"Identifying Software Vulnerabilities Quickly and Efficiently"

Fuzzware is a new system developed by researchers at Ruhr University Bochum's Horst Görtz Institute for Information Technology (IT) Security that specializes in analyzing embedded systems, the minicomputers found in smart light bulbs, intelligent thermostats, Industrial Control Systems (ICS), and more. To detect errors in program code, the group employs fuzzing. Fuzzers are algorithms that feed random inputs into the software under test to see whether they can cause the application to crash. If there are programming errors, the software will crash. The fuzzer diversifies the input to explore as many program components as possible.

Fuzzing is already used for testing operating systems such as Windows or Linux. However, it has not yet been widely used to test embedded systems because they present several challenges. Their software, known as firmware, is embedded in the hardware with which it interacts. The systems often have limited memory and slow processors, which is a problem for researchers who want to fuzz the device directly: testing all possible inputs and waiting for the system's response would take significant time. The team therefore does not examine the firmware in the industrial control unit or the light bulb directly. Instead, they virtually recreate the hardware in a process known as emulation. The emulator convinces the firmware that it is inside the real device by interacting with the program in the same way that the real hardware would.

To accelerate the procedure, the researchers add another step to the fuzzing process that narrows down the possible inputs. They created a framework within which the inputs must fall in order to be logical for the firmware. Together with colleagues from Santa Barbara and Amsterdam, the Bochum team used Fuzzware to test 77 firmwares. Compared with traditional fuzzing methods, they sorted out up to 95.5 percent of all possible inputs.
This article continues to discuss the concept of fuzz testing and the development behind the new Fuzzware system.

Ruhr University Bochum reports "Identifying Software Vulnerabilities Quickly and Efficiently"

 

Submitted by Anonymous on