{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,23]],"date-time":"2026-01-23T10:46:15Z","timestamp":1769165175466,"version":"3.49.0"},"reference-count":45,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2021,7,19]],"date-time":"2021-07-19T00:00:00Z","timestamp":1626652800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2021,7,19]],"date-time":"2021-07-19T00:00:00Z","timestamp":1626652800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/100014718","name":"Innovative Research Group Project of the National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["Grant No. 62032010"],"award-info":[{"award-number":["Grant No. 62032010"]}],"id":[{"id":"10.13039\/100014718","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100014718","name":"Innovative Research Group Project of the National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["U1836209"],"award-info":[{"award-number":["U1836209"]}],"id":[{"id":"10.13039\/100014718","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100014718","name":"Innovative Research Group Project of the National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["61802394"],"award-info":[{"award-number":["61802394"]}],"id":[{"id":"10.13039\/100014718","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecur"],"published-print":{"date-parts":[[2021,12]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>SOHO (small office\/home office) routers provide services for end devices to connect to the Internet, playing an important role in cyberspace. 
Unfortunately, security vulnerabilities pervasively exist in these routers, especially in the web server modules, greatly endangering end users. To discover these vulnerabilities, fuzzing web server modules of SOHO routers is the most popular solution. However, its effectiveness is limited due to the lack of input specification, lack of routers\u2019 internal running states, and lack of testing environment recovery mechanisms. Moreover, existing works for device fuzzing are more likely to detect memory corruption vulnerabilities. In this paper, we propose a solution, ESRFuzzer, to address these issues. It is a fully automated fuzzing framework for testing physical SOHO devices. It continuously and effectively generates test cases by leveraging two input semantic models, i.e., the KEY-VALUE data model and the CONF-READ communication model, and automatically recovers the testing environment with power management. It also coordinates diversified mutation rules with multiple monitoring mechanisms to trigger multi-type vulnerabilities. With the guidance of the two semantic models, ESRFuzzer can work in two ways: general mode fuzzing and D-CONF mode fuzzing. General mode fuzzing can discover issues that occur in both the CONF and READ operations, while D-CONF mode fuzzing focuses on the READ-op issues especially missed by general mode fuzzing. We ran ESRFuzzer on 10 popular routers across five vendors. In total, it discovered 136 unique issues, 120 of which have been confirmed as 0-day vulnerabilities we found. As an improvement of SRFuzzer, ESRFuzzer has discovered 35 previously undiscovered READ-op issues that belong to three vulnerability types, and 23 of them have been confirmed as 0-day vulnerabilities by vendors. 
The experimental results show that ESRFuzzer outperforms state-of-the-art solutions in terms of types and number of vulnerabilities found.<\/jats:p>","DOI":"10.1186\/s42400-021-00091-9","type":"journal-article","created":{"date-parts":[[2021,7,18]],"date-time":"2021-07-18T23:03:23Z","timestamp":1626649403000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":13,"title":["ESRFuzzer: an enhanced fuzzing framework for physical SOHO router devices to discover multi-Type vulnerabilities"],"prefix":"10.1186","volume":"4","author":[{"given":"Yu","family":"Zhang","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Wei","family":"Huo","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Kunpeng","family":"Jian","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ji","family":"Shi","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Longquan","family":"Liu","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4787-4832","authenticated-orcid":false,"given":"Yanyan","family":"Zou","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Chao","family":"Zhang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Baoxu","family":"Liu","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2021,7,19]]},"reference":[{"key":"91_CR1","unstructured":"ACI (2018) Securing IoT Devices: How Safe Is Your Wi-Fi Router?https:\/\/www.theamericanconsumer.org\/wp-content\/uploads\/2018\/09\/FINAL-Wi-Fi-Router-Vulnerabilities.pdf. 
