Please use this Handle URI to cite this item: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/88118
Full metadata record
DC field [language]: value
dc.contributor.advisor [zh_TW]: 蕭旭君
dc.contributor.advisor [en]: Hsu-Chun Hsiao
dc.contributor.author [zh_TW]: 宋哲寬
dc.contributor.author [en]: Che-Kuan Sung
dc.date.accessioned: 2023-08-08T16:22:45Z
dc.date.available: 2023-11-09
dc.date.copyright: 2023-08-08
dc.date.issued: 2023
dc.date.submitted: 2023-07-17
dc.identifier.citation:
[1] 2017 was 'worst year ever' in data breaches and cyberattacks, thanks to ransomware.
[2] Android Developers. 2017. UI/Application Exerciser Monkey. (September 2017).
[3] boofuzz: Network protocol fuzzing for humans.
[4] Frida: Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.
[5] IoT market by component.
[6] D. D. Chen, M. Woo, D. Brumley, and M. Egele. Towards automated dynamic analysis for Linux-based embedded firmware. In NDSS, volume 1, pages 1–1, 2016.
[7] J. Chen, W. Diao, Q. Zhao, C. Zuo, Z. Lin, X. Wang, W. C. Lau, M. Sun, R. Yang, and K. Zhang. IoTFuzzer: Discovering memory corruptions in IoT through app-based fuzzing. In NDSS, 2018.
[8] A. Cortesi, M. Hils, T. Kriechbaumer, and contributors. mitmproxy: A free and open source interactive HTTPS proxy, 2010–. [Version 9.0].
[9] B. Feng, A. Mera, and L. Lu. P2IM: Scalable and hardware-independent firmware testing via automatic peripheral interface modeling. In 29th USENIX Security Symposium (USENIX Security 20), pages 1237–1254, 2020.
[10] X. Feng, R. Sun, X. Zhu, M. Xue, S. Wen, D. Liu, S. Nepal, and Y. Xiang. Snipuzz: Black-box fuzzing of IoT firmware via message snippet inference. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pages 337–350, 2021.
[11] Fitblip. Sulley: A pure-Python fully automated and unattended fuzzing framework.
[12] M. Kim, D. Kim, E. Kim, S. Kim, Y. Jang, and Y. Kim. FirmAE: Towards large-scale emulation of IoT firmware for dynamic analysis. In Annual Computer Security Applications Conference, pages 733–745, 2020.
[13] C. Kolias, G. Kambourakis, A. Stavrou, and J. Voas. DDoS in the IoT: Mirai and other botnets. Computer, 50(7):80–84, 2017.
[14] Z. Liu, C. Chen, J. Wang, X. Che, Y. Huang, J. Hu, and Q. Wang. Fill in the blank: Context-aware automated text input generation for mobile GUI testing. arXiv preprint arXiv:2212.04732, 2022.
[15] A. Martin-Lopez, S. Segura, and A. Ruiz-Cortés. Test coverage criteria for RESTful web APIs. In Proceedings of the 10th ACM SIGSOFT International Workshop on Automating TEST Case Design, Selection, and Evaluation, pages 15–21, 2019.
[16] N. Redini, A. Continella, D. Das, G. De Pasquale, N. Spahn, A. Machiry, A. Bianchi, C. Kruegel, and G. Vigna. Diane: Identifying fuzzing triggers in apps to generate under-constrained inputs for IoT devices. In 2021 IEEE Symposium on Security and Privacy (SP), pages 484–500. IEEE, 2021.
[17] X. Wang, Y. Sun, S. Nanda, and X. Wang. Looking from the mirror: Evaluating IoT device security through mobile companion apps. In 28th USENIX Security Symposium (USENIX Security 19), pages 1151–1167, 2019.
[18] M. You, Y. Kim, J. Kim, M. Seo, S. Son, S. Shin, and S. Lee. FuzzDocs: An automated security evaluation framework for IoT. IEEE Access, 2022.
[19] Y. Zheng, A. Davanian, H. Yin, C. Song, H. Zhu, and L. Sun. FIRM-AFL: High-throughput greybox fuzzing of IoT firmware via augmented process emulation. In 28th USENIX Security Symposium (USENIX Security 19), pages 1099–1114, 2019.
[20] W. Zhou, Y. Jia, Y. Yao, L. Zhu, L. Guan, Y. Mao, P. Liu, and Y. Zhang. Discovering and understanding the security hazards in the interactions between IoT devices, mobile apps, and clouds on smart home platforms. In 28th USENIX Security Symposium (USENIX Security 19), pages 1133–1150, 2019.
[21] C. Zuo, W. Wang, Z. Lin, and R. Wang. Automatic forgery of cryptographically consistent messages to identify security vulnerabilities in mobile services. In NDSS, 2016.
dc.identifier.uri: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/88118
dc.description.abstract [zh_TW]: Internet of Things (IoT) devices have become ubiquitous in daily life, which makes their security concerns important. Fuzzing is a common technique for detecting security vulnerabilities in IoT firmware. Among the various types of fuzzing, black-box fuzzing is a relatively effective solution because it requires neither firmware acquisition nor emulation. However, generating valid inputs that the target device will accept is a key problem. Moreover, general mutation strategies are not suited to mutating requests efficiently while keeping the inputs well-structured, because complex data formats are involved.
