Fuzzing the Internet of Things: A Review on the Techniques and Challenges for Efficient Vulnerability Discovery in Embedded Systems

Maialen Eceiza,Mikel Iturbe,Jose Luis Flores

doi:10.1109/jiot.2021.3056179

Maialen Eceiza, Mikel Iturbe + Show 1 more

Open Access

https://doi.org/10.1109/jiot.2021.3056179

Copy DOI

Abstract

With a growing number of embedded devices that create, transform, and send data autonomously at its core, the Internet of Things (IoT) is a reality in different sectors, such as manufacturing, healthcare, or transportation. With this expansion, the IoT is becoming more present in critical environments, where security is paramount. Infamous attacks, such as Mirai, have shown the insecurity of the devices that power the IoT, as well as the potential of such large-scale attacks. Therefore, it is important to secure these embedded systems that form the backbone of the IoT. However, the particular nature of these devices and their resource constraints mean that the most cost-effective manner of securing these devices is to secure them before they are deployed, by minimizing the number of vulnerabilities they ship. To this end, fuzzing has proved itself as a valuable technique for automated vulnerability finding, where specially crafted inputs are fed to programs in order to trigger vulnerabilities and crash the system. In this survey, we link the world of embedded IoT devices and fuzzing. For this end, we list the particularities of the embedded world as far as security is concerned, we perform a literature review on fuzzing techniques and proposals, studying their applicability to embedded IoT devices and, finally, we present future research directions by pointing out the gaps identified in the review.

Highlights

T HE Internet of Things (IoT) is the novel networking paradigm, where heterogeneous computing devices, Manuscript received August 28, 2020; revised November 18, 2020 and December 27, 2020; accepted January 26, 2021
The quality of a fuzzer should be measured by using standardized metrics, such as accuracy, the false discovery rate, or other classical metrics found in statistics and machine learning that can reflect with more objectivity the quality
Only a small portion of the authors use subsets of these metrics to assess the performance and the majority of them use their own mechanisms in a specific context to show the advantages, so nowadays, it is not possible to compare the fuzzers only analyzing the literature

Summary

Introduction

T HE Internet of Things (IoT) is the novel networking paradigm, where heterogeneous computing devices, Manuscript received August 28, 2020; revised November 18, 2020 and December 27, 2020; accepted January 26, 2021. Known as IoT devices, interact between them with little to no human intervention to collaborate toward a common goal [1] Examples of such services include predictive maintenance, precision healthcare, security monitoring, smart crop management, or advanced control of a production process. Available: https://lora-alliance.org/about-lorawan [154] ZigBee. Accessed: Nov. 18, 2020.

Results

Discussion

Conclusion