{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,31]],"date-time":"2025-08-31T10:10:28Z","timestamp":1756635028477},"reference-count":34,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2023,11,7]],"date-time":"2023-11-07T00:00:00Z","timestamp":1699315200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2023,11,7]],"date-time":"2023-11-07T00:00:00Z","timestamp":1699315200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"name":"the major project of Science and Technology Innovation 2030","award":["2021ZD0111400"],"award-info":[{"award-number":["2021ZD0111400"]}]},{"name":"Open project of the State Key Laboratory of Computer Architecture, Neural Network Enhanced Symbolic Execution Algorithm Research","award":["CARCH201910"],"award-info":[{"award-number":["CARCH201910"]}]},{"name":"the Fundamental Research Funds for the Central Universities","award":["3132018XNG1814","3132018XNG1815"],"award-info":[{"award-number":["3132018XNG1814","3132018XNG1815"]}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecurity"],"abstract":"<jats:title>Abstract<\/jats:title><jats:p>The popularity of small office and home office routers has brought convenience, but it also caused many security issues due to vulnerabilities. Black-box fuzzing through network protocols to discover vulnerabilities becomes a viable option. The main drawbacks of state-of-the-art black-box fuzzers can be summarized as follows. First, the feedback process neglects to discover the missing fields in the raw message. Secondly, the guidance of the raw message content in the mutation process is aimless. Finally, the randomized validity of the test case structure can cause most fuzzing tests to end up with an invalid response of the tested device. To address these challenges, we propose a novel black-box fuzzing framework called MSLFuzzer. MSLFuzzer infers the raw message structure according to the response from a tested device and generates a message segment list. Furthermore, MSLFuzzer performs semantic, sequence, and stability analyses on each message segment to enhance the complementation of missing fields in the raw message and guide the mutation process. We construct a dataset of 35 real-world vulnerabilities and evaluate MSLFuzzer. The evaluation results show that MSLFuzzer can find more vulnerabilities and elicit more types of responses from fuzzing targets. Additionally, MSLFuzzer successfully discovered 10 previously unknown vulnerabilities.<\/jats:p>","DOI":"10.1186\/s42400-023-00186-5","type":"journal-article","created":{"date-parts":[[2023,11,7]],"date-time":"2023-11-07T03:01:54Z","timestamp":1699326114000},"update-policy":"http:\/\/dx.doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":3,"title":["MSLFuzzer: black-box fuzzing of SOHO router devices via message segment list inference"],"prefix":"10.1186","volume":"6","author":[{"given":"Yixuan","family":"Cheng","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Wenqing","family":"Fan","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Wei","family":"Huang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jingyu","family":"Yang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Gaoqing","family":"Yu","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Wen","family":"Liu","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2023,11,7]]},"reference":[{"key":"186_CR1","unstructured":"Amini P, Portnoy A, Sears R (2019) Sulley: a pure-python fully automated and unattended fuzzing framework. Available https:\/\/github.com\/OpenRCE\/sulley. Accessed 9 Nov 2022"},{"key":"186_CR2","doi-asserted-by":"crossref","unstructured":"Aschermann C, Schumilo S, Blazytko T, Gawlik R, Holz T, Bochum R (2019) REDQUEEN: fuzzing with input-to-state correspondence. In: 2019 network and distributed system security symposium","DOI":"10.14722\/ndss.2019.23371"},{"key":"186_CR4","doi-asserted-by":"crossref","unstructured":"Chen D, Woo M, Brumley D (2016) Towards automated dynamic analysis for linux-based embedded firmware. In: Network and distributed system security symposium","DOI":"10.14722\/ndss.2016.23415"},{"key":"186_CR5","doi-asserted-by":"crossref","unstructured":"Chen J, Diao W, Zhao Q et al. (2018) IoTFuzzer: discovering memory corruptions in IoT through app-based fuzzing. In: Network and distributed system security symposium","DOI":"10.14722\/ndss.2018.23159"},{"key":"186_CR6","doi-asserted-by":"publisher","DOI":"10.1155\/2022\/9788219","author":"Y Cheng","year":"2022","unstructured":"Cheng Y et al (2022) PDFuzzerGen: policy-driven black-box fuzzer generation for smart devices. Secur Commun Netw. https:\/\/doi.org\/10.1155\/2022\/9788219","journal-title":"Secur