CGIFuzz: Enabling Gray-Box Fuzzing for Web CGI of IoT Devices

Cheng Shi, Jiongchi Yu, Ziming Zhao, Jiongyi Chen, Fan Zhang

Published: 01 Jan 2025, Last Modified: 07 Jan 2026. IEEE Transactions on Information Forensics and Security. License: CC BY-SA 4.0
Abstract: Fuzz testing for Internet of Things (IoT) devices has become a critical area of research, as these devices play an increasingly vital role in modern networks and infrastructure. While significant efforts have been made, the Common Gateway Interface (CGI) programs that serve as an important component within these devices remain underexplored. Despite their extensive use in IoT web services, the specific characteristics of CGI programs have posed technical challenges to existing fuzzing infrastructures. To address these gaps, we propose CGIFuzz, the first gray-box fuzzing framework tailored for CGI programs in Linux-based IoT devices. CGIFuzz first enables dynamic instrumentation of CGI programs through Relay-Pass Instrumentation, then leverages Large Language Models (LLMs) to assist in generating high-quality fuzz test inputs. Furthermore, CGIFuzz devises oracles for detecting command injection and memory corruption vulnerabilities by leveraging multiple critical features observed during program execution. Our evaluation of CGIFuzz on ten popular IoT devices demonstrates superior coverage exploration and vulnerability detection capabilities compared to state-of-the-art fuzzers. Notably, CGIFuzz discovered 69 vulnerabilities, including 13 previously unknown ones, for which 9 CVEs were assigned.