Accessed 1 May 2019."},{"key":"91_CR2","unstructured":"Bojinov, H, Bursztein E, Lovett E, Boneh Dan (2009) Embedded management interfaces: Emerging massive insecurity, Las Vegas, Nevada."},{"key":"91_CR3","unstructured":"buildroot (2001) Buildroot - Making Embedded Linux Easy. https:\/\/buildroot.org\/. Accessed 1 May 2019."},{"key":"91_CR4","unstructured":"CENSUS (2016) Choronzon - An evolutionary knowledge-based fuzzer. https:\/\/github.com\/CENSUS\/choronzon. Accessed 1 May 2019."},{"key":"91_CR5","unstructured":"CERT (2016) Multiple Netgear routers are vulnerable to arbitrary command injection. https:\/\/www.kb.cert.org\/vuls\/id\/582384\/. Accessed 1 May 2019."},{"key":"91_CR6","volume-title":"IEEE Symposium on Security and Privacy (S&P)","author":"SK Cha","year":"2012","unstructured":"Cha, SK, Avgerinos T, Rebert A, Brumley D (2012) Unleashing mayhem on binary code In: IEEE Symposium on Security and Privacy (S&P).. IEEE, San Francisco."},{"key":"91_CR7","volume-title":"Network and Distributed System Security Symposium (NDSS)","author":"J Chen","year":"2018","unstructured":"Chen, J, Diao W, Zhao Q, Zuo C, Lin Z, Wang X, Lau WC, Sun M, Yang R, Zhang K (2018) Iotfuzzer: Discovering memory corruptions in iot through app-based fuzzing In: Network and Distributed System Security Symposium (NDSS).. ISOC, San Diego."},{"key":"91_CR8","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-46298-1","volume-title":"Network and Distributed System Security Symposium (NDSS)","author":"DD Chen","year":"2016","unstructured":"Chen, DD, Egele M, Woo M, Brumley D (2016) Towards automated dynamic analysis for linux-based embedded firmware In: Network and Distributed System Security Symposium (NDSS).. 
ISOC, San Diego."},{"key":"91_CR9","volume-title":"ACM Asia Conference on Computer and Communications Security (ASIACCS)","author":"A Costin","year":"2016","unstructured":"Costin, A, Zaddach J, Francillon A (2016) Automated dynamic firmware analysis at scale: A case study on embedded web interfaces In: ACM Asia Conference on Computer and Communications Security (ASIACCS).. ACM, Xi\u2019an."},{"key":"91_CR10","volume-title":"USENIX Security Symposium","author":"A Costin","year":"2014","unstructured":"Costin, A, Zaddach J, Francillon A, Balzarotti D (2014) A large-scale analysis of the security of embedded firmwares In: USENIX Security Symposium.. USENIX Association, San Diego."},{"key":"91_CR11","volume-title":"Annual Computer Security Applications Conference (ACSAC)","author":"A Cui","year":"2010","unstructured":"Cui, A, Stolfo SJ (2010) A quantitative analysis of the insecurity of embedded network devices: results of a wide-area scan In: Annual Computer Security Applications Conference (ACSAC).. IEEE, Orlando."},{"key":"91_CR12","volume-title":"USENIX Security Symposium","author":"D Davidson","year":"2013","unstructured":"Davidson, D, Moench B, Ristenpart T, Jha S (2013) Fie on firmware: Finding vulnerabilities in embedded systems using symbolic execution In: USENIX Security Symposium.. USENIX Association, Washington, D.C."},{"key":"91_CR13","unstructured":"devttys, 0 (2013) Binwalk: Firmware Analysis Tool. https:\/\/github.com\/ReFirmLabs\/binwalk. Accessed 1 May 2019."},{"key":"91_CR14","unstructured":"Fainelli, F (2008) The openwrt embedded development framework In: Free and Open Source Software Developers European Meeting (FOSDEM)."},{"key":"91_CR15","volume-title":"ACM Conference on Computer and Communications Security (CCS)","author":"Q Feng","year":"2016","unstructured":"Feng, Q, Zhou R, Xu C, Cheng Y, Testa B, Yin H (2016) Scalable graph-based bug search for firmware images In: ACM Conference on Computer and Communications Security (CCS).. 
