scholarly journals FirmHunter: State-Aware and Introspection-Driven Grey-Box Fuzzing towards IoT Firmware

2021 ◽  
Vol 11 (19) ◽  
pp. 9094
Author(s):  
Qidi Yin ◽  
Xu Zhou ◽  
Hangwei Zhang
Keyword(s):  
Web Application ◽  
State Of The Art ◽  
Test Cases ◽  
Security Testing ◽  
Iot Security ◽  
Web Interfaces ◽  
Ip Camera ◽  
Vulnerability Discovery ◽  
Iot Devices ◽  
The Web

IoT devices are exponentially increasing in all aspects of our lives. Via the web interfaces of IoT devices, attackers can control IoT devices by exploiting their vulnerabilities. In order to guarantee IoT security, testing these IoT devices to detect vulnerabilities is very important. In this work, we present FirmHunter, an automated state-aware and introspection-driven grey-box fuzzer towards Linux-based firmware images on the basis of emulation. It employs a message-state queue to overcome the dependency problem in test cases. Furthermore, it implements a scheduler collecting execution information from system introspection to drive fuzzing towards more interesting test cases, which speeds up vulnerability discovery. We evaluate FirmHunter by emulating and fuzzing eight firmware images including seven routers and one IP camera with a state-of-the-art IoT fuzzer FirmFuzz and a web application scanner ZAP. Our evaluation results show that (1) the message-state queue enables FirmHunter to parse the dependencies in test cases and find real-world vulnerabilities that other fuzzers cannot detect; (2) our scheduler accelerates the discovery of vulnerabilities by an average of 42%; and (3) FirmHunter is able to find unknown vulnerabilities.

scholarly journals SIoTFuzzer: Fuzzing Web Interface in IoT Firmware via Stateful Message Generation

2021 ◽  
Vol 11 (7) ◽  
pp. 3120
Author(s):  
Hangwei Zhang ◽  
Kai Lu ◽  
Xu Zhou ◽  
Qidi Yin ◽  
Pengfei Wang ◽  
...  
Keyword(s):  
Cyber Attacks ◽  
Test Case ◽  
Detection Mechanism ◽  
Web Interfaces ◽  
Ip Camera ◽  
Valid Test ◽  
Iot Devices ◽  
Status Analysis ◽  
Web Management ◽  
The Web

Cyber attacks against the web management interface of Internet of Things (IoT) devices often have serious consequences. Current research uses fuzzing technologies to test the web interfaces of IoT devices. These IoT fuzzers generate messages (a test case sent from the client to the server to test its functionality) without considering their dependency, which is unlikely to bypass the early check of the server. These invalid test cases significantly reduce the efficiency of fuzzing. To overcome this problem, we propose a stateful message generation (SMG) mechanism for IoT web fuzzing. SMG addresses two problems in IoT fuzzing. First, we retrieve the message dependency by using web front-end analysis and status analysis. These dependent messages, which can easily bypass the server check, are used as a valid seed. Second, we adopt a multi-message seed format to preserve the dependency of the messages when mutating the seed to get a valid test case, so that the test case can bypass the state check of the server to make a valid test. Message dependency preservation is implemented by our proposed parameter mutation and structural mutation methods. We implement SMG in our IoT fuzzer, SIoTFuzzer, which applies IoT firmware on the latest Linux-based simulation tool, FirmAE. We test nine IoT devices including a router and an IP camera and adopt a vulnerability detection mechanism. Our evaluation results show that (1) SIoTFuzzer is capable of finding real-world vulnerabilities in IoT devices; (2) our SMG is effective as it enables Boofuzz (a popular protocol fuzzer) to find command injection and cross-site scripting (XSS) vulnerabilities; and (3) compared to FirmFuzz, SIoTFuzzer found all the vulnerabilities in our benchmarks, while FirmFuzz found only four—the efficiency of our tool increased by 20.57% on average.

scholarly journals A Sign of Things to Come: Predicting the Perception of Above-the-Fold Time in Web Browsing

2021 ◽  
Vol 13 (2) ◽  
pp. 50
Author(s):  
Hamed Z. Jahromi ◽  
Declan Delaney ◽  
Andrew Hines
Keyword(s):  
Web Application ◽  
Web Applications ◽  
State Of The Art ◽  
Influencing Factor ◽  
The State ◽  
Experimental Result ◽  
Web Page ◽  
To Come ◽  
Web Quality ◽  
The Web

