On Designing an Efficient Distributed Black-Box Fuzzing System for Mobile Devices

Wang Hao Lee, Murali Srirangam Ramanujam, S.P.T. Krishnan
2015 Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security - ASIA CCS '15  
Security researchers who jailbreak iOS devices have usually crowdsourced for system-level vulnerabilities [1] for iOS. However, their success has depended on whether a particular device owner encountered a crash in system-level code. To conduct voluntary security testing, black-box fuzzing is one of the ideal low-cost and simple techniques to find system-level vulnerabilities for the less technical crowd. However, it is not the most effective method due to the large fuzzing space. At the same time, when fuzzing mobile devices such as today's smartphones, it is extremely time-consuming to instrument mobile devices of varying versions of system software across the world. This paper describes Mobile Vulnerability Discovery Pipeline (MVDP), a semi-automated vulnerability discovery pipeline for mobile devices. MVDP is a carefully crafted process targeted to produce malicious output that is very likely to crash the target, leading to vulnerability discovery. MVDP employs a few novel black-box fuzzing techniques such as distributed fuzzing, parameter selection, mutation position optimisation and selection of good seed files. To date, MVDP has discovered around 1900 unique crashing inputs and helped to identify 7 unique vulnerabilities across various Android and iOS phone models.
doi:10.1145/2714576.2714607 dblp:conf/ccs/HaoRK15 fatcat:uygurjg6fnaizjnocg3wavzupm