Novel approaches for IoT and Embedded Device Fuzzing and its Evaluation
Maialen Eceiza Olaizola
- DIRECTORS: Jose Luis Flores and Mikel Iturbe
- UNIVERSITY: Mondragon Unibertsitatea
Embedded systems are devices capable of creating, transforming, and sending data autonomously. In recent years their presence has increased significantly, and today they can be found in several areas such as transport, energy, or industry. As a result, each of these areas has its security requirements. Additionally, the resources of the individual devices also influence how they can be secured, making this process very challenging in the case of systems with fewer resources. Hence, it is crucial to find vulnerabilities before the end of the development phase. One testing technique that allows vulnerabilities to be detected automatically is fuzzing. This technique makes it possible to introduce various inputs generated with different methods into the system and find vulnerabilities by monitoring the system outputs. The contributions of the thesis are as follows. First, an analysis of the state of the art of fuzzing has been carried out, and the different embedded systems that can be found have been analyzed and classified. The features that a fuzzer should fulfill to work correctly with embedded systems have been detected. Then, the second contribution of the thesis has been to design and develop an experimentation test-bench that includes embedded systems of different types. The following contribution is an evaluation methodology that allows for objectively evaluating fuzzing algorithms, knowing the metrics to be measured, to know which fuzzer gives the best results. After this, a proof of concept was conducted to see the feasibility of using physical signals in the fuzzing field. Finally, as current and future work, this technique is being implemented to detect vulnerabilities in embedded systems. This document describes the work that has been done during the thesis to find the features that a fuzzer must meet to be compatible with embedded systems with fewer resources. The thesis is organized as follows. First, there is a brief introduction, together with the thesis’ hypotheses and objectives. Then, state of the art is described, and after that, the contributions are presented. Finally, the work is concluded, and possible future steps are explained.