Commun Netw"},{"key":"186_CR7","doi-asserted-by":"crossref","unstructured":"Dinh S et al. (2021) Favocado: fuzzing the binding code of JavaScript engines using semantically correct test cases. In: Network and distributed system security symposium","DOI":"10.14722\/ndss.2021.24224"},{"issue":"13","key":"186_CR8","doi-asserted-by":"publisher","first-page":"10390","DOI":"10.1109\/JIOT.2021.3056179","volume":"8","author":"M Eceiza","year":"2021","unstructured":"Eceiza M, Flores JL, Iturbe M (2021) Fuzzing the Internet of Things: a review on the techniques and challenges for efficient vulnerability discovery in embedded systems. IEEE Internet Things J 8(13):10390\u201310411","journal-title":"IEEE Internet Things J"},{"key":"186_CR9","doi-asserted-by":"crossref","unstructured":"Feng X et al. (2021) Snipuzz: black-box fuzzing of iot firmware via message snippet inference. In: Proceedings of the 2021 ACM SIGSAC conference on computer and communications security, pp. 337\u2013350.","DOI":"10.1145\/3460120.3484543"},{"key":"186_CR11","doi-asserted-by":"crossref","unstructured":"Gan S et al. (2018) CollAFL: path sensitive fuzzing. In: 2018 IEEE symposium on security and privacy, pp. 679\u2013696","DOI":"10.1109\/SP.2018.00040"},{"key":"186_CR12","doi-asserted-by":"crossref","unstructured":"Han H, Oh D, Cha S (2019) CodeAlchemist: semantics-aware code generation to find vulnerabilities in JavaScript engines. In: Network and distributed system security symposium","DOI":"10.14722\/ndss.2019.23263"},{"issue":"3","key":"186_CR13","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3428334","volume":"4","author":"A Hazimeh","year":"2020","unstructured":"Hazimeh A, Herrera A, Payer M (2020) Magma: a ground-truth fuzzing benchmark. Proc ACM Meas Anal Comput Syst 4(3):1\u201329","journal-title":"Proc ACM Meas Anal Comput Syst"},{"key":"186_CR14","doi-asserted-by":"crossref","unstructured":"Huang H, Yao P, Wu R, Shi Q, Zhang C (2020) Pangolin: incremental hybrid fuzzing with polyhedral path abstraction. In: 2020 IEEE symposium on security and privacy, pp. 1613\u20131627","DOI":"10.1109\/SP40000.2020.00063"},{"key":"186_CR15","unstructured":"Jones AK, Sielken RS (2000) Computer system intrusion detection: a survey. Comput Sci Tech Rep, pp. 1\u201325."},{"issue":"2","key":"186_CR16","doi-asserted-by":"publisher","first-page":"59","DOI":"10.1049\/ntw2.12007","volume":"10","author":"P Khandait","year":"2021","unstructured":"Khandait P, Hubballi N, Mazumdar B (2021) IoTHunter: IoT network traffic classification using device specific keywords. IET Netw 10(2):59\u201375","journal-title":"IET Netw"},{"key":"186_CR17","doi-asserted-by":"crossref","unstructured":"Kim M, Kim D, Kim E, Kim S, Jang Y, Kim Y (2020) Firmae: towards large-scale emulation of iot firmware for dynamic analysis. In: Annual computer security applications conference, pp. 733\u2013745.","DOI":"10.1145\/3427228.3427294"},{"key":"186_CR18","unstructured":"Lee S, Han H, Cha S, Son S (2020) Montage: a neural network language {Model-Guided}{JavaScript} engine fuzzer. In: 29th USENIX security symposium, pp. 2613\u20132630."},{"key":"186_CR19","unstructured":"Micro T (2020) Smart yet flawed: IoT device vulnerabilities explained. Security News, Tech. Rep."},{"key":"186_CR20","doi-asserted-by":"crossref","unstructured":"Muench M, Nisi D, Francillon A, Balzarotti D (2018) Avatar 2: a multi-target orchestration platform. In: Proc. Workshop Binary Anal. Res. (Colocated NDSS Symp.), vol. 18, pp. 1\u201311.","DOI":"10.14722\/bar.2018.23017"},{"key":"186_CR21","unstructured":"National computer network emergency response technical team\/coordination center of China, 2021. Available: https:\/\/www.cert.org.cn\/publish\/english\/index.html. Accessed 9 Nov 2022"},{"key":"186_CR22","unstructured":"Pereyda J (2022) boofuzz: network protocol fuzzing for humans. Available https:\/\/boofuzz.readthedocs.io\/en\/latest\/. Accessed 9 Nov 2022"},{"key":"186_CR23","doi-asserted-by":"publisher","first-page":"103157","DOI":"10.1016\/j.cose.2023.103157","volume":"128","author":"C Qin","year":"2023","unstructured":"Qin C, Peng J, Liu P et al (2023) UCRF: static analyzing firmware to generate under-constrained seed for fuzzing SOHO router. Comput Secur 128:103157","journal-title":"Comput Secur"},{"key":"186_CR24","doi-asserted-by":"crossref","unstructured":"Redini N et al. (2021) Diane: identifying fuzzing triggers in apps to generate under-constrained inputs for IoT devices. In: 2021 IEEE symposium on security and privacy, pp. 484\u2013500.","DOI":"10.1109\/SP40001.2021.00066"},{"issue":"22","key":"186_CR25","doi-asserted-by":"publisher","first-page":"22737","DOI":"10.1109\/JIOT.2022.3182589","volume":"9","author":"Z