Please use this identifier to cite or link to this item: https://hdl.handle.net/10356/184111
Title: Improving firmware fuzzing through automated seed generation
Authors: Lim, Wei Zi
Keywords: Computer and Information Science
Issue Date: 2025
Publisher: Nanyang Technological University
Source: Lim, W. Z. (2025). Improving firmware fuzzing through automated seed generation. Final Year Project (FYP), Nanyang Technological University, Singapore. https://hdl.handle.net/10356/184111
Project: SCSE24-438
Abstract: Within the past decade, the rate of internet penetration has drastically increased, resulting in wider adoption of the Internet of Things approach in many aspects of everyday life. This has resulted in the digitization of analog machines, devices and components: everything from lightbulbs and remote cameras to CNC machines may now operate on dedicated firmware linking them to a wider local area network. This opens the possibility of them being vectors for cyberattacks aimed at vulnerable firmware. Thus, the necessity of fuzzing IoT firmware to detect and patch possible zero-days (in particular in network components such as routers and switches) will become as prevalent as the spread of IoT devices. In this project, exported router firmware images have been provided (through Greenhouse) for automated seed generation, and gh3fuzz and AFL++ (gh3fuzz being a fuzzing harness for AFL++) are used to fuzz these firmware images with 4 sets of seeds, namely: the default seeds provided, Wireshark-selected seeds (manual), and the aforementioned 'automatically-generated' stateless and stateful seeds, for which the Katana crawler integrated with Python scripts is used. Following this, the paper compares the fuzzing results from these four kinds of seeds on factors such as the number of unique crashes detected, and provides extensive details and documentation explaining how the fuzzing tools work and how to set them up, with the overall goal of improving the process of fuzzing IoT firmware through automated seed generation. In total, the automated approach to seed generation provided a comparable to marginally higher number of crash-causing inputs for 3 out of the 4 images fuzzed, when compared to both default and manual seeds combined.
URI: https://hdl.handle.net/10356/184111
Schools: College of Computing and Data Science 
Fulltext Permission: restricted
Fulltext Availability: With Fulltext
Appears in Collections: CCDS Student Reports (FYP/IA/PA/PI)

Files in This Item:
File: LimWeiZi_FYP_0438_section_3_1_3_gh3fuzz_bootup.zip (Restricted Access); Description: Contains files / data referenced in report; Size: 620 B; Format: Unknown
File: LimWeiZi_FYP_0438_section_3_1_12_fuzz_sh_j2_reconfig.zip (Restricted Access); Description: Contains files / data referenced in report; Size: 1.7 kB; Format: Unknown
File: LimWeiZi_FYP_0438_section_3_2_4_stateful_files.zip (Restricted Access); Description: Contains files / data referenced in report; Size: 3.66 kB; Format: Unknown
File: LimWeiZi_FYP_0438_section_4_crash_results.zip (Restricted Access); Description: Contains files / data referenced in report; Size: 332.98 kB; Format: Unknown
File: LimWeiZi_FYP_0438_section_4_crash_inputs.zip (Restricted Access); Description: Contains files / data referenced in report; Size: 17.2 MB; Format: Unknown
File: Ammended_FYP_Final_Report_LimWeiZi.pdf (Restricted Access); Description: FYP Report; Size: 5.93 MB; Format: Adobe PDF

Items in DR-NTU are protected by copyright, with all rights reserved, unless otherwise indicated.