Content is a key influencing factor in Web Quality of Experience (QoE) estimation. A web user’s satisfaction can be influenced by how long it takes to render and visualize the visible parts of the web page in the browser. This is referred to as the Above-the-fold (ATF) time. SpeedIndex (SI) has been widely used to estimate perceived web page loading speed of ATF content and a proxy metric for Web QoE estimation. Web application developers have been actively introducing innovative interactive features, such as animated and multimedia content, aiming to capture the users’ attention and improve the functionality and utility of the web applications. However, the literature shows that, for the websites with animated content, the estimated ATF time using the state-of-the-art metrics may not accurately match completed ATF time as perceived by users. This study introduces a new metric, Plausibly Complete Time (PCT), that estimates ATF time for a user’s perception of websites with and without animations. PCT can be integrated with SI and web QoE models. The accuracy of the proposed metric is evaluated based on two publicly available datasets. The proposed metric holds a high positive Spearman’s correlation (rs=0.89) with the Perceived ATF reported by the users for websites with and without animated content. This study demonstrates that using PCT as a KPI in QoE estimation models can improve the robustness of QoE estimation in comparison to using the state-of-the-art ATF time metric. Furthermore, experimental result showed that the estimation of SI using PCT improves the robustness of SI for websites with animated content. The PCT estimation allows web application designers to identify where poor design has significantly increased ATF time and refactor their implementation before it impacts end-user experience.

Morpheus Web Testing: A Tool for Generating Test Cases for Widget Based Web Applications

2021 ◽  
Author(s):  
Romulo de Almeida Neves ◽  
Willian Massami Watanabe ◽  
Rafael Oliveira
Keyword(s):  
User Interfaces ◽  
Web Application ◽  
Web Applications ◽  
Test Cases ◽  
Code Coverage ◽  
Web Testing ◽  
The Cost ◽  
Software Lifecycle ◽  
The Web

Context: Widgets are reusable User Interfaces (UIs) components frequently delivered in Web applications.In the web application, widgets implement different interaction scenarios, such as buttons, menus, and text input.Problem: Tests are performed manually, so the cost associated with preparing and executing test cases is high.Objective: Automate the process of generating functional test cases for web applications, using intermediate artifacts of the web development process that structure widgets in the web application. The goal of this process is to ensure the quality of the software, reduce overall software lifecycle time and the costs associated with tests.Method:We elaborated a test generation strategy and implemented this strategy in a tool, Morpheus Web Testing. Morpheus Web Testing extracts widget information from Java Server Faces artifacts to generate test cases for JSF web applications. We conducted a case study for comparing Morpheus Web Testing with a state of the art tool (CrawlJax).Results: The results indicate evidence that the approach Morpheus Web Testing managed to reach greater code coverage compared to a CrawlJax.Conclusion: The achieved coverage values represent evidence that the results obtained from the proposed approach contribute to the process of automated test software engineering in the industry.

Security Vulnerabilities, Threats, and Attacks in IoT and Big Data

2020 ◽  
pp. 141-167
Author(s):  
Prabha Selvaraj ◽  
Sumathi Doraikannan ◽  
Vijay Kumar Burugari
Keyword(s):  
Big Data ◽  
Case Studies ◽  
Big Data Analytics ◽  
Cloud Services ◽  
Web Interface ◽  
Security Vulnerabilities ◽  
New Techniques ◽  
Iot Security ◽  
Web Interfaces ◽  
The Web

Big data and IoT has its impact on various areas like science, health, engineering, medicine, finance, business, and mainly, the society. Due to the growth in security intelligence, there is a requirement for new techniques which need big data and big data analytics. IoT security does not alone deal with the security of the device, but it also has to care about the web interfaces, cloud services, and other devices that interact with it. There are many techniques used for addressing challenges like privacy of individuals, inference, and aggregation, which makes it possible to re-identify individuals' even though they are removed from a dataset. It is understood that a few security vulnerabilities could lead to insecure web interface. This chapter discusses the challenges in security and how big data can be used for it. It also analyzes the various attacks and threat modeling in detail. Two case studies in two different areas are also discussed.

