FuzzPlanner: Visually Assisting the Design of Firmware Fuzzing Campaigns / Coppa, Emilio; Izzillo, Alessio; Lazzeretti, Riccardo; Lenti, Simone. - (2023), pp. 1-11. (Paper presented at the International Workshop on Visualization for Cyber Security, held in Melbourne, Australia) [10.1109/VizSec60606.2023.00007].

FuzzPlanner: Visually Assisting the Design of Firmware Fuzzing Campaigns

Emilio Coppa; Alessio Izzillo; Riccardo Lazzeretti; Simone Lenti
2023

Abstract

Embedded devices are pivotal to many aspects of our everyday life, acting as key elements within our critical infrastructures, the e-health sector, and the IoT ecosystem. These devices ship with custom software, dubbed firmware, whose development may not have followed strict security-by-design guidelines and for which no detailed documentation may be available. Given their critical role, testing their software before deploying them is crucial. Software fuzzing is a popular software testing technique that has proven to be quite effective in the last decade. However, the firmware may contain thousands of subcomponents with unexpected interplays. Moreover, operators may have a tight time budget to perform a security evaluation, requiring focused fuzzing on the most critical subcomponents. Also, considering the lack of accurate documentation for a device, it is quite hard for a security operator to understand what to fuzz and how to fuzz a specific device firmware. In this paper, we present FuzzPlanner, a visual analytics solution that assists security operators during the design of a fuzzing campaign over a device firmware. FuzzPlanner helps the operator identify the best candidates for fuzzing using several innovative visual aids. Our contributions include introducing FuzzPlanner, exploring diverse analytical tools to pinpoint critical binaries, and showing its efficacy with two real-world firmware image scenarios.
International Workshop on Visualization for Cyber Security
firmware analysis; software fuzzing; visual analytics
04 Publication in conference proceedings::04b Conference paper in volume
Files attached to this record

Coppa_FuzzPlanner_2023.pdf
Access: repository administrators only
Type: Publisher's version (published version with the publisher's layout)
License: All rights reserved
Size: 1.72 MB
Format: Adobe PDF

Coppa_postprint_FUZZPLANNER_2023.pdf
Access: open access
Note: DOI 10.1109/VizSec60606.2023.00007
Type: Post-print (version following peer review and accepted for publication)
License: All rights reserved
Size: 2.9 MB
Format: Adobe PDF


Use this identifier to cite or link to this document: https://hdl.handle.net/11573/1705962