Litcius/Paper detail

Greyhound: Directed Greybox Wi-Fi Fuzzing

Matheus E. Garbelini, Chundong Wang, Sudipta Chattopadhyay

2020IEEE Transactions on Dependable and Secure Computing20 citationsDOI

Abstract

The recent rise in complex Wi-Fi vulnerabilities, such as KRACK and Dragonslayer, indicates the critical need for effective Wi-Fi protocol testing tools. In this article, we conceptualize, design and implement a directed fuzzing methodology named <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Greyhound</small> that automatically tests the Wi-Fi client implementations against vulnerabilities such as crashes or non-compliant behaviors. Leveraging a holistic Wi-Fi protocol model, <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Greyhound</small> directs the fuzzer in specific states of target Wi-Fi client. By exchanging mutated packets with a Wi-Fi client, <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Greyhound</small> aims to induce the client to exhibit anomalous behaviors that badly deviate from Wi-Fi protocols. We have implemented <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Greyhound</small> and evaluated it on a variety of real-world Wi-Fi clients, including smartphone, Raspberry Pi, IoT device microcontrollers and a medical device. Our evaluation indicates that <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Greyhound</small> not only automatically discovers known vulnerabilities (including KRACK and Dragonslayer) that would require specialized verification otherwise, but, more importantly, it also has uncovered four new vulnerabilities in popular Wi-Fi client devices. All discovered vulnerabilities have been confirmed by manufacturers and they have been assigned three different common vulnerability exposure (CVE) IDs. We also win a bug bounty of 2,200 USD for discovering the security vulnerabilities. Furthermore, our evaluation with three existing Wi-Fi fuzz testing tools reveals that all such tools fail to discover any of the vulnerabilities (including crashes) uncovered by <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Greyhound</small> . Last but not the least, we have deployed <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Greyhound</small> to test the Wi-Fi client implementation on automotive head units. <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Greyhound</small> automatically discovers KRACK, Dragonslayer and other anomalies in these Wi-Fi implementations. Such a real world try-out justifies the necessity and efficacy of <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Greyhound</small> .

Topics & Concepts

Fuzz testingComputer scienceProtocol (science)World Wide WebProgramming languageSoftwareMedicineAlternative medicinePathologyWireless Networks and ProtocolsInternet Traffic Analysis and Secure E-votingBluetooth and Wireless Communication Technologies