Shu","year":"2022","unstructured":"Shu Z, Yan G (2022) IoTInfer: automated blackbox fuzz testing of IoT network protocols guided by finite state machine inference. IEEE Internet Things J 9(22):22737\u201322751","journal-title":"IEEE Internet Things J"},{"key":"186_CR26","unstructured":"Unit 42, \u201c2020 Unit 42 IoT Threat Report\u201d, Palo Alto Networks, Inc., 2020. Available https:\/\/unit42.paloaltonetworks.com\/iot-threat-report-2020\/. Accessed 9 Nov 2022"},{"key":"186_CR27","doi-asserted-by":"publisher","DOI":"10.1155\/2019\/5076324","author":"D Wang","year":"2019","unstructured":"Wang D, Zhang X, Chen T, Li J (2019) Discovering vulnerabilities in COTS IoT devices through blackbox fuzzing web management interface. Secur Commun Netw. https:\/\/doi.org\/10.1155\/2019\/5076324","journal-title":"Secur Commun Netw"},{"key":"186_CR28","unstructured":"Wireshark. Available https:\/\/www.wireshark.org\/. Accessed 9 Nov 2022"},{"key":"186_CR29","unstructured":"Yamaji M (2022) Forecast: IoT semiconductors, worldwide, 2Q22 update. Gartner, Inc.. Available https:\/\/www.gartner.com\/en\/documents\/4016543\/. Accessed 9 Nov 2022"},{"issue":"19","key":"186_CR30","doi-asserted-by":"publisher","first-page":"9094","DOI":"10.3390\/app11199094","volume":"11","author":"Q Yin","year":"2021","unstructured":"Yin Q, Zhou X, Zhang H (2021) FirmHunter: state-aware and introspection-driven grey-box fuzzing towards IoT firmware. Appl Sci 11(19):9094","journal-title":"Appl Sci"},{"issue":"21","key":"186_CR31","doi-asserted-by":"publisher","first-page":"21607","DOI":"10.1109\/JIOT.2022.3183952","volume":"9","author":"Z Yu","year":"2022","unstructured":"Yu Z, Wang H, Wang D, Li Z, Song H (2022) CGFuzzer: a fuzzing approach based on coverage-guided generative adversarial networks for industrial IoT protocols. IEEE Internet Things J 9(21):21607\u201321619","journal-title":"IEEE Internet Things J"},{"key":"186_CR32","doi-asserted-by":"crossref","unstructured":"Zaddach J, Bruno L, Francillon A, Balzarotti D (2014) AVATAR: a framework to support dynamic security analysis of embedded systems' firmwares. In: 2014 network and distributed system security symposium","DOI":"10.14722\/ndss.2014.23229"},{"issue":"1","key":"186_CR33","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1186\/s42400-021-00091-9","volume":"4","author":"Y Zhang","year":"2021","unstructured":"Zhang Y et al (2021) ESRFuzzer: an enhanced fuzzing framework for physical SOHO router devices to discover multi-Type vulnerabilities. Cybersecurity 4(1):1\u201322","journal-title":"Cybersecurity"},{"key":"186_CR34","doi-asserted-by":"crossref","unstructured":"Zhang Y et al. (2019) SRFuzzer: an automatic fuzzing framework for physical SOHO router devices to discover multi-type vulnerabilities. In: Proceedings of the 35th annual computer security applications conference, pp. 544\u2013556","DOI":"10.1145\/3359789.3359826"},{"key":"186_CR35","unstructured":"Zheng Y, Davanian A, Yin H, Song C, Zhu H, Sun L (2019) {FIRM-AFL}:{High-Throughput} greybox fuzzing of {IoT} firmware via augmented process emulation. In: 28th USENIX security symposium, pp. 1099\u20131114"},{"issue":"11s","key":"186_CR36","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3512345","volume":"54","author":"X Zhu","year":"2022","unstructured":"Zhu X, Wen S, Camtepe S, Xiang Y (2022) Fuzzing: a survey for roadmap. ACM Comput Surv 54(11s):1\u201336","journal-title":"ACM Comput Surv"}],"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-023-00186-5.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-023-00186-5\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-023-00186-5.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,11,19]],"date-time":"2023-11-19T06:03:22Z","timestamp":1700373802000},"score":1,"resource":{"primary":{"URL":"https:\/\/cybersecurity.springeropen.com\/articles\/10.1186\/s42400-023-00186-5"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,11,7]]},"references-count":34,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2023,12]]}},"alternative-id":["186"],"URL":"https:\/\/doi.org\/10.1186\/s42400-023-00186-5","relation":{},"ISSN":["2523-3246"],"issn-type":[{"value":"2523-3246","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,11,7]]},"assertion":[{"value":"1 May 2023","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"29 August 2023","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"7 November 2023","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no competing interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"51"}}