VoiceWeb

2011 ◽  
pp. 340-359 ◽  
Author(s):  
Dimitris Spiliotopoulos ◽  
Georgios Kouroupetroglou ◽  
Pepi Stavropoulou
Keyword(s):  
Resource Management ◽  
Web Application ◽  
State Of The Art ◽  
Theoretical Perspective ◽  
Usability Evaluation ◽  
Design Issues ◽  
Web Interfaces ◽  
Conversational Interfaces ◽  
Hands On ◽  
Technical Issues

This chapter presents the state-of-the-art in usability issues and methodologies for VoiceWeb interfaces. It undertakes a theoretical perspective to the usability methodology and provides a framework description for creating and testing usable content and applications for conversational interfaces. The methodologies and their uses are discussed as well as certain technical issues that are of specific importance for each type of system. Moreover, it discusses the hands-on approaches for applying usability methodologies in a spoken dialogue web application environment, including methodological and design issues, resource management, implementation using existing technologies for usability evaluation in several stages of the design and deployment. Finally, the challenging usability issues and parameters of the emerging advanced speech-enabled web interfaces are presented.

scholarly journals A Host-Based Anomaly Detection Framework Using XGBoost and LSTM for IoT Devices

2020 ◽  
Vol 2020 ◽  
pp. 1-13
Author(s):  
Xiali Wang ◽  
Xiang Lu
Keyword(s):  
Anomaly Detection ◽  
Detection System ◽  
Gradient Boosting ◽  
System Call ◽  
Iot Security ◽  
Extreme Gradient Boosting ◽  
Ip Camera ◽  
Iot Devices ◽  
System Call Sequences ◽  
Abnormal Behaviors

The Internet of Things (IoT) is rapidly spreading in various application scenarios through its salient features in ubiquitous device connections, ranging from agriculture and industry to transportation and other fields. As the increasing spread of IoT applications, IoT security is gradually becoming one of the most significant issues to guard IoT devices against various cybersecurity threats. Usually, IoT devices are the main components responsible for sensing, computing, and transmitting; in this case, how to efficiently protect the IoT device itself away from cyber attacks, like malware, virus, and worm, becomes the vital point in IoT security. This paper presents a brand new architecture of intrusion detection system (IDS) for IoT devices, which is designed to identify device- or host-oriented attacks in a lightweight manner in consideration of limited computation resources on IoT devices. To this end, in this paper, we propose a stacking model to couple the Extreme Gradient Boosting (XGBoost) model and the Long Short-Term Memory (LSTM) model together for the abnormal state analysis on the IoT devices. More specifically, we adopt the system call sequence as the indicators of abnormal behaviors. The collected system call sequences are firstly processed by the famous n-gram model, which is a common method used for host-based intrusion detections. Then, the proposed stacking model is used to identify abnormal behaviors hidden in the system call sequences. To evaluate the performance of the proposed model, we establish a real-setting IP camera system and place several typical IoT attacks on the victim IP camera. Extensive experimental evaluations show that the stacking model has outperformed other existing anomaly detection solutions, and we are able to achieve a 0.983 AUC score in real-world data. Numerical testing demonstrates that the XGBoost-LSTM stacking model has excellent performance, stability, and the ability of generalization.

Automated security testing for web applications on industrial automation and control systems

2019 ◽  
Vol 67 (5) ◽  
pp. 383-401
Author(s):  
Steffen Pfrang ◽  
Anne Borcherding ◽  
David Meier ◽  
Jürgen Beyerer
Keyword(s):  
Control Systems ◽  
Cyber Security ◽  
Web Application ◽  
Web Applications ◽  
Security Testing ◽  
Industrial Automation ◽  
Local Networks ◽  
Automation And Control ◽  
And Control ◽  
The Web