ACM, Vienna."},{"key":"91_CR16","unstructured":"Fitblip (2012) Sulley - a pure-python fully automated and unattended fuzzing framework. https:\/\/github.com\/OpenRCE\/sulley. Accessed 1 May 2019."},{"key":"91_CR17","unstructured":"Google (2015) Honggfuzz. https:\/\/github.com\/google\/honggfuzz. Accessed 1 May 2019."},{"key":"91_CR18","unstructured":"Google (2015) syzkaller - linux syscall fuzzer. https:\/\/github.com\/google\/syzkaller. Accessed 1 May 2019."},{"key":"91_CR19","volume-title":"USENIX Security Symposium","author":"B Gourdin","year":"2011","unstructured":"Gourdin, B, Soman C, Bojinov H, Bursztein E (2011) Toward secure embedded web interfaces In: USENIX Security Symposium.. USENIX Association, San Francisco."},{"key":"91_CR20","unstructured":"HP-Fortify-ShadowLabs (2014) Report: Internet of Things Research Study. https:\/\/www8.hp.com\/us\/en\/hp-news\/press-release.html?id=1744676. Accessed 1 May 2019."},{"key":"91_CR21","unstructured":"Independent Security Evaluators (2017) SOHO Network Equipment (Technical Report). https:\/\/www.securityevaluators.com\/wp-content\/uploads\/2017\/07\/soho_techreport.pdf. Accessed 1 May 2019."},{"key":"91_CR22","volume-title":"Annual Computer Security Applications Conference (ACSAC)","author":"V Jain","year":"2018","unstructured":"Jain, V, Rawat S, Giuffrida C, Bos H (2018) Tiff: Using input type inference to improve fuzzing In: Annual Computer Security Applications Conference (ACSAC).. IEEE, San Juan."},{"key":"91_CR23","unstructured":"jtpereyda (2012) A fork and successor of the Sulley Fuzzing Framework. https:\/\/github.com\/jtpereyda\/boofuzz. Accessed 1 May 2019."},{"key":"91_CR24","unstructured":"jtpereyda (2014) Wfuzz - The Web Fuzzer. https:\/\/github.com\/xmendez\/wfuzz. Accessed 1 May 2019."},{"key":"91_CR25","unstructured":"Khandelwal, S (2018) Thousands of MikroTik Routers Hacked to Eavesdrop On Network Traffic. https:\/\/thehackernews.com\/2018\/09\/mikrotik-router-hacking.html. 
Accessed 1 May 2019."},{"key":"91_CR26","volume-title":"USENIX Annual Technical Conference (USENIX ATC)","author":"SY Kim","year":"2017","unstructured":"Kim, SY, Lee S, Yun I, Xu W, Lee B, Yun Y, Kim T (2017) Cab-fuzz: Practical concolic testing techniques for cots operating systems In: USENIX Annual Technical Conference (USENIX ATC).. USENIX, Santa Clara."},{"key":"91_CR27","unstructured":"Largent, W, New VPNFilter malware targets at least 500K networking devices worldwide (2018). https:\/\/blog.talosintelligence.com\/2018\/05\/VPNFilter.html. Accessed 1 May 2019."},{"key":"91_CR28","unstructured":"LLVM (2015) libFuzzer - a library for coverage-guided fuzz testing. http:\/\/llvm.org\/docs\/LibFuzzer.html. Accessed 1 May 2019."},{"key":"91_CR29","unstructured":"Mi Smart Plug (2015). https:\/\/www.mi.com\/us\/mj-socket\/. Accessed 1 May 2019."},{"key":"91_CR30","volume-title":"Network and Distributed System Security Symposium (NDSS)","author":"M Muench","year":"2018","unstructured":"Muench, M, Stijohann J, Kargl F, Francillon A, Balzarotti D (2018) What you corrupt is not what you crash: Challenges in fuzzing embedded devices In: Network and Distributed System Security Symposium (NDSS).. ISOC, San Diego."},{"key":"91_CR31","unstructured":"NVD (2015) Common Vulnerability Scoring System (CVSS). https:\/\/nvd.nist.gov\/vuln-metrics\/cvss. Accessed 1 May 2019."},{"key":"91_CR32","unstructured":"NVD (2020) CVE-2020-15916. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2020-15916. Accessed 1 Dec 2020."},{"key":"91_CR33","volume-title":"Network and Distributed System Security Symposium (NDSS)","author":"S Rawat","year":"2017","unstructured":"Rawat, S, Jain V, Kumar A, Cojocar L, Giuffrida C, Bos H (2017) Vuzzer: Application-aware evolutionary fuzzing In: Network and Distributed System Security Symposium (NDSS).. ISOC, San Diego."},{"key":"91_CR34","unstructured":"rytilahti (2018) python-miio:Python library & console tool for controlling Xiaomi smart appliances. 
