156 research outputs found

    Timing analysis of embedded software for speculative processors

    Timing Analysis of Body Area Network Applications

    Body area network (BAN) applications have stringent timing requirements. The timing behavior of a BAN application is determined not only by the software complexity, inputs, and architecture, but also by the timing behavior of the peripherals. This paper presents a systematic timing analysis of such applications, deployed for health-care monitoring of patients staying at home. This monitoring is used to achieve prompt notification of the hospital when a patient shows abnormal vital signs. Due to the safety-critical nature of these applications, worst-case execution time (WCET) analysis is extremely important.

    Accurate estimation of cache-related preemption delay

    Stateful Greybox Fuzzing

    Many bugs in protocol implementations may only manifest when the system is in a particular "state". For instance, to trigger one of the bugs we found in an RTSP implementation, the fuzzer must first send two different types of messages to usher the protocol implementation from the INIT via the READY to the PLAY state where the bug is exposed. Without knowledge of the protocol, it is inherently difficult for a fuzzer to discover such stateful bugs. A key challenge in fuzzing stateful systems, therefore, is to cover the state space without an explicit specification of the protocol. So, how can we help our fuzzer navigate an unknown state space? In our analysis of the Top-50 most widely used open-source protocol implementations, we found that every implementation uses state variables that are assigned named constants (such as INIT, READY) to represent the current state. In this work, we propose to automatically identify such state variables and track the sequence of values assigned to them during fuzzing to produce a "map" of the explored state space. Our stateful greybox fuzzing approach uses this map to focus on the most promising regions of the code and state space. Our experiments confirm that our stateful fuzzer discovers stateful bugs twice as fast as the baseline greybox fuzzer that we extended. The state sequence for an input is determined by the sequence of values assigned to the state variables during its execution. Starting from the initial state, our fuzzer exercises one order of magnitude more state sequences and covers the same code two times faster than the baseline fuzzer. Several zero-day bugs in prominent protocol implementations were found by our fuzzer, and 8 CVEs have been assigned.