SMuF: State Machine Based Mutational Fuzzing Framework for Internet of Things

  • Neeraj Karamchandani
  • Vinay Sachidananda
  • Suhas Setikere (corresponding author)
  • Jianying Zhou
  • Yuval Elovici
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11260)


The Internet of Things (IoT) exposes vulnerabilities at various levels. In this paper, we propose a mutation-based fuzzing framework called SMuF to find vulnerabilities in IoT devices. We harness the power of a state machine to generate the distinct states of a protocol. In addition, we generate legitimate packets as levels and sub-levels in order to intelligently mutate the data fields of the packet. Our mutation technique mutates based on location, context and time. We propose a probability score, based on payload length, for selecting the inputs to fuzz. We implemented and evaluated the proposed framework in our IoT security testbed. Using SMuF, we have discovered various vulnerabilities such as Denial of Service (DoS), buffer overflow and session hijacking.


Keywords: IoT security; Mutational fuzzing; Vulnerability discovery



The first author’s work was done during his internship in SUTD supported by the SUTD start-up research grant SRG-ISTD-2017-124.



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Neeraj Karamchandani (1)
  • Vinay Sachidananda (2)
  • Suhas Setikere (2, corresponding author)
  • Jianying Zhou (2)
  • Yuval Elovici (2)

  1. Pennsylvania State University, State College, USA
  2. iTrust, Singapore University of Technology and Design, Singapore, Singapore