https:\/\/github.com\/rytilahti\/python-miio. Accessed 1 May 2019."},{"key":"91_CR35","unstructured":"Selenium (2004) A browser automation framework and ecosystem. https:\/\/github.com\/SeleniumHQ\/selenium\/. Accessed 1 May 2019."},{"key":"91_CR36","volume-title":"Network and Distributed System Security Symposium (NDSS)","author":"Y Shoshitaishvili","year":"2015","unstructured":"Shoshitaishvili, Y, Wang R, Hauser C, Kruegel C, Vigna G (2015) Firmalice-automatic detection of authentication bypass vulnerabilities in binary firmware In: Network and Distributed System Security Symposium (NDSS).. ISOC, San Diego."},{"key":"91_CR37","unstructured":"Stasinopoulos, A, Ntantogian C, Xenakis C (2015) Commix: Detecting and exploiting command injection flaws In: BlackHat EU, Amsterdam."},{"key":"91_CR38","volume-title":"Network and Distributed System Security Symposium (NDSS)","author":"N Stephens","year":"2016","unstructured":"Stephens, N, Grosen J, Salls C, Dutcher A, Wang R, Corbetta J, Shoshitaishvili Y, Kruegel C, Vigna G (2016) Driller: Augmenting fuzzing through selective symbolic execution In: Network and Distributed System Security Symposium (NDSS).. ISOC, San Diego, California."},{"key":"91_CR39","unstructured":"strace (2000) strace - linux syscall tracer. https:\/\/strace.io\/. Accessed 1 May 2019."},{"issue":"8","key":"91_CR40","doi-asserted-by":"publisher","first-page":"1989","DOI":"10.3837\/tiis.2013.08.014","volume":"7","author":"Z Wang","year":"2013","unstructured":"Wang, Z, Zhang Y, Liu Q (2013) Rpfuzzer: A framework for discovering router protocols vulnerabilities based on fuzzing. 
KSII Trans Internet Inf Syst (TIIS) 7(8):1989\u20132009.","journal-title":"KSII Trans Internet Inf Syst (TIIS)"},{"key":"91_CR41","volume-title":"IEEE Symposium on Security and Privacy (S&P)","author":"W You","year":"2019","unstructured":"You, W, Wang X, Ma S, Huang J, Zhang X, Wang X, Liang B (2019) Profuzzer: On-the-fly input type probing for better zero-day vulnerability discovery In: IEEE Symposium on Security and Privacy (S&P).. IEEE, San Francisco."},{"key":"91_CR42","volume-title":"Network and Distributed System Security Symposium (NDSS)","author":"J Zaddach","year":"2014","unstructured":"Zaddach, J, Bruno L, Francillon A, Balzarotti D, et al (2014) Avatar: A framework to support dynamic security analysis of embedded systems\u2019 firmwares In: Network and Distributed System Security Symposium (NDSS).. ISOC, San Diego, California."},{"key":"91_CR43","unstructured":"Zalewski, M (2014) American Fuzzy Lop. http:\/\/lcamtuf.coredump.cx\/afl\/. Accessed 1 May 2019."},{"key":"91_CR44","unstructured":"Zerodium (2015). https:\/\/zerodium.com\/program.html. Accessed 1 May 2019."},{"key":"91_CR45","doi-asserted-by":"publisher","first-page":"544","DOI":"10.1145\/3359789.3359826","volume-title":"Proceedings of the 35th Annual Computer Security Applications Conference","author":"Y Zhang","year":"2019","unstructured":"Zhang, Y, Huo W, Jian K, Shi J, Lu H, Liu L, Wang C, Sun D, Zhang C, Liu B (2019) SRFuzzer: an automatic fuzzing framework for physical SOHO router devices to discover multi-type vulnerabilities In: Proceedings of the 35th Annual Computer Security Applications Conference, 544\u2013556.. 
IEEE, San Juan."}],"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-021-00091-9.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-021-00091-9\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-021-00091-9.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,7,18]],"date-time":"2021-07-18T23:17:05Z","timestamp":1626650225000},"score":1,"resource":{"primary":{"URL":"https:\/\/cybersecurity.springeropen.com\/articles\/10.1186\/s42400-021-00091-9"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,7,19]]},"references-count":45,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2021,12]]}},"alternative-id":["91"],"URL":"https:\/\/doi.org\/10.1186\/s42400-021-00091-9","relation":{},"ISSN":["2523-3246"],"issn-type":[{"value":"2523-3246","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,7,19]]},"assertion":[{"value":"7 January 2021","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"19 April 2021","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"19 July 2021","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"The authors declare that they have no competing interests.","order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"24"}}