Towards Automated Detection of Higher-Order Command Injection Vulnerabilities in IoT Devices: Fuzzing With Dynamic Data Flow Analysis

Lei Yu, Haoyu Wang, Linyu Li, Houhua He
Copyright: © 2021 | Pages: 14
DOI: 10.4018/IJDCF.286755

Abstract

Command injection vulnerabilities are among the most common and dangerous attack vectors in IoT devices. Current detection approaches detect single-step injection vulnerabilities well by fuzzing. However, an attacker could inject malicious commands into an IoT device via a multi-step exploit if they first abuse one interface to store the injection payload and later cause it to reach a command interpreter through another interface. We identify a large class of such multi-step injection attacks to address these stealthy and harmful threats and define them as higher-order command injection vulnerabilities (HOCIVs). We develop an automatic system named Request Linking (ReLink) that detects data stores whose contents are transferred to command interpreters and then identifies HOCIVs. ReLink is validated on an experimental embedded system injected with 150 HOCIVs. According to the experimental results, ReLink is significantly better than existing command injection detection tools in terms of detection rate, test space and time.
Article Preview

Introduction

IoT devices provide daily services that interact with users and often handle large amounts of user-provided data. All of this data can potentially be abused by an attacker to cause harm. Many kinds of command injection attacks against IoT devices, such as OS command injection and SQL injection, are well understood. Such attacks can be prevented by sanitizing user input, and many approaches to this problem have been presented in the last few years.

One common assumption underlying many detection and prevention methods is that the data already stored in the IoT device, or even in devices connected to it, is safe. However, an attacker might bypass the defenses via so-called higher-order command injection vulnerabilities (HOCIVs) if they first store the payload through one request and later cause this payload to reach a command interpreter through another request.

Consider a web service interface that saves a user's setting parameter (e.g., the syslog server's address) to a config file. Another interface reads that setting parameter from the config file and passes it to a command shell. In this example, testing either interface in isolation could result in false negatives because neither can trigger the vulnerability alone. Existing testing methods (Stasinopoulos, 2019; Tool, 2020) would need to enumerate and test all interface combinations to find this vulnerability, which is not realistic for IoT devices with many interfaces.

Such vulnerabilities are often overlooked, but they can have severe impacts in practice. For example, an OS command injection attack would gain persistence if the injection payload could be stored in a configuration file even though the executable directories are not writable. Thus, detecting HOCIVs is crucial to improving the security of IoT devices.

Detecting such vulnerabilities can be done via either static or dynamic approaches. Among static approaches, Dahse et al. (Dahse, 2014) proposed RIPS to detect second-order vulnerabilities and related multi-step exploits in web applications by analyzing reads and writes to the web server's data stores. Redini et al. (Redini, 2020) proposed Karonte to detect insecure multi-binary interactions in embedded firmware using a set of inter-process communication (IPC) data stores; it can find HOCIVs that span multiple binary files. However, it is challenging to construct vulnerability PoCs (proofs of concept) from static analysis results, and a lot of manual work by source code or binary analysis experts is required. This is not realistic for the security testing of ever-changing IoT devices.

There are several dynamic approaches that detect command injection in IoT devices via fuzzing (Stasinopoulos, 2019; Tool, 2020) and do not require expert experience during testing. Such approaches focus on fuzzing a single request and try to inject command injection payloads into all possible inputs; the analysis tools then determine whether the injected commands were executed. However, these approaches have high false-negative rates when detecting HOCIVs, since triggering a HOCIV requires sending different requests in a specific order.

In this paper, we present ReLink, a novel detection method for HOCIVs in IoT devices that combines fuzzing with dynamic data flow tracking. First, we explore all network interfaces of the target IoT device by sending all possible requests on them and collect all data stores that are written to or read from by these requests. Second, from the collected data stores we derive the data dependency graph between these requests and, based on the graph, identify all request chains that may trigger HOCIVs. Third, each candidate request chain is sent in order, and a detailed data flow analysis is performed to determine whether the chain can cause command execution with user input. Finally, we fuzz these selected request sequences to detect HOCIVs. With ReLink, we can detect HOCIVs with a linear test space and low memory consumption, whereas most other methods require an exponential test space and high memory consumption.
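The request-linking step described above, and the syslog example earlier in the introduction, as an added illustration that is not the authors' code: constructed request traces record which data stores each request writes and reads and which read values reach a shell, and candidate chains are then only writer/reader pairs that share a store that flows to a sink, rather than every pair of requests. The trace format, request names and file paths are assumptions for this example.

```python
"""Illustrative re-implementation of the ReLink linking idea (not the paper's code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Trace:
    """What one request was observed to do during the exploration phase (assumed format)."""
    request: str
    writes: frozenset = frozenset()          # data stores the request writes
    reads: frozenset = frozenset()           # data stores the request reads
    reads_to_sink: frozenset = frozenset()   # stores whose content reaches a command interpreter


def build_dependency_graph(traces):
    """Map each data store to the requests that write it and the requests that read it."""
    writers, readers = defaultdict(set), defaultdict(set)
    for t in traces:
        for store in t.writes:
            writers[store].add(t.request)
        for store in t.reads:
            readers[store].add(t.request)
    return writers, readers


def candidate_chains(traces):
    """Return (writer, store, reader) chains worth sending in order and fuzzing.

    A chain qualifies only if the reader forwards the shared store to a sink, so an
    interface that merely displays a stored value (no shell) is not scheduled.
    """
    writers, readers = build_dependency_graph(traces)
    sink_stores = {t.request: t.reads_to_sink for t in traces}
    chains = []
    for store, ws in writers.items():
        for reader in readers.get(store, ()):
            if store in sink_stores[reader]:
                chains.extend((w, store, reader) for w in ws if w != reader)
    return sorted(chains)


def pairwise_test_space(traces):
    """Number of ordered request pairs a naive two-step enumeration would have to test."""
    n = len(traces)
    return n * (n - 1)


# Constructed traces: the paper's syslog example plus an interface that reads a store
# without passing it to a shell, which must not produce a candidate chain.
TRACES = [
    Trace("POST /cgi-bin/set_syslog", writes=frozenset({"/etc/config/syslog"})),
    Trace("GET /cgi-bin/status", reads=frozenset({"/etc/config/syslog"}),
          reads_to_sink=frozenset({"/etc/config/syslog"})),
    Trace("POST /cgi-bin/set_hostname", writes=frozenset({"/etc/hostname"})),
    Trace("GET /cgi-bin/show_hostname", reads=frozenset({"/etc/hostname"})),
]
```

Running `candidate_chains(TRACES)` yields the single set_syslog -> /etc/config/syslog -> status chain, while `pairwise_test_space(TRACES)` shows the 12 ordered pairs a blind enumeration would test.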

We implemented ReLink as a prototype for Linux-based IoT devices. We evaluated our approach by testing an experimental embedded system injected with 150 variants of HOCIVs and compared our system with four well-known command injection fuzzing tools. Overall, ReLink detected 87.3% of the HOCIVs while the reference tools missed more than 90% of them, indicating that these approaches do not correctly handle such vulnerabilities. ReLink also reduced test space and time by more than 50% compared with the reference tools. In summary, we make the following contributions:
