Finding Sands in the Eyes: Vulnerabilities Discovery in IoT With EUFuzzer on Human Machine Interface

In supervisory control and data acquisition (SCADA) systems and the Internet of Things (IoT), the human machine interface (HMI) performs data acquisition and control, giving operators a view of the whole plant and the means to monitor and interact with the system. Compromise of the HMI results in loss of view (LoV): the state of the whole system becomes invisible to operators. In the worst case, adversaries can manipulate control commands through the HMI to damage the physical plant. HMIs often rely on poorly understood proprietary protocols that are time-sensitive and usually keep a persistent connection open for hours or even days. Together these factors make vulnerability discovery on HMIs a tough job. In this paper, we present EUFuzzer, a novel fuzzing tool that assists testers in HMI vulnerability discovery. EUFuzzer first identifies the packet fields of the specific protocol and classifies every field into one of four types, and then applies a comparatively efficient fuzzing method to test the HMI. The experimental results show that EUFuzzer is capable of identifying packet fields and revealing bugs. EUFuzzer also triggered flaws in an actual proprietary SCADA protocol implementation on an HMI; the SCADA software vendor confirmed that four of them were zero-day vulnerabilities and has taken measures to patch them.
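As an added illustration (not EUFuzzer's own code, which the abstract does not show), the following sketches why field identification matters before fuzzing a persistent HMI session: fields are labelled from a handful of captures, and only the non-structural bytes are mutated while counters and length bytes are re-stamped so the frame is not rejected at the first parser check. The four labels used here (constant, counter, length, free) and the sample frame layout are assumptions, since the abstract does not name EUFuzzer's four field types.

```python
# Constructed captures of a hypothetical HMI polling protocol (assumed layout):
# magic(2) | seq(1) | cmd(1) | len(1) | payload(len)
SAMPLES = [
    bytes.fromhex("aa55" "01" "03" "02" "1122"),
    bytes.fromhex("aa55" "02" "03" "03" "334455"),
    bytes.fromhex("aa55" "03" "10" "01" "ff"),
]
HEADER_LEN = 5

def classify_fields(samples, header_len):
    """Label each header byte offset by how it behaves across captures."""
    labels = []
    for off in range(header_len):
        values = [s[off] for s in samples]
        if len(set(values)) == 1:
            labels.append("constant")          # magic / fixed protocol bytes
        elif all(values[i + 1] - values[i] == 1 for i in range(len(values) - 1)):
            labels.append("counter")           # sequence number, must stay valid
        elif all(v == len(s) - header_len for v, s in zip(values, samples)):
            labels.append("length")            # payload length, must stay consistent
        else:
            labels.append("free")              # e.g. command code: worth mutating
    return labels

def _finalize(hdr, payload, labels, seq):
    """Re-stamp structural fields so the mutated frame still parses."""
    for off, label in enumerate(labels):
        if label == "counter":
            hdr[off] = seq & 0xFF
        elif label == "length":
            hdr[off] = len(payload) & 0xFF
    return bytes(hdr) + payload

def fuzz_cases(template, labels, header_len, seq):
    """Mutate only 'free' header bytes, then add one oversized payload case
    whose length byte is consistent, so a parser copying 'len' bytes into a
    fixed buffer is exercised rather than short-circuited."""
    cases = []
    payload = template[header_len:]
    for off, label in enumerate(labels):
        if label != "free":
            continue
        for v in (0x00, 0x7F, 0xFF):
            hdr = bytearray(template[:header_len])
            hdr[off] = v
            cases.append(_finalize(hdr, payload, labels, seq))
    cases.append(_finalize(bytearray(template[:header_len]), b"A" * 200, labels, seq))
    return cases
```

Each generated frame keeps the magic bytes, carries the next expected sequence number and a length byte matching its payload, which is what lets a long-lived HMI session accept it for testing instead of dropping the connection.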
