Systematically Detecting Packet Validation Vulnerabilities in Embedded Network Stacks

TL;DR

This paper introduces a systematic testing framework for embedded network stacks that effectively detects vulnerabilities by covering protocol states and systematically modifying packets, outperforming fuzzing in identifying security flaws.

Contribution

The paper presents the first systematic characterization of ENS vulnerabilities and a novel testing framework that improves detection of security flaws over fuzzing techniques.

Findings

Discovered 7 new vulnerabilities in ENSs during systematic testing.

Most ENS defects are in transport and network layers and require minimal packet modifications.

Systematic testing uncovered vulnerabilities missed by prior fuzzing methods.

Abstract

Embedded Network Stacks (ENS) enable low-resource devices to communicate with the outside world, facilitating the development of the Internet of Things and Cyber-Physical Systems. Some defects in ENS are thus high-severity cybersecurity vulnerabilities: they are remotely triggerable and can impact the physical world. While prior research has shed light on the characteristics of defects in many classes of software systems, no study has described the properties of ENS defects nor identified a systematic technique to expose them. The most common automated approach to detecting ENS defects is feedback-driven randomized dynamic analysis ("fuzzing"), a costly and unpredictable technique. This paper provides the first systematic characterization of cybersecurity vulnerabilities in ENS. We analyzed 61 vulnerabilities across 6 open-source ENS. Most of these ENS defects are concentrated in the transport and network layers of the network stack, require reaching different states in the network protocol, and can be triggered by only 1-2 modifications to a single packet. We therefore propose a novel systematic testing framework that focuses on the transport and network layers, uses seeds that cover a network protocol's states, and systematically modifies packet fields. We evaluated this framework on 4 ENS and replicated 12 of the 14 reported IP/TCP/UDP vulnerabilities. On recent versions of these ENSs, it discovered 7 novel defects (6 assigned CVES) during a bounded systematic test that covered all protocol states and made up to 3 modifications per packet. We found defects in 3 of the 4 ENS we tested that had not been found by prior fuzzing research. Our results suggest that fuzzing should be deferred until after systematic testing is employed.