Fuzzing for IoT Security: A Comparative Analysis
摘要
With the explosive growth of the Internet of Things (IoT), security challenges have become more pressing than ever, which pushed automated vulnerability detection towards being a necessity more than a nice to have. Out of the large and diverse pool of security assessment techniques, fuzzing has proven to be a highly effective method for identifying vulnerabilities through injecting unexpected or malformed inputs into target systems. This approach has proven to be particularly useful for uncovering security flaws such as buffer overflows, memory corruption, authentication weaknesses, and protocol inconsistencies, all of which are issues that if left unchecked, could lead to serious exploits. However, IoT systems come with unique constraints, including limited resources and distinct attack surfaces, which affect the effectiveness of different fuzzing techniques. Traditional methods that rely on large, complex and expensive testbeds may not be well-suited for IoT devices with restricted processing power and memory or in projects with limited budget. This paper explores various fuzzing technologies and compares their attributes for identifying the right solution when it comes to securing IoT systems. Specifically, it examines coverage-based fuzzing, metamorphic fuzzing, concolic fuzzing, fingerprinting and machine learning-assisted fuzzing in detecting software vulnerabilities and protocol flaws. Additionally, this research considers the trade-offs between scalability, automation, and efficiency when applying these techniques to IoT firmware.