FuzzPlanner: Visually Assisting the Design of Firmware Fuzzing Campaigns / Coppa, Emilio; Izzillo, Alessio; Lazzeretti, Riccardo; Lenti, Simone. - Proceedings of the 20th IEEE Symposium on Visualization for Cyber Security (VIZSEC 2023), (2023), pp. - (IEEE Symposium on Visualization for Cyber Security (VIZSEC), Melbourne, Australia, 22 October 2023). [10.1109/VizSec60606.2023.00007].

FuzzPlanner: Visually Assisting the Design of Firmware Fuzzing Campaigns

Emilio Coppa;
2023

Abstract

Embedded devices are pivotal in many aspects of our everyday life, acting as key elements within our critical infrastructures, the e-health sector, and the IoT ecosystem. These devices ship with custom software, dubbed firmware, whose development may not have followed strict security-by-design guidelines and for which no detailed documentation may be available. Given their critical role, testing their software before deploying them is crucial. Software fuzzing is a popular software testing technique that has proven quite effective over the last decade. However, a firmware image may contain thousands of subcomponents with unexpected interplays. Moreover, operators may have a tight time budget to perform a security evaluation, requiring focused fuzzing on the most critical subcomponents. Also, given the lack of accurate documentation for a device, it is quite hard for a security operator to understand what to fuzz and how to fuzz a specific device firmware. In this paper, we present FuzzPlanner, a visual analytics solution that supports security operators during the design of a fuzzing campaign over a device firmware. FuzzPlanner helps the operator identify the best candidates for fuzzing using several innovative visual aids. Our contributions include introducing FuzzPlanner, exploring diverse analytical tools to pinpoint critical binaries, and showing its efficacy with two real-world firmware image scenarios.
Files in this item:
File Size Format
main.pdf

Open Access

Description: Accepted article
Type: Post-print document
License: All rights reserved
Size 2.89 MB
Format Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11385/236305
Citations
  • Scopus 0