Title
Finding Sands in the Eyes: Vulnerabilities Discovery in IoT With EUFuzzer on Human Machine Interface.
Abstract
In supervisory control and data acquisition (SCADA) systems or the Internet of Things (IoT), the human machine interface (HMI) performs the function of data acquisition and control, providing operators with a view of the whole plant and a means of monitoring and interacting with the system. The compromise of an HMI will result in loss of view (LoV), which means the state of the whole system is invisible to operators. The worst case is that adversaries can manipulate control commands through the HMI to damage the physical plant. An HMI often relies on poorly understood proprietary protocols, which are time-sensitive, and usually keeps a persistent connection for hours or even days. All these factors together make the vulnerability mining of HMI a tough job. In this paper, we present EUFuzzer, a novel fuzzing tool to assist testers in HMI vulnerability discovery. EUFuzzer first identifies packet fields of the specific protocol and classifies all fields into four types, then uses a relatively high-efficiency fuzzing method to test the HMI. The experimental results show that EUFuzzer is capable of identifying packet fields and revealing bugs. EUFuzzer also successfully triggers flaws in an actual proprietary SCADA protocol implementation on HMI, four of which the SCADA software vendor has confirmed as zero-day vulnerabilities and has taken measures to patch.
Year: 2019
DOI: 10.1109/ACCESS.2019.2931061
Venue: IEEE ACCESS
Keywords: Protocol format parsing, vulnerability mining, fuzzing test, HMI security, IoT
DocType: Journal
Volume: 7
ISSN: 2169-3536
Citations: 0
PageRank: 0.34
References: 0
Authors: 7
Name | Order | Citations | PageRank
Jiaping Men | 1 | 0 | 0.34
Guangquan Xu217133.20
Zhen Han | 3 | 0 | 0.34
Zhonghao Sun | 4 | 0 | 0.34
Xiaojun Zhou | 5 | 0 | 0.68
Wenjuan Lian | 6 | 0 | 0.34
Xiao-chun Cheng7129.10