Finding sands in the eyes: vulnerabilities discovery in IoT with EUFuzzer on human machine interface

In supervisory control and data acquisition (SCADA) systems or the Internet of Things (IoT), human machine interface (HMI) performs the function of data acquisition and control, providing the operators with a view of the whole plant and access to monitoring and interacting with the system. The compromise of HMI will result in lost of view (LoV), which means the state of the whole system is invisible to operators. The worst case is that adversaries can manipulate control commands through HMI to damage the physical plant. HMI often relies on poorly understood proprietary protocols, which are time-sensitive, and usually keeps a persistent connection for hours even days. All these factors together make the vulnerability mining of HMI a tough job. In this paper, we present EUFuzzer, a novel fuzzing tool to assist testers in HMI vulnerability discovery. EUFuzzer first identifies packet fields of the specific protocol and classifies all fields into four types, then using a relatively high efficiency fuzzing method to test HMI. The experimental results show that EUFuzzer is capable of identifying packet fields and revealing bugs. EUFuzzer also successfully triggers flaws of actual proprietary SCADA protocol implementation on HMI, which the SCADA software vendor has confirmed that four were zero-day vulnerabilities and has taken measures to patch up

Harvey: A Greybox Fuzzer for Smart Contracts

We present Harvey, an industrial greybox fuzzer for smart contracts, which are programs managing accounts on a blockchain. Greybox fuzzing is a lightweight test-generation approach that effectively detects bugs and security vulnerabilities. However, greybox fuzzers randomly mutate program inputs to exercise new paths; this makes it challenging to cover code that is guarded by narrow checks, which are satisfied by no more than a few input values. Moreover, most real-world smart contracts transition through many different states during their lifetime, e.g., for every bid in an auction. To explore these states and thereby detect deep vulnerabilities, a greybox fuzzer would need to generate sequences of contract transactions, e.g., by creating bids from multiple users, while at the same time keeping the search space and test suite tractable. In this experience paper, we explain how Harvey alleviates both challenges with two key fuzzing techniques and distill the main lessons learned. First, Harvey extends standard greybox fuzzing with a method for predicting new inputs that are more likely to cover new paths or reveal vulnerabilities in smart contracts. Second, it fuzzes transaction sequences in a targeted and demand-driven way. We have evaluated our approach on 27 real-world contracts. Our experiments show that the underlying techniques significantly increase Harvey's effectiveness in achieving high coverage and detecting vulnerabilities, in most cases orders-of-magnitude faster; they also reveal new insights about contract code.Comment: arXiv admin note: substantial text overlap with arXiv:1807.0787