SHFuzz: Service handler-aware fuzzing for detecting multi-type vulnerabilities in embedded devices

Cited by: 0
Authors
Li, Xixing [1 ]
Zhao, Lei [2 ,3 ]
Wei, Qiang [1 ]
Wu, Zehui [1 ]
Shi, Weiming [4 ]
Wang, Yunchao [1 ]
Affiliations
[1] Natl Digital Switching Syst Engn & Technol Res Ctr, Zhengzhou, Peoples R China
[2] Wuhan Univ, Sch Cyber Sci & Engn, Wuhan, Peoples R China
[3] Minist Educ, Key Lab Aerosp Informat Secur & Trusted Comp, Wuhan, Peoples R China
[4] Chaitin Secur Res Lab, Beijing, Peoples R China
Funding
National Natural Science Foundation of China;
Keywords
Fuzzing; Embedded devices; Vulnerabilities;
DOI
10.1016/j.cose.2023.103618
Chinese Library Classification
TP [Automation technology, computer technology];
Discipline code
0812 ;
Abstract
Embedded devices in the IoT are of great convenience to our daily lives and industries, but they also introduce multi-type vulnerabilities. Most of these vulnerabilities reside in the various handlers of a service program. However, existing fuzzing methods can neither efficiently nor effectively discover them: they cannot extract the service handlers alone and properly pool resources for testing them. In this study, we propose a novel service-handler-aware fuzzing method to efficiently discover multi-type vulnerabilities in embedded devices. Our key observation is that a service program dispatches its service handlers (the code snippets that implement the work requested by the user) in two general ways. Meanwhile, multi-type vulnerabilities usually occur at sensitive APIs during the execution of a service handler. So in our method, we first design a static analysis method to extract information about service handlers and sensitive APIs. Then, during fuzzing, a service handler coverage strategy guides the fuzzer to cover more service handlers; once sensitive APIs are reached, a sensitive API exploitation strategy strengthens the ability and efficiency of vulnerability discovery. Based on our method, we implement a prototype system named SHFuzz. Experiments on 19 target programs from popular brand devices show that SHFuzz outperforms the state-of-the-art tool FIRM-AFL in the coverage of sensitive APIs, the diversity of detected vulnerabilities, and efficiency. Furthermore, SHFuzz discovers 16 zero-day vulnerabilities and reports them to vendors.
Pages: 15