SRFuzzer: an automatic fuzzing framework for physical SOHO router devices to discover multi-type vulnerabilities

Proceedings of the 35th Annual Computer Security Applications Conference (2019)

Abstract
SOHO (small office/home office) routers provide services for end devices to connect to the Internet, playing an important role in cyberspace. Unfortunately, security vulnerabilities pervasively exist in these routers, especially in the web server modules, greatly endangering end users. To discover these vulnerabilities, fuzzing web server modules of SOHO routers is the most popular solution. However, its effectiveness is limited, due to the lack of input specification, lack of routers' internal running states, and lack of testing environment recovery mechanisms. Moreover, fuzzing in general only reports memory corruption vulnerabilities, and fails to discover other vulnerabilities, e.g., web-based vulnerabilities. In this paper, we propose a solution, SRFuzzer, to address these issues. It is a fully automated fuzzing framework for testing physical SOHO devices. It continuously and effectively generates test cases by leveraging two input semantic models, i.e., the KEY-VALUE data model and the CONF-READ communication model, and automatically recovers the testing environment with power management. It also coordinates diversified mutation rules with multiple monitoring mechanisms to trigger multi-type vulnerabilities. To the best of our knowledge, it is the first whole-process fully automated fuzzing framework for SOHO routers. We ran SRFuzzer on 10 popular routers across five vendors. In total, it discovered 208 unique exceptional behaviors, 97 of which have been confirmed as 0-day vulnerabilities. The experimental results show that SRFuzzer outperforms state-of-the-art solutions in terms of types and number of vulnerabilities found.
Keywords
IoT, automatic vulnerability/bug detection, data inconsistency, fuzzing