In this thesis we propose an automated black-box fuzzing framework named APAfuzzer, designed to overcome the problems above. In prior research, obtaining well-structured inputs typically involved heavyweight app analysis or generating seeds from documentation. However, these approaches often struggle to balance effectiveness and automation. By contrast, our work uses the app to generate seeds and packets for mutation, and uses hook functions to intercept the encryption functionality, thereby achieving both effectiveness and automation. We compared APAfuzzer with three state-of-the-art black-box fuzzers, namely Diane, Boofuzz, and Snipuzz. We evaluated our fuzzer on both emulated devices and real devices. The results show that APAfuzzer can trigger known CVE vulnerabilities and discover new ones. Furthermore, compared with the other fuzzers, it shows higher efficiency and successfully triggers more vulnerabilities.
dc.description.abstract [en]: Internet of Things (IoT) devices have become prevalent in everyday life and bring up the importance of security issues. Fuzzing is a popular technique to detect security vulnerabilities in IoT firmware. Among various types of fuzzing, black-box fuzzing is a relatively effective solution because it requires no firmware acquisition or emulation.
However, how to generate valid input that the target device will accept becomes a critical problem. In addition, general mutation strategies are not suitable for efficiently mutating requests while preserving the input structure, due to the complex data formats involved.
In this thesis, we propose an automated black-box fuzzing framework called APAfuzzer to overcome the problems mentioned above. In previous work, achieving well-structured input often involved heavyweight app analysis or the use of documents to generate seeds. However, these approaches often struggle to strike a balance between effectiveness and automation. In contrast, our work utilizes the app to generate seeds and packets for mutation and hooks the encryption functions, allowing us to achieve both effectiveness and automation. We compared APAfuzzer to three state-of-the-art black-box fuzzers, i.e., Diane, Boofuzz, and Snipuzz. We evaluated our fuzzer on both emulated devices and real-world devices. Our results show that APAfuzzer can trigger well-known CVEs and also discover new bugs. Also, compared to the other fuzzers, it demonstrates higher efficiency and successfully triggers more vulnerabilities.
dc.description.provenance [en]: Submitted by admin ntu (admin@lib.ntu.edu.tw) on 2023-08-08T16:22:45Z. No. of bitstreams: 0
dc.description.provenance [en]: Made available in DSpace on 2023-08-08T16:22:45Z (GMT). No. of bitstreams: 0
dc.description.tableofcontents:
Verification Letter from Oral Examination Committee i
Acknowledgements iii
Abstract (Chinese) v
Abstract vii
Contents ix
List of Figures xiii
List of Tables xv
Chapter 1 Introduction 1
Chapter 2 Background & Related Work 5
2.1 Introduction of IoT devices 5
2.1.1 Importance of well-structured requests in IoT fuzzing 5
2.1.2 IoT communication model 6
2.2 Related work 7
2.2.1 App-based fuzzer 7
2.2.2 API-based fuzzer 8
2.3 Goals and Challenges 9
2.4 Motivation 11
Chapter 3 Design 13
3.1 Target and Assumption 13
3.2 Initial seed creation 14
3.2.1 Proxy creation 14
3.2.2 Encryption 15
3.2.3 Certificate unpinning 15
3.3 App analysis 16
3.3.1 Certificate module hooking 16
3.3.2 Cipher module tracing 17
3.3.3 Keyword extraction 17
3.4 Mutator 18
3.4.1 Request clustering 18
3.4.2 Mutation workflow 19
3.4.3 Encrypted component 19
3.4.4 Mutation strategy 20
3.5 Response monitor 21
3.5.1 Response monitor 21
3.5.2 Crash detection 21
Chapter 4 Implementation and Evaluation 23
4.1 Implementation 24
4.2 Dataset and Environment setup 24
4.2.1 Known-bug IoT devices collection 24
4.2.2 Unknown-bug IoT devices collection 25
4.2.3 Environment setup 26
4.2.4 Experiment design 26
4.3 RQ1. Experiment result on emulated devices 27
4.4 RQ2. Experiment result on real-world devices 28
4.5 RQ3. Performance result of each fuzzer 29
Chapter 5 Discussion and Limitations 31
5.1 Discussion 31
5.1.1 APAfuzzer vs. Snipuzz 31
5.1.2 APAfuzzer vs. Diane 32
5.1.3 APAfuzzer vs. Boofuzz 32
5.1.4 Case study: Belkin Wemo smart plug 33
5.2 Limitations 33
5.2.1 Different types of vulnerability 33
5.2.2 Test coverage 34
5.2.3 Custom cryptographic functions 34
5.2.4 Communication mode 34
5.2.5 Manual interaction 35
5.3 Quantifying required manual effort 35
Chapter 6 Conclusion 37
References 39
dc.language.iso: en
dc.subject [zh_TW]: Fuzzing
dc.subject [zh_TW]: IoT
dc.subject [en]: IoT
dc.subject [en]: Fuzzing
dc.title [zh_TW]: IoT Black-Box Fuzzing Guided by App and Packet Analysis
dc.title [en]: IoT Blackbox Fuzzing Guided by App and Packet Analysis
dc.type: Thesis
dc.date.schoolyear: 111-2
dc.description.degree: Master's
dc.contributor.oralexamcommittee [zh_TW]: 黃世昆;黃俊穎;田維誠
dc.contributor.oralexamcommittee [en]: Shih-Kun Huang;Chun-Ying Huang;Wei-Cheng Tian
dc.subject.keyword [zh_TW]: Fuzzing, IoT
dc.subject.keyword [en]: Fuzzing, IoT
dc.relation.page: 41
dc.identifier.doi: 10.6342/NTU202301492
dc.rights.note: Authorized for release (open access worldwide)
dc.date.accepted: 2023-07-18
dc.contributor.author-college: College of Electrical Engineering and Computer Science
dc.contributor.author-dept: Graduate Institute of Networking and Multimedia
Appears in collections: Graduate Institute of Networking and Multimedia

Files in this item:
File: ntu-111-2.pdf, Size: 950.31 kB, Format: Adobe PDF