Embedded devices are pivotal to many aspects of our everyday life, acting as key elements of our critical infrastructures, the e-health sector, and the IoT ecosystem. These devices ship with custom software, dubbed firmware, whose development may not have followed strict security-by-design guidelines and for which no detailed documentation may be available. Given their critical role, testing their software before deployment is crucial. Software fuzzing is a popular software testing technique that has proven quite effective over the last decade. However, a firmware image may contain thousands of subcomponents with unexpected interplays. Moreover, operators may have a tight time budget for a security evaluation, requiring fuzzing to be focused on the most critical subcomponents. Also, given the lack of accurate documentation for a device, it is quite hard for a security operator to understand what to fuzz and how to fuzz a specific device firmware. In this paper, we present FuzzPlanner, a visual analytics solution that supports security operators in designing a fuzzing campaign over a device firmware. FuzzPlanner helps the operator identify the best candidates for fuzzing using several innovative visual aids. Our contributions include introducing FuzzPlanner, exploring diverse analytical tools to pinpoint critical binaries, and showing its efficacy in two real-world firmware image scenarios.
FuzzPlanner: Visually Assisting the Design of Firmware Fuzzing Campaigns / Coppa, Emilio; Izzillo, Alessio; Lazzeretti, Riccardo; Lenti, Simone. - Proceedings of the 20th IEEE Symposium on Visualization for Cyber Security (VIZSEC 2023), (2023), pp. - (IEEE Symposium on Visualization for Cyber Security (VIZSEC), Melbourne, Australia, 22 October 2023). [10.1109/VizSec60606.2023.00007].
FuzzPlanner: Visually Assisting the Design of Firmware Fuzzing Campaigns
Emilio Coppa
2023
File | Size | Format
---|---|---
main.pdf (Open Access; description: accepted article; type: post-print; license: all rights reserved) | 2.89 MB | Adobe PDF