Abstract Industrial automation and control systems (IACS) play a key role in modern production facilities. On the one hand, they provide real-time functionality to the connected field devices. On the other hand, they get more and more connected to local networks and the internet in order to facilitate use cases promoted by “Industrie 4.0”. A lot of IACS are equipped with web servers that provide web applications for configuration and management purposes. If an attacker gains access to such a web application operated on an IACS, he can exploit vulnerabilities and possibly interrupt the critical automation process. Cyber security research for web applications is well-known in the office IT. There exist a lot of best practices and tools for testing web applications for different kinds of vulnerabilities. Security testing targets at discovering those vulnerabilities before they can get exploited. In order to enable IACS manufacturers and integrators to perform security tests for their devices, ISuTest was developed, a modular security testing framework for IACS. This paper provides a classification of known types of web application vulnerabilities. Therefore, it makes use of the worst direct impact of a vulnerability. Based on this analysis, a subset of open-source vulnerability scanners to detect such vulnerabilities is selected to be integrated into ISuTest. Subsequently, the integration is evaluated. This evaluation is twofold: At first, willful vulnerable web applications are used. In a second step, seven real IACS, like a programmable logic controller, industrial switches and cloud gateways, are used. Both evaluation steps start with the manual examination of the web applications for vulnerabilities. They conclude with an automated test of the web applications using the vulnerability scanners automated by ISuTest. The results show that the vulnerability scanners detected 53 % of the existing vulnerabilities. In a former study using commercial vulnerability scanners, 54 % of the security flaws could be found. While performing the analysis, 45 new vulnerabilities were detected. Some of them did not only break the web server but crashed the whole IACS, stopping the critical automation process. This shows that security testing is crucial in the industrial domain and needs to cover all services provided by the devices.

scholarly journals SURVEY PAPER ON IOT ATTACKS AND ITS PREVENTION MECHANISMS

2020 ◽  
Vol 3 (2) ◽  
pp. 38-41
Author(s):  
Anand Mohan
Keyword(s):  
State Of The Art ◽  
Security Architecture ◽  
Iot Security ◽  
Survey Paper ◽  
Security Issues ◽  
Prevention Techniques ◽  
Iot Devices

IoT has turned into an amazing system of worldwide and worldwide changes, including numerous internet advisors, interchanges, and information trade. This paper presents state-of-the-art background, introduction, characteristics, challenges, threats, attacks, related work, and security architecture and research limitation of IoT technology. This paper discusses key security issues and attacks over different layers of IOT along with its existing prevention techniques. This paper deals with the security of services used in IoT. In detail, IoT devices are mentioned in this paper, which are the premise of IoT and their significance. In addition, IoT Security Architecture highlights some recent studies. This paper is far from comprehensive and mainly focuses on attacks and IoT devices prevention mechanism and covers related discussion and arguments.

scholarly journals Failure Detection Algorithm for Testing Dynamic Web Applications

2017 ◽  
pp. 37-41
Author(s):  
J. Vijaya Sagar Reddy ◽  
G. Ramesh
Keyword(s):  
Web Sites ◽  
Experimental Evaluation ◽  
Web Application ◽  
Web Applications ◽  
Failure Detection ◽  
Detection Algorithm ◽  
The Internet ◽  
Test Cases ◽  
Dynamic Web ◽  
The Web

Web applications are the most widely used software in the internet. When a web application is developed and deployed in the real environment, It is very severe if any bug found by the attacker or the customer or the owner of the web application. It is the very important to do the proper pre-analysis testing before the release. It is very costly thing if the proper testing of web application is not done at the development location and any bug found at the customer location. For web application testing the existing systems such as DART, Cute and EXE are available. These tools generate test cases by executing the web application on concrete user inputs. These tools are best suitable for testing static web sites and are not suitable for dynamic web applications. The existing systems needs user inputs for generating the test cases. It is most difficult thing for the human being to provide dynamic inputs for all the possible cases. This paper presents algorithms and implementation, and an experimental evaluation that revealed HTML Failures, Execution Failures, Includes in PHP Web applications.

Towards Testing Web Applications: A PFSM-Based Approach

2011 ◽  
Vol 204-210 ◽  
pp. 220-224 ◽  
Author(s):  
Zhong Sheng Qian ◽  
Huai Kou Miao
Keyword(s):  
Web Application ◽  
Significant Contribution ◽  
Web Applications ◽  
Test Cases ◽  
Testing Method ◽  
Web Testing ◽  
Execution Frequency ◽  
Different Parts ◽  
The Web

To ensure the quality of Web applications, Web testing is one of the effective methods. This paper proposes a Web usage model based on probable FSM (PFSM) which provides a way to derive the test cases for a Web application. The testing process is based on the idea that different parts of the Web application have different execution frequency. This testing method is a significant contribution to informed research.

Sign in / Sign up

Export Citation Format

Share Document