its contributor instructions; (2) a layout-oriented fuzzing solution to explore diverging paths, which have similar memory layouts as the crashing paths, in order to search more exploitable states and generate corresponding diverging inputs; (3) a control-flow stitching solution to stitch crashing paths and diverging paths together, and synthesize EXP inputs able to trigger both vulnerabilities and exploitable states.We have developed a prototype of Revery based on the binary analysis engine angr, and evaluated it on a set of 19 CTF (capture the flag) programs. Experiment results showed that it could generate exploits for 9 (47%) of them, and generate EXP inputs able to trigger exploitable states for another 5 (26%) of them.

Longjuan Wang,Chunjie Cao,Jun Ye,Wenjie Zhong

DOI: https://doi.org/10.1155/2022/5311295

2022-04-25

Wireless Communications and Mobile Computing

Abstract:As the main routing device of the network, most routers can be set up and managed through their web enabled admin portal. This paper proposes a new method for router admin portal vulnerability mining fuzzing test (RW-fuzzer: Router Web fuzzer). The mutation samples that generated by Boofuzz are used to construct the test sample set for fuzzy testing. The constructed mutation test cases are more suitable for the attack load or critical value of the router’s Web interface. They can cause unexpected errors for the devices more easily, which achieves the goal of discover potential vulnerabilities, and the practicality is excellent. Based on the proposed RW-fuzzer method, this work conducted fuzzing tests on 4 widely sold router models from manufacturers. Four nday vulnerabilities and one 0day vulnerability have been found. Experiment results show that the proposed RW-fuzzer method is effective.

computer science, information systems,telecommunications,engineering, electrical & electronic