SMuF: State machine based mutational fuzzing framework for internet of things

Neeraj Karamchandani; Vinay Sachidananda; Suhas Setikere; Jianying Zhou; Yuval Elovici

doi:10.1007/978-3-030-05849-4_8

SMuF: State machine based mutational fuzzing framework for internet of things

Neeraj Karamchandani, Vinay Sachidananda, Suhas Setikere, Jianying Zhou, Yuval Elovici

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

The Internet of Things (IoT) exposes vulnerabilities at various levels. In this paper, we propose a mutation-based fuzzing framework called SMuF in order to find various vulnerabilities in IoT devices. We harness the power of state machine to generate distinct states of a protocol. In addition, we also generate legitimate packets as levels and sub-levels to intelligently mutate the data fields in the packet. Our mutation technique lies in mutation based on location, context and time. We propose a probability score for selecting the inputs for fuzzing based on payload length. We implemented and evaluated the proposed framework in our IoT security testbed. Using SMuF, we have discovered various vulnerabilities such as Denial of Service (DoS), Buffer Overflow, Session Hijacking etc.

Original language	American English
Title of host publication	Critical Information Infrastructures Security - 13th International Conference, CRITIS 2018, Revised Selected Papers
Editors	Eric Luiijf, Inga Žutautaitė, Bernhard M. Hämmerli
Publisher	Springer Verlag
Pages	101-112
Number of pages	12
ISBN (Print)	9783030058487
DOIs	https://doi.org/10.1007/978-3-030-05849-4_8
State	Published - 1 Jan 2019
Externally published	Yes
Event	13th International Conference on Critical Information Infrastructures Security, CRITIS 2018 - Kaunas, Lithuania Duration: 24 Sep 2018 → 26 Sep 2018

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	11260 LNCS

Conference

Conference	13th International Conference on Critical Information Infrastructures Security, CRITIS 2018
Country/Territory	Lithuania
City	Kaunas
Period	24/09/18 → 26/09/18

Keywords

IoT security
Mutational fuzzing
Vulnerability discovery

All Science Journal Classification (ASJC) codes

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-030-05849-4_8

Cite this

Karamchandani, N., Sachidananda, V., Setikere, S., Zhou, J., & Elovici, Y. (2019). SMuF: State machine based mutational fuzzing framework for internet of things. In E. Luiijf, I. Žutautaitė, & B. M. Hämmerli (Eds.), Critical Information Infrastructures Security - 13th International Conference, CRITIS 2018, Revised Selected Papers (pp. 101-112). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11260 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-030-05849-4_8

Karamchandani, Neeraj ; Sachidananda, Vinay ; Setikere, Suhas et al. / SMuF : State machine based mutational fuzzing framework for internet of things. Critical Information Infrastructures Security - 13th International Conference, CRITIS 2018, Revised Selected Papers. editor / Eric Luiijf ; Inga Žutautaitė ; Bernhard M. Hämmerli. Springer Verlag, 2019. pp. 101-112 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{f0fc974bf8fe4dff8a46db1d2196b34f,

title = "SMuF: State machine based mutational fuzzing framework for internet of things",

abstract = "The Internet of Things (IoT) exposes vulnerabilities at various levels. In this paper, we propose a mutation-based fuzzing framework called SMuF in order to find various vulnerabilities in IoT devices. We harness the power of state machine to generate distinct states of a protocol. In addition, we also generate legitimate packets as levels and sub-levels to intelligently mutate the data fields in the packet. Our mutation technique lies in mutation based on location, context and time. We propose a probability score for selecting the inputs for fuzzing based on payload length. We implemented and evaluated the proposed framework in our IoT security testbed. Using SMuF, we have discovered various vulnerabilities such as Denial of Service (DoS), Buffer Overflow, Session Hijacking etc.",

keywords = "IoT security, Mutational fuzzing, Vulnerability discovery",

author = "Neeraj Karamchandani and Vinay Sachidananda and Suhas Setikere and Jianying Zhou and Yuval Elovici",

note = "Publisher Copyright: {\textcopyright} 2019, Springer Nature Switzerland AG.; 13th International Conference on Critical Information Infrastructures Security, CRITIS 2018 ; Conference date: 24-09-2018 Through 26-09-2018",

year = "2019",

month = jan,

day = "1",

doi = "10.1007/978-3-030-05849-4_8",

language = "American English",

isbn = "9783030058487",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "101--112",

editor = "Eric Luiijf and Inga {\v Z}utautaitė and H{\"a}mmerli, {Bernhard M.}",

booktitle = "Critical Information Infrastructures Security - 13th International Conference, CRITIS 2018, Revised Selected Papers",

address = "Germany",

}

Karamchandani, N, Sachidananda, V, Setikere, S, Zhou, J & Elovici, Y 2019, SMuF: State machine based mutational fuzzing framework for internet of things. in E Luiijf, I Žutautaitė & BM Hämmerli (eds), Critical Information Infrastructures Security - 13th International Conference, CRITIS 2018, Revised Selected Papers. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 11260 LNCS, Springer Verlag, pp. 101-112, 13th International Conference on Critical Information Infrastructures Security, CRITIS 2018, Kaunas, Lithuania, 24/09/18. https://doi.org/10.1007/978-3-030-05849-4_8

SMuF: State machine based mutational fuzzing framework for internet of things. / Karamchandani, Neeraj; Sachidananda, Vinay; Setikere, Suhas et al.
Critical Information Infrastructures Security - 13th International Conference, CRITIS 2018, Revised Selected Papers. ed. / Eric Luiijf; Inga Žutautaitė; Bernhard M. Hämmerli. Springer Verlag, 2019. p. 101-112 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11260 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - SMuF

T2 - 13th International Conference on Critical Information Infrastructures Security, CRITIS 2018

AU - Karamchandani, Neeraj

AU - Sachidananda, Vinay

AU - Setikere, Suhas

AU - Zhou, Jianying

AU - Elovici, Yuval

PY - 2019/1/1

Y1 - 2019/1/1

N2 - The Internet of Things (IoT) exposes vulnerabilities at various levels. In this paper, we propose a mutation-based fuzzing framework called SMuF in order to find various vulnerabilities in IoT devices. We harness the power of state machine to generate distinct states of a protocol. In addition, we also generate legitimate packets as levels and sub-levels to intelligently mutate the data fields in the packet. Our mutation technique lies in mutation based on location, context and time. We propose a probability score for selecting the inputs for fuzzing based on payload length. We implemented and evaluated the proposed framework in our IoT security testbed. Using SMuF, we have discovered various vulnerabilities such as Denial of Service (DoS), Buffer Overflow, Session Hijacking etc.

AB - The Internet of Things (IoT) exposes vulnerabilities at various levels. In this paper, we propose a mutation-based fuzzing framework called SMuF in order to find various vulnerabilities in IoT devices. We harness the power of state machine to generate distinct states of a protocol. In addition, we also generate legitimate packets as levels and sub-levels to intelligently mutate the data fields in the packet. Our mutation technique lies in mutation based on location, context and time. We propose a probability score for selecting the inputs for fuzzing based on payload length. We implemented and evaluated the proposed framework in our IoT security testbed. Using SMuF, we have discovered various vulnerabilities such as Denial of Service (DoS), Buffer Overflow, Session Hijacking etc.

KW - IoT security

KW - Mutational fuzzing

KW - Vulnerability discovery

UR - http://www.scopus.com/inward/record.url?scp=85059939192&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-05849-4_8

DO - 10.1007/978-3-030-05849-4_8

M3 - Conference contribution

SN - 9783030058487

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 101

EP - 112

BT - Critical Information Infrastructures Security - 13th International Conference, CRITIS 2018, Revised Selected Papers

A2 - Luiijf, Eric

A2 - Žutautaitė, Inga

A2 - Hämmerli, Bernhard M.

PB - Springer Verlag

Y2 - 24 September 2018 through 26 September 2018

ER -

Karamchandani N, Sachidananda V, Setikere S, Zhou J, Elovici Y. SMuF: State machine based mutational fuzzing framework for internet of things. In Luiijf E, Žutautaitė I, Hämmerli BM, editors, Critical Information Infrastructures Security - 13th International Conference, CRITIS 2018, Revised Selected Papers. Springer Verlag. 2019. p. 101-112. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-030-05849-4_8

SMuF: State machine based mutational fuzzing framework for internet of things

Abstract

Publication series

Conference

